Why fly when you can SOAR? 5 things you’re getting wrong about security orchestration, automation and response

Security orchestration, automation, and response (SOAR) solutions are often billed as a panacea that will solve all of a security operations center’s (SOC) problems, reduce mean time to repair (MTTR), improve efficiency, act as a single pane of glass, and even make a really good cup of coffee. You name it and someone somewhere has claimed that a SOAR platform can do it. The truth, however, is a little more complicated.

Yes, a SOAR solution can automate a great number of tasks—if properly implemented. If a task can be broken down into steps that are repeatable, reusable, and consistent, then it has the potential to be automated. But if an organization tries to take on too much at once or is unfocused in its approach, the implementation can rapidly get out of hand and lead to failure and ultimately shelfware. Here are a few examples of common mistakes and misconceptions about SOARs.

Boiling the ocean

A SOAR solution can be incredibly powerful; the initial desire to automate everything in sight is akin to the first time you get a label maker. You want to apply it to everything, all at once. Some of the worst experiences I’ve seen have come from an environment where they tried to build a complex interweave of use cases and became bogged down in the details and frustrations. The key to a successful implementation is to start small. Find one or two simple use cases that allow the SOC team to get a handle on what can be done and the thought process to build the use case. Initial simple automations and response actions such as threat enrichment of an IOC (indicator of compromise), hash, or URL are particularly effective as they can be easily reused as part of more complex actions later.

Training? I don’t need any stinkin’ training!

Yes, you do. While this is often the first thing on the cutting room floor when budgeting for a new solution, training usually makes the difference between a successful implementation and a package becoming shelfware. This is the opportunity for your team to ask questions of the people who implement and use the technology daily. Take advantage of it. A SOAR platform, like most integration-focused solutions, has many hidden features and nuances to how complex actions like a workflow are created. These are going to be automated actions that are hopefully going to run your business and you’ll need to understand how they are constructed.

I have scripts, isn’t that the same thing?

Most engineers, analysts, or administrators who have worked in IT for more than a few years have run into tasks that they find themselves doing repeatedly. Inevitably, someone on the team will write a script, whether it is Visual Basic, a batch file, or a snippet of Java, for each of those routine tasks. Those scripts are running continually in a SOC near you right now. So, the question becomes: If I’ve already got scripts running, why do I need a SOAR? Remember, SOAR stands for security orchestration, automation, and response. Automation refers to performing singular tasks repeatedly, orchestration is putting multiple singular tasks together, and response is really the key because it’s the ability to evaluate, make a choice, and then perform additional actions. The ability to build in complex response actions, either in an automated fashion or via human interaction, is one of the primary differentiators of a good SOAR platform. This doesn’t mean throwing the scripts out; it means taking them and converting them into SOAR workflows that can provide response choices, in-depth auditing and error tracking, and consistent integration across multiple platforms. This is where SOAR sets itself apart.

It will be done tomorrow, right?

Not likely. While an initial set of use cases or workflows can usually be imported from the SOAR vendor, they still need to be customized to your environment. For instance, it may have been written for a different firewall or threat feed vendor. Each of these steps will need to be verified and tested with the current version of the existing platforms deployed in the environment. A simple version difference in the target platform can make a huge difference. Which brings us to…

Integrations are simple

Umm, no. To be successful, a SOAR platform will need to communicate with many different platforms that already exist in your environment. Let’s face it, the IT space is full of companies that are often competing with one another in multiple verticals, and one vendor is rarely sole-sourced throughout the organization. It’s not uncommon to see vendors significantly change APIs, database structure, architecture, and platforms between versions, with either missing or incorrect documentation to go with it. These changes are not made to purposefully break outside integrations but are instead made with their own interests in mind. Simply put, IT infrastructures are complex environments with lots of moving parts that need to be carefully integrated to get the best value from the solutions. Often the response from vendors’ support teams will boil down to “not my problem.” Ultimately, a good SOAR vendor will try to keep up with the integrations as new versions are released, but some of this will also come back to a good relationship between you and your vendor. Simply letting them know that a new version has been released and that you intend to upgrade soon can change the integration team’s process to better support you.

Things to keep in mind

So, what are the main takeaways? SOAR solutions can be incredibly powerful enablers of the cyber and operations teams if some simple rules are followed:

  • Stay focused. Choose a singular task to learn what works in your organization. Use this as your in-house training scenario to learn the process.
  • Take your time. Diagram the workflow on a whiteboard and take your time finding the lowest common denominator to help pick one or two use cases to leverage as your showcase.
  • Identify simple integrations. Choose the deployed solutions that can be easily integrated to start with. Typically, they will be API driven and allow you to combine with threat enrichment to see immediate benefits.
  • Re-use. Ideally, your SOAR platform allows you to reuse the work you’ve already done. You’ve created the first piece of the puzzle for the future and you can leverage that same structure and concept again to reduce the amount of effort on your next workflow.

Merlin Cyber has partnered with Swimlane to help our public-sector customers avoid these and many other challenges that they encounter. Swimlane provides a comprehensive SOAR platform leveraging a drag-and-drop workflow builder that enables organizations to rapidly build and deploy workflows to the field. With built-in case management, auditing, reporting, and a robust integration library, Swimlane provides environments with the tools they need to be successful.


If your organization wants to rapidly improve staff efficiency and drastically decrease MTTR by leveraging a powerful SOAR platform, we can demo Swimlane and help customize a solution that meets your objectives. 

Cyber hygiene starts with good tools configuration

Last month, the Government Accountability Office released a new report titled DOD Needs to Take Decisive Actions to Improve Cyber Hygiene. The GAO report found that the Defense Department is behind on three major cyber hygiene initiatives and lacks cybersecurity accountability among its leadership. If a critical government agency like the DOD struggles with cyber hygiene, what about a regular company?

An average-sized company usually has 25-plus security vendors. Organizations have implemented tool after tool in efforts to secure their data, systems, and users. This has left them with misconfigured, repetitive, or siloed tools and an uphill climb toward proper cyber hygiene.

RELATED: 5 of the biggest cyber hygiene myths

While proper cyber hygiene involves tools, training, and policies, having a fragmented toolset makes the concept a non-starter. Tool fragmentation and overlapping tool capabilities put additional burden on IT staff, making it difficult to respond to threats, quantify risks, or effectively manage an organization’s most critical security controls. As a result, the organization’s cyber hygiene suffers.

Poor cyber hygiene creates security vulnerabilities that require decisive action. It’s vitally important to correctly configure, maintain, and ensure that your security tools are effective. In other words, cybersecurity leaders should consider maximizing the ROI on already-purchased tools before adding new ones to their crowded ecosystem.

Tool-proof your cyber hygiene

Practicing proper cyber hygiene goes beyond just purchasing and implementing security tools. Using the tools correctly is what helps solidify overall cybersecurity posture. And it all starts with proper configuration of the tools you have.

Establishing configuration baselines is a fundamental but often overlooked cyber hygiene task. Why else is tool misconfiguration a frequent cause of breaches? While we rely on security tools to maintain proper hygiene, their effectiveness is entirely in our hands.

Here’s how to weigh the performance and usage of existing security tools:

  1. Analyze if the tools you’re using are engineered properly and behaving correctly. For example, if it’s a vulnerability scanner, is it updated and scanning your entire IT landscape? If it’s a next-generation firewall, are you using all the features appropriately?
  2. Review and score every tool with a critical eye. Try to rationalize each tool against your organization’s current and future needs. Move past qualitative descriptions and into quantitative analysis by ranking and scoring them with questions like:
    • Does this tool have a niche or special purpose?
    • Is it more or less secure than other options?
  3. Examine each tool’s actual configuration. Is it configured securely? Does it have default passwords or other weak controls? How easy is it to harden?

The complexity of today’s IT infrastructures coupled with security tool fragmentation and misconfiguration makes cyber hygiene challenging for companies of all sizes. Security tools are only as strong as an organization’s internal process for maintaining them. Luckily, there are solutions that automate much of the work and provide organizations with a comprehensive way to implement and maintain proper cyber hygiene.

5 of the biggest cyber hygiene myths

Tackling common misconceptions about enterprise security

Proper cyber hygiene is a desirable but sometimes elusive practice for many organizations. And it can be hard to separate fact vs. fiction. Read on as Miguel Sian, Merlin’s Director of Solutions Architecture and Engineering, busts a handful of security posture myths.

Most organizations would agree that proper cyber hygiene is essential for maintaining their cybersecurity posture. Each will also likely affirm that they practice good cyber hygiene; yet, we find that many have considerable blind spots. We’ll shine a light on these blind spots by exposing five of the biggest myths about cyber hygiene.

First, a primer. What is cyber hygiene? The CERT Resilience Management Model (CERT-RMM) defines cyber hygiene as a set of practices for effectively managing the most common and pervasive risks to the organization. The Center for Internet Security (CIS) defines cyber hygiene as a set of baseline cybersecurity protections that help to secure an organization. Fundamentally, cyber hygiene involves the strategies and activities that ensure your enterprise IT security is in tip-top shape (health) and protecting your organization from threats (prevention).

RELATED: Cyber hygiene starts with good tools configuration

Proper cyber hygiene spans people, process, and technology. It starts with having complete visibility of all your assets, followed by effective security tools and processes to identify, detect, and protect your assets against threats. Last but not least, you must implement effective access management. With this as the backdrop, let’s quash five common myths about cyber hygiene.

MYTH #1

“We have several management tools (i.e., NAC, SCCM) and a CMDB that ensure we know precisely what’s on our network.”

How many CISOs honestly believe that they have a truly accurate count of their hardware and software assets? Just one glance at two systems management tools (vulnerability management and Active Directory) would likely reveal a discrepancy of the total number of computer accounts in your enterprise. Furthermore, increasing cloud adoption and remote work can undermine what you believe might be on your network.

MYTH #2

“My users and endpoints are adequately protected with endpoint security tools such as anti-virus and EDR, along with policies we’ve implemented to protect our devices.”

Anti-virus and endpoint detection and response (EDR) solutions have long been good practices for endpoint hygiene, but they are no longer enough. New, emerging threats in the hardware layer – on mice, keyboards, webcams, switches – can go undetected by these endpoint security solutions. Furthermore, attacks on the supply chain compound the risks from these emerging threats.

MYTH #3

“We have security tools and processes established for configuration management, patch management, and vulnerability management that ensure our basic security hygiene.”

Organizations often overlook and fail to adequately monitor the tools themselves and processes that ensure these basic security hygiene tasks. This is likely a result of lacking a central place to monitor the configuration and effectiveness of all their enterprise tools. Furthermore, organizations typically can’t relate these security challenges to overall business impact. For a complete picture of cyber hygiene, it’s important to know the tools’ security posture and effectiveness in meeting the organization’s security controls, and how they protect the applications that deliver on the business outcomes.

MYTH #4

“Our annual compliance audits against industry security frameworks provide adequate security and communications for our stakeholders.”

Regular audits are essential, and frameworks such as NIST CSF provide a comprehensive set of security guidance. Yet, we’ve found that organizations are unable to continuously monitor their most critical security controls. As a result, organizations are unable to prioritize what’s truly important or effectively communicate the risks across the enterprise.

MYTH #5

“We have controls that ensure proper access management.”

If this is true, we should not be seeing an increase in data breaches, since a majority start with privileged credential abuse. Organizations must take a comprehensive approach to access management. There are silos of identity sources and disparate identity management tools in the enterprise. This makes securing access across the enterprise challenging. It’s critical to establish visibility, then monitor the security controls for access to critical systems.

It’s time to take a strategic approach to cyber hygiene. With today’s rapidly shifting situation in IT and business, risks and uncertainties abound. A renewed focus on the basic fundamentals of cyber hygiene provides us with the key principles and foundation needed to establish a comprehensive cybersecurity posture for our enterprise.

Eliminate the strain

Fundamental health hygiene is more important now than ever before. The same holds true for cyber hygiene – this is your foundation for proactive cyber defense. We’re already seeing cyber criminals, as well as nation state sponsors, taking advantage of the COVID-19 situation by attacking hospitals, corporate enterprises, supply chains, as well as senior executives with a variety of phishing scams, malware deployments, and attacks designed to penetrate vulnerabilities in the network.

The strain being put on your remote employees to access your network is immense. In order to ensure the security of your enterprise infrastructure and to step up to ensure business continuity, you need to understand and maintain pristine cyber hygiene on your existing network VPN, firewalls, endpoints as well as remote access.

Implementing a cyber hygiene monitoring tool like Cyber Observer enables you to track and score cybersecurity in near real time. By continuously measuring the status of your security environment with Critical Security Controls from relevant security tools, Cyber Observer empowers you to make insightful decisions to help you ensure the security you have in place is doing what it is intended to do while equipping you with the data and knowledge you need to make the right risk-based decisions. The platform provides a comprehensive view of enterprise Cyber Readiness to improve your ability to prevent and detect cyber-attacks.

As important as it is to assess personal health, now is the time to also assess your cybersecurity health. Doing so with Cyber Observer gives your security team confidence and control, and enables them to concentrate their time on mission- and business-critical priorities.

Contact us to learn more about our special offer.

The Key to Reducing Cybersecurity Risk

During the first three months of 2019 there were 1,903 total breaches; 85% were the result of unauthorized access into services or systems (i.e., hacking). It’s not that companies aren’t safeguarding their data; the opposite is actually true. We’ve seen a trend of increasing cybersecurity spending across all industries (mo money, mo [cyber] problems), but hackers are still finding ways to gain access to “secure” systems. Reviewing more recent articles on data breaches, the cause gets cited as vulnerabilities or misconfigurations of specific cybersecurity tools. It’s not that something was missing; it just wasn’t working. Even if your tools are installed perfectly, constant changes to your systems and tool updates or patches can expose you to threats you’re not even aware of. A recent Ponemon study found that 53 percent of IT leaders have no idea how well the tools and software implemented in corporate networks are performing. A cybersecurity tool is only as effective as your process for keeping it in good working order, also known as Cyber Hygiene.

The key to reducing cybersecurity risk is awareness and visibility. However, gaining this insight through the complexity of your security is no small task. Organizations need to unite the silos of their security teams, processes, and technologies all in one place. After referencing security complexity as a major pain point, it may seem counterintuitive to add another tool to your already complex security system, but automating your monitoring is the most effective route to continuous awareness and visibility. While hiring additional security staff continues to be an industry crisis, leaning into solutions that can automate the process will deliver rapid and actionable information so proactive steps can be taken to remediate issues. To learn more about Cyber Hygiene monitoring, check out Cyber Observer and its four layers of cybersecurity.

Mo Money, Mo [cyber] Problems

Stop spending, use cyber hygiene…

Gartner reports that average annual cybersecurity spend per employee has doubled, from $584 in 2012 to $1,178 in 2018. With increased spend you might infer that companies have newer, more effective cybersecurity tools and are therefore safer, but we aren’t seeing that increased spend necessarily equals increased safety. Large-scale data breaches are still happening, and the stakes are high, with fines for these breaches costing some over half a billion. Simply throwing money (i.e., more cybersecurity tools) at the problem won’t solve it. Companies have created a fog of too many tools and a challenge of how they manage those tools to ensure they are configured and running properly. That’s where Cyber Hygiene can help.

The term Cyber Hygiene was first used by Vint Cerf in 2000; he described it as the “steps we know can be taken to improve security and resilience.” More recently, the Center for Internet Security (CIS) and Council on CyberSecurity (CCS) launched a Cyber Hygiene Campaign and broke down those steps into the “5 top priorities.”

  1. Count: Know what’s on your systems and what you need to protect
  2. Configure: Continuously manage systems using “known good” configurations
  3. Control: Know and limit who has administrative privileges of security settings
  4. Patch: Keep software and hardware up-to-date to protect against known vulnerabilities
  5. Repeat: Cybersecurity is an iterative process with no finality

A great place to get started is prioritizing what you are trying to protect and deciding how you will measure your success. Aligning to an industry-recognized framework (such as NIST or CIS Critical Security Controls) will help guide you during both implementation and assessment. Once critical security controls have been implemented, which is no small task, adherence to your chosen framework(s) through Cyber Hygiene will ensure the health and effectiveness of your cybersecurity ecosystem. If you’re looking for ways to measure your success, conducting an audit assessment or penetration test will be helpful in showing the state of your environment at that given time. If you’re interested in continuous metrics and measurement, implementing a Cyber Hygiene monitoring tool, like Cyber Observer, will enable you to track your improvement and score cybersecurity in near real time.

Comfort, not Chaos: How to Reduce the Cyber Risk of Healthcare Operational Technology (OT) Solutions

In a hospital at night, a patient wants to read a book, so she turns up the lights through her room’s dimmer switch. When she’s finished, she prepares for bed by turning off the lights, and closing the window blinds. Shortly after, she feels too warm, so she lowers the temperature on the thermostat.

What’s more, she’s able to do all of this from the comfort of her bed, by using a hospital-supplied remote-control device. Elsewhere, patients do the same using apps on their phones.

This illustrates how healthcare organizations are investing into what’s called Operational Technology (OT) – solutions which monitor or alter physical systems – to improve the patient experience and run their buildings. Whether the solutions control lighting, thermostats, security cameras, elevators, power management or additional systems via wired or wireless configurations, the healthcare industry is increasingly dependent upon them. And this dependence is helping drive worldwide demand for OT, which is expected to grow to a $40.42 billion market by 2022, up from $27.2 billion two years ago, according to a forecast from MarketsandMarkets.

However, as is the case with biomedical devices, security has emerged as a concern. Internet of Things (IoT) innovation supports a great deal of OT solutions, which, of course, creates issues: Nearly nine of ten healthcare organizations have experienced an IoT-related security breach, and one-half have encountered malware within IoT-connected systems, according to research from Hewlett Packard Enterprise’s Aruba Networks. The healthcare and life science sectors now account for 6 percent of all global OT incidents, up from zero percent three years ago, according to the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

In the modern era of cyber threats, hospital CIOs cannot prevent 100 percent of OT-linked attacks. But they can significantly reduce their risk exposure by taking the following steps:

Inventory every endpoint.

As indicated, certain OT products are wired in, and others are wireless. Either way, CIOs must gain total visibility of where they are, and what they do.

Beyond the pure volume of endpoints here, the various parties which implement OT solutions will introduce complications. CIOs don’t order lights and thermostats, after all. Building maintenance supervisors do. In addition, those supervisors may hire a third-party contractor to install, say, an OT-enabled speaker system without the CIO knowing about it. (Or knowing whether the contractors evaluate the security features of the products they offer.) Still, once these products connect to the IT network, their continued connectivity becomes IT’s responsibility. Thus, it’s essential for CIOs and their teams to conduct a complete inventory – and take at least partial ownership – of their organization’s OT “threatscape”.

Segment the environment.

The best way to keep OT-triggered threats from damaging or disrupting the network is to, well, remove them from the main network. That’s what segmentation does, by creating an entirely separated IT environment for OT products. With this, if bad guys exploit an OT vulnerability, they can only cause a limited amount of chaos, because OT is no longer part of the core network.

Even better, IT teams can more effectively monitor OT performance within a segmented environment, because everything is clustered within the same place. So when those in-room lights fail to dim, the teams will see this, and take corrective action to keep patients (and hospital supervisors) happy.

Set standards.

OT doesn’t work like other technologies and, subsequently, can’t be “fixed” like other technologies. (You can’t patch that thermostat, can you?) Given this, CIOs must get with building managers and anyone else who acquires these solutions to develop cybersecurity standards for OT vendors. If the vendors fail to comply with the standards, then they don’t get the hospital’s business.

Like any other developing technology, OT will usher in a new wave of risks. Therefore, as with all cyber systems, IT should apply optimal visibility, accountability, oversight and action from implementation to monitoring to – if needed – mitigation. That’s how to, ahem, “keep the lights on” and otherwise ensure a pleasant patient experience while still protecting the network.

IGA Tools Ensure that Healthcare Employees Get the Job Done While “Staying in Their Lane”

It takes a wide variety of employees accomplishing a vast range of tasks to make a healthcare organization work. But, today, these organizations face challenges in ensuring their staffers “stay in their lane” by not overstepping the boundaries of their roles.

Research nurses, for example, can write up orders for blood tests, but they’re not authorized to release the orders. That is the physician’s job.

A billing administrator may write up charges for a patient’s visit, but cannot actually receive the payment. Otherwise, the administrator could conceivably commit financial fraud by falsifying charges and pocketing the money.

For IT managers and teams overseeing electronic medical record (EMR) and other systems, enforcing the limitations of authorized activity for these and countless additional roles creates confusion and frustration. It amounts to monitoring in piecemeal fashion one siloed system after another, without a cohesive, unified way to “see” everything and respond accordingly.

The constant threat of cyber attacks linked to the employees’ behaviors – whether they intend to cause a hacking incident or not – makes the situation all the more foreboding. In the absence of an entirely integrated “eye” over all activity that is acceptable and that which is not, the healthcare enterprise remains highly vulnerable.

This is where Identity Governance and Administration (IGA) can step in to help. As defined by Gartner, IGA tools manage digital identity and access rights throughout multiple systems by aggregating, correlating, and distributing related data to better control user access. Areas of focus include identity lifecycle/entitlements management, access requests/certification, workflow orchestration, and reporting.

Overall, the global IGA market is expected to increase to $5.8 billion in 2021, up from $3.2 billion last year, according to projections from IHS Markit. Clearly, significant concerns expressed by healthcare security and IT professionals make a strong case for across-the-board industry adoption, with the rising risk of employee-linked cyber attacks keeping them up at night: More than three of five healthcare organization IT and IT security practitioners rank malicious insiders as a top security threat, and 64 percent say the same about employee negligence or error, according to survey research conducted by the Ponemon Institute and sponsored by Merlin International.

In attempting to respond, organizations are most challenged by a lack of tools to monitor employees and other insiders (as cited by 27 percent of healthcare IT leaders), according to additional survey research from Imperva. Other challenges include inadequate staffing to analyze permissions data when employees seek to call up files, information, systems, etc. (as cited by 25 percent of survey respondents); the growing number of employees, contractors and business partners connecting to the network (24 percent); and the abundance of company assets stored within the network or in the cloud (24 percent).

IGA products tackle these issues head-on, allowing IT teams to “see” in real-time who is accessing what data and critical workloads – and whether that person’s job function is cleared for such privileges. IGA helps the teams flag behaviors on the part of users who may unintentionally invite risks, in addition to alerting them to when a malicious insider could be stealing or destroying data. It provides access control and audit log management, as well as privacy- and breach-management maps to satisfy security requirements of the Health Insurance Portability and Accountability Act (HIPAA) Audit Protocol. In fact, identity management/authentication is considered among healthcare IT and IT security practitioners as the most effective step in achieving security objectives, as cited by 71 percent of respondents in the Ponemon/Merlin International survey.

Beyond enhanced cybersecurity monitoring and mitigation, IGA solutions empower organizations to address the following, key needs:

Segregation of Duty (SoD) rules

This refers to the previously described scenarios involving the nurses, billing administrators and everyone else on staff who must “stay in their lane.” For starters, it’s simply the best way to run a healthcare organization. What’s more, HIPAA and other regulations require the enforcement of SoD.

Fortunately, with IGA-level visibility in place, leadership and IT teams acquire a “single pane of glass” perspective of their entire infrastructure access ecosystem (including cloud environments like Amazon Web Services and Microsoft Azure), file sharing/collaboration activity (such as the usage of Dropbox and SharePoint), EMR usage, and enterprise resource planning (ERP)/business functions (Salesforce, PeopleSoft, etc.). Thus, when the annual audit comes around, IT won’t have to gather endless records from many silos to demonstrate appropriate role/access authorizations and controls. Instead, it will collect the information from a single source.
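As an added example (not code from this article or from any IGA product), the following Python models the two checks an IGA tool runs over aggregated access data for the scenarios above: toxic entitlement pairs (the billing administrator who can also take payments) and role-boundary checks (the research nurse who has somehow acquired the right to release orders). The role names, entitlement strings, and sample users are constructed and hypothetical.

```python
"""Minimal SoD and role-boundary certification over correlated access data.

Constructed example: roles, entitlements and users are hypothetical and
chosen to mirror the nurse/physician and billing/payment scenarios.
"""
from dataclasses import dataclass, field

# Toxic combinations: holding both sides lets one person commit and conceal fraud.
SOD_RULES = {
    frozenset({"billing.create_charge", "billing.receive_payment"}):
        "creating charges and receiving payments must be separate people",
    frozenset({"user.provision", "user.approve_access"}):
        "provisioning access and approving it must be separate people",
}

# Role -> entitlements that role legitimately carries (constructed).
ROLE_ENTITLEMENTS = {
    "research_nurse": {"lab_order.create", "patient_record.read"},
    "physician":      {"lab_order.create", "lab_order.release", "patient_record.read"},
    "billing_admin":  {"billing.create_charge", "patient_record.read"},
    "cashier":        {"billing.receive_payment"},
}


@dataclass
class Identity:
    """One person as seen after correlating several systems (EMR, ERP, AD, ...)."""
    user: str
    roles: set = field(default_factory=set)
    # Entitlements granted directly in a target system, outside any role.
    direct_grants: set = field(default_factory=set)


def effective_entitlements(identity, role_map=ROLE_ENTITLEMENTS):
    """Everything the identity can actually do: role-derived plus direct grants."""
    ents = set(identity.direct_grants)
    for role in identity.roles:
        ents |= role_map.get(role, set())
    return ents


def sod_violations(identity, rules=SOD_RULES, role_map=ROLE_ENTITLEMENTS):
    """Toxic entitlement pairs the identity holds, as (sorted pair, reason)."""
    ents = effective_entitlements(identity, role_map)
    return sorted((tuple(sorted(pair)), reason)
                  for pair, reason in rules.items() if pair <= ents)


def out_of_lane(identity, role_map=ROLE_ENTITLEMENTS):
    """Direct grants that none of the identity's roles would justify."""
    permitted = set()
    for role in identity.roles:
        permitted |= role_map.get(role, set())
    return sorted(identity.direct_grants - permitted)


def certify(identities):
    """Access-certification report: user -> findings, only for users with findings."""
    report = {}
    for ident in identities:
        findings = {}
        sod = sod_violations(ident)
        lane = out_of_lane(ident)
        if sod:
            findings["sod"] = sod
        if lane:
            findings["out_of_lane"] = lane
        if findings:
            report[ident.user] = findings
    return report


# Constructed sample population.
SAMPLE_IDENTITIES = [
    Identity("nurse.a", {"research_nurse"}),
    # Nurse who picked up order-release rights directly in the EMR: out of lane.
    Identity("nurse.b", {"research_nurse"}, {"lab_order.release"}),
    # Physician legitimately writes and releases orders: no finding.
    Identity("dr.c", {"physician"}),
    # Billing admin also made a cashier: can falsify charges and pocket payments.
    Identity("bill.d", {"billing_admin", "cashier"}),
]

if __name__ == "__main__":
    for user, findings in certify(SAMPLE_IDENTITIES).items():
        print(user, findings)
```

In a real deployment the role map and direct grants would be pulled from the connected systems rather than hard-coded, and the report would feed an access-certification campaign rather than stdout.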

Provisioning automation

Too many healthcare organizations are still saddled with traditional, time-consuming manual processes when bringing in new employees (or contractors) and configuring their user access authorizations. In this case, HR typically sends a notice to various managers about who’s coming in, and what they’re allowed to do, and IT manually sets up provisioning. If the users’ roles change, then the authorizations require (manual) updating. If they leave the company, then their access rights must be removed (again, manually).

IGA eliminates these tedious inefficiencies by automating all provisioning – from onboarding-stage authorizations to promotions/role expansions to the end of a user’s association with the organization. The solutions do this for temporary hires too: If a contractor is only supposed to work on-site for three months, IGA will automatically grant allowable access for those three months, and shut it off when the job is done.

Ultimately, that’s what IGA is about – users getting their jobs done, without going beyond any authorized activity. Managers and IT teams are no longer stretched from silo to silo attempting to track who’s doing what, nor do they spin into a mad scramble come compliance-time to prove that they’re in good standing. Everything is “all there … in one place.” As a result, healthcare organizations boost efficiencies and save on operating costs while focusing more on what they do best: improving the lives of their patients.
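To make the two capabilities above concrete, here is an added illustration of how an IGA engine enforces SoD rules and automates joiner/mover/leaver provisioning, including a time-boxed contractor grant that lapses on its own. This is example code written for this article, not Merlin's product or any vendor's API; the role names, entitlements, SoD pairs and users are all constructed sample data, and the three-month contract is modelled as 90 days.

```python
"""
Minimal identity-governance engine (constructed example) modelling:
  * Segregation-of-Duty (SoD) rules that block toxic role combinations,
  * joiner / mover / leaver provisioning driven by role assignments,
  * time-boxed access for contractors that expires automatically,
  * an audit trail and a single-source entitlement report for auditors.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Role -> entitlements. Sample data; a real IGA catalog supplies this mapping.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "nurse": {"emr:read", "emr:write_vitals"},
    "physician": {"emr:read", "emr:write_orders", "emr:prescribe"},
    "billing": {"erp:claims_submit", "erp:claims_view"},
    "billing_approver": {"erp:claims_approve"},
    "contractor_analyst": {"erp:claims_view", "dropbox:read"},
}

# SoD rules: role pairs one person must never hold at the same time (constructed).
SOD_CONFLICTS: Set[frozenset] = {
    frozenset({"billing", "billing_approver"}),  # a submitter must not approve own claims
    frozenset({"nurse", "billing"}),             # clinical staff stay out of billing
}


@dataclass
class Assignment:
    role: str
    expires: Optional[date] = None  # None = open-ended employment


@dataclass
class Identity:
    user_id: str
    assignments: List[Assignment] = field(default_factory=list)


class SoDViolation(Exception):
    pass


class IGAEngine:
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        # (when, user, action, detail): the evidence an auditor asks for
        self.audit_log: List[Tuple[date, str, str, str]] = []

    def _log(self, when: date, user: str, action: str, detail: str) -> None:
        self.audit_log.append((when, user, action, detail))

    def active_roles(self, user_id: str, today: date) -> Set[str]:
        ident = self.identities.get(user_id)
        if ident is None:
            return set()
        return {a.role for a in ident.assignments if a.expires is None or a.expires >= today}

    def entitlements(self, user_id: str, today: date) -> Set[str]:
        ents: Set[str] = set()
        for role in self.active_roles(user_id, today):
            ents |= ROLE_ENTITLEMENTS.get(role, set())
        return ents

    def check_sod(self, roles: Set[str]) -> Optional[frozenset]:
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                return pair
        return None

    def grant(self, user_id: str, role: str, today: date, duration_days: Optional[int] = None) -> None:
        """Joiner/mover: assign a role, refusing any assignment that would create an SoD conflict."""
        ident = self.identities.setdefault(user_id, Identity(user_id))
        conflict = self.check_sod(self.active_roles(user_id, today) | {role})
        if conflict:
            self._log(today, user_id, "DENY", f"{role}: SoD conflict {sorted(conflict)}")
            raise SoDViolation(f"{user_id}: {role} conflicts with {sorted(conflict - {role})}")
        expires = today + timedelta(days=duration_days) if duration_days else None
        ident.assignments.append(Assignment(role, expires))
        self._log(today, user_id, "GRANT", f"{role} until {expires or 'open-ended'}")

    def revoke(self, user_id: str, role: str, today: date) -> None:
        """Mover: remove one role when a user's job changes."""
        ident = self.identities[user_id]
        ident.assignments = [a for a in ident.assignments if a.role != role]
        self._log(today, user_id, "REVOKE", role)

    def offboard(self, user_id: str, today: date) -> None:
        """Leaver: remove every role at the end of the association."""
        ident = self.identities[user_id]
        for a in ident.assignments:
            self._log(today, user_id, "REVOKE", a.role)
        ident.assignments = []

    def audit_report(self, today: date) -> Dict[str, Set[str]]:
        """Every user's live entitlements from one source, as the annual audit needs."""
        return {u: self.entitlements(u, today) for u in self.identities}


def demo() -> dict:
    """Walk a nurse, a contractor and a billing clerk through the lifecycle."""
    eng, d0, out = IGAEngine(), date(2024, 1, 8), {}
    eng.grant("nurse-01", "nurse", d0)  # joiner
    try:
        eng.grant("nurse-01", "billing", d0)  # toxic combination: must be denied
        out["nurse_billing_blocked"] = False
    except SoDViolation:
        out["nurse_billing_blocked"] = True
    eng.grant("ctr-07", "contractor_analyst", d0, duration_days=90)  # three-month contract
    out["ctr_day_89"] = sorted(eng.entitlements("ctr-07", d0 + timedelta(days=89)))
    out["ctr_day_91"] = sorted(eng.entitlements("ctr-07", d0 + timedelta(days=91)))
    eng.grant("bill-02", "billing", d0)
    eng.revoke("bill-02", "billing", d0 + timedelta(days=30))  # mover: promoted to approver
    eng.grant("bill-02", "billing_approver", d0 + timedelta(days=30))  # allowed once 'billing' is gone
    out["bill_day_30"] = sorted(eng.entitlements("bill-02", d0 + timedelta(days=30)))
    eng.offboard("nurse-01", d0 + timedelta(days=60))  # leaver
    out["nurse_after_offboard"] = sorted(eng.entitlements("nurse-01", d0 + timedelta(days=60)))
    out["audit_events"] = len(eng.audit_log)
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the engine never asks "who has this entitlement?" by reading each application; it derives live access from role assignments and their expiry dates, so the contractor's access disappears on day 91 without anyone filing a ticket, and the `DENY` entries in the audit log show the SoD rule working rather than merely existing on paper.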

Electronic Health Records: It’s the Data. Not the App.

Organizations get locked into vendors’ apps

In seeking ways to gather and analyze – and hopefully act upon – electronic health records (EHRs), organizations are following a familiar path: They assess their needs, and then hire a vendor to support them. At this point, they’re locked into the selected vendor’s app, in terms of how they input, review and analyze data.

However, we now live in an age in which data delivers endless possibilities; when we pursue information discovery and seek to make good decisions from the resulting, newly acquired knowledge, we are really only limited by our imaginations. That is why traditional, vendor-centric approaches are no longer relevant.

In other words, it’s about the data. Not the app. Given that the EHR market is expected to grow to $33.41 billion in value by 2025, according to a forecast from Grand View Research, the stakes are too high to cling to antiquated models.

The limitations of vendors’ apps

Let’s illustrate with a realistic scenario: A patient encounters blood pressure issues, even though he’s already taking medication for his condition, so a hospital doctor writes up a new prescription. Because it’s new, the doctor wants the patient to take daily blood pressure readings with an at-home monitor and report back. Steady information over a stretch of time, after all, provides more value than that observed during occasional office visits.

The data isn’t difficult to collect. The patient can do it on his own, and call it into the doctor’s office. But what if the existing vendor tool doesn’t allow for the inputting of daily blood pressure readings? What if it caps this inputting to, for instance, four readings a year? In this case, both the doctor and patient are stuck with what the vendor has to offer. Sure, the doctor can work through higher-ups at the hospital to see if the vendor would upgrade the app so it’s configured for daily blood pressure readings. But the vendor may have other upgrades they need to address first, putting new requests on the back burner for months or longer.

You can apply the same sort of scenario to a patient’s weight, heart rate, blood-sugar level, cigarette/alcohol usage or any one of a number of other components which lend insights into someone’s state of health. The information is ready and available. But if the solution isn’t configured to incorporate it into a data capture/analysis program, the information will end up in limbo.

Tailoring apps to organizations’ needs

So what’s the solution?

Again, it’s about the data. Or, more precisely, thinking “data first” and then app.

Organizations should initially consider what exactly they want to capture, whether it’s blood pressure readings, cancer screenings, cholesterol checks, smoking cessation success rates, etc. Then they can figure out what kind of app will work best. Tech innovation is driving swifter and greater adoption of agile practices. IT departments are now positioned to more readily and easily develop (or pay to have developed) mini-apps to perform specialized functions – further rendering obsolete the monolithic, rigid, “our way or no way” mega-vendor tools.

All that’s required is a secured, indexable database. With this, organizations and users input whatever they wish into the database, and then build mini-apps accordingly so teams create chart visualizations, analytics tools, treatment plans, etc.

Problems with the traditional model

To cite another scenario, let’s say that same hospital doctor from before would like to know if her patients were picking up their prescriptions in a timely manner. Obviously, her local drug stores would have to compile and report this information to her. They could even work together to set up an alert notification system should patients fail to pick up their prescriptions within two weeks. Sounds simple, right?

Not if we’re still talking about the traditional model: The doctor might tell the vendor what she plans to do, and the vendor could respond that their product isn’t configured for data related to prescription pickups. Further complicating things, the app may need to work with multiple reporting systems used by the various drugstore companies, with no way to determine compatibility in advance. Setting up a workable solution might take a year – or longer.

The modern approach

But through a modern, agile approach, the doctor simply comes up with a data collection/notification alert plan with the drug stores, has IT construct a secure, indexable database, and then design (or, again, hire someone to design) a mini-app to monitor prescription transactions, send alerts for late pickups and otherwise enable the doctor and her team to analyze various patterns within.

Or take another example: two or more unrelated entities (say, a pharmacy, a diagnostics lab and a hospital) are all trying to get data into the same EHR. Because they don’t share the same EHR for the same patient (and they don’t), they can’t do it directly. With a standard data-based health model, they could throw transactions into the same pot to be discovered by relevant applications later.
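The "secured, indexable database first, mini-apps second" model described over the last few sections can be shown in a small amount of code. The following is an added example, not code from the article or from any EHR vendor: one indexed table that hospital, pharmacy, lab and patient all write into, with the daily blood-pressure series, the late-pickup alert and the cross-source timeline each reduced to a query. The table layout, the record kinds and every sample record are constructed for the illustration; the 14-day pickup window is the one the text uses.

```python
"""
'Data first' store (constructed example). Every source writes typed records
into one indexed table; each 'mini-app' is a query over that table, so adding
a new measurement or alert never waits on a vendor release.
"""
import json
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE IF NOT EXISTS records (
    id          INTEGER PRIMARY KEY,
    patient_id  TEXT NOT NULL,
    source      TEXT NOT NULL,   -- who wrote it: hospital, pharmacy, lab, patient
    kind        TEXT NOT NULL,   -- bp_reading, rx_issued, rx_pickup, lab_result, ...
    ref         TEXT,            -- optional correlation key (e.g. prescription id)
    observed_at TEXT NOT NULL,   -- ISO-8601 date; sorts and compares lexically
    payload     TEXT NOT NULL    -- JSON; its shape belongs to the mini-app, not the store
);
CREATE INDEX IF NOT EXISTS ix_patient_kind_time ON records (patient_id, kind, observed_at);
CREATE INDEX IF NOT EXISTS ix_kind_ref ON records (kind, ref);
"""


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def put(conn, patient_id, source, kind, observed_at: date, payload: dict, ref=None) -> None:
    """Any source appends a record; parameterised SQL keeps user data out of the query text."""
    conn.execute(
        "INSERT INTO records (patient_id, source, kind, ref, observed_at, payload) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (patient_id, source, kind, ref, observed_at.isoformat(), json.dumps(payload)),
    )
    conn.commit()


# Mini-app 1: the daily blood-pressure series. No cap on how many readings a year.
def bp_series(conn, patient_id: str, since: date):
    rows = conn.execute(
        "SELECT observed_at, payload FROM records "
        "WHERE patient_id = ? AND kind = 'bp_reading' AND observed_at >= ? "
        "ORDER BY observed_at",
        (patient_id, since.isoformat()),
    ).fetchall()
    return [(ts, json.loads(p)["systolic"], json.loads(p)["diastolic"]) for ts, p in rows]


# Mini-app 2: alert on prescriptions with no pharmacy pickup inside the window.
def late_pickups(conn, today: date, window_days: int = 14):
    cutoff = (today - timedelta(days=window_days)).isoformat()
    return conn.execute(
        "SELECT i.patient_id, i.ref, i.observed_at FROM records i "
        "LEFT JOIN records p ON p.kind = 'rx_pickup' AND p.ref = i.ref "
        "WHERE i.kind = 'rx_issued' AND i.observed_at <= ? AND p.id IS NULL "
        "ORDER BY i.observed_at",
        (cutoff,),
    ).fetchall()


# Mini-app 3: one patient timeline assembled from every contributing source.
def timeline(conn, patient_id: str):
    return conn.execute(
        "SELECT observed_at, source, kind FROM records WHERE patient_id = ? ORDER BY observed_at, id",
        (patient_id,),
    ).fetchall()


def demo() -> dict:
    """Load constructed sample data and run the three mini-apps over it."""
    conn, today = open_store(), date(2024, 3, 1)
    for d in range(30):  # 30 days of home readings, trending down on the new drug
        put(conn, "p-001", "patient", "bp_reading", today - timedelta(days=29 - d),
            {"systolic": 140 - d // 3, "diastolic": 90 - d // 5})
    put(conn, "p-001", "hospital", "rx_issued", today - timedelta(days=20), {"drug": "lisinopril"}, ref="rx-1")
    put(conn, "p-001", "pharmacy", "rx_pickup", today - timedelta(days=18), {}, ref="rx-1")
    put(conn, "p-001", "hospital", "rx_issued", today - timedelta(days=16), {"drug": "amlodipine"}, ref="rx-2")
    put(conn, "p-001", "lab", "lab_result", today - timedelta(days=5), {"ldl_mg_dl": 120})
    series = bp_series(conn, "p-001", today - timedelta(days=6))
    return {
        "bp_last_week": len(series),
        "bp_latest_systolic": series[-1][1],
        "late": late_pickups(conn, today),
        "sources": sorted({src for _, src, _ in timeline(conn, "p-001")}),
    }


if __name__ == "__main__":
    print(demo())
```

Two things follow from keeping the store generic: the pharmacy's pickup records and the hospital's prescriptions land in the same table without either party using the other's EHR, and a new requirement (say, weight or blood-sugar readings) is a new `kind` value plus a query, not a vendor change request.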

A data-first strategy

The upshot: For too many years, organizations dependent upon EHRs have resigned themselves to an “If we build it, you will come” arrangement with their vendors, i.e., the vendor builds the tool, and organizations buy in and adjust to its quirks and limitations. And being that other hands-on health care priorities often take precedence, who could blame them?

But today, those same organizations can advocate for a “Let the data come first, and then we’ll build it …” strategy. By determining the intent of their discovery initiatives and data models, they compel COTS vendors and open-source developers to build functionality around them. The market then provides a better solution, and healthcare organizations (HCOs) end up with information that is more comprehensive, immediate, insightful and actionable – empowering them as more effective healthcare practitioners and better “custodians” of EHRs.

What Healthcare Organizations Should Consider Before Migrating to the Cloud

Limited cloud adoption

On the surface, findings from Healthcare Information and Management Systems Society (HIMSS) research convey a sense that healthcare organizations are universally embracing the cloud. According to the study, an estimated 84 percent currently use cloud services.

But dig a little deeper and you discover that adoption is limited, especially for critical functions related to electronic medical records (EMRs) and enterprise resource planning (ERP). Only 34 percent of healthcare organizations have migrated clinical applications and data to the cloud, and just 32 percent use the cloud for archived data and Health Information Exchange needs. In addition, less than one-quarter are turning to the cloud for back office apps and data.

Key considerations before migrating

In my interactions with industry executives, many say they’re testing the waters, with email, file storage and the like. Even so, they’re reluctant to wholly replace in-house data centers with public cloud versions. Use of EMR, ERP and analytics vendor hosting is popular, however. But this should generally be considered as private cloud hosting in a geographically separate data center.

Yet, given the vast and often-reported benefits of the cloud – including the improvement of workflows through greater flexibility, collaboration, efficiency, rapid scalability, and productivity – many of these same executives are seeing advantages in an increased presence. In determining whether the cloud is right for an organization, I stress four key considerations:

1. Security remains the greatest concern

Indeed, security ranked #1 among adoption barriers in the HIMSS study, as cited by 54 percent of study participants. While the sentiment is understandable, I believe the issue is somewhat overblown. Cloud vendors have more security measures in place, with more infrastructure and power. If breaches do occur, they’re usually the result of employees not adopting proper guidelines and security best practices. In my experience, following a reputable cloud vendor’s rules will keep you as or even more protected than would keeping everything on-premise.

2. Network reliability can be uncertain

If you use a private host for your network, you likely have strong datacenter redundancy for maximum uptime. But if you’re running your network on a public cloud, you’re entirely dependent upon the internet. If your internet connection goes down, you will lose access to business-critical resources until connectivity is restored. That’s a big gamble. You could reduce risk by paying for two or three regional internet services – but this may prove too costly for some organizations. And for those in rural areas, it’s not even feasible.

3. Speaking of costs…

If you’re planning to store massive volumes of data in the cloud, you’re looking at a hefty monthly bill – one that will typically exceed what you’d pay with an on-premise datacenter. That said, if you have a large amount of infrastructure which has to be replaced, it could make sense. You eliminate the “short-term pain” of a huge capital investment by rolling it into a monthly, operational expense. For some organizations, this approach may be more fiscally realistic.

4. “So what if we simply ‘dip our toes’ into the waters with a hybrid model?”

This comes up in my conversations all the time. Healthcare executives want to put “safe” data assets in the public cloud, and keep more sensitive/mission-critical ones closer at hand. However, hybrid models elevate the complexities of ID management. If you extend the network over a combination of on-premise, private hosted, private cloud and/or public cloud options, you create ID management issues which could result in operations disruptions and potential employee backlash over the inability to access the data, files and apps that they need to do their jobs. HIPAA data access logging and auditing become a larger and more diverse challenge.

Currently, there are few tools available which would help IT teams resolve these problems. We have experience at Merlin with a very powerful tool that provides a single “pane of glass” to manage identities across all environments and many key applications regardless of where they are hosted.

Weighing the pros and cons

As you can see, deciding whether to migrate significant IT functions to the cloud isn’t a “one size fits all” proposition. You must measure the pros and cons based upon your organization’s size, location, industry niche and other relevant factors, while also assessing the various comfort levels with any changes the cloud may bring. Finally, calculate the expected ROI and compare it against the financial impact of not making the switch.

In other words, cloud migration is as much a business proposition as it is a “tech thing.” Proceed accordingly.