When it comes to selling security into the
healthcare market, most healthcare organizations aren't buying security
solutions to comply with the Health Insurance Portability and Accountability
Act (HIPAA). They are, however, investing in security solutions for plenty
of other reasons. The trick is to understand the healthcare market well
enough to properly position your security products and services.
Passed by Congress in 1996, HIPAA mandated that healthcare organizations
meet certain requirements to ensure the privacy and security of personal
health information. Technology providers reasonably expected the law to
generate a healthy amount of business from hospitals and other facilities
upgrading security technologies. But the deadline for meeting HIPAA's
security requirements was April 2005, and even today, many still aren't
in compliance.
"Probably only 50 percent of healthcare delivery organizations are compliant,"
says Barry Runyon, research vice president at Gartner and a former healthcare
CIO. And most don't seem very concerned about it. In a survey early this
year of U.S. healthcare IT professionals, only 18 percent rated compliance
with HIPAA security regulations as a top security concern. The survey
was conducted by the Healthcare Information and Management Systems Society
(HIMSS).
Why the lack of enthusiasm? Because the government has yet to rigorously
enforce HIPAA. In June 2007, a government audit of an Atlanta hospital
raised concern that the government was going to start auditing organizations
and enforcing HIPAA rules, but it didn't happen. The only activity was
a July 2008 incident when Providence Health & Services, a Seattle-based
healthcare system, was fined $100,000 by the Department of Health and
Human Services after repeated security failures.
"When I talk to people about HIPAA security, they aren't scared," says
John Albertini, founder and president of AIS Consulting, an IT auditing
and security service. "I'm not seeing HIPAA driving sales."
EXECUTIVE SUMMARY
Healthcare orgs are buying solutions for:
- Single sign-on
- Endpoint control and security
- Governance, risk and compliance management
Seeking Security Solutions
That doesn't mean that healthcare organizations aren't buying security
solutions. Health Industry Insights, an IDC company, predicts that spending
on security software by U.S. healthcare providers will jump from $335
million in 2008 to $475 million in 2010. And in the HIMSS survey, 42 percent
said they planned to adopt more security technologies over the next two
years.
It's a matter of emphasis. The HIPAA mandate doesn't directly drive buying
decisions, but is a consideration when healthcare organizations are choosing
products and services, says Rob Cote, vice president of sales at Viopoint,
a security and risk consultancy that does one-third of its business in
healthcare. "Do we lead with the HIPAA banner? No, we tend to back into
it," he says, noting that IT managers sometimes use HIPAA as a justification
for funding security projects.
Other factors are driving security spending. First is the simple fact
that more and more personal health information is moving from paper to
digital form, forcing healthcare organizations to invest in more IT, including
security, says Marc Holland, research director of Health Industry Insights.
Second, network endpoints in these organizations are proliferating and
becoming more diverse, making it difficult to maintain control and manage
access.
Successfully selling into this market requires addressing business needs
in ways that will improve efficiency and cut costs, while helping the
organization comply with regulations. Most important -- and perhaps the
biggest challenge -- the doctors and nurses have to like your solution
enough to use it. That means drilling down into these users' needs and
the unique operating environments of healthcare facilities.
"Selling a security solution just because it's a tick on the HIPAA box
is missing the point," says Paul Roscoe, president of Sentillion, which
sells identity and access-management software. "Our approach, and what
we encourage solution providers to focus on, is a combination of HIPAA
enablement and other added-value qualities that will improve clinician
usage and adoption. We try to quantify how our technology improves the
lives of physicians, nurses and healthcare administrators."
Needed Technologies
Several security technologies meet this criterion in the healthcare market:
- Software that helps organizations manage passwords, authentication
and a proliferation of endpoints
- Risk-management and compliance software that helps organizations pull
together all the technology, policies and processes needed to achieve
compliance
Single sign-on: In the first category are single sign-on products, which
are a hot item in healthcare facilities, says Holland. HIPAA requires
organizations to control and monitor access to the network and applications.
This typically means that each user needs his or her own unique password
and a different password for each application. That's unworkable in many
healthcare environments. In a hospital, for example, where shared workstations
proliferate in hallways and exam rooms, it's impractical to expect doctors
and nurses to juggle multiple passwords for various applications. Even
if it takes only a minute or two to log on, clinicians on average log
on to various machines and applications 50 to 60 times a day. That can
add up to hours of time better spent with patients. Because of these problems,
healthcare workers often share passwords, which is a direct violation
of the HIPAA regulations, notes Cote of Viopoint, which carries the OneSign
platform from Imprivata.
Single sign-on gives users one unique ID that allows them to access machines
and applications more quickly, and gives network administrators a record
of who's been accessing what. It not only saves time and frustration for
users, but can also dramatically reduce help desk costs, say vendors.
In addition, many of these products support biometric readers and other
devices like smart cards, so users don't have to remember or type in passwords
-- they can just swipe their card or place their finger on a reader for
instant access.
The biggest selling point, and the reason single sign-on technology is
popular in healthcare, is ease and convenience, not HIPAA compliance,
notes Eric Blatte, director of channel sales and programs at Imprivata.
"In other industries, security and IT requirements drive a lot of the
technology purchases," he says. "But in healthcare, the driver is convenience
-- giving physicians the ability to do their jobs faster and making it
easier for them to access patient data."
Security policy enforcement: Another problem with network endpoints is
the proliferation of removable memory devices and the need to control
what people download onto them. With so many thumb drives, iPods and other
devices floating around, how can an organization be sure someone isn't
walking out the door with patient information?
"Endpoints represent a huge risk because healthcare organizations usually
don't have the technology to enforce their policies," says Matt Mosher,
senior vice president at Lumension Security, which provides endpoint control
solutions. "They may have a policy that prohibits downloading data onto
a thumb drive, for example, but what good is that if you have no way to
encrypt data or auto-enforce it?" With Lumension's product, an organization
can see which devices are connected to the network, control which files
can be downloaded onto specific devices, and produce audit reports of
data downloads. Lumension also controls applications, allowing only specific
applications to execute on specific endpoints.
Analyzing an organization's data flow, helping it create policies, and
then selling technology to enforce and monitor those policies is where
a solution provider can add value, says Mosher. Lumension's technology
can be used in an "audit only" mode to show what devices are coming into
the environment. "Most healthcare clients lack the fundamental visibility
to even know what peripherals are being used," he says.
GRCM solutions: Good technology alone isn't enough to ensure high-quality
security, nor to comply with HIPAA. At the highest level, organizations
need to have a systematic approach that ties together technologies, policies
and processes, says Gartner's Runyon. That's the job of governance, risk
and compliance management (GRCM) software.
"Lots of organizations have policies in place, but no good ways to enforce
those policies," says Runyon. "The intent of these products is to align
the actual risks and controls with enterprise policies, regulations, service-level
agreements and contracts, so the state of the controls and risks can be
monitored." This can improve the organization's audit posture, reduce
associated reporting costs and help assess its risk and compliance levels.
A leader in this emerging category is Modulo, which sells an application
called Risk Manager. The company has been in risk management and IT consulting
for 23 years, says Alan Mattson, vice president of business development.
Eight years ago the company developed Risk Manager as a means of encapsulating
its collective knowledge and automating the process of mapping risks to
the controls an organization has in place to guard against them. The product
comes with control lists for a variety of regulations, including HIPAA.
It automatically queries and gathers data from the IT systems, and then
creates manual checklists that key people must review to ensure regulatory
compliance. "It's like a pilot going through a checklist every time he
flies," says Mattson.
"It really gives you the ability to link the technology with business
processes and see your client's whole risk," says Albertini of AIS Consulting,
who uses and leases the product.
Implementing Best Practices
In the end, it doesn't matter what regulations an organization is required
to meet; successful selling of security solutions boils down to implementing
best practices.
"There's so much industry-specific regulation," says Mosher of Lumension,
"but there's a lot of commonality in security best practices. It's just
a matter of mapping these to specific requirements in the regulation."
Whether it be HIPAA requirements or the organization's own rules, "the
controls aren't the tricky part," says Cote of Viopoint. "The challenge
is implementing them in the most efficient way."
Healthcare Puts Money Where the Fines Are
Solution providers needing help with services-delivery
processes have a valuable partner in Ingram Micro. "From outsourcing
elements of the total managed-services solution to providing training
and best practices for MSPs, Ingram Micro Seismic offers the broadest
portfolio of managed offerings in the industry," says Justin Crotty,
vice president, services, Ingram Micro North America.
Ingram Micro Seismic offerings include hosted remote monitoring
and management, network operations center, online backup and restore,
help desk and professional services automation (PSA) software, all
hosted and available on a pay-as-you-grow basis. The PSA solution
is powered by Autotask, a leading package that delivers the process
automation, labor management and business intelligence features
mentioned in the accompanying article.
"Ingram Micro Seismic customers gain the benefit of sourcing managed-services
tools such as Autotask from a single source, a real advantage in
integration and ease of doing business," says Bob Godgart, founder
and CEO of Autotask. Ingram Micro Seismic customers gain free access
to the Seismic Success Support Portal, a complete knowledge base
of best practices, tutorials and benchmarks for MSPs, including
a peer-group forum. In addition, Ingram Micro is partnering with
MSP University for targeted, online training. And Ingram Micro's
partner communities such as VentureTech Network (VTN) enable members
to network and share best practices in a noncompetitive environment.
"We've learned a tremendous amount about business processes from
the people we've met through Ingram Micro," says Adam Eiseman of
Lloyd Group, a VTN member and Seismic customer. "If you don't have
the size or scale to develop your own service offering, it can make
sense to outsource it from Ingram Micro."
Ingram Micro also provides outsourcing services for other parts
of a solution provider's business, including hardware configuration,
marketing and advertising, and call center services. Utilizing such
capabilities can help you maintain a laser focus on business-critical
competencies -- such as delivering quality customer service.
PMV Technologies: The Art of Process Improvement
At PMV Technologies, a $6 million, 38-employee MSP in Michigan, efficient
business processes are a major contributor to success, second only to
having employees aligned with the company's values. "If we have that,"
says CEO Scott Goemmel, "all they need are effective processes, and the
rest should work itself out."
An effective process is more than just efficient, according to Goemmel.
It also must meet customer expectations and be measurable, so staff can
be held accountable for their performance. These dynamics can be seen
in PMV's present efforts to fine-tune its help desk processes. "Business
development is delivering as many new managed-services clients as we can
presently absorb," he says. "If I want to grow, we have to improve the
help desk so we can add more clients while keeping the existing ones satisfied."
Goemmel's assessment of help desk performance includes a review of technology
tools, process workflow and client expectations, as well as the consistency
and quality of the service being delivered. Metrics are essential here,
including the time it takes to answer the phone or respond to an e-mail;
the time it takes to close a problem; and how often a problem is solved
on first contact. "The key is knowing your workflow and being able to
measure it," says Goemmel, "and not implementing anything you can't measure."
Measuring process performance depends on mining the PSA database and
other data stores for the right information, a valuable skill for any
solution provider to have. In fact, help desk metrics moving in the wrong
direction led PMV to tackle process improvement.
If this sounds like science, Goemmel believes there's an art to process
improvement as well, namely the part that deals with personnel. The help
desk, for instance, will live and die by staffing decisions -- "which
skills you place in which parts of the transaction most often." And changing
any process means retooling the employees around it, getting them to work
differently and enforcing new methods. That's why Goemmel advises taking
process change slowly, identifying key pain points and addressing them
one at a time. "Where there are people, there's resistance to change,"
he says, "and where there's resistance to change, there's a need for an
extended time frame. You can't change everything at once and effectively
manage it."
HTS: Leveraging Technology to the Max
Companies with multiple offices dispersed across a wide geography have
a special need for documented and repeatable processes. Case in point:
Heartland Technology Solutions (HTS), a $20-million, 80-employee MSP and
solution provider, has eight offices spread across tertiary markets in
Iowa, Kansas, Missouri, Nebraska and Oklahoma.
"The larger we've become, the more important it is to standardize what
we do across locations," says Jane Cage, COO at HTS. "Without getting
everyone on the same page, we can't leverage our economies of scale or
provide services in the most efficient way."
In its quest for process efficiency, HTS has applied a range of technology
tools to maximize automation. PSA software works to standardize services
planning, workflow and billing. Microsoft SharePoint serves as an online
repository for storing operational procedures and standardizing workflow,
including returned material authorization (RMA) tracking, market development
funding, human resources procedures and employee suggestions. And Microsoft
Dynamics accounting software collects financial data for drilling down
into process efficiency and business performance.
At present, HTS is applying these tools and its best minds to improve
delivery of managed services, with customer onboarding the current focus.
The pre-sales process is documented within SharePoint, but after the sale
is made, a service request within the PSA tool tracks the onboarding process,
with a workflow checkoff after each item is completed. Steps in the complex
process include reviewing and approving the contract, creating a purchase
order for third-party services (such as the Ingram Micro Seismic Help Desk),
invoice setup, confirming that initial payment has been received, setting
up the customer within the remote monitoring and management tool, performing
inventory of the customer's infrastructure and setting up e-mail notification
for service alerts.
"If someone had to remember this list, we'd have a problem," says Cage.
"That's why we try to do fewer and fewer manual interventions." Cage herself
makes good use of the data gathered by the PSA tool and other software
to report on company performance, what she calls "the pulse of HTS." She
regularly reports on key performance indicators such as the sales pipeline,
profit margins and the makeup of the customer base, as well as service
metrics from the PSA tool that illuminate process and employee efficiency.
At present, engineers are expected to achieve 75 percent utilization of
their time, and to generate more than 2.5 times their salary in services
revenue -- those generating more than three times their salary receive
a bonus. Over time HTS expects to implement dashboards for staff to access
such information on demand.
"We've invested heavily in technology for process automation, collaboration
and business intelligence," says Cage. "The payoff has been excellent
in helping us analyze and improve our company's performance."