How Do You Decide Which Security Functions To Outsource?

March 01, 2018
NTT DATA Services HCLS Security Blog

Security continues to be an area of high risk for healthcare organizations, and it is one with few easy answers. While a few very large health systems may have the bandwidth and resources to employ dedicated security professionals, medium- and small-sized systems seldom have that luxury. And that means they will likely need the help of a security vendor at some point.

Given that need, IT and compliance execs spend a lot of time pondering what functions to outsource, and what functions to keep in house. It’s a tough question to answer, because there is no one-size-fits-all answer. The decision will vary from organization to organization.

Most IT departments have staff who can manage the basic security functions, including software updates and security patches, access management, enforcement of password strength and protocols and training of employees in safe use of email and web downloads. But even those basic functions can be outsourced. In some cases, organizations hire security consultants to help them assess their current situation and design a more comprehensive strategy. That way, you get the expertise you need, but can accomplish the day-to-day work with your own staff. But you can also hire a vendor to manage your entire security program.

While I can’t give you a definitive answer to the question of what to outsource and what to do in-house, I can offer advice on how to make the decision yourself, and what factors you should consider.

You can’t outsource the responsibility

Outsourcing security is not an all-or-nothing proposition. You certainly can contract for an all-inclusive managed security service, but you can also contract for specific services that you don’t have the expertise or bandwidth to provide in-house. Either way, outsourcing won’t relieve you of the responsibility for managing and overseeing security.

When you outsource to a vendor, you’ll need to set parameters and establish a service level agreement with incentives, penalties or both. You’ll also need a regular reporting cadence, and you’ll need to ensure that you have the information to verify that the job is being done to your specifications.

Outsourcing can, however, free you and your staff from the daily tasks, giving you more time to focus on other needs. Just don’t expect to hire a vendor and then forget about security.

Staff bandwidth and vendor capabilities must be part of the equation…

When looking at whether to outsource more advanced security functions, you need to consider not only staff capabilities but also bandwidth. If your most capable security staffer is overloaded with other tasks, security may take a backseat to other projects or those other projects may be neglected. On the other hand, if you have a staff member with both the expertise and the time, that may be a viable option, particularly if you have requirements that are unique to your organization.

Another consideration is the critical mass of operations. Is your organization big enough to devote staff solely to security? And do you have access to the resources to keep your security staff up to date on current threats and techniques? This is an especially important question if your security staff is small, because to stay current, your security staff will need to interact with peers. And hiring top-notch security resources can be a challenge. Large security firms not only offer competitive salaries, they also offer the chance to be immersed in the security world, which can be persuasive.

Vendor expertise and experience should also be considered carefully. It does you no good to hire a vendor who lacks the depth of expertise you need or who has little real-world experience in healthcare. Has the vendor done similar work for organizations like yours? Do they have the experience to understand the compliance and regulatory issues in healthcare? A security firm with lots of banking experience, for example, may not have the specialized healthcare knowledge you need, even if they have the security expertise.

…along with, of course, cost

Cost, of course, will be a critical consideration. You’ll need to weigh the cost of using vendor staff against the cost of in-house staff. Vendors will typically structure their services to include the manpower, tools, reporting and ongoing education required to meet your needs. Providing the same service in-house will mean the costs associated with all those items will come from your budget. The more specialized the security expertise you need, the more likely that using vendor staff will be more cost-effective.

It pays to run the numbers and see what your costs will be over several years. If your organization is big enough and has an ongoing need for a particular skill set, it might pay off to hire someone with those skills. On the other hand, if your needs are intermittent, using vendor staff could be less expensive.

Look for a partner, not just a vendor

Trust is important in this relationship, because security experts will have access to your most sensitive systems. Take the time to vet the security firm and make sure you are comfortable with the people. Find a firm that has a partnership attitude, because that’s a firm that will be proactive about keeping you informed and giving you a heads-up when the situation demands it. You want a partner who cares as much about your security as you do.

Frank Negro

Frank Negro is a Senior Managing Consultant for NTT DATA Services. A 40-year veteran of the healthcare IT industry, Frank has served in a variety of leadership roles for several major providers, including CIO positions at community, regional and national health systems. In his current role, Frank provides advice to healthcare executives on strategic issues related to healthcare information systems. He earned his BS from Rensselaer Polytechnic Institute and a Certificate in Data Processing from ICCP.