ayema08

How healthcare organizations can take an agile approach towards cloud security controls?

"Cloud transformation initiatives are complex endeavors with a high failure rate. A risk based approach to cloud transformation focusing on cybersecurity controls results in significantly improved outcomes for the organization."

Agile Transformation: A Serious Consideration For Healthcare
The debate over implementing agile methodology, especially within the healthcare industry, has been a topic of consideration for several organizations. Regulatory and compliance requirements are often a key driving factor of this debate. When healthcare organizations undertake digital transformation projects, an important decision for management is whether to take the traditional waterfall approach (typically preferred within the industry given the high regulatory scrutiny) or an agile approach. While the waterfall route may be applicable for many use cases, implementing large-scale, organization-wide cloud applications with significant business impact often requires an agile approach to obtain the highest return on investment, by ensuring the technology solution is maximized to meet the overall business and strategy needs of the organization. Tailoring agile principles correctly, taking into consideration specific healthcare industry requirements, will result in organizations creating well-integrated cloud application systems that enhance the overall efficiency of the organization.

Benefits Of Agile For Healthcare Organizations
Digital transformation implies integrating the latest technological solutions into all the processes that constitute a modern-day healthcare enterprise. Healthcare organizations can enjoy several benefits of taking an Agile approach. Key benefits include:

  • Quicker software development timelines
  • Improved software deployment quality
  • Increased cross-functional collaboration
  • Higher returns on investment (ROI)
  • Enhanced regulatory compliance and risk management

Cloud Cybersecurity Controls: Always An Afterthought?
When implementing agile principles, healthcare organizations should keep an eye out for the risks that may come with them. The principles of agile require organizations to move fast, often prioritizing a working prototype and cross-functional collaboration. This often results in cloud cybersecurity controls getting pushed down the priority list. As a result, healthcare organizations take on significant risk of developing working prototypes that do not adhere to security controls and protocols, including missing compliance requirements around complex healthcare regulations (such as HIPAA, HITRUST). To avoid this misstep, healthcare organizations should treat cloud cybersecurity controls with the same amount of intentional thought as other workstreams relating to software development. A best practice is to embed cloud cybersecurity controls as a distinct and dedicated workstream with a focus on deploying operational cybersecurity controls as part of the transformation effort. This upfront alignment will reduce transformation risk for healthcare organizations, as cloud cybersecurity controls will be iterated (in line with other software features) through the develop, test, deploy agile life cycle, and are thus taken into consideration throughout the transformation instead of being an afterthought once it is over. This approach often results in the highest returns for healthcare organizations from a dollars-invested perspective, and it significantly decreases the likelihood of security-related deficiencies after the completion of the cloud transformation effort.

Implementing Cloud Cybersecurity Controls: An Agile Approach
Before we cover agile cybersecurity controls implementation, here's a quick overview of the steps involved in a typical agile sprint:

  • Gather and prioritize requirements
  • Develop initial prototype iteratively
  • Test the prototype
  • Deploy the prototype
  • Obtain end-user feedback

As part of the agile cybersecurity controls deployment, it is critical to take the development of controls through the agile lifecycle mentioned above. This may include:

[Figure: Agile_Controls_Approach]

As depicted above, healthcare organizations need to give intentional thought towards embedding cybersecurity controls as part of a larger cloud transformation effort. While the specific cybersecurity controls will vary depending on the healthcare business model (which will drive risks within the model) and the type of cloud software being developed or deployed (which will impact the nature of agile approach being undertaken), healthcare organizations at a minimum should think about cybersecurity controls in two main categories:

  • External cybersecurity controls: which protect against elements outside the organization (e.g., ransomware, malware, etc.)
  • Internal cybersecurity controls: which protect against elements within the organization (e.g., employee sabotage or employee mistakes)

For additional considerations regarding the above two categories of cybersecurity controls specific to cloud ERP applications read this here.

Benefits Of Agile Cybersecurity Controls Development
While there are several benefits, the key benefit of deploying cybersecurity controls during (and NOT after) the cloud transformation effort is significant cost savings. Organizations will incur an upfront cost for a dedicated cybersecurity controls workstream; however, this investment will result in a robust cybersecurity framework at the end of the cloud transformation, resulting in a lower likelihood of cybersecurity control issues, and lower audit costs/services and remediation effort costs. The goal for any healthcare organization should be to eventually move to the fourth quadrant of the cybersecurity controls maturity framework below, using agile as a key driver while effectively jumping quadrants.

[Figure: Agile_Controls_Maturity]

  • 1 = Beginner (No or minimal controls, low controls cost)
  • 2 = Intermediate (Low controls maturity, high controls cost)
  • 3 = Advanced (High controls maturity, high controls cost)
  • 4 = Optimized (High controls maturity, low controls cost)

Conclusion
Thus, healthcare organizations should consider taking an agile approach not just for large-scale cloud transformation projects but also for developing robust cybersecurity controls during (and not after) the cloud transformation effort. An agile approach towards cybersecurity controls increases the likelihood of better designed and operationalized cybersecurity controls, allowing organizations to enjoy significant cost savings and increased returns on their investments. Additionally, an agile approach plays a crucial role in incorporating principles of swiftness and nimbleness in the operational culture of organizations, the benefits of which are often realized while adhering to complex healthcare regulations and compliance requirements.

Note: Opinions expressed are solely of the author and do not express the views or opinions of their employer.

Latest comments (27)

Larisa

I found your article on how healthcare organizations can take an agile approach toward cloud security controls incredibly insightful. With cloud computing in healthcare evolving rapidly, balancing security, compliance, and agility is more critical than ever. Your emphasis on continuous monitoring and adaptive security strategies really stood out. As healthcare organizations navigate these challenges, I’m exploring how tailored cloud security solutions can enhance data protection and regulatory compliance.

SofiiaSov

Taking an agile approach towards cloud security controls in healthcare organizations is a crucial step. If you're interested in learning more about strategies and practices for healthcare enterprise risk management, you can find valuable insights in this article by Cleveroad. It can provide guidance on implementing effective security measures in the healthcare sector.

Abubakar Kaleem

I appreciate the article's emphasis on agile cybersecurity controls development. By incorporating security into the agile sprint cycle, healthcare organizations can achieve significant cost savings. Investing in a dedicated cybersecurity controls workstream upfront pays off by minimizing the risk of control issues, reducing audit costs, and streamlining remediation efforts. It's a strategic approach that ensures long-term cybersecurity maturity.

Abubakar Kaleem

As a cybersecurity practitioner in the healthcare industry, I have experienced the challenges of delivering robust cybersecurity using the traditional waterfall approach. The project I worked on had over 10,000 users, generated $5 million in revenue, and cost $1 million to implement. It was extremely difficult to keep up with evolving security requirements and deliver on time. The agile methodology could have provided us with more flexibility and adaptability, resulting in improved cybersecurity controls.

Victor Obahor

The article's focus on cloud security controls and the adoption of an agile approach is a game-changer in the field of cybersecurity. Cloud technologies are increasingly prevalent in healthcare, and traditional waterfall approaches simply can't keep up with the dynamic nature of cloud environments. Agile methodologies enable healthcare organizations to address security vulnerabilities promptly and adjust their controls in response to evolving threats.

upwork.com/freelancers/~018f64a10d...

George Kaduru

What a great approach! I recently worked on a security project last year in the healthcare industry and my team implemented the security protocols and infrastructure following the agile access controls approach mentioned in this article. We realized immediate benefits of this new innovative approach. The overall security budget for the project was around $100,000 and we were able to reach our target at 50% of the budget, thus saving costs and securing health data from potential breaches and attacks.

Mahender Kumar

According to a Bain & Company report:
bain.com/insights/how-agile-is-pow...

Healthcare organisations are under increasing pressure to innovate in terms of product innovation, services, and consumer experience. Despite the fact that nearly 80% of medical institutions believe they need to be more Agile, only 30% are familiar with Agile innovation. Seventy-five percent of business leaders believe their Agile teams perform as well as or better than traditional teams.

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Mahender Kumar

Agile has demonstrated excellent outcomes. The following are some of the advantages of using agile:

  • Faster Project development life cycle.
  • Predictable schedule
  • Customer/patient-focused work resulting in better outcomes,
  • Empowered team

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Mahender Kumar

Risk cannot be eliminated, but it can be managed. Anticipating risks ahead of time gives an opportunity to deal with them. Some cloud security risks include misconfiguration, data breach, human error, and unmanaged attack surfaces.

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

George Kaduru • Edited

I completely agree with you @mahendkr72. Risk is a constant in any endeavor, and would either need to be transferred, accepted or controlled. With cloud security, a risk like misconfiguration can cause data exposure, but by applying practices in the above-mentioned agile cloud control access method, an organization can accurately control the risk of it occurring. The Human Factor is another risk that can be transferred to proper training schemes and departments that will reinforce staff on the dangers that lurk outside the organization using the agile cloud controls implementation methodology. My small IT agency has seen direct benefits of taking the approach mentioned above, including generation of revenue of up to $60,000 in 2022. I know several other independent industry practitioners who have received similar nature of benefits (and in some cases better than the results I have received).

Mahender Kumar

A complete cloud security strategy addresses all three aspects: risks, threats, and challenges, so no bugs exist within the foundation. In order to deploy an application securely on the cloud, the solid strategy an organization leverages must alleviate risk (security controls), defend against threats (secure coding and deployment), and overcome challenges (implement cultural and technical solutions).

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Mahender Kumar

According to Gartner, human error will account for 99% of all cloud security failures by 2025. When developing business apps, human error is an ever-present risk. On the other hand, deploying assets on the public cloud comes with significant risk.
gartner.com/smarterwithgartner/is-...

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

George Kaduru

What an interesting take @mahendkr72, however, I believe 99% might be too much of a stretch at this time when we factor in the further development of cyber-related artificial intelligence in 2025. Yes, human error is indeed a big factor in protecting healthcare patient data and privacy, and some studies have mentioned it is up to at least 80% of cloud security breaches, but implementing agile cloud security practices into cloud identity and access authorization security measures like encryption, MFA verifications, and privileged access management has proven to reduce cloud risk failures in organizations in my experience.