Rigorous Change Management and Vendor Management in Healthcare

In light of recent outages, let’s go back to basics and reexamine best practices for change management and vendor management in healthcare. 

Healthcare Change Management Discussion 

An appropriate change management program is one of the pillars of maintaining a robust, resilient, and secure IT environment in healthcare. This program should be governed by a team of multi-disciplined professionals who can ascertain and scrutinize the impact of changes being introduced into the healthcare production environment. What do we mean by “changes”? Anything being added, subtracted, or altered in the production IT environment is a change. The smallest faulty change to this environment can have a huge negative impact. This is a big challenge since a medium-sized hospital can run hundreds of applications and maintain hundreds of servers and the cybersecurity infrastructure needed to support this environment. What can go wrong? For instance, a cybersecurity vendor updating their software on your network with a faulty update that touches all of your computing devices. This scenario can bring your entire healthcare organization down.  Changes to the environment, with such a broad reach and high risk, should be extensively scrutinized.  

Change Management Considerations 

• Have a change calendar for visibility for the entire organization 

• Communicate change activities to departments affected by awareness 

• Governance by a diverse team with a 360-degree view to scrutinize the impact 

• Only one change entered into the environment at a time 

• Testing plan with acceptance criteria for the change 

• Cybersecurity review of the change 

• Post-change monitoring of the environment for impact 

• Have an emergency change process 

• For Vendor changes, impose all of the above also  

Vendor Management Discussion  

Best practice would dictate taking control of your vendors and imposing cybersecurity and technical standards.  Ideally, healthcare entities would author a document describing acceptable standards for vendors to meet in order to do business together.  After all, you’re putting their software into your critical, highly sensitive, government-regulated environment. Hospitals are not testing sites for software updates or unproven products.  Typically, hospitals have rigorous change management programs internally, that scrutinize everything they are entering into their production IT environment.  The same standards should be extended to vendors.   

Because hospitals are strapped for resources, it would be hard for hospitals to test every vendor's update within their own environment.  However, this is a fundamental breach of good quality practices with checks and balances.  It’s a cavalier trust of these major vendors. When entering into purchasing agreements with hardware/software vendors, hospitals should be able to dictate a level of quality control that is entered into by the vendor.  Testing and validation should be included, and proof of this should be provided by the vendor, PRIOR TO DEPLOYMENT OF UPDATES AND PATCHES to hospital infrastructure.  Oftentimes, updates and patches are critical and meant to fix major vulnerabilities, hence the expedience.  The challenge here is finding a balance between the immediacy of the fix and the quality. 

 Vendor Management Considerations 

• Automate your vendor interactions with a risk management tool 

• Document criteria for doing business with vendors 

• Have rigorous standards, such as required testing plans 

• Insist your vendors test their products with other products in your environment 

• Setup your own in-house testing lab, use automated tools 

• Include critical vendors in your disaster recovery plan 

Paul J. Caracciolo is the Executive Vice President of CSI Companies' Cybersecurity, Risk, and AI Management practice.  Our practice uses automated risk and Cybersecurity compliance tools to get hospitals in a posture of real-time management of their environments.  Our offerings have a large impact relating to very clear ROI and cost savings in these applications.  An added benefit is that we enable organizations to take a proactive approach to managing risk and security instead of being in a firefighting, reactive, and outdated periodic audit mode. Paul can be reached at pcaracciolo@csicompanies.com.