By Bill Siwicki | April 15, 2016 

sa“Healthcare entities that want to be well positioned against cybersecurity threats must know what resources they have, how those are configured, and tightly control any changes,” IT Process Institute chief executive Scott Alldridge said.

IT Process Institute CEO Scott Allridge has cybersecurity advice for healthcare executives: Consider ITIL, the framework formerly known as the Information Technology Infrastructure Library.

“Following ITIL best practices becomes the ultimate backstop for your security posture,” said Scott Alldridge, CEO of the IT Process Institute, a research firm that studies top-performing organizations and best practices.

Despite all the money healthcare organizations spend on security tools, such as firewalls, intrusion detection and prevention systems and email security it is becoming painfully clear — especially in light of the ongoing ransomware attacks — that executives and employees are the biggest threat.

“People are being phished and enable viruses and encryption piracy tactics,” Alldridge said. “As a result, we have to go deeper than technology solutions and have great detective-based and best practices-based controls, and better social engineering around awareness, because if a hacker can phish a person or become a person’s connection, then a threat becomes very difficult to detect.”

Controls that detect when an employee is circumventing a policy or procedure, whether knowingly or unknowingly, are lacking in healthcare, Alldridge said.

“Good security becomes about being able to track and monitor their behavior and have the proper controls in place so they are not able to circumvent policy and procedures and security practices,” Alldridge said. “That is tricky.”

Alldridge added that the IT Process Institute believes ITIL offers the best descriptive framework for developing best practices in IT, including security practices. ITIL is owned by AXELOS, a joint venture by the U.K. and a company called Capita.

“Our research and other research has proven that through the implementation of various best practices there are benefits to the business and the IT organization,” he said.

When it comes to security, ITIL encompasses best practices for improved mean time to detection (MTTD), longer mean time between failures (MTBF) and better mean time to repair (MTTR).

ITIL also takes into consideration configuration management, change management and release management as key processes healthcare organizations can master to bolster cybersecurity.

“Change management is the golden achievement, but you cannot do effective change management if you do not know what you have, so you thus have to be able to manage configuration,” Alldridge said. “And if you are going to be developing things to release that will lead to a change, there should be a go-live release practice that feeds into good change practices. It becomes a closed loop process.”

If a healthcare organization knows the IT resources it has, knows those resources are configured well, only allows changes if changes are approved, and does not develop or implement new resources unless they are tested, that organization will be positioned well to deal with cybersecurity threats, Alldridge said.

“While it is fairly simple to describe it is not necessarily so easy to do,” he said. “It is a challenge to figure out where you begin to implement or bootstrap proven best practices into your IT organization.”