Transforming IT risk management: Are you ready?

Daniel T. Yunker, John Norenberg | 5/3/2022

The healthcare industry has abundant data that it is using to help guide patient care and enhance hospital operations. What it doesn’t have quite yet is a better, more integrated way to use that information to manage IT and cyber risks.

An integrated approach to transforming IT risk management can help today’s increasingly complex healthcare systems lower costs, achieve greater functionality of IT systems, reduce cyber risk exposure, and make more productive use of IT staff members. But before healthcare systems can evolve, they need to have certain elements in place. Following are descriptions of those elements and examples of the value an IT risk management transformation can bring to an organization.

3 key elements needed for the transformation

For an organization to evolve, it needs three fundamental elements.

1. Data. As noted above, most healthcare organizations today do not lack data. Hardware and software typically log their own activity, and the answers to most risk questions (for example, Are intruders active on the network? Are systems stable? Are staff members using the systems for appropriate tasks?) are embedded in those logs. Most of the data necessary to manage IT and cyber risk within an organization therefore already exists, provided it is actually being collected, retained, and kept somewhere it can be queried. Because the data sets are so large, however, more effective tools are needed to make use of them.

2. Processing power. Because the data sets are so large, substantial computing capacity is needed to pull them together and transform them into usable information.

3. Integrated tools. Once a healthcare organization's IT, cybersecurity, and audit groups have the necessary data and sufficient processing power, they need integrated tools – those that perform the functions of several disparate tools and share information across all functions in a single data view – to operate more efficiently. An integrated tool set includes correlation and analytics logic that surfaces findings automatically, further taking the burden off analysts. A cybersecurity department might have 20 or more tools at its disposal, which require approximately one to three full-time equivalents (FTEs) to administer. Using a smaller set of integrated tools can reduce the need for those FTEs or free them for more valuable work.

In addition, integrated tools give healthcare organizations a bigger-picture view of risk, rather than the small snippets shown by each disparate system. With several disparate systems, investigating a complicated IT problem such as a cyberthreat can take days, weeks, or even months. When an organization's data and cybersecurity tools are integrated, that timeline can shrink to days, hours, or even minutes.

The transformation in action

Following are examples of how an IT risk management transformation presents itself in the areas of cybersecurity, IT operations, and IT internal audit.

Cybersecurity. While major advancements in cybersecurity technologies have occurred in recent years (for example, multifactor authentication and advanced endpoint protection), cyberthreats, including ransomware attacks, continue to grow in number and severity, with the healthcare industry a frequent target.1 Even with appropriate, layered security controls in place, the current threat landscape poses continuous risk, and attackers are becoming more sophisticated.

Use of integrated IT security tools can result in improved threat intelligence and the ability to act on threats more quickly. Better integration helps pull together siloed data, providing healthcare IT teams with a single source of truth, alerting them in real time to risk, and better informing response and remediation of threats.

As an example, the bad actors behind today's cyberattacks often move among a healthcare organization's many data-generating IT systems. Each system they touch records traces, or "breadcrumbs," that threat hunters can find. When those breadcrumbs are scattered across many systems and tools, finding and correlating them can be overwhelming. When threat hunting is performed on integrated data, fewer systems must be queried and the breadcrumbs are easier to link into a single timeline. The result is proactive, continuous monitoring rather than one-off investigations, and a much more secure environment.
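To make the "breadcrumbs" idea concrete, the following is an added example (not code from the article, from Kodiak Solutions, or from any vendor it mentions). It takes constructed records from three siloed sources (a VPN concentrator, Windows security logs, and an EDR alert feed), normalizes them into one schema, and follows a single user hop by hop: each event is linked to the previous one only if it originates from the host the previous event reached and falls within a time window. The log formats, host inventory, field names and the 60-minute window are all assumptions made for the example.

```python
"""Correlate attacker breadcrumbs from siloed sources into one timeline.

Added example; the three log formats, the events and the IP-to-host
inventory below are constructed, not real data.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- constructed raw records from three separate tools -------------------
VPN_LOG = [
    "2022-05-02T01:12:03 vpn01 session-start user=jsmith src=203.0.113.7 assigned=10.20.4.15",
]
WIN_LOG = [  # (host that wrote the event, raw 4624 logon line)
    ("WS-RAD-07", "2022-05-02T01:14:40 EventID=4624 TargetUserName=jsmith LogonType=10 IpAddress=10.20.4.15"),
    ("WS-RAD-07", "2022-05-02T01:20:11 EventID=4624 TargetUserName=cdiaz LogonType=2 IpAddress=127.0.0.1"),
    ("PACS-DB-01", "2022-05-02T01:31:09 EventID=4624 TargetUserName=jsmith LogonType=3 IpAddress=10.20.7.31"),
    ("WS-NUR-02", "2022-05-02T08:00:00 EventID=4624 TargetUserName=jsmith LogonType=2 IpAddress=10.20.8.8"),
]
EDR_LOG = [
    '{"ts": "2022-05-02T01:33:50", "host": "PACS-DB-01", "user": "jsmith", "detection": "credential dumping tool detected"}',
]
# Constructed asset inventory: the shared lookup an integrated data view provides.
IP_TO_HOST = {"10.20.7.31": "WS-RAD-07", "10.20.9.5": "PACS-DB-01"}
WINDOW = timedelta(minutes=60)  # assumption: hops farther apart are not chained


@dataclass(order=True)
class Event:
    ts: datetime
    source: str   # which tool produced it
    user: str
    host: str     # node the event landed on (for VPN: the assigned address)
    src_ip: str   # where the activity came from, '' if not applicable
    detail: str


VPN_RE = re.compile(r"^(\S+) (\S+) session-start user=(\S+) src=(\S+) assigned=(\S+)$")
WIN_RE = re.compile(r"^(\S+) EventID=4624 TargetUserName=(\S+) LogonType=(\d+) IpAddress=(\S+)$")


def parse_vpn(line):
    ts, device, user, src, assigned = VPN_RE.match(line).groups()
    return Event(datetime.fromisoformat(ts), "vpn", user, assigned, src, f"vpn session on {device}")


def parse_windows(host, line):
    ts, user, logon_type, ip = WIN_RE.match(line).groups()
    return Event(datetime.fromisoformat(ts), "windows", user, host, ip, f"4624 type {logon_type}")


def parse_edr(line):
    d = json.loads(line)
    return Event(datetime.fromisoformat(d["ts"]), "edr", d["user"], d["host"], "", d["detection"])


def load_events():
    """One normalized event list in place of three tool-specific views."""
    events = [parse_vpn(l) for l in VPN_LOG]
    events += [parse_windows(h, l) for h, l in WIN_LOG]
    events += [parse_edr(l) for l in EDR_LOG]
    return sorted(events)


def origin(ev):
    """Resolve the originating node, using the inventory where it knows the IP."""
    return IP_TO_HOST.get(ev.src_ip, ev.src_ip)


def trace(events, user):
    """Follow `user` from the VPN edge inward; return (source, host, detail) hops."""
    chain = []
    for ev in (e for e in events if e.user == user):
        if not chain:
            if ev.source == "vpn":
                chain.append(ev)
            continue
        prev = chain[-1]
        within = ev.ts - prev.ts <= WINDOW
        if ev.source == "windows" and within and origin(ev) == prev.host:
            chain.append(ev)            # logon came from the node we last reached
        elif ev.source == "edr" and within and ev.host == prev.host:
            chain.append(ev)            # alert fired on the node we last reached
    return [(e.source, e.host, e.detail) for e in chain]


def hunt(user="jsmith"):
    return trace(load_events(), user)


if __name__ == "__main__":
    for source, host, detail in hunt():
        print(f"{source:8} {host:12} {detail}")
```

The chain stops at the 08:00 logon on WS-NUR-02: it comes from an address unrelated to the last hop and falls outside the window, so it is left for a separate investigation rather than glued onto this one. With the sources kept in separate consoles, the same four hops would have to be found by hand in three different tools.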

IT operations. Opportunities for improvement also abound in an organization's IT operations in general. Hospital clinical systems, by their very nature, are some of the most complicated in the world and difficult to keep stable. For example, consider a hospital's chronically unstable picture archiving and communication system (PACS). The clues to help the hospital fix the instabilities within a PACS are all contained within the system's logs. However, these logs are huge, and the clues indicating problems are not straightforward. With an integrated system and artificial intelligence tools, however, the hospital can find these problems, take short-term remedial steps, and work with the vendor on permanent fixes – quickly. Use of these tools can sharply reduce costly and dangerous downtime.

IT internal audit. Historically, IT internal auditors have spent much of their time conducting tests and sampling data to search for IT operations, process, and control problems. For example, during an audit of user access, an auditor might request reports from the IT and human resources departments to determine whether a user has erroneously been granted privileges or whether a terminated employee still has an active account. Conducting an audit using this traditional method, with its many manual processes, can take time – sometimes several weeks or months. By the time the sampling is completed, the data is often stale.

In an IT environment in which data is integrated and the organization has the processing power to harness that data fully, auditors can do tests on full data sets – not just samples – in real time. This integrated approach to transforming IT risk management allows for continuous auditing, which can routinely test all the information and call out exceptions within the full population. As audits move toward continuous auditing and automation, auditors can spend less time manually searching for evidence and more time determining root causes of those issues and partnering with IT and management on remediation.
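The user-access audit described above is the kind of test that becomes a continuous, full-population check once HR and directory data sit in one queryable place. The following is an added example (not code from the article or from Kodiak Solutions) that joins a constructed HR roster to a constructed directory export and reports every exception, not a sample. The column names, the rule that only the IT department may hold Domain Admins, and the 90-day dormancy threshold are assumptions made for the example.

```python
"""Continuous user-access reconciliation over the full account population.

Added example with constructed data; column names, privileged-group policy
and the dormancy threshold are assumptions, not the article's.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR export: one row per worker; termination_date empty if active.
HR_CSV = """employee_id,name,department,termination_date
1001,Alice Rivera,IT,
1002,Bob Chen,Radiology,2022-04-15
1003,Carol Diaz,Nursing,
1004,Dan Okafor,Finance,
"""

# Constructed directory export: one row per account; groups are ';'-separated.
DIRECTORY_CSV = """account,employee_id,enabled,groups,last_logon
arivera,1001,true,Domain Users;Domain Admins,2022-05-02
bchen,1002,true,Domain Users,2022-04-29
cdiaz,1003,true,Domain Users;Domain Admins,2022-05-01
dokafor,1004,true,Domain Users,2021-10-12
svc_legacy,,true,Domain Users,2022-05-02
"""

PRIVILEGED_GROUPS = {"Domain Admins"}    # assumption: groups that count as privileged
PRIVILEGED_DEPARTMENTS = {"IT"}          # assumption: only IT staff may hold them
DORMANT_DAYS = 90                        # assumption: dormancy threshold


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_rows, dir_rows, today):
    """Test every account against HR; return (account, rule) for each exception."""
    hr = {row["employee_id"]: row for row in hr_rows}
    exceptions = []
    for acct in dir_rows:
        name = acct["account"]
        enabled = acct["enabled"].lower() == "true"
        groups = set(filter(None, acct["groups"].split(";")))
        emp = hr.get(acct["employee_id"])
        if emp is None:
            # Orphaned or service account with no owner in HR: nobody to attest for it.
            exceptions.append((name, "no_hr_record"))
            continue
        term = emp["termination_date"]
        if term and enabled and date.fromisoformat(term) < today:
            exceptions.append((name, "terminated_but_enabled"))
        if groups & PRIVILEGED_GROUPS and emp["department"] not in PRIVILEGED_DEPARTMENTS:
            exceptions.append((name, "privileged_outside_it"))
        last_logon = date.fromisoformat(acct["last_logon"])
        if enabled and today - last_logon > timedelta(days=DORMANT_DAYS):
            exceptions.append((name, "dormant_account"))
    return exceptions


def run(today=date(2022, 5, 3)):
    """Run the full-population test as of `today` (defaults to the article's date)."""
    return reconcile(load(HR_CSV), load(DIRECTORY_CSV), today)


if __name__ == "__main__":
    for account, rule in run():
        print(f"{account:12} {rule}")
```

Because the rules run over every account rather than a sample, the auditor's output is the exception list itself; the remaining work is root-cause analysis (why was bchen's account not disabled on termination, who owns svc_legacy) rather than evidence gathering.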

Just the beginning

Having accurate data, adequate processing power, and integrated IT systems and outputs is a good start on the transformation to improving IT risk monitoring – but it is merely a start. To truly transform the business and gain all the value promised, jobs need to be changed to take advantage of these advanced systems, and that means that organizations will need to change as well.

The tools are emerging, and it couldn’t come at a better time as healthcare organizations face challenges finding and holding IT and audit talent. The path forward and the rewards are becoming clear. Are organizations ready to be fully equipped to handle IT risk in today’s digital world?

1 Emily Skahill and Darrell M. West, “Why Hospitals and Healthcare Organizations Need to Take Cybersecurity More Seriously,” Brookings, Aug. 9, 2021,

Contact us

Daniel T. Yunker
Senior Vice President, Risk and Compliance, Kodiak Solutions
John Norenberg
Senior Manager, Healthcare Consulting