Consolidating government IT services
If you read my post, Municipal shared services agreements for information technology, you know that I am skeptical about consolidation of multiple county and municipal IT operations. Because they are separate, independent business operations, the potential for unintended consequences, political meddling and perverse incentives is enormous. Another core problem is that very few counties or municipalities operate IT shops using widely accepted standards and frameworks for ITSM (Information Technology Service Management).
State governments, however, more closely resemble large corporate enterprises and there is a strong business case for the consolidation of IT services in such organizations. Elimination of redundant services, lower costs, and a smaller head count are essential goals, but consolidation can also provide uniform governance as well as enhanced quality and customer service if managed correctly.
During Ed Toner’s first week as CIO for the state of Nebraska in June of 2015, he found silos, duplication of tools and services, competition between IT groups and a culture that desperately needed change. A dearth of documentation and metrics presented significant challenges, but his education at Texas A&M in process improvement, ITIL and Six Sigma provided him with the tools to take on this type of task. Moreover, his previous ITSM experience with TD Ameritrade and First Data Corporation gave him the practical experience required for the job.
Ed reports directly to Governor Pete Ricketts and he began his consolidation of the state’s IT services in March of 2016. Six months of analysis led him to the conclusion that a classic ITIL (IT Infrastructure Library) model was the best approach to lowering the cost of state-level IT services. Ed has taken what he describes as a soft-sell, carrot-without-a-stick approach to the project.
During my research, I discovered that Ed and I have a single, irreconcilable philosophical difference, but I will discuss that at the end. First, let’s take a look at how Ed implemented some essential ITIL components.
The project was rolled out in three phases in the following order:
- IT Infrastructure (Network)
- Server Admins
- Desktop support
In the first phase, the Nebraska OCIO (Office of the CIO) brought everyone into a single domain and in the second phase they migrated 6000 square feet of remote data closets into the data center. Phase three is in progress and will be completed within a few weeks, so Ed has achieved remarkable results in only 16 months.
Enterprise applications were also included in the consolidation. OCIO manages the infrastructure and largely leaves the application functions up to the Line of Business (LoB) to manage. This is an admirable model because it doesn’t put IT in the line of fire for determining and managing LoB application features and functionality.
The service catalog (SC)
Since Ed and his team entered into the project with neither documentation nor metrics, they opted to grow the service catalog organically from incoming calls.
The service level agreement (SLA)
When Ed started, no one could tell him how many IRs (incident records) and SRs (service requests) were coming in, but that has been completely turned around. “In terms of the user community, I think for the first time, they’re seeing that we’re being accountable. We’re posting metrics and we just started sending out surveys.” Ed’s team also publishes statistics on availability, and their goal is 99.9 to 99.99 percent.
Ed and his team meet weekly to analyze stats and their internal SLA is to satisfy 80% of IRs within 24 hours. They routinely meet that objective and report the data to the governor on a monthly basis. Their goal for SRs is to complete them within 24 hours 65% of the time.
As they mature, they are working on categorizing and prioritizing different classes of IRs to provide an SLA with resolution of specific IRs within 4 hours or less.
“We are seeing a huge uptick in changes, which means to me that we’re not making more changes in the state, we’re seeing more and more compliance every month.”
In terms of adoption of change management, Ed related, “I can tell you from my vantage point that the state of Nebraska adopted it much more easily than in my past in private industry. If something happens that causes some type of outage, even momentarily, we’re going to come in with problem management. The problem management template we created clearly asks, was this caused by a change? Did you validate? How did you validate? We have built in those fail-safe checkpoints that will indicate if a group has done a change that wasn’t sanctioned.”
Problem management and Root Cause Analysis
Every PR (problem record) is reviewed by the OCIO. “We have a defined process for escalating issues. Those go into PR and no one wants to have a PR against their group. A problem record means we’re going to have a root cause analysis and we’re going to find out they made a change that didn’t go through change management. Problem management has helped to enforce change management because they know there’s another level of irritation from my office if the change didn’t go through change management.”
The Nebraska CIO’s office has been able to realize annual savings in excess of $2.8 million on payroll and contracts by eliminating all contractors in infrastructure and desktop support as well as by eliminating staff positions by attrition. “I have no IT infrastructure contractors at the state . . . No contractors doing server admin or desktop support.”
Server consolidation has helped realize $3.2 million annually in hardware savings. For instance, in one division they reduced 90 servers to four virtual servers and have eliminated over 70 physical servers in DHHS so far.
The state initially had three ITSM tools with multiple contracts for those tools, so Ed deployed an unused tool which they were already paying for in their application bundle and eliminated the redundant contracts.
The last word
Nebraska has done all the right things when it comes to building a solid IT service management program. Critical components include executive support and oversight from the CEO, a solid ITSM framework, transparency, and a CIO who is committed to the delivery of exceptional service and quality. Extraordinary managers all have one thing in common – they know that improving quality using rigorous processes reduces costs. How is your state doing?
I told you earlier that Ed and I have one irreconcilable difference of opinion, but it’s a whopper! Ed is an Aggie and I am a Longhorn. Hook ‘em horns, Ed.
© Copyright Jeffrey Morgan, 2017
Security Policy Checkup Service
For county and municipal government.
Is your security policy up to current standards? Here’s how we can help for a low fixed rate:
This fixed-fee service is designed for counties and municipalities and includes:
- Initial web workshop with management and key stakeholders.
- Completion of a survey to identify your organization’s procedures, practices and specific security requirements.
- Review of your security policy and acceptable use policy against best practices and your organization’s requirements.
- Web workshop to discuss results.
- Written report with specific recommendations for improving your policies.
How to get started
- e-mail us for a quote/SOW.
- We’ll send you a Statement of Work with an NDA (non-disclosure agreement). Sign it and return it with a purchase order.
- We will promptly schedule a web workshop to gather information.
- We will discuss your concerns and complete a brief survey in order to understand your organization’s requirements.
Who should be involved?
We can perform this study for an authorized executive. However, we believe that working with a cross-functional workgroup consisting of Legal, HR, IT and executive management, and possibly other departments will help build a foundation for a more solid information security program in the long term.
Don’t have a security policy?
We can help. e-mail us to schedule a time to discuss the development of a custom security policy tailored to fit your organization.
Read more about this service at: http://www.e-volvellc.com/security-policy-checkup/
© Copyright Jeffrey Morgan, 2016
Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (ultrasonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.
I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.
Enterprise IT risk assessments
Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.
I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.
When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.
Where to start?
If you haven’t previously conducted an enterprise IT risk assessment, you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.
The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.
Scope the project carefully
Risk assessments come in a lot of flavors, and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what local, independent practitioners charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.
Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.
One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.
Risk assessments are way cheaper than disasters, so go schedule your checkup.
© Copyright Jeffrey Morgan, 2017
In New York State, Governor Andrew Cuomo’s Countywide Shared Services Initiative “requires counties to assemble local governments to find efficiencies for real, recurring taxpayer savings… by coordinating and eliminating duplicative services and propose coordinated services to enhance purchasing power.”[i] New York is currently offering substantial financial incentives to municipal organizations that “create savings.”
According to a 2013 study[ii], about 8 percent of municipalities participate in IT shared services programs. Considering the financial incentives, I suspect that the percentage has increased significantly since that time.
In theory, shared services agreements among municipal entities appear to be a great deal for everyone involved, and especially for taxpayers. In reality? I am not only skeptical; I have seen the negative consequences of such agreements in the form of low-quality IT services that cost far more than similar services delivered by commercial vendors.
One possible scenario
A common scenario for shared IT services might take the form in which a county IT department becomes a service provider for cities, towns and villages in its jurisdiction. This may include email, infrastructure services, help desk services, software, printing of tax bills, break/fix services, hardware procurement and much more.
In this type of scenario, the county’s management may view such a deal as an opportunity to turn their IT operation from a cost center to a profit center. However, the differences in performance and productivity between the private and public sectors can be stark. Running a successful commercial IT services business is a tough, highly competitive undertaking that requires excellent management skills and continuous improvement.
For many municipal managers and elected officials, the one-time financial incentive may blind them to the necessity of examining the long-term consequences of such an arrangement. In other words, they will want to build the airplane in the air, and the basis for the deal may be little more than a handshake, devoid of reality and details.
Get it right!
It is possible for a municipal shared services agreement to be successful, but success won’t be accidental. If you are involved in negotiating such an agreement, I provide the following suggestions to ensure that you make the best deal possible.
Use rigorous procurement methodology
A shared services agreement should be treated exactly the same as a deal with a commercial vendor. Examples of the documentation required for the evaluation include the following:
- Service level requirements. This is a document that precisely defines your requirements. Before entering into any service agreements with outside agencies, your organization should thoroughly understand and document your business needs, goals and objectives.
- Service level agreement. This agreement is an essential part of any professional services contract. It defines requirements, responsibilities and accountability and includes financial penalties if the provider fails to meet agreed-upon service level targets.
- Catalog of services. What is the universe of services offered by your service provider? How much does each service cost, and when are such services available? How do you obtain services not covered in the agreement?
- PSA (professional services automation) system. An automated, auditable system for tracking incidents is a requirement for managed service providers. The system should be configured to send alerts to management and executives when the provider fails to meet agreed-upon service levels. Daily or weekly status reports should be available to the customer.
The agreement framework
Will this be a simple agreement using an MOU (memorandum of understanding) or some sort of BPA (business partnership agreement)? Regardless of the format recommended by your attorney, a clear exit path must be part of the agreement in case the relationship doesn’t work out. Agreements with commercial vendors always spell out how the relationship may be dissolved, but I have seen municipal shared services agreements that have no such escape clauses for the “customer.” Make sure you can get out of the deal if it isn’t working out.
Commingle infrastructure resources carefully
A significant risk of a shared services deal is that IT infrastructure built between the parties may become intertwined to an extent that may be difficult and expensive to unravel. Clear boundaries should be established that will allow the parties to simply unplug if the deal doesn’t work out. Also, who owns infrastructure and data? How do you get your data back once the relationship is dissolved?
Information security, governance and policy
Whose governance policies will apply? Acceptable use policies, security policies, regulatory compliance policies and personnel policies as well as organizational culture should all be considered. How will sanctions for policy violations be addressed between agencies?
Is the provider using best practices for ITSM (information technology service management) and ISMS (information security management systems)? Are they an ITIL or ISO 20000 shop? How will security be managed? Do they follow any generally accepted framework for information security (ISO/IEC 27001, for example)?
Who will define quality standards? In the commercial world, the customer determines quality. In the public sector, the provider often defines quality — the DMV being a perfect example. What recourse do you have if the provider fails to meet quality standards? With a commercial vendor, you simply terminate the deal. In a shared services scenario, terminating the deal may require political capital that is not available. These arrangements present the real risk that you could be stuck with a bad deal for years or even decades.
These are only a few examples of the processes required to evaluate and negotiate a successful shared services agreement.
The great advantage of democratic local government is that citizens have the ability to address poor municipal management through the democratic process. If we’re not happy with the decisions and actions of management, city council or a county commission, we can simply vote them out of office. The problem with the trend toward regionalization of government functions and services is that we lose that ability to control it through elections. Don’t lose your ability to control your information technology operations by making a bad shared services deal.
References and endnotes
[i] “Shared Services Among New York’s Local Governments,” research brief, Office of the New York State Comptroller, Division of Local Government and School Accountability, November 2009
[ii] “Shared Services in New York State: A Reform That Works,” George Homsy, Bingxi Qian, Yang Wang and Mildred Warner, August 2013.
This article first appeared on CIO.com at http://www.cio.com/article/3196248/leadership-management/municipal-shared-services-agreements-for-information-technology.html
© Copyright Jeffrey Morgan, 2017
Because Mother Nature is so stingy when she doles out the gene for common sense, frameworks and standards for IT governance had to be invented.
Recently, I heard about an incident in which a municipal IT director was planning and executing significant changes to a department’s critical infrastructure without informing the customer — the department personnel. After being confronted, he insisted that he wasn’t required to inform the stakeholders because it was routine and he didn’t need departmental approval. Huh! To make matters worse, the changes involved significant risks that were far beyond the understanding of that IT director and his staff.
This behavior is appalling on many levels, but it is representative of the service provided by many municipal IT managers who believe IT is a dictatorial, rather than collaborative, profession. A few of the things this scenario tells us about the organization include the following:
1. The organization isn’t using a framework for IT governance and IT Service Management (ITSM).
2. Executive oversight of IT is inadequate.
3. The organization lacks a risk management program with change-control policies and procedures.
I will address the first two items below, and we can address item No. 3 in a subsequent article, so don’t forget to check back.
Sacred cows and your executive legacy
Municipal IT operations tend to be monopolies, and the customer service they provide is all too often in keeping with what one would expect from any monopoly. There is no good reason for this state of affairs, and you can fix it with relative ease. Enabling deplorable IT services doesn’t have to be one of your executive legacies.
Municipal IT often operates on a charge-back model, where customers (internal departments) are forced to pay a flat annual fee or an hourly rate for IT services. The customers are unable to pursue competitive services from external vendors that may provide considerably better quality at a significantly lower cost. In the bubble of government IT, market forces never apply the pressure required to initiate change, and the IT department remains a sacred cow trapped in outmoded thinking and ancient processes.
Solutions, tools and techniques
In previous articles[i], I have discussed several management tools, techniques and processes that will significantly improve IT performance and customer service in your organization. Here, I will add one more concept: the RACI (Responsible, Accountable, Consulted and Informed) model.
The RACI model is an excellent tool for clarifying roles and responsibilities within a process. Using RACI can increase transparency and address the lack of oversight, so that all the players clearly understand their roles in the grand scheme. Let’s take a look at an example of how it might be used to identify appropriate roles for the operation and maintenance of a county clerk’s software application.
Although your matrix may be different, what won’t be different is that multiple stakeholders are involved. If there are a significant number of public users of the system, such as attorneys and title researchers, you might want to add them to the matrix as well.
While the RACI model is an important component of frameworks and standards such as COBIT, ITIL and ISO 20000, undertaking a full implementation of any of these programs isn’t necessary to make significant performance improvements to your IT operations and customer service.
Don’t count on common sense as a reliable management tool; use IT governance instead.
For further reading
“How to Design a Successful RACI Project Plan,” by Bob Kantor, CIO.com, May 22, 2012
[i] “Improving IT Customer Service with Service Level Agreements (SLA),” by Jeffrey Morgan, e-volve Information Technology Services
“What Is the Biggest Threat to Internal IT Departments?” by Jeffrey Morgan, CIO.com, Oct. 3, 2016
“High Crimes and Misdemeanors of CIOs,” by Jeffrey Morgan, CIO.com, Oct. 17, 2016
“Improving IT Customer Service, Part 2: Using a PSA System,” by Jeffrey Morgan, e-volve Information Technology Services
This article was first published on CIO.com at http://www.cio.com/article/3195073/leadership-management/county-municipal-it-customer-service-and-the-raci-model.html
© Copyright Jeffrey Morgan, 2017
What’s your municipal organization’s most valuable asset?
The correct answer is information, but you wouldn’t know it by observing the casual, haphazard manner in which information is managed in many county and municipal operations. Information is often the least valued and least understood asset in local government organizations.
Tangible assets such as buildings and equipment are insured and can be replaced with relative ease. If your data vanishes, you may never be able to replace it. A breach of confidential information can never be made right and your organization’s reputation will be tarnished for years to come. Litigation that results from poor information management can cripple your organization, and the cost of discovery alone often forces organizations to settle.
The core problem
Does your municipal organization have a formal information governance (IG) program?
Most municipal entities don’t have IG programs and consequently lack institutional, enterprisewide understanding of their information assets. The root of the problem is a dearth of leadership in information management that starts with senior executives and elected officials. In many cases, there are departmental managers who do understand their own information universes, but those individuals rarely carry enough clout to influence the decision-making processes at the enterprise level.
“Jeff, hold the phone! We already have a records management program and a CIO. We’re on top of this.”
Information governance isn’t records management, although records management is a subset of IG. Robert Smallwood provides an excellent definition of information governance: “Security, control and optimization of information.”[i] He takes it a step further and writes “Information governance is policy-based control of information to meet all legal, regulatory, risk, and business demands.”[ii] These two statements sound simple, but if you ponder their meanings a bit, they have enormous implications not only for information management in your organization, but for the way in which your entire organization is managed.
The role of the municipal CIO
In my experience, municipal IT operations are often poorly aligned with the business divisions they support and silos are an endemic problem in such organizations. I don’t want to paint with too broad a brush because there are plenty of CIOs who do understand their organizations’ business and information requirements. However, in municipal government, such people are rare.
While the title chief information officer implies a deep understanding of information, many municipal CIOs function more as technology directors and sometimes they more closely resemble purchasing managers or other roles. Since there is no universal definition of a CIO’s role, it is not reasonable to expect that they all come to their job with a clear understanding of information governance. Moreover, municipalities can have several dozen lines of business, each with its own set of complex regulatory requirements, so asking your CIO to be a Master of the Universe may be asking too much.
The solution: What IG can do for your organization
If you don’t have an IG program, I encourage you to start one. I am talking about creating an ecumenical view of your organization’s information assets and aligning that view with your business requirements at every level of your organization. Establishing such a program will allow you to build a superstructure that includes the following:
- Enterprise information management and strategic planning: auditing, risk management, records retention, metadata standardization, storage, FOIA, defensible deletion, eradication of silos and more.
- Enterprise information security (infosec) and cybersecurity: Develop policies, processes and procedures for security that are aligned with your organization’s risks and requirements. Create a culture of security in your organization. Vastly decrease security risks.
- IT service management (ITSM): Improve IT services by aligning them with the organization’s business requirements as determined by the IG committee. IT governance is often treated in county and municipal government as if it is somehow separate, but IT may be more productive if it is treated as a component of an overarching information governance program.
The IG committee
I am not a proponent of management by committee, but in a county or municipal setting with many lines of business, an information governance committee is appropriate not only to oversee information policies and procedures, but to provide guidance and oversight for IT operations as well. The makeup of your municipal IG committee will resemble the following:
- An executive sponsor: Preferably the county executive, city manager or similar role.
- An elected official: A county commissioner, city council member, etc. The primary governing board must be a key part of the IG team.
- The municipal attorney.
- A human resources official.
- An IT professional.
- A risk management specialist.
- A records management staffer.
- Representatives from other key departments, potentially including law enforcement, corrections, nursing home services, public health, mental health, social services, the county recorder, etc.
References and resources
Following are links to some resources for more information about developing an IG program.
ARMA International, a not-for-profit association for professionals specializing in governing information as a strategic asset.
Information Governance Initiative, a forum for information governance professionals.
AIIM, a nonprofit membership organization for information professionals.
Institute for Information Governance, a provider of training in the fields of information governance and electronic records management.
EDRM, a provider of resources related to e-discovery and information governance. Part of the Duke Law Center for Judicial Studies.
“Defining the Differences Between Information Governance, IT Governance and Data Governance,” by Robert Smallwood, Aug. 18, 2014. Retrieved April 17, 2017, from the AIIM website.
Information Governance for Executives, by Robert Smallwood. Bacchus Business Books, 2016.
[i] Smallwood, Robert. Information Governance for Executives, 2016
[ii] Smallwood, Robert. “Defining the Differences Between Information Governance, IT Governance and Data Governance,” 2014
This article first appeared on CIO.com at http://www.cio.com/article/3192530/security/information-governance-for-counties-and-municipalities.html
© Copyright Jeffrey Morgan, 2017
Download my current catalog of services in pdf! http://e-volvellc.com/cos.pdf
Free Whitepaper download for County/Municipal executives.
Over the course of the last year, both Macy’s stores within a reasonable drive closed. No doubt, those closings will seal the fate of the malls for which they were anchor stores.
I am getting a little tired of reading the business obituaries of Macy’s that claim Amazon is somehow to blame for their decline. It is easy for me to understand what happened to them, and it has nothing to do with Amazon.
Macy’s committed suicide.
I remember buying a beautiful pair of 100% wool, Italian import navy dress trousers from them in the late 1990s. My Italian tailor loved them. As soon as I drop the 15 pounds I put on this winter, I will wear them again.
As a customer of Macy’s for decades, I don’t need to study financial statements and demographic trends to understand what happened. I have watched the slow, relentless decline of the quality of their merchandise for the last two decades. Since I bought those Italian pants nearly twenty years ago, I haven’t bought much from them and certainly not men’s clothing. They went from carrying excellent products to cheap, low quality “designer” products, manufactured in Chinese or other Asian sweatshops. Fit is a problem as well. Their men’s clothing all seemed to be designed for twenty-somethings who drink skinny soy lattes and have never seen the inside of a gym.
These days, I get suits and wool trousers from my haberdasher – H. Strauss. I can still purchase quality products there and they are often made in the United States. I buy underwear from Brooks Brothers because they fit nicely and last forever. I used to swear by their shirts too, but the fabric doesn’t seem to be of the same quality as it used to be and the selection is much smaller. Fortunately, my haberdasher does custom shirts for just a little bit more than I can buy them off the rack at Brooks Brothers.
Don't blame the decline of Macy's on Amazon. They did themselves in by abandoning quality.
© Copyright Jeffrey Morgan, 2017
Are you a covered entity?
Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.
How do you know if you have or are a CE? If some department or division within your organization is a healthcare provider, a health plan or a healthcare clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), healthcare clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.
Are you in compliance?
If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.
In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?
I suspect what often happens is that executives look at something like information security policy requirements and say:
This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.
What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.
Trust but verify
There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.
Extend HIPAA to your enterprise
If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.
Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted, good practices.
Develop your policy with the HIPAA Security Rule
There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.
The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (page 8380 of the Federal Register).
The security standards in HIPAA are broken down into three sections, each of which has multiple layers and sub components:
- Administrative Safeguards (9 components)
- Physical Safeguards (4 components)
- Technical Safeguards (5 components)
These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.
Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.
These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.
1. Find out where your organization stands in terms of information security policies and procedures.
2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?
3. Meet with your IG committee to discuss your findings.
4. If you don’t have an IG committee — start one!
5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.
6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintain continuous improvement.
7. Begin building a culture of security in your organization.
We’ll continue the discussion next week, so check back then.
This article first appeared on CIO.com at http://www.cio.com/article/3188667/governance/hipaa-as-an-umbrella-for-countymunicipal-cybersecurity.html
© Copyright Jeffrey Morgan, 2017