Health Data Management recently asked healthcare security consultants and attorneys for situations under which providers should consider outsourcing one or more components of their information technology security.

Here are some answers:

Gerry Hinkley: Partner, law firm of Pillsbury Winthrop, Shaw, Pittman

“It is likely that every institutional healthcare provider will need some form of managed security services to level the playing field with the bad guys. At provider organizations, there are often insufficient internal resources available to manage data security at a state-of-the-art level, which makes outsourcing options desirable. The reasons for institutional providers to adopt an outsourced service include these common factors:

* “A complex IT infrastructure,

* “An emerging collection of disparate cloud and SaaS solutions that are linked together,

* “A large number of data users and endpoints (100+)—especially those that are physically exposed such as SCADA (a supervisory control and data acquisition system) and POS (point of sale devices), and

* “A brand built on and dependent on reputation.”

Daniel Gottlieb, Partner, law firm of McDermott Will & Emery

“As provider organizations increasingly move their data centers to third-party providers or acquire information technology from the cloud on a SaaS basis, they need to rely on third parties for key components of IT security. For example, the service providers can back up data in remote locations and periodically test the reliability of back-up files to assure data availability following a disaster. Third parties also can administer virus scanning, firewalls and other defenses against cyber-attacks and hackers remotely. It is essential that all parties have a clear understanding of their respective roles and responsibilities in order to minimize vulnerabilities.”

Also See: Work to Begin on Effort to Share Cyber Threat Information

Tom Walsh, President and CEO, tw-Security

“My two suggestions for outsourcing IT security components include when a provider does not have staff with adequate security qualifications (especially smaller organizations), and to monitor their external facing systems using a Managed Security Service Provider to monitor audit logs, regardless of organization size and staff qualifications. On average, a MSSP can provide a service at about half the cost of having an internal network engineer monitor the logs. Besides, is that the best use of time for a network engineer? They need to focus on internal support issues. Further, using a MSSP transfers some of the cybersecurity risk.”

Linn Freedman, Partner, law firm of Robinson & Cole

“We do not recommend that you outsource governance, risk and compliance functions, but rather functions that are more appropriate for outsourcing, like firewall management, network security monitoring and vulnerability scanning. Further, if the organization has the necessary skill set but just not the capacity to handle all of the security in-house, then we would favor outsourcing other IT functions prior to outsourcing security functions.”

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access