For most information security officers, winning funds for IT security investments remains one of the top challenges. On one side, the healthcare industry faces increasingly rigorous enforcement of information security regulations; on the other, many healthcare entities have yet to grasp why investing in information security matters. Decision-makers often have to be shown the threats facing their industry and the risks of failing to mitigate them in time.
Sharing insights on how to win much-needed funds for IT security initiatives, Sharon Finney, corporate data security officer at Adventist Health System, and Chuck Christian, CIO at St. Francis Hospital in Columbus, GA, both said that educating people comes first. Finney gives monthly security updates to her organization's divisional CIOs and CTOs and quarterly updates to a compliance board committee. Christian holds that providing the appropriate level of education, and sharing industry-related stories, studies and headlines, is essential to gaining buy-in from senior management. In practice this means keeping the risk assessment up to date and executives well informed.
A survey conducted by HealthcareInfoSecurity on how information security budgets are funded found the following (respondents named more than one source, so the figures do not sum to 100%):
- 45% ask for money to be allocated from the overall IT budget
- 38% have an exclusive, clearly defined security budget, separate from the IT budget
- 17% use risk assessment results to help secure funding
- 11% get funding from departments other than IT
- 9% have a clearly defined security budget as part of the IT budget
Key Takeaway Points
Christopher Paidhrin, Security Administration Manager in the information security technology division at PeaceHealth, says that until this year IT security was funded out of the IT division on a project basis for capital expenses, with staffing coming out of IT operating expenses. The security budget has now been separated into its own department within IT. According to Paidhrin, every capital request requires a "value-add" rationalization and an ROI justification and, more importantly, must be tied to business strategy, so preparing for security budget discussions means prioritizing all risks at the organizational level. In other words:
- Attach a rough cost of remediation and a rough exposure (expected loss) to each risk
- Project-size the risks into business-meaningful, manageable chunks
- Design a comprehensive security governance model, framework and action plan
For John Houston, Vice President and Privacy and Information Security Officer at the University of Pittsburgh Medical Center, annual budget meetings are preceded by extensive groundwork, including drawing up a security plan and identifying the key projects that need funding based on risk analysis. The organization uses a tool that ranks IT budget requests across divisions by risk.
Determining the Size of Data Security Budgets
Healthcare Information Security Today's survey findings show that spending 1 to 3 percent of the organization's IT budget on security is most common, and that only 37 percent of organizations expect their security budgets to increase this year. Some organizations treat security spending as insurance. Spending is also sized by the likelihood and cost of a loss versus the cost of the control that would avoid it: a control that costs more than the loss it prevents is hard to justify, while one that removes far more expected loss than it costs is easy to defend.
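To put numbers on the approach the interviewees describe (a cost of remediation and an exposure attached to each risk, the list ranked, and the requests fitted to a budget), the following Python script is an added illustration. It is not the ranking tool used at UPMC, nor a product of any vendor named on this page. It uses the standard annualized loss expectancy model (ALE = single loss expectancy × annualized rate of occurrence) and a return-on-security-investment ratio; the risk names, dollar figures, residual factors and the budget are all constructed sample data.

```python
"""Quantitative ranking of security budget requests.

Added illustration, not the page's own tool or any vendor's product.
Model: annualized loss expectancy ALE = SLE * ARO; a control's value is
the ALE it removes, compared against its cost (ROSI). All risk names,
dollar amounts, residual factors and the budget below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float               # single loss expectancy: dollars per incident
    aro: float               # annualized rate of occurrence: incidents per year
    control_cost: float      # first-year cost of the proposed remediation
    residual_factor: float   # share of ALE that remains after the control (0..1)

    @property
    def ale(self) -> float:
        """Exposure: expected loss per year if nothing is done."""
        return self.sle * self.aro

    @property
    def risk_reduction(self) -> float:
        """Expected loss per year that the control removes."""
        return self.ale * (1.0 - self.residual_factor)

    @property
    def rosi(self) -> float:
        """Return on security investment: net benefit per dollar of control cost."""
        return (self.risk_reduction - self.control_cost) / self.control_cost


# Constructed sample risk register; every figure here is an assumption.
SAMPLE_RISKS = [
    Risk("Phishing leads to credential theft", 200_000, 1.0, 50_000, 0.25),
    Risk("Unencrypted laptops holding PHI", 500_000, 0.2, 60_000, 0.10),
    Risk("Weak passwords on vendor portal", 80_000, 0.5, 10_000, 0.50),
    Risk("Unpatched legacy imaging server", 1_000_000, 0.05, 120_000, 0.0),
]


def rank_by_rosi(risks):
    """Order risks so the best net return per dollar comes first."""
    return sorted(risks, key=lambda r: r.rosi, reverse=True)


def plan_budget(risks, budget):
    """Greedy selection of controls within a budget.

    Controls whose cost exceeds the exposure they remove are deferred outright
    (accept, transfer, or look for a cheaper control); the rest are taken in
    ROSI order while they fit. Greedy is a knapsack approximation, which is
    adequate for the handful of items in a typical annual request.
    """
    selected, deferred = [], []
    remaining = budget
    for r in rank_by_rosi(risks):
        if r.rosi < 0:
            deferred.append((r, "control costs more than the exposure it removes"))
        elif r.control_cost <= remaining:
            selected.append(r)
            remaining -= r.control_cost
        else:
            deferred.append((r, "does not fit remaining budget"))
    return {
        "selected": selected,
        "deferred": deferred,
        "total_cost": budget - remaining,
        "total_reduction": sum(r.risk_reduction for r in selected),
    }


if __name__ == "__main__":
    plan = plan_budget(SAMPLE_RISKS, budget=100_000)
    print(f"{'risk':38} {'ALE':>10} {'reduces':>10} {'cost':>9} {'ROSI':>6}")
    for r in rank_by_rosi(SAMPLE_RISKS):
        print(f"{r.name:38} {r.ale:10,.0f} {r.risk_reduction:10,.0f} "
              f"{r.control_cost:9,.0f} {r.rosi:6.2f}")
    print("fund:", [r.name for r in plan["selected"]])
    for r, why in plan["deferred"]:
        print("defer:", r.name, "-", why)
    print(f"spend {plan['total_cost']:,.0f}; "
          f"exposure removed {plan['total_reduction']:,.0f} per year")
```

With the sample register and a 100,000 budget, the MFA-style phishing control and the vendor-portal password fix are funded (60,000 spent, 170,000 of annual expected loss removed), the laptop encryption rollout is deferred because it no longer fits, and the legacy server replacement is deferred because its cost exceeds the exposure it removes. That last row is the kind of item to present to executives as a risk to accept, transfer, or re-scope rather than as a security project that was cut.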
The Role of Regulatory Requirements
The adoption of electronic health records driven by the HITECH Act's incentive program, together with the need to comply with the new HIPAA Omnibus Rule, has put additional pressure on security budgets. Healthcare entities therefore have to take these requirements seriously and propose budgets that can accommodate them.
What healthcare organizations need, then, is a single solution that addresses compliance and security while also helping them justify security spending. Aegify Security Posture Management and Aegify SecureGRC are designed to do just that. By providing comprehensive security and compliance capabilities at a reasonable cost, the platform is suited to healthcare organizations of any size and can fit into any security budget.