The Most Expensive Single Server Upgrade, Ever (So Far)

One server, that’ll be $41,000,000.00.

Outside of top secret government systems and experimental research, most commercial entities expect a server upgrade to produce a net savings, or at least to maintain a baseline of performance.  Servers can be quite pricey, ranging from $5,000 to $20,000 or more if you want to own the hardware.  Cloud-based servers run from $0 (to try) up to several thousand dollars a month, again depending on what you require.

Imagine a server that cost $100,000.  Or $500,000.  Or $1,000,000.  What would you expect from such a computing powerhouse?  If all you received was a basic, run-of-the-mill server with competent on-site installation, would you feel like it was a bad deal?  Why would anyone pay so much?

Nobody would, at least not intentionally.  But that is exactly what happened at a Northern California hospital: through a series of events, a single server ended up costing St. Joseph’s Health over $41 million.  That is a lot of new MRI machines, doctors’ salaries, and clinical improvements, combined.

Cause                                     Cost
Controls and Systems Upgrade              $17 million
Class Action Settlement                   $15 million
Credit Monitoring                         $4.5 million
Victims Fund (ID theft damages)           $3 million
HHS OCR Civil Monetary Penalty            $2.14 million
Total                                     $41.64 million

The only difference between St. Joseph’s and a number of other hospitals and healthcare networks is that we know what happened at St. Joseph’s.  Others are simply waiting to be discovered.  At the risk of sounding like an armchair quarterback, the problem in this case was not an IT problem, and it was not even an IT security problem.  It was a management problem.

Information security is not IT security.  Information security includes IT security, but also risk management, regulatory compliance, and management policies (collectively referred to as governance).  In this instance the server was installed, and no doubt it was fully functional and configured according to the standard operating procedure.  What was missing was a process to manage the introduction of new technology, in particular a check, before go-live, on where ePHI would be stored, transmitted, or processed and who could reach it.

When we trust our doctor to treat our medical information confidentially, we are also trusting the supporting cast of professionals to do likewise.  It is incumbent on healthcare leadership to build information security into the culture and strategic vision of the organization, and to take responsibility for the due care that our most intimate medical information deserves.

Contact RMO Consulting today to learn how we can work together to determine your organization’s information security needs.


3 Steps to Review Your Vendor’s Information Security

With the New Year comes the resolve to do things that make our lives better.  With that in mind, take the occasion to revisit your vendor management, particularly where information security is concerned.

The American Recovery and Reinvestment Act of 2009 (through its HITECH provisions) requires that all business associates (i.e. vendors that handle PHI on your behalf) comply with the privacy and security provisions of HIPAA just as the covered entities they work with must, and that these requirements be written into your contracts as a business associate agreement.  While contract language may satisfy legal minds, giving your business associates specific guidance on what compliance looks like eliminates confusion and demonstrates due diligence above and beyond the minimum.  Below are three steps that can serve as the foundation of sound vendor management.

A good first step is to perform a risk analysis of each vendor relationship.  There are many approaches to risk assessment; find one that works for you and stick with it.  The value of a risk assessment comes from consistent use of a single method or tool, so that you can make apples-to-apples comparisons across vendors and over time.  If this is new to your organization, reach out to experienced professionals who can help, a little or a lot, to develop an approach that works for you.

Next, with a risk assessment in hand, look at the business associates that carry the most risk and analyze whether their current information security regimen is sufficient to reduce that risk to an acceptable level.  Some questions you might consider:

  1. What transparency do you have into the operations and information security of your vendor?
  2. Are your vendors independently certified or audited, and have you reviewed the actual report rather than just the certificate?
  3. How responsive are your vendors when you send questionnaires or requests for attestation?

Consider requiring vendors to obtain independent certification within the next 18-24 months.  Among the many standards available, ISO/IEC 27001 and HITRUST are widely accepted and offer formal, third-party certification; NIST publications (such as the Cybersecurity Framework and SP 800-53) are also widely used, but NIST is a framework to be assessed against rather than a certifying body, so ask for the independent assessment report.  The advantages of using a recognized standard are uniformity in controls selection, an independent audit and assessment approach, and a reduction in compliance costs for both parties.

Third, be a promoter of the value of risk-based, objective vendor management.  This approach helps prioritize where your attention needs to be and provides a clear measure of just how important some of your business associations truly are.  That information can be shared throughout your organization and integrated with your other risk management, information security, and business intelligence activities.

As more business practices are outsourced, the need for sound vendor management has never been greater.  Integrating your information security risk management approach with vendor management provides supply chain transparency and produces demonstrable due diligence.  Finally, by taking the approaches above, inconsistencies and shortcomings are more likely to be identified and remedied before an embarrassing reportable event occurs.