After I wrote the two-part blog post series on "CISO Challenges: The Build vs. Buy Problem", I emailed a few of my CISO friends in healthcare to ask them three simple questions about how they decide what to build in-house and what to outsource. This is a difficult topic to discuss openly, but I think it's critical that we address it, since many medium-sized organizations are facing exactly these challenges right now as they budget for FY13.
The three questions:
- How do you decide what to build in-house and what you're going to outsource?
- In your healthcare space- what things can you absolutely NOT outsource?
- What role do regulations play in your decisions to outsource versus in-source?
Director - Information Security
WellStar Health System
- We generally outsource most system builds. As a not-for-profit, we focus our internal resources on what we believe our core areas are and leverage a group of trusted partners to build systems or do other "one-off" work.
- The only thing you cannot outsource in healthcare is accountability for your patients' Protected Health Information. The decision to outsource any function is finding the balance of costs, risks, and benefits. Some functions may require the addition of compensating and/or reporting controls that a vendor would charge so much for that the cost of an outsource makes no economic sense, or the cost of maintaining existing SLAs would be so high that a significant SLA downgrade would be needed to make the deal workable.
Outsourcing is *not* a security problem. It's a business problem/opportunity.
- Regulations (HIPAA, HITECH, etc.) play large in our decision making. That being said, nothing in the compliance frameworks we are subject to prohibits outsourcing. The regulations *do* prescribe the types of controls that have to be in place, but a creative mind can come up with ways of solving this in-source or outsource - of course, the costs between the two may be very different.
Providence Health & Services
- We look at whether the need is urgent and immediate, what skills we have in-house, and whether this is likely to be an ongoing enterprise capability or a limited-duration point solution. Tool development is not part of our wheelhouse.
- We have to be careful about data access and biomedical equipment.
- Regulations generally don't affect our sourcing decisions.
A little analysis of the two sets of answers...
- Both CISOs seemed to agree that long-term or strategic tasks should be curated in-house and are not great candidates for outsourcing, while repetitive or "one-time" technical tasks are easily outsourced. This comes down, I believe, to a question of closeness to the business objectives. In healthcare you won't find a lot of non-essential technology expertise, because in-house talent is laser-focused on patient care or on delivering quality technology toward that goal. When deciding what will get budget, CISOs have to think strategically, and the tasks that most directly further business goals, at the highest level, are often the ones that are in-sourced.
- It seems that in healthcare, much like other verticals, one of the only things you can't outsource is accountability. This forces you, as the CISO, to make smart decisions about which tasks you can afford to source outside the organization. Compensating controls and rules can be put around simple tasks, or even technical non-essential tasks, but when it comes to biomedical equipment or data access (which require lots of context and are super-critical) it's often best to keep those in-house.
- Compliance and regulatory requirements in healthcare, although they may be used as an excuse to in-source, should not drive the overall decision about what to in-source or outsource. It appears that the right answer, at the right time, is likely to be reached with a little creativity, as Martin points out.
Thanks to Martin & Eric for being good sports and taking the time out of their day to answer these questions.
If you'd like to discuss further, leave a comment here, and of course don't forget to include your Twitter handle so we can engage you directly!