Tighten the organisation – The first point in Vrielink’s five-point plan is tightening of the organisation of the IT environment and structures to ensure secure operations. ‘There are still many hospital IT departments that operate on an ad hoc basis without clearly defined responsibilities. Tightening organisation here means spreading the IT tasks across the team in such a way that each team member is assigned tasks that fit their qualifications and competencies,’ he explains, adding that he is increasingly seeing facilities where the IT team leaders and their deputies carry 90 percent of the operational responsibilities with the entire rest of the team carrying only 10 percent of the weight. This, he claims, is not only a waste of security resources; it wastes of economic resources.
Needs to focus on own role
Vrielink suggests creating different IT sub-teams based on department size, which are in charge of defined applications (HIS, RIS, PACS, etc.) or network in respect of infrastructure. Additionally, he underlines, ‘responsibilities of department or division heads must be adjusted: management has to manage more and leave operations to their staff’.
Documentation is another important issue. All activities should be documented following unambiguous standards so as to trace and manage changes. Vrielink favours role-specific task definitions with clearly defined qualifications because, ‘This ensures each team member has or acquires appropriate qualifications and that new staff can be recruited according to actual need’. Investments in competent staff with a proper professional background are crucial. ‘Learning by doing or learning by reading is insufficient to keep you abreast of the developments and to become really familiar with the applications being used,’ he says, contradicting the proponents of Blended Learning, who consider this method to be the future of knowledge acquisition. ‘When day-to-day business makes concentrating on other issues difficult and when interruptions are part of the work day, a focused seminar away from the office hustle and bustle is clearly the better choice.’
To be able to operate the IT infrastructure safely hospitals have to know how many members of staff are needed for the task. Therefore quantifying the resource requirements is unavoidable, says Vrielink. Does that mean hospitals, many of which are already operating on a tight budget, have to hire more staff? ‘There is no clear-cut answer to that question,’ Vrielink says, ‘but indeed some of them will have to do that. If, as mentioned above, the costs are correctly calculated these human resource investments will be worthwhile. That is a management task, not a consequence of the IT security act. Additional costs should be within reasonable limits.’
Fill future security needs now
In the course of the next few years, building and medical technology must be reviewed from the IT perspective, since both areas will continue to increase the network density; but what to do with the data flood – where to store all the data? ‘This question, no doubt, will keep us busy in the next few years,’ Vrielink concedes. ‘There will be efforts to make the data collected in the hospital available for research purposes, or to turn dead data into revenue-generating data by making them available for analysis. This will create new security issues. Well-known problems such as interfaces to open networks, or the security of remote maintenance access for building and medical technology, will intensify.’
Management has to re-assess the IT strategy
Does that mean hospital management has to rethink its strategy and re-assess IT? The answer is ‘Yes, but’… ‘The re-assessment provides the opportunity to examine the entire facility and to identify black holes that gobble up money. Purchasing, redundancies, hidden double work, inefficiencies – these are but a few areas where targeted process optimation based on secure and confidential IT will reduce costs.
Implementing a security management system always involves close scrutiny of all business processes. For hospital managers who moan about the financial burden, Vrielink offers a recommendation: ‘Facilities that face insolvency should ask themselves whether their current situation is not the result of the ‘Ghost of Christmas Past’ – of misguided decisions. No hospital will have to shut down because of sensible investments in IT and IT security. It is wrong investments and omitted process and IT optimation that exacerbate financial pressure.’
The five-point plan:
1. Increase the degree of organisation in the IT department and create structures that allow safe and secure operations
2. Define responsibilities for documentation, operations and applications
3. Invest in competent staff with an adequate professional background
4. Quantify the resources required for secure IT operations
5. Re-assess building and medical technology to identify new security risks
Frederik Humpert-Vrielink, Managing Director of CETUS Consulting and specialist in data security and risk management, has comprehensive experience in the implementation of DIN 80001 – Risk Management for healthcare IT networks. He has been advising hospital groups on the development and successful implementation of IT security management systems for over a decade.