IT governance and monitoring of operational and legal risks in hospitals Mr. William Grollier, IT Systems & Security Officer, CHU (University Hospital Center) - Nice, France.

William Grollier - CHU Nice - IT Governance in hospitals


Page 1: William Grollier - CHU Nice - IT Governance in hospitals

IT governance and monitoring of operational and legal risks in hospitals

Mr. William Grollier,

IT Systems & Security Officer,

CHU (University Hospital Center) - Nice, France.

Page 2

Agenda

CHU-Nice in a nutshell

IT governance and risks management principles

IT governance monitoring initiatives @ work

Solution benefits

Deployment phases and next steps

Page 3: Agenda (next section: CHU-Nice in a nutshell)

Page 4

Nice CHU in a nutshell

22 departments

5 hospitals

1,700 beds

~60,000 patients hospitalized per year, ~180,000 visits per year

8,000 employees

240 servers and 3,700 workstations running 100 healthcare applications

Page 5: Agenda (next section: IT governance and risks management principles)

Page 6

Founding principles behind IT governance and risks management

Legal

• The legal risk is the consequence of operational risk

Operational

• The operational risk is more and more induced by IT risks

IT

• IT risks strongly relate to:

• The availability and the performance of IT systems

• The integrity and the confidentiality of data

• The compliance with IT standards and policies

Page 7

IT Risk

• Poorly managed H/W, S/W infrastructure

• Weak protection and non compliant behaviors

• Heterogeneity of HC applications

• HC IT services unavailability

Ops Risk

• Services interoperability

• Diagnostic reliability

• Data corruption and leakage

• Procedures Efficiency

Legal Risk

• Legal obligations

• Hospital Authority responsibilities

• Financial impact

Page 8

Poorly managed H/W S/W infrastructure

• Waste of time

• Complexity

• Disruption due to unwanted applications

• Non interoperability

• Poor QoS

• Poor ROI of existing infrastructure

• Additional management costs

Requirement: continuously monitor the PC standardization compliance

Columns on the slide: IT impact / Operational impact / Management impact

Page 9

Weak protection and non compliant behaviors

IT impact

• Disruption

• Time wasted

• Repair cost

Operational impact

• Data: corrupted, lost, or cannot be accessed or updated

• Information leakage

Management impact

• Penal impact

• Reputation

• Financial loss

Requirement: continuously monitor the security policy compliance

Page 10

Heterogeneity of the HC applications

IT impact

• Expensive maintenance

• Application malfunctioning

• QoS degradation

Operational impact

• Non interoperable versions

• Data corruption

• Wrong diagnostics

Management impact

• Penal responsibility

• Reputation

• Cost and poor ROI

Requirement: continuously monitor the HC applications compliance level

Page 11

HC IT service unavailability

IT impact

• Malfunctioning applications

• Poor availability and performance

• Saturated bandwidth

Operational impact

• Data unavailable

• Inaccessible images

• Corrupted diagnostic

• Systems inefficiency

Management impact

• Penal consequences

• Reputation

• Poor ROI

Requirement: continuously monitor the Quality of Service and users impact

Page 12

Approach

90% of incidents have an internal origin

20% of basic good practices resolve 80% of the problems

Security and QoS are a matter of proper governance, competences and taking control rather than a matter of means

Page 13: Agenda (next section: IT governance monitoring initiatives @ work)

Page 14

IT governance monitoring @ work

PC standardization compliance

Security policy effectiveness

HC applications compliance level

Quality of Service and user support

Pages 15-18

Well managed H/W S/W infrastructure

PC standardization compliance monitoring

Pages 19-21

Strong protection and compliant behaviors

Security policy compliance and effectiveness monitoring

Page 22

Shared or stolen user code identification (1/3)

Security policy compliance and effectiveness monitoring

Page 23

User codes connected on several machines over a period of 30 minutes (2/3)

Security policy compliance and effectiveness monitoring

Page 24

User codes connected simultaneously on several machines (3/3)

Security policy compliance and effectiveness monitoring

Pages 25-29

HC IT services availability

Quality of Service monitoring

Page 30

HC IT Services Support

Page 31

Dynamic workstation monitoring: troubleshooting (1/3)

Page 32

Dynamic workstation monitoring: troubleshooting (2/3)

Page 33

Dynamic workstation monitoring: troubleshooting (3/3)

Program installed at 6:00 AM - New binary detected

Page 34

Suspicious exe searches - query

Page 35

Identified binaries executed over a period of time (retrieve hash codes from library)

Page 36

Comparing binaries' signatures using the NEXThink library

Page 37

Detection of system32.exe, version 0.0.0.0, run from a USB drive
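Slides 33 to 37 walk through a binary triage: notice a newly seen executable, look up its hash in the library of known binaries, and treat a file with a system-like name, an empty version (0.0.0.0) or a removable-media path as suspicious. The Python below is an added example, not the deck's or NEXThink's code; the library, hashes and execution records are constructed placeholders.

```python
import hashlib
from pathlib import PureWindowsPath

def _h(data: bytes) -> str:
    """SHA-256 of placeholder bytes; stands in for a real file hash."""
    return hashlib.sha256(data).hexdigest()

# Constructed library of known-good binaries keyed by hash (placeholders,
# not real hashes of these programs).
KNOWN_HASHES = {
    _h(b"placeholder:notepad.exe"): "notepad.exe",
    _h(b"placeholder:his-client.exe"): "his-client.exe",
}

# Names that mimic Windows system components (system32.exe is the case on
# the slide); one of these outside the Windows directory deserves a look.
SYSTEM_LIKE_NAMES = {"system32.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

# Constructed execution records: (path, sha256, file version, drive type)
EXECUTIONS = [
    (r"C:\Windows\notepad.exe", _h(b"placeholder:notepad.exe"), "10.0.19041.1", "fixed"),
    (r"C:\Program Files\HIS\his-client.exe", _h(b"placeholder:his-client.exe"), "4.2.1.0", "fixed"),
    (r"E:\system32.exe", _h(b"placeholder:unknown-1"), "0.0.0.0", "removable"),
    (r"C:\Users\pub\Downloads\tool.exe", _h(b"placeholder:unknown-2"), "1.0.0.0", "fixed"),
]

def triage(executions, known=KNOWN_HASHES):
    """Return {path: [reasons]} for executions worth investigating."""
    findings = {}
    for path, digest, version, drive in executions:
        reasons = []
        name = PureWindowsPath(path).name.lower()
        if digest not in known:
            reasons.append("hash not in library (new binary)")
        if version == "0.0.0.0":
            reasons.append("no version information")
        if drive == "removable":
            reasons.append("run from removable media")
        in_windows_dir = path.lower().startswith("c:\\windows\\")
        if name in SYSTEM_LIKE_NAMES and not in_windows_dir:
            reasons.append("system-like name outside the Windows directory")
        if reasons:
            findings[path] = reasons
    return findings
```

A binary that trips several reasons at once, like the system32.exe case on the slide, is the one to pull first; a single unknown hash is usually just an unapproved but benign install.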

Page 38

Monitoring IT risks governance drastically reduces ops and legal risks

Legal

• The legal risk is the consequence of operational risk

Operational

• The operational risk is more and more induced by IT risk

IT risks

• Availability and the performance of IT systems

• Integrity and the confidentiality of data

• Compliance with IT standards and policy

Page 39

HC IT Services Governance Life Cycle

• Risk Detection and Security Compliance

• World class Quality of Service and Support

• Cost effective HC infrastructure maintenance

Assess gap against target and plan action

Execute and monitor progress to reach target

Monitor to maintain on target

Page 40: Agenda (next section: Solution benefits)

Page 41

Solution benefits

IT

Cost of ownership: super fast deployment, lightweight, zero coding

Non intrusive, zero infrastructure performance impact

360° IT governance in one unified environment

On Demand diagnosis

OOTB, Investigation, Reporting, Alerting, Library

Extensible to backend monitoring solutions

Operations and Management

G.R.C.: desktop configuration and usage compliance

World class support / user satisfaction

360° view over the QoS / impact analyses in real time

Financial: infrastructure rationalization based on real usage

Consistent PMSI repo*

* http://fr.wikipedia.org/wiki/Programme_de_m%C3%A9dicalisation_des_syst%C3%A8mes_d%27information

Page 42: Agenda (next section: Deployment phases and next steps)

Page 43

Project phases

End point Assessment Baseline (evaluation)

Installation and deployment: 1 day

Information collection: 3 weeks, with no work required in the meantime

Configuration: 2 days

Full deployment

New dashboards creation and deployment

Reporting and alerting

NEXT Steps

New dashboards, reports, alerts

Integration to backend monitoring platforms to enable end-to-end monitoring

Page 44

Thank you!

Contact:

Francois D’Haegeleer

[email protected]

+33 6 14 10 04 91