Information technology outsourcing has over the last several decades experienced substantial growth to become a basic strategy employed by many organizations across the world, with academics and industry suggesting that this growth is bound to be prolonged and maintained in the near future (Abu-Musa, 2011).
These authors further posit that IT related activities, which were once executed almost exclusively in-house by most organizations, are now regularly outsourced or off-shored to dedicated vendors.
But as observed by Goodman & Ramer (2007), outsourcing or offshoring of IT services inflates the potential for organizations to be exposed to a number of system vulnerabilities, mainly due to the intimate connections with network systems.
This paper purposes to not only describe how Northern Arizona Healthcare hospital chain has outsourced an intrusion detection system (IDS) to prevent such system vulnerabilities on critical patient health information, but also to outline some potential advantages and disadvantages of outsourcing this component.
According to Schoberle (2007) personal health information (PHI) privacy and security concerns should be central to any health organization as the health data is perceived as one of the most private facets of life for many people.
To secure such data, therefore, effective IDS can prove to be an invaluable tool because it would have the capacity to perform early detection of malicious activity and probably thwart more serious attacks to the protected site (Barnes, n.d.).
In this regard, the Northern Arizona Healthcare hospital chain has outsourced IDS from Perot Systems to assist in the process of analyzing logs to determine system vulnerabilities, auditing and prevent intrusion (Brenner, 2005; Bezroukov, 2011).
The IDS can be said to form the third layer of the physical security of the health organization outsourced from a third party (Perot Systems) with a view to manage, monitor, and respond to physical security alerts through systematic and coordinated analysis of system logs to detect system and network vulnerabilities.
The IDS in Northern Arizona Healthcare is basically composed of three components, which include sensors, analyzers, and the user interface (Brenner, 2005). While the sensors are charged with the responsibility of gathering data or evidence of an intrusion, the analyzers are responsible for receiving input from the sensors and determining if an intrusion has really occurred.
Indeed, it is the analyzers that provide direction on what actions the Managed Security Service Provider (Perot Systems) should take as a consequence of the intrusion. Lastly, the user interface to IDS allows the analysts to observe output from the network system or manage the behavior noted in the system (Brenner, 2005; Ya-Yueh, 2011).
Although the IDS does not prevent malicious actions or network threats, it has been instrumental in assisting the health organization get early warning signs of a malicious attack or misuse, thus enabling the Managed Security Service Provider to not only alter installations defensive posture to enhance resistance to attack, but also confirm secure configurations and operation of other security features such as firewalls (Ya-Yueh, 2011).
Consequently, intrusions and attacks on the organization’s patient health information database have been reduced.
Available literature demonstrates that there exist many advantages and several disadvantages of outsourcing IDS to enhance security for sensitive patient information.
One of the main advantages of outsourcing IDS to a Managed Security Service Provider, According to Fitzparick (2008), “…is that security should be the MSSP’s key business function; thus, they should focus their resources on the current security technologies, strategies, education and personnel while monitoring the internet for the latest vulnerabilities and threats” (p. 14-15).
Outsourcing not only ensures that the health organization is able to create competitiveness through focusing on core activities and engaging in cost and efficiency savings, but it increases productivity, enhances operational control, and facilitates staffing flexibility (Abu-Musa, 2011 ).
As already mentioned, outsourcing information security has its own downsides. Fitzparick (2008) argues that as the responsibility for intrusion detection shifts to the third party service provider, “…the client loses experience, knowledge, and skills that are gained by investigating security events; technical skills are dulled as the internal team relies on the knowledge of the MSSP analyst” (p. 17).
Second, the service provider may not have the capacity to understand their client’s security requirements, thereby occasioning a situation that will see the client receive very generic service from the provider.
Outsourcing also increases the potential for possible attacks and other system vulnerabilities by elongating “communication channels and increasing the number of organizations and computer networks that touch the data” (Goodman & Ramer, 2007, p. 812). Lastly, it is expensive to outsource IDS.
To conclude, it is indeed true that ensuring the security and safety of patient health information should be a foremost responsibility for any health organization (Schoberle, 2007).
This paper has discussed how such information could be secured through outsourcing intrusion detection and prevention components, and the pros and cons associated with such outsourcing. The onus, therefore, should be for individual health organizations to decide how best they could protect sensitive patient health information – and outsourcing IDS represent one of the many possibilities.
Reference List
Abu-Musa, A.A. (2011). Exploring information systems/technology outsourcing in Saudi organizations: An empirical study. Journal of Accounting Business & Management, 18(2), 17-73. Retrieved from Business Source Premier Database.
Barnes, J. (n.d.). Intrusion detection systems in hospitals: What, why, and where. Web.
Bezroukov, N. (2011). Syslog analyzers. Web.
Brenner, B. (2005). Report: IT shops lax about logging. Web.
Fitzparick, V. (2008). Intrusion detection and prevention: In-sourced or out-sourced. SANS Institute.
Goodman, S.E., & Ramer, R. (2007). Global sourcing of IT services and information security: Prudence before playing. Communications of AIS, 20(2), 812-823. Retrieved from Business Source Premier Database.
Schoberle, C. (2007). Personal health information: Privacy and security considerations in outsourcing and offshoring decisions. Web.
Ya-Yueh, S. (2011). Effects of the outsourcing of information systems on user satisfaction: An empirical study at Taiwanese hospitals. International Journal of Management, 28(1), 127-138. Retrieved from Business Source Premier Database.