William Grollier - CHU Nice - IT Governance in hospitals

Post on 20-Aug-2015

Transcript of William Grollier - CHU Nice - IT Governance in hospitals

IT governance and monitoring of operational and legal risks in hospitals

Mr. William Grollier,

IT Systems & Security Officer,

CHU (University Hospital Center) - Nice, France.

Agenda

CHU-Nice in a nutshell

IT governance and risks management principles

IT governance monitoring initiatives @ work

Solution benefits

Deployment phases and next steps

Nice CHU in a nutshell

• 22 departments
• 5 hospitals
• 1,700 beds
• ~60,000 patients hospitalized per year, ~180,000 visits per year
• 8,000 employees
• 240 servers and 3,700 workstations running 100 healthcare applications

Founding principles behind IT governance and risks management

Legal
• The legal risk is the consequence of operational risk

Operational
• The operational risk is more and more induced by IT risks

IT
• IT risks strongly relate to:
  • The availability and the performance of IT systems
  • The integrity and the confidentiality of data
  • The compliance with IT standards and policies

IT Risk
• Poorly managed H/W, S/W infrastructure
• Weak protection and non compliant behaviors
• Heterogeneity of HC applications
• HC IT services unavailability

Ops Risk
• Services interoperability
• Diagnostic reliability
• Data corruption and leakage
• Procedures efficiency

Legal Risk
• Legal obligations
• Hospital Authority responsibilities
• Financial impact

Poorly managed H/W S/W infrastructure

IT impact
• Waste of time
• Complexity
• Disruption due to unwanted applications

Operational impact
• Non interoperability
• Poor QoS

Management impact
• Poor ROI of existing infrastructure
• Additional management costs

Requirement: continuously monitor the PC standardization compliance

Weak protection and non compliant behaviors

IT impact
• Disruption
• Time wasted
• Repair cost

Operational impact
• Data corrupted, lost, or unable to be accessed or updated
• Information leakage

Management impact
• Penal impact
• Reputation
• Financial loss

Requirement: continuously monitor the security policy compliance

Heterogeneity of the HC applications

IT impact
• Expensive maintenance
• Application malfunctioning
• QoS degradation

Operational impact
• Non interoperable versions
• Data corruption
• Wrong diagnostics

Management impact
• Penal responsibility
• Reputation
• Cost and poor ROI

Requirement: continuously monitor the HC applications compliance level

HC IT service unavailability

IT impact
• Malfunctioning applications
• Poor availability and performance
• Saturated bandwidth

Operational impact
• Data unavailable
• Inaccessible images
• Corrupted diagnostic
• Systems inefficiency

Management impact
• Penal consequences
• Reputation
• Poor ROI

Requirement: continuously monitor the Quality of Service and users impact

Approach

• 90% of incidents have internal origin
• 20% of basic good practices resolve 80% of the problems
• Security and QoS are a matter of proper governance, competences and taking control rather than a matter of means

IT governance monitoring @ work

PC standardization compliance

Security policy effectiveness

HC applications compliance level

Quality of Service and user support

Well managed H/W S/W infrastructure

PC standardization compliance monitoring

Strong protection and compliant behaviors

Security policy compliance and effectiveness monitoring

Security policy compliance and effectiveness monitoring

• Shared or stolen user code identification (1/3)
• User codes connected on several machines over a period of 30 minutes (2/3)
• User codes connected simultaneously on several machines (3/3)
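The two rules on these slides (a user code seen on several machines within 30 minutes, and a user code with sessions open on several machines at the same time) can be expressed as a short detection over workstation session records. The Python below is an added example written for this transcript; it is not Nexthink's code or query language, and the session records, user codes and workstation names in it are constructed.

```python
"""Detection of shared or stolen user codes from workstation session records.

Added example, not Nexthink's own code: it reimplements the two slide rules
(a user code connected on several machines within 30 minutes, and a user code
connected simultaneously on several machines) over constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample sessions: (user_code, workstation, login, logout).
# User codes and workstation names are invented for this example.
SAMPLE_SESSIONS = [
    ("u1001", "WS-RAD-01", "2015-06-01 08:00", "2015-06-01 08:20"),
    ("u1001", "WS-RAD-07", "2015-06-01 08:25", "2015-06-01 09:10"),  # 2nd machine 25 min later
    ("u2002", "WS-ER-03",  "2015-06-01 07:30", "2015-06-01 12:00"),
    ("u2002", "WS-ER-09",  "2015-06-01 09:45", "2015-06-01 10:15"),  # overlaps the session above
    ("u3003", "WS-LAB-02", "2015-06-01 06:00", "2015-06-01 06:30"),
    ("u3003", "WS-LAB-02", "2015-06-01 06:35", "2015-06-01 07:00"),  # same machine: not sharing
    ("u4004", "WS-ADM-01", "2015-06-01 08:00", "2015-06-01 09:00"),
    ("u4004", "WS-ADM-05", "2015-06-01 10:00", "2015-06-01 11:00"),  # 2nd machine, but 60 min later
]


def parse_sessions(rows):
    """Turn (user, workstation, login, logout) strings into datetime tuples."""
    return [(u, ws, datetime.strptime(a, FMT), datetime.strptime(b, FMT))
            for u, ws, a, b in rows]


def by_user(sessions):
    """Group session tuples by user code."""
    groups = defaultdict(list)
    for s in sessions:
        groups[s[0]].append(s)
    return groups


def multi_machine_within(sessions, window=timedelta(minutes=30)):
    """Rule 2/3: a user code that logs in on a different machine within
    `window` of a login on another machine. Returns {user: {machines}}."""
    hits = {}
    for user, rows in by_user(sessions).items():
        rows = sorted(rows, key=lambda r: r[2])  # order by login time
        for i, (_, ws_a, login_a, _) in enumerate(rows):
            for _, ws_b, login_b, _ in rows[i + 1:]:
                if login_b - login_a > window:
                    break  # later logins are further away still
                if ws_a != ws_b:
                    hits.setdefault(user, set()).update({ws_a, ws_b})
    return hits


def simultaneous_on_several(sessions):
    """Rule 3/3: a user code with overlapping sessions on different machines."""
    hits = {}
    for user, rows in by_user(sessions).items():
        for i, (_, ws_a, in_a, out_a) in enumerate(rows):
            for _, ws_b, in_b, out_b in rows[i + 1:]:
                # Two intervals overlap when each starts before the other ends.
                if ws_a != ws_b and in_a < out_b and in_b < out_a:
                    hits.setdefault(user, set()).update({ws_a, ws_b})
    return hits


def report(rows=SAMPLE_SESSIONS):
    """Run both rules over the given rows and return their findings."""
    sessions = parse_sessions(rows)
    return {"within_30_min": multi_machine_within(sessions),
            "simultaneous": simultaneous_on_several(sessions)}


if __name__ == "__main__":
    for rule, hits in report().items():
        for user, machines in sorted(hits.items()):
            print(f"{rule}: user code {user} seen on {sorted(machines)}")
```

The 30-minute rule compares login times only, so it catches the sequential case where a borrowed code is used on one workstation after another; the simultaneous rule catches a code in use on two machines at once. Both return the user code and the machines involved, which is what a security officer needs to follow up with the department concerned.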

HC IT services availability

Quality of Service monitoring

HC IT Services Support

Dynamic workstation monitoring: troubleshooting (1/3)

Dynamic workstation monitoring: troubleshooting (2/3)

Dynamic workstation monitoring: troubleshooting (3/3)

Program installed at 6:00 AM - New binary detected

Suspicious exe searches - query

Identified binaries executed over a period of time (retrieve hash codes from library)

Comparing binaries' signatures using the Nexthink library

Detection of system32.exe, Version 0.0.0.0, Ran from a USB
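The troubleshooting slides describe one detection chain: retrieve the hash codes of binaries executed over a period of time, compare them against a library of known binaries, and single out the outliers (a new binary installed at 6:00 AM, or system32.exe with version 0.0.0.0 run from a USB drive). The Python below is an added example that reimplements that chain; it is not Nexthink's library or query language, the business-hours range is an assumption, and all file contents, paths, versions and timestamps are constructed.

```python
"""Triage of executed binaries against a library of known hashes.

Added example, not Nexthink's own library or query language: it reimplements
the idea on these slides (retrieve hash codes of executed binaries, compare them
against a library of known binaries, and flag outliers such as a program run
from a USB drive with version 0.0.0.0 at 6:00 AM). File contents, paths,
versions and timestamps are constructed for the example.
"""
import hashlib
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is a normal install time

# Constructed library: binary name -> SHA-256 of its known-good contents.
_KNOWN_CONTENTS = {
    "notepad.exe": b"constructed notepad build 6.1",
    "dicomviewer.exe": b"constructed dicom viewer build 2.3",
}
KNOWN_HASHES = {name: hashlib.sha256(data).hexdigest()
                for name, data in _KNOWN_CONTENTS.items()}

# Constructed execution records, as an endpoint agent would report them.
SAMPLE_EXECUTIONS = [
    {"name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe",
     "version": "6.1.0.0", "drive": "fixed", "first_seen": "2015-06-01 09:12",
     "contents": _KNOWN_CONTENTS["notepad.exe"]},
    {"name": "dicomviewer.exe", "path": r"C:\Program Files\Imaging\dicomviewer.exe",
     "version": "2.4.0.0", "drive": "fixed", "first_seen": "2015-06-01 10:30",
     "contents": b"constructed dicom viewer build 2.4"},   # unlisted update: new hash only
    {"name": "system32.exe", "path": r"E:\system32.exe",
     "version": "0.0.0.0", "drive": "removable", "first_seen": "2015-06-01 06:00",
     "contents": b"constructed unknown program"},         # the slide's example
]


def sha256_hex(contents):
    """Hash code of a binary's contents, as the library stores it."""
    return hashlib.sha256(contents).hexdigest()


def assess(record, known_hashes=KNOWN_HASHES):
    """Return the reasons this execution record deserves attention
    (empty list = hash is in the library and nothing else stands out)."""
    reasons = []
    if sha256_hex(record["contents"]) not in known_hashes.values():
        reasons.append("hash not in known-binary library (new binary)")
    if record["version"] == "0.0.0.0":
        reasons.append("version 0.0.0.0 (no version information)")
    if record["drive"] == "removable":
        reasons.append("ran from removable media")
    seen = datetime.strptime(record["first_seen"], FMT)
    if seen.hour not in BUSINESS_HOURS:
        reasons.append(f"first seen at {seen:%H:%M}, outside business hours")
    return reasons


def triage(records=SAMPLE_EXECUTIONS):
    """Map each flagged path to its reasons; clean records are left out."""
    flagged = {}
    for record in records:
        reasons = assess(record)
        if reasons:
            flagged[record["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage().items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The hash comparison is the core of the chain: a binary whose hash is absent from the library is by definition the "new binary detected" event on the slide, and the remaining checks (version 0.0.0.0, removable drive, off-hours first sighting) add the context that turns a merely new binary into one worth querying across the whole fleet. An unlisted application update produces a single reason and can be cleared by adding its hash to the library.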

Monitoring IT risks governance drastically reduces ops and legal risks

Legal
• The legal risk is the consequence of operational risk

Operational
• The operational risk is more and more induced by IT risk

IT risks
• Availability and the performance of IT systems
• Integrity and the confidentiality of data
• Compliance with IT standards and policy

HC IT Services Governance Life Cycle
• Risk detection and security compliance
• World class Quality of Service and support
• Cost effective HC infrastructure maintenance

Life cycle steps:
1. Assess gap against target and plan action
2. Execute and monitor progress to reach target
3. Monitor to maintain on target

Solution benefits

IT
• Cost of ownership: super fast deployment, lightweight, zero coding
• Non intrusive, zero infrastructure performance impact
• 360° IT governance in one unified environment
• On demand diagnosis
• OOTB (out of the box): investigation, reporting, alerting, library
• Extensible to backend monitoring solutions

Operations and Management
• G.R.C.: desktop configuration and usage compliance
• World class support / user satisfaction
• 360° view over the QoS / impact analyses in real time
• Financial: infrastructure rationalization based on real usage
• Consistent PMSI repository*

* http://fr.wikipedia.org/wiki/Programme_de_m%C3%A9dicalisation_des_syst%C3%A8mes_d%27information

Project phases

End point assessment baseline (evaluation)
• Installation and deployment: 1 day
• Information collection: 3 weeks (no hands-on work)
• Configuration: 2 days

Full deployment
• New dashboards creation and deployment
• Reporting and alerting

Next steps
• New dashboards, reports, alerts
• Integration to backend monitoring platforms to enable end-to-end monitoring

Thank you!

Contact:

Francois D’Haegeleer

francois.dhaegeleer@nexthink.com

+33 6 14 10 04 91