It has been said that the “hero of a successful digital transformation is GRC.” The ISACA website states, “to successfully manage the risk in digital transformation you need a modern approach to governance, risk and regulatory compliance.” For GRC program development, it is important to understand the health information technology resources and tools available to enable long term success.
What is GRC and why is it important?
According to the HIPAA Journal, the average cost of a healthcare data breach is now $9.42 million. In the first half of 2021, 351 significant data breaches were reported, affecting nearly 28 million individuals. The needs have never been more acute among healthcare providers, insurers, biotechnology and health research companies for effective information security and controls. Protecting sensitive data and establishing a firm security posture is essential. Improving health care and reducing cost relies on structured approaches and thoughtful implementation of available technologies to help govern data and mitigate risk across the enterprise.
Effective and efficient management of governance, risk, and compliance, or GRC, is fast becoming a business priority across industries. Leaders at hospitals and health systems of all sizes are looking for ways to build operating strategies that harmonize and enhance their GRC efforts. Essential to that mission are effective data governance, risk management, regulatory compliance, business continuity management, project governance, and security. Rather than stand-alone or siloed security or compliance efforts, a cohesive program coupled with GRC solutions allows organizational leaders to address the multitude of challenges more effectively and efficiently.
What are the goals for I.T. GRC?
For GRC efforts, leaders are looking to:
- Safeguard Protected Healthcare Data
- Meet and Maintain Compliance to Evolving Regulatory Mandates and Standards
- Identify, Mitigate and Prevent Risk
- Reduce operational friction
- Build in and utilize best practices
Managing governance, risk, and compliance in healthcare enterprises is a daunting task. GRC implementation for healthcare risk managers can be difficult, especially during this time of rapid digital and cloud transformation. But relying on internal legacy methods and tools leads to the same issues that have been seen on-premises, stifling innovation and improvement. As organizations adapt to cloud environments as a key element of digital transformation and integrated health care, leaders are realizing that now is the time to leverage the technology to implement GRC frameworks that accelerate their progress toward positive outcomes. What’s needed is expertise and a clear roadmap to success.
Cloud Automation of GRC
The road to success starts with a framework, aligned to business objectives, that provides cloud automation of Governance, Risk, and Compliance. Ideally this breaks down into three distinct phases:
- Building a Solid Foundation – within the cloud environment, ensuring infrastructure and applications are secured before they are deployed.
  - Image/Operating System hardening automation pipelines.
  - Infrastructure Deployment Automation Pipelines including Policy as Code to meet governance requirements.
  - CI/CD Pipelines including Code Quality and Code Security.
  - Disaster Recovery as a Service (DRaaS) meeting the organization’s Business Continuity Planning requirements.
  - Configuration Management to allow automatic remediation of your applications and operating systems.
  - Cost Management strategies with showback and chargeback implementation.
  - Automatic deployment and enforcement of standard security tools including FIM, IDS/IPS, AV and malware tooling.
  - IAM integration for authorization and authentication with platforms such as Active Directory, Okta, and PingFederate, allowing for more granular control over users and elevated privileges in the clouds.
  - Reference Architectures, pre-approved and with security baked in, created for the majority of the organization’s needs and used in the infrastructure pipelines.
  - Self-service CMDB integration with tools such as ServiceNow, Remedy and Jira Service Desk, allowing business units to provision their own infrastructure while providing the proper governance guardrails.
  - Resilient Architecture designs.
- Proper Configuration and Maintenance – Infrastructure misconfiguration is the leading cause of data breaches in the cloud, and a big reason misconfiguration happens is infrastructure configuration “drift,” or change that occurs in a cloud environment post-provisioning. Using automation to monitor and self-remediate the environment keeps the cloud environment in the proper configuration, eliminating the largest cause of incidents. Since workloads will live most of their life in this phase, it is important to ensure there isn’t any drift from the original secure deployment. An effective program will need:
  - Cloud Integrity Monitoring using cloud native tooling.
  - Log Management and Monitoring with centralized logging, critical in a well-designed environment.
  - Application Monitoring.
  - Infrastructure Monitoring.
  - Managed Services including patching to resolve issues.
  - SLAs to address incidents and quickly get them resolved.
  - Cost Management to ensure that budgets are met and there are no runaway costs.
  - Perimeter security utilizing cloud native and third-party security appliances and services.
  - Data Classification.
- Use of Industry Leading Tools – for risk assessment, reporting, verification and remediation, to thwart future problems and provide evidence to stakeholders that the cloud environment is rock solid. Tools and verification components would include:
  - Compliance reporting.
  - Risk Registry integration into tools.
  - Future attestations (BAAs).
  - Audit evidence generation.
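To make the Policy as Code, drift detection and self-remediation ideas above concrete, here is a small added example (not 2nd Watch code, and not tied to any particular cloud provider). It evaluates a resource record against a handful of policy rules, compares the deployed configuration to its approved baseline, resets any drifted fields, and emits an audit trail that could feed compliance reporting or audit evidence generation. The resource field names (`encrypted`, `public_access`, `logging`, `tags`), the rule set and the sample storage record are all constructed for illustration.

```python
"""Policy-as-code evaluation with drift detection and self-remediation.

Added example, not 2nd Watch code. The resource fields, rules and the
baseline record are constructed to stand in for a cloud inventory export.
"""
from copy import deepcopy

# Tags that every resource handling protected health data must carry (assumption).
REQUIRED_TAGS = {"data_classification", "owner"}


# --- Policy rules: each returns a finding string, or None when compliant ---
def rule_encryption_at_rest(r: dict):
    if r.get("type") == "storage" and not r.get("encrypted"):
        return "encryption at rest disabled"
    return None


def rule_no_public_access(r: dict):
    if r.get("type") == "storage" and r.get("public_access"):
        return "public access enabled"
    return None


def rule_required_tags(r: dict):
    missing = REQUIRED_TAGS - set(r.get("tags", {}))
    return f"missing tags: {sorted(missing)}" if missing else None


def rule_logging_enabled(r: dict):
    if not r.get("logging"):
        return "access logging disabled"
    return None


RULES = [rule_encryption_at_rest, rule_no_public_access,
         rule_required_tags, rule_logging_enabled]


def evaluate(resource: dict, rules=RULES) -> list[str]:
    """Return every policy violation found on one resource."""
    return [f for f in (rule(resource) for rule in rules) if f]


def detect_drift(baseline: dict, current: dict) -> dict:
    """Return {field: (approved, actual)} for fields that differ from the baseline."""
    keys = set(baseline) | set(current)
    return {k: (baseline.get(k), current.get(k))
            for k in keys if baseline.get(k) != current.get(k)}


def remediate(baseline: dict, current: dict) -> tuple[dict, list[dict]]:
    """Reset drifted fields to the baseline; return the corrected record and an audit trail."""
    fixed = deepcopy(current)
    trail = []
    for key, (approved, actual) in detect_drift(baseline, current).items():
        fixed[key] = approved
        trail.append({"resource": current["id"], "field": key,
                      "from": actual, "to": approved})
    return fixed, trail


# Constructed sample: the approved baseline and what is deployed right now.
BASELINE = {
    "id": "phi-archive-01", "type": "storage", "encrypted": True,
    "public_access": False, "logging": True,
    "tags": {"data_classification": "PHI", "owner": "records-team"},
}
DEPLOYED = {
    "id": "phi-archive-01", "type": "storage", "encrypted": True,
    "public_access": True, "logging": False,
    "tags": {"data_classification": "PHI"},
}


def run_check(baseline=BASELINE, deployed=DEPLOYED) -> dict:
    """Evaluate, remediate and re-evaluate; the result doubles as audit evidence."""
    before = evaluate(deployed)
    fixed, trail = remediate(baseline, deployed)
    return {"findings_before": before,
            "drift": sorted(detect_drift(baseline, deployed)),
            "findings_after": evaluate(fixed),
            "audit_trail": trail}


if __name__ == "__main__":
    import json
    print(json.dumps(run_check(), indent=2, default=str))
```

Running the script reports three findings on the deployed record (public access, a missing owner tag, and disabled logging), the three drifted fields, zero findings after remediation, and one audit-trail entry per corrected field. In a real pipeline the baseline would come from the approved reference architecture and the deployed record from the provider's inventory API, with the same evaluate/detect/remediate loop run on a schedule.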
Where do you go from here?
Your organization needs to innovate faster and drive value with the confidence of remaining in compliance. You need to get to a proactive state instead of being reactive. Consider an assessment to help you evaluate your organization’s place in the cloud journey and how the disparate forms of data in the organization are collected, controlled, processed, stored, and protected.
Start with an assessment that includes:
- Identification of security gaps
- Identification of foundational gaps
- Remediation plans
- Managed service provider onboarding plan
- A Phase Two (Foundational/Remediation) proposal and Statement of Work
About 2nd Watch
2nd Watch is a trusted and proven partner, providing deep skills and advisory to leading organizations for over a decade. We earned a client Net Promoter Score of 85, a good way of telling you that our customers nearly always recommend us to others. We can help your organization with cloud native solutions. We offer skills in the following areas:
- Developing cloud first strategies
- Migration of workloads to the cloud
- Implementing automation for governance and security guardrails
- Implementing compliance controls and processes
- Pipelines for data, infrastructure and application deployment
- Subject matter expertise for FHIR implementations
- Managed cloud services
Schedule time with an expert now: contact us.
-Tom James, Sr. Marketing Manager, Healthcare