9.3 RESOURCES NEEDED


Preparing budgets and cost justification documentation may be something that takes the typical IT person outside of his or her comfort zone. However, it is important that this be handled properly and in a way that senior management can understand; otherwise, critical projects may not be approved, or they may be re-designed by others to trim costs. So, the first step in this process is to make sure you have the appropriate resources lined up to give you the information you need to properly frame your cost justifications.

9.3.1 Engage Business Units

HIPAA compliance is an effort that involves every part of your organization. In the process of devising the plans for getting you there, representatives from all elements of the organization participated and helped to align these plans with business processes such that the solution not only made security sense, but did not impose undue hurdles on business operations. Such a partnership between the security needs of the organization and the business needs of the organization was critical for the plans to have the support of all elements of the organization. The alternative is a set of solutions that are imposed and owned by the security arm of the IT organization; a formula that is sure to fail under any circumstances.

This partnership is equally critical in the development of the budget proposal. Good cost justifications will require a good understanding of how a particular project will benefit the business unit(s) for which it was intended. So the resources that assisted in the development of HIPAA compliance planning will be very helpful resources in the budget proposal process as well. Being able to demonstrate the business side of the justification will put much more weight behind your cost justifications than expounding on the technical merits of a plan. A solution that streamlines or integrates well with business processes will oftentimes have the effect of producing efficiencies that can translate to cost savings. In an environment where HIPAA mandates may be seen as an undue burden or imposition, any cost savings that can be realized by the application of a well-planned project will be more readily accepted.

To recap, seeking the assistance of business units in your organization is always a good idea. Some of the information you will want to gather from them is as follows:

  • Understand how the business units involved in a project operate

  • Understand how the implementation of the plan affects the business units

  • Find out what, if any, efficiencies the business unit expects to gain as a result of implementing the plan

9.3.2 Look to the Risk Analysis Results

The risk analysis process will take a pretty detailed look at the organization. This should yield a wealth of information that you can use in building your budget proposal. Some of the key pieces of information you can get from the risk analysis are as follows:

  • A view of what is most critical in the organization

  • An understanding of what is most vulnerable and how

  • The basis for the remediation plans that are to be put together

This information will help you prioritize and understand the problems that need to be addressed to achieve compliance. Your ability to articulate your cost justifications effectively will be greater with a clear understanding of what is critical to the organization and what exposures could have the greatest impact on your critical information assets. A properly conducted risk analysis will engage all the business units, and what emerges from that effort is a holistic view of the enterprise. What this means is that criticality is determined on the basis of business need and not so much on technical perspectives. These are the points that should be firmly established as you gather the information you will use to build the budget proposal.

An example of this could be that the compliance plan might call for a smart card authentication system to be used in conjunction with single sign-on capability at the nurse's station. The risk assessment clearly pointed to the nurse's station as a point of high vulnerability with respect to the potential for inadvertent exposure of protected health information. On a technical level, we could base our justification on a technology that provides a higher degree of security than static passwords, and when used in conjunction with single sign-on, authentication to applications is assured, as is the identity of the user. Accordingly, this solution will resolve several HIPAA compliance issues.

However, looking at this same situation from the perspective of business operations, we can make our case in a slightly different way which may make better sense to the levels of management that would have to approve this expenditure. For instance, the nurse's station is vulnerable because it is a place of high traffic volume, and the nurses that work there are often in a hurry to access patient information or enter information into patient records. Currently, to improve the efficiency of the operation of the nurse's station, a nurse will log on to a terminal and leave the session open for others to access in a hurry. While the station runs more efficiently this way, from a HIPAA perspective there are clearly problems with this arrangement. One instance of an inadvertent leakage of PHI could expose the organization to stiff legal penalties and litigation fees.

To address this issue, two alternatives can be considered: imposing terminal session time-outs with strict enforcement of a unique user logon policy, or implementing a smart-card system which can greatly speed the authentication process and can securely end a session upon removal of the card. The first alternative would quickly create problems; nurses that need to perform their duties will find ways around these controls. Those that get caught violating policy may face disciplinary action or termination, which burdens the organization with the further costs of hiring replacements and training them. The smart-card solution improves efficiency and gets the station to operate in a compliant manner. It is also more likely to gain acceptance among the nursing staff that would ultimately use the system.

In this scenario, you can see how the risk analysis produced some important information regarding a critical weak point that needed remediation. Our remediation plan proposed several ways of dealing with this issue, and using the business-oriented approach, we were able to frame our justification argument in the context of the business operation being impacted rather than the technical merits of the technology. However, budgeting a plan is about articulating costs and how those costs will impact the organization over a period of time. We will be focusing on calculating costs and using cost figures in your justification statements shortly. For now, the discussion will continue to focus on getting the right resources to put a meaningful budget proposal together.

9.3.3 Understand the Organizational Financial Data

No organization can claim to have unlimited resources at its disposal to fund projects, even if they are important to the organization and justifiable. For this reason, it is important to have an understanding of what the spending limits might be for a given organization. This is not to say that a project which exceeds the limits you perceive should be discarded; if a valid justification exists and the numbers back it up, management can find ways to get the funding. However, in general, having an idea of what the reasonable spending constraints might be is a good practice and can be a tool with which to gauge whether or not your proposal is in line.

One technique would be to dig up documentation on any similar projects your organization has engaged in previously, such as Y2K budgets or projects. Obviously, if a project of similar scope was approved in the past, at the very minimum it can yield some good information on how the cost justifications were presented, what documentation was actually submitted to upper management in the approval process, and what kind of funding levels management might be used to seeing for such projects. On the other hand, try to avoid using such documentation as a template. Depending upon the nature of the project and how long ago the project was executed, management's perspective may have shifted or the strategic course of the organization may have changed. Every project will be different, so use existing documentation as a tool rather than a template.

Looking through some of the financial performance documents for a given department or business unit may be of value as well. This can help you identify trends in performance that the plan may impact in some way, and assist in understanding the resources that might be available. Two issues can arise from this strategy, however. Some business units may be reluctant to divulge such detailed operating information for a variety of reasons, and for those that do not come from financial backgrounds, understanding detailed financial reporting may be somewhat of a challenge. In either case, be prepared to deal with these issues if they should arise. With respect to accessing detailed departmental operating information, this may be a task best handled by management. Asking for specific information rather than the whole report might be a more productive approach if you sense reluctance. This might also be a good time to get to know the business analysts in your organization. A good business analyst can do amazing things with numbers, and if your accounting skills are dated, you will likely get better results in a timelier manner this way.


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181