Tips for Getting Security Budget Buy-InCISOs, CIOs Share Advice on Winning Needed Funds
To help make the case for information security spending at healthcare organizations, it's essential to ensure that those who hold the purse strings understand near-term and emerging threats - and the risks involved to the organization if those threats aren't mitigated, three leading CISOs and a CIO say. That means keeping your risk assessment up to date - and keeping executives well-informed.
"Don't wait until you need something to educate your people," says Sharon Finney, corporate data security officer at Adventist Health System, which operates 37 hospitals. She gives monthly updates about security to her organization's divisional CIOs and CTOs and quarterly updates to a compliance board committee. "Very few things pop up and bite you," she says.
Providing the appropriate level of education and "sharing industry-related stories, studies and headlines" are important steps to take to gain buy-in from senior management, suggests Chuck Christian, CIO at St. Francis Hospital in Columbus, Ga.
"Getting and maintaining funding is always a chore; that is, unless you have an 'issue' that you've recently had to deal with," he says. "Many times spending for security programs may be viewed as insurance. Project-specific funding is an approach, but these may be tied to physical hardware acquisitions; other projects may be related to program or risk analysis."
When it comes to making the case for security funding "each organization's approach appears to be different, many based upon their own experience or the experience of others that they know," Christian says. "It's taken me some time to understand that my job is to identify the risk and propose an appropriate process to mitigate that risk; it is then up to the administration to either accept the risk or the proposed plan."
Sources of Funding
As for how information security budgets are funded, the recent Healthcare Information Security Today survey, conducted by HealthcareInfoSecurity, finds that:
- 45 percent of organizations ask that money be allocated out of the overall IT budget as needed for security projects;
- 38 percent have a clearly defined information security budget that's separate from the IT budget;
- 17 percent leverage the results of risk assessments to help funding;
- 11 percent have funding that comes from departments other than IT;
- 9 percent have a clearly defined security budget that's part of the IT budget.
Until recently, PeaceHealth's IT security was funded out of the IT division in a project-based way for capital expenses, with staffing coming out of IT operation expenses, says Christopher Paidhrin, security administration manager in the information security technology division at the delivery system in the Pacific Northwest. But this year, the security budget has been separated into a department within IT, he says.
"All capital requests require a business-aligned 'value-add' rationalization - an ROI [return on investment] justification. A justification may be project-driven, but more likely the business requirements are tied to organization strategy and the IT roadmap," he says.
To prepare for budgeting discussions at PeaceHealth, Paidhrin says it's important to prioritize all risks at the organizational level.
"Attach a rough cost of remediation and exposure to each," he says. "Project-ize the risks into business-meaningful and manageable chunks, and then get each project funded. This is not to say that security should be 'point-solution' based. There needs to be a comprehensive security governance model, framework and action plan - a roadmap. But it can't be accomplished easily as a large amorphous domain," he says.
Paidhrin says the goal is to allocate funds to the highest priorities, and that senior leaders "own the risk acceptance of what is not done first," if priorities aren't funded.
Do Your Homework
At University of Pittsburgh Medical Center, the security budget is part of the IT budget. The organization uses a tool that ranks IT budget requests across divisions based on risk, compliance needs and other factors, says John Houston, vice president and privacy and information security officer. "We get hundreds of requests for money that we need to entertain," he says.
Before Houston walks into annual budget meetings with CIO Dan Drawbaugh and other senior leaders, he has a security plan in hand with the half-dozen or so key projects that need to be funded based on the risk analysis.
"Threats are constantly changing, technologies are changing, such as cloud, how we're delivering our services are changing, and the technologies to secure our systems are changing," he says. "As all these factors shift, we need a security program that addresses that."
Five years ago, health data security was simpler, when most information was within the data center perimeter, he says. "But now it's like warfare, it's like fighting in Iraq, where there are insurgents everywhere - there's a constant need to update and manage," he says.
Piece of Budget Pie
As for size of data security budgets, the Healthcare Information Security Today survey finds that spending that's equivalent to 1 percent to 3 percent of an organization's IT budget is most common. Only 37 percent expect their budgets to increase this year.
"I don't have a percentage of the IT budget dedicated to security," says Adventist's Finney. "I need to defend each dollar."
Much of security spending is looked at as insurance, Finney says. "I don't go through a lot of ROI analysis," she says. "We work closely with the risk management team, based on the likelihood - whether high or low - that something will happen, the dollar amount of what taking that risk might cost, and the dollar amount to avoid that cost."
Finney submits a capital budget request for any new enterprise security projects that need to be funded for all three of Adventist's main divisions.
Regulatory demands are putting some pressure on security budgets, whether it's to support rollout of electronic health records under the HITECH Act's incentive program or compliance with the new HIPAA Omnibus Rule.
At PeaceHealth, "compliance deadlines are regarded with all seriousness, especially with the heightened awareness of leadership for the cost of managed remediation," says Paidhrin. "By that I mean, a 90 day remediation plan mandated by Department of Health and Human Services [as part of an enforcement action] would be far more expensive than a one-year remediation plan managed in-house."
When it comes to HIPAA Omnibus Rule compliance efforts at Adventist, "we haven't seen anything that will make a big difference in the costs," Finney says. "A lot of HIPAA Omnibus is more about privacy and liability being extended to business associates," she says. "We already had extensive breach notification processes in place, and we will do enhancements over the next 12 months in [HIPAA compliance] training."