How can IT Infrastructure Library (ITIL) improve information security?
The ITIL change management process is one of the most important processes for increasing the security of IT applications and infrastructure. For example, in healthcare and hospital environments, maintaining an eHealthRecord (eHR) application is an enormous IT task. Cerner, Epic, Allscripts, MEDITECH, Siemens and McKesson are the major vendors, and their products cost many millions to purchase; implementing and maintaining them often requires millions more in resources.
The ongoing task of maintaining a hospital eHealthRecord is a giant burden on IT. There are also many possible security issues, given that HIPAA compliance is required for any hospital or healthcare environment. According to industry research, some hospitals have a backlog of over 1,000 eHealthRecord Requests for Change (RFCs), and many of them are related to security.
Often, when an aspect of the eHealthRecord is not working correctly, the IT help desk receives the phone calls, since it is the first point of contact for clinical professionals such as physicians and nurses. After the help desk performs some troubleshooting, it may realize that a fix or an enhancement is required to solve the problem or increase functionality. A good ITIL change management process is critical to organize all the RFCs and to make sure that the issues impacting security are prioritized high on the implementation list. It is easy to fall into the thinking that features and functions are the most important changes, since clinical professionals are asking for these and they are responsible for frontline delivery of healthcare services.
When a security breach occurs, it is often the result of hardware and software not being properly patched and upgraded to eliminate known security holes. Security has to be considered as part of the change management framework that a company implements; that way, it becomes part of the company’s culture.
When security and sound ITIL change management processes are not used, the following problems may occur:
- Unrelated systems are not tied together from a security perspective.
- Established change management processes may be waived due to lack of company compliance culture.
- Security is not at the root of the process, but more of an afterthought.
- Planning is not robust enough to migrate old platforms to new.
The change management process has to be part and parcel of the company culture, bringing all the parties together and allowing them to work in an atmosphere of trust and integrity. The IT, security and business teams have to work as one unit. Often, the security team is viewed the way sales and marketing organizations view the legal department -- as a necessary evil that has to be placated. Poor collaboration among the IT, security and business teams can lead to a breakdown in security.
The security team needs to be open to moving quickly, albeit with caution, and working in an iterative environment. The business teams need to embrace security and compliance policies, since these practices help keep the organization healthy in the long run and ensure its survival in a world of daily cyber terrorism. A security mindset has to be shared and embraced by senior leaders so that all parts of the organization can come together and work as one team.
IT change management offers many benefits that increase security:
- It automates the submission, tracking and approval process for IT changes for quick prioritization and implementation of critical security issues.
- It increases visibility into IT changes before implementation so all stakeholders can see possible security impact.
- It boosts cross-functional communication with real-time reporting to reduce security risk.
- It enhances IT department productivity by providing automated workflow and escalation so nothing falls through the cracks.
- It decreases security risk by lowering change-related failures after implementation.
- It speeds business decisions and implementation by delivering accurate, real-time reports.
- It minimizes business risk by ensuring Sarbanes-Oxley regulatory compliance through audit trails of IT-related changes for security audits.
- It identifies opportunities for business process improvement by providing trend analysis reporting for successful and unsuccessful IT-related changes.
- It ensures standardized methods, processes and procedures are used for all changes.
- It facilitates efficient and prompt handling of all changes.
- It maintains the proper balance between the need for change and the potential detrimental impact of changes.
In summary, ITIL best practices can help reduce security breaches. Of all the ITIL practices, change management and patch management will have the most significant impact on reducing the risk of security breaches. Healthcare organizations are very susceptible to security breaches, since the transition from paper to eHealthRecords is a resource-intensive, iterative process. IT, security and business teams have to come together and respect each other’s goals while remembering that security is of paramount importance.
Ron Avignone founded Giva in 1999; the company is based in Silicon Valley, California, and serves customers worldwide. Giva was among the first to provide a suite of HIPAA-compliant help desk and customer service/call center applications architected for the cloud. Ron holds an MBA from the University of Chicago and is a New York State Certified Public Accountant with a minor in English. Ron is also an avid endurance athlete, vegan and mindfulness advocate.