The transformation in action
Following are examples of how an IT risk management transformation presents itself in the areas of cybersecurity, IT operations, and IT internal audit.
Cybersecurity. While major advancements in cybersecurity technologies have occurred in recent years (for example, multifactor authentication and advanced endpoint protection), cyberthreats, including ransomware attacks, continue to grow in number and severity, with the healthcare industry a frequent target.[1] Despite appropriate, layered security controls, the current high-threat landscape poses continuous risk for organizations. The “bad guys” are getting more sophisticated.
Use of integrated IT security tools can result in improved threat intelligence and the ability to act on threats more quickly. Better integration helps pull together siloed data, providing healthcare IT teams with a single source of truth, alerting them in real time to risk, and better informing response and remediation of threats.
As an example, the bad actors behind today’s cyberattacks often jump among a healthcare organization’s multiple data-generating IT systems. When those bad actors infiltrate these systems, they leave behind “breadcrumbs” that cyberthreat hunters can find. With multiple systems and tools in which breadcrumbs can be found and correlated, the job can be overwhelming. When threat hunting is performed in an integrated system with integrated data, fewer systems must be monitored, making the breadcrumbs easier to find. The result is more proactive, continuous monitoring – and a much more secure environment.
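The correlation step described above, written out as an added example that is not from the original article: events from three siloed systems, each with its own log format, are merged into one per-account timeline so that a hunter reviews a single record instead of three. The system names, log formats, accounts and the 30-minute / three-system threshold are constructed assumptions for illustration, not any vendor's output or a recommended production rule.

```python
"""
Added example (not from the original article): merge logs from several
siloed healthcare IT systems into one per-account timeline and flag
accounts whose activity spans several systems shortly after a remote login.
All log lines, system names and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs from three hypothetical systems, each in a different
# format: this is the silo problem the text describes.
VPN_LOG = """\
2024-03-02T02:14:07Z vpn-gw1 user=jdoe src=203.0.113.45 action=login result=success
2024-03-02T02:40:12Z vpn-gw1 user=jdoe src=203.0.113.45 action=logout
"""
EHR_LOG = """\
2024-03-02 02:16:30 | jdoe | PATIENT_RECORD_EXPORT | count=1200
2024-03-02 09:05:11 | asmith | PATIENT_RECORD_VIEW | count=1
"""
FILESERVER_LOG = """\
[02/Mar/2024:02:20:44 +0000] jdoe COPY //fs01/radiology/archive -> removable 3.1GB
"""

# Each event is normalised to (timestamp, system, account, description).
def parse_vpn(text):
    events = []
    for line in text.splitlines():
        m = re.match(r"(\S+) (\S+) user=(\S+) src=(\S+) action=(\S+)", line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, "vpn", m.group(3), f"{m.group(5)} from {m.group(4)}"))
    return events

def parse_ehr(text):
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 4:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            events.append((ts, "ehr", parts[1], f"{parts[2]} {parts[3]}"))
    return events

def parse_fileserver(text):
    events = []
    for line in text.splitlines():
        m = re.match(r"\[(.+?) \+0000\] (\S+) (\S+) (.*)", line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            events.append((ts, "fileserver", m.group(2), f"{m.group(3)} {m.group(4)}"))
    return events

def build_timelines(*event_lists):
    """Merge events from every system into one chronologically sorted
    timeline per account: the single view the hunter works from."""
    timelines = defaultdict(list)
    for events in event_lists:
        for ev in events:
            timelines[ev[2]].append(ev)
    for account in timelines:
        timelines[account].sort(key=lambda ev: ev[0])
    return dict(timelines)

def find_cross_system_chains(timelines, window=timedelta(minutes=30), min_systems=3):
    """Flag accounts whose activity touches at least `min_systems` distinct
    systems within `window` after a remote (VPN) login. The defaults are
    illustrative assumptions chosen for this sample data."""
    findings = []
    for account, events in timelines.items():
        for i, (ts, system, _, desc) in enumerate(events):
            if system != "vpn" or not desc.startswith("login"):
                continue
            chain = [ev for ev in events[i:] if ev[0] - ts <= window]
            systems = {ev[1] for ev in chain}
            if len(systems) >= min_systems:
                findings.append({"account": account, "start": ts, "end": chain[-1][0],
                                 "systems": sorted(systems), "events": chain})
    return findings

if __name__ == "__main__":
    timelines = build_timelines(parse_vpn(VPN_LOG), parse_ehr(EHR_LOG),
                                parse_fileserver(FILESERVER_LOG))
    for finding in find_cross_system_chains(timelines):
        print(f"{finding['account']}: {finding['systems']} "
              f"between {finding['start']} and {finding['end']}")
        for ts, system, _, desc in finding["events"]:
            print(f"  {ts} [{system}] {desc}")
```

With the constructed data, only the `jdoe` timeline crosses three systems inside the window; `asmith` appears in a single system and is not raised. In practice the parsers would be replaced by the integrated platform's normalised schema, which is the point the text makes: the correlation logic stays the same, but there are fewer feeds to join.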
IT operations. Opportunities for improvement also abound in an organization’s IT operations in general. Hospital clinical systems, by their very nature, are some of the most complicated in the world and difficult to keep stable. For example, consider a hospital’s chronically unstable picture archiving and communication system (PACS). The clues to help the hospital fix the instabilities within a PACS are all contained within the system’s logs. However, these logs are huge, and the clues indicating problems are not straightforward. With an integrated system and use of artificial intelligence tools, however, the hospital can find these problems, take remedial steps to fix them in the short term, and work with the vendor on final fixes – quickly. Use of these tools can effectively eliminate costly and dangerous downtimes.
IT internal audit. Historically, IT internal auditors have spent a lot of their time conducting tests and sampling data to search for IT operations, process, and control problems. For example, during an audit of user access, an auditor might request reports from the IT and human resource departments to determine whether a user has erroneously been granted privileges or a terminated employee still has an active account. Conducting an audit using this traditional method, with its many manual processes, can take time – sometimes several weeks or months. By the time the sampling is completed, the data is often stale and outdated.
In an IT environment in which data is integrated and the organization has the processing power to harness that data fully, auditors can do tests on full data sets – not just samples – in real time. This integrated approach to transforming IT risk management allows for continuous auditing, which can routinely test all the information and call out exceptions within the full population. As audits move toward continuous auditing and automation, auditors can spend less time manually searching for evidence and more time determining root causes of those issues and partnering with IT and management on remediation.
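The user-access test from the audit example above, run over the full population as the continuous-auditing approach describes, written as an added example that is not from the original article. It joins an HR roster to an identity system's account export and reports every exception: terminated employees with enabled accounts, accounts with no HR record, and entitlements outside what the role allows. The column names, sample rows and role-to-entitlement matrix are constructed assumptions for illustration.

```python
"""
Added example (not from the original article): a continuous user-access audit
test over the full population of accounts rather than a sample. Joins an HR
roster to an identity export and reports exceptions. All data, column names
and the role-to-entitlement matrix are constructed assumptions.
"""
import csv
from datetime import date
from io import StringIO

# Constructed HR roster export (assumed columns).
HR_ROSTER = """\
employee_id,name,role,status,termination_date
1001,Jane Doe,nurse,active,
1002,Alan Smith,radiologist,terminated,2024-02-15
1003,Priya Patel,billing_clerk,active,
1004,Omar Reyes,contractor,active,
"""

# Constructed identity-system export (assumed columns; entitlements are ';'-separated).
IAM_ACCOUNTS = """\
username,employee_id,status,entitlements
jdoe,1001,enabled,ehr_clinical;pacs_view
asmith,1002,enabled,ehr_clinical;pacs_view;pacs_admin
ppatel,1003,enabled,billing;ehr_clinical
oreyes,1004,enabled,vpn
svc_backup,,enabled,backup_admin
"""

# Constructed role-to-entitlement matrix: what each role is permitted to hold.
ALLOWED_ENTITLEMENTS = {
    "nurse": {"ehr_clinical", "pacs_view"},
    "radiologist": {"ehr_clinical", "pacs_view", "pacs_admin"},
    "billing_clerk": {"billing"},
    "contractor": {"vpn"},
}

def load_csv(text):
    return list(csv.DictReader(StringIO(text)))

def audit_access(hr_rows, iam_rows, as_of):
    """Test every enabled account against HR status and the role matrix.
    Returns one dict per exception found in the full population."""
    hr_by_id = {r["employee_id"]: r for r in hr_rows}
    exceptions = []
    for acct in iam_rows:
        if acct["status"] != "enabled":
            continue  # disabled accounts are out of scope for this test
        username = acct["username"]
        entitlements = set(filter(None, acct["entitlements"].split(";")))
        emp = hr_by_id.get(acct["employee_id"])
        if emp is None:
            exceptions.append({"username": username, "type": "orphaned_account",
                               "detail": "no matching HR record"})
            continue
        if emp["status"] == "terminated":
            term = date.fromisoformat(emp["termination_date"])
            exceptions.append({"username": username, "type": "terminated_but_enabled",
                               "detail": f"terminated {term}, {(as_of - term).days} days ago"})
        excess = entitlements - ALLOWED_ENTITLEMENTS.get(emp["role"], set())
        if excess:
            exceptions.append({"username": username, "type": "excess_entitlement",
                               "detail": f"role {emp['role']} not allowed: "
                                         + ",".join(sorted(excess))})
    return exceptions

def summarize(exceptions):
    """Count exceptions by type, the figure an auditor would report."""
    counts = {}
    for e in exceptions:
        counts[e["type"]] = counts.get(e["type"], 0) + 1
    return counts

if __name__ == "__main__":
    found = audit_access(load_csv(HR_ROSTER), load_csv(IAM_ACCOUNTS), date(2024, 3, 2))
    for e in found:
        print(f"{e['username']:<12} {e['type']:<24} {e['detail']}")
    print(summarize(found))
```

Because the test runs over every account rather than a sample, the same function can be scheduled against each day's exports, and the auditor's time goes into the root cause of each exception (a leaver process that did not fire, a role change that never revoked the old entitlement) rather than into assembling the evidence.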