Making the Business Case for Security
How to Win Support for Information Security Spending
"Executives want to do the right thing; they just need a clear reason to do it," says Paidhrin in an interview with HealthcareInfoSecurity.com's Howard Anderson [transcript below].
Security professionals need to demonstrate how information security investments, such as for audit logs or encryption, directly support key business goals, Paidhrin says.
In the interview, Paidhrin comments on the results of HealthcareInfoSecurity's inaugural Healthcare Information Security Today survey, which shows that almost 70 percent of organizations estimate they devote 3 percent or less of their IT budget to information security, but 43 percent expect that percentage to increase in the year ahead.
"Money is tight. Healthcare executives and physician practices are challenged by the loss of revenue, especially with ever lowering reimbursement rates, and the overall cost of healthcare is increasing, but little of it benefits the provider," Paidhrin says. "So, IT security is considered a luxury that few can afford."
But spending, inevitably, will increase, he says, "as healthcare leaders discover how much more vulnerable their information systems are, and the real costs for breaches."
In the interview, Paidhrin also:
- Explains how the movement to smart phones, tablets and other mobile devices is influencing security priorities;
- Points out that a poorly trained staff "will undermine any technology spending or compliance effort."
Before joining the staff at 340-bed PeaceHealth Southwest Medical Center in Vancouver, Wash., Paidhrin worked for many years in IT and business operations in higher education, the private sector and entrepreneurial environments, where he held numerous director-level positions.
Complete survey results are now available.
Infosec Not a Top Priority
HOWARD ANDERSON: The survey shows that only 60 percent of organizations report they have a documented information security strategy in place and only about 42 percent report having a defined information security budget. Why do you think that information security is not yet a top priority for so many organizations apparently?
CHRISTOPHER PAIDHRIN: I would suppose that the 60 percent of organizations that have a strategy also have someone who has the role and responsibility for managing security. I can easily see that a large share of the remaining 40 percent don't have a defined security role, function or an office. In small to medium-sized organizations, the security role often falls to the office manager, who may be efficient at running a clinical office, but may have limited familiarity with information security. And I'm also not surprised that only 42 percent have security budgets. Money is tight. Healthcare executives and physician practices are challenged by the loss of revenue, especially with ever lowering reimbursement rates, and the overall cost of healthcare is increasing but little of it benefits the provider. So IT security is considered a luxury that few can afford. From a provider perspective, it's a technology cost center and the top priorities are making payroll and reducing the reimbursement cycle. Security is largely seen as a necessity like a cleaning service. It's necessary, but it's not a top priority.
IT Security Budgets
ANDERSON: Almost 70 percent of organizations estimate that they devote three percent or less of their IT budget to information security, but 43 percent expect that percentage to increase in the coming year. What do you think is the best way to determine an adequate level of spending for security, and should that level typically be higher than three percent of the total IT budget, do you think?
PAIDHRIN: What big questions. If I could answer them accurately, I would make a good living as a consultant. I do have several thoughts. Three percent or less of an IT budget doesn't surprise me. IT infrastructure and the skilled people to make it work are expensive, often 80-90 percent of IT budgets. IT security is most often a part-time or single person role and they may have a batch of policies, and if the organization is fortunate, a small handful of technologies, usually the minimum necessary to get the essential job done, protecting information. I'm not surprised by the expectation that IT security budget funding will increase. As healthcare leaders discover how much more vulnerable their information systems are, and the real costs for breaches, the return on investment calculus is shifting. An example is the explosion of tablet use and "bring your own device" [BYOD]. Providers and staff want mobile connectivity and that alone will greatly increase vulnerability concerns and costs. And as for whether security budgets should be higher than three percent of all IT spending, I think that depends on the organization and how they manage risk. Three percent of half a million can only do so much. Three percent of ten million can do a lot more, but when the baseline for healthcare security compliance is the same for all sizes, the smaller organization is much more constrained. I don't think small provider offices can afford three percent.
ANDERSON: Almost 60 percent of organizations say they have only 1-4 staff members devoted to information security, with about 22 percent saying they have no full-time staff members devoted to this arena. Based on your experience, what's the key to winning the senior executive support for staffing and funding for information security?
PAIDHRIN: It may not be coincidence that the ratios line up like this. If 22 percent have no full-time security staff, how can the organization manage a security program? If there isn't funding for the security role, there's likely little money for expensive security controls and technologies. But for winning executive support, it takes both skill and a strong argument, and a solid business case of justifications. The key as I see it is to focus a business case for security in simple terms, in no more than four bullet-point slides. Each organizational priority must have a directly associated security tag that shows why security strengthens and aligns with each priority. Executives want to do the right thing; they just need a clear reason to do it.
Top Technology Investments
ANDERSON: Top information security technology investments for the coming year, according to this survey, are audit logs, mobile device encryption, data loss prevention and e-mail encryption. Why do you think those are the top spending priorities of the survey, and what other technologies do you think should be top priorities for most organizations?
PAIDHRIN: Again, I'm not surprised by these findings. The more mobile the workforce becomes, the more healthcare becomes outpatient-centric, distributed and exposed, the greater the risks. Each of these technologies addresses an aspect of information on the move. Audit logs are a HIPAA requirement, but mobile device and e-mail encryption address information in transit, and data loss prevention is another layer of information and risk containment. It's all about extending security controls to where the information is located. So when you say what other technologies do I think should be top priorities, I think there's a reason why these are the top priorities, because as the information moves out, the controls need to move with the information. They're reasonable top priorities.
Surprising Survey Results
ANDERSON: Finally, did you find any of the other results of the survey to be particularly surprising or concerning?
PAIDHRIN: I did, and I'm disturbed but not surprised by the numbers related to insider threats and breaches. I question that only 25 percent of organizations had experienced reportable breaches. I think that number is much, much higher. And when asked what the single biggest security threat is, the survey respondents said that the number of staff mistakes, about 28 percent, and snooping incidents, about 24 percent, make up more than half of their concerns for the biggest security threat. I'd say that should be a wake-up call for executives, and when almost 42 of the survey participants rank their organization's staff training program's effectiveness as failing, poor or needing improvement, I am very concerned. It comes down to information security spending. You mentioned three percent; it could be three percent or 13 percent. But unengaged, poorly trained staff will undermine any technology spending or compliance effort. Those are my biggest concerns.