“The best way to find out what we really need is to get rid of what we don’t”
As spring approaches and organizations focus on budgets for the next fiscal year, it’s time to start thinking about application rationalization. The term “rationalization” usually refers to a process companies undertake to reorganize and increase operating efficiencies. Similarly, application rationalization is the process of identifying the applications used throughout an organization in order to inform decisions about which ones should be kept, consolidated, or decommissioned. Like spring cleaning, application rationalization can be a daunting task given the sheer number of applications used throughout a healthcare enterprise and the data points that need to be captured. It’s important to know the rationalization goals in order to scope the work appropriately. Common goals include simplifying the IT environment, reducing costs, and improving the security posture of the organization.
While creating the application inventory is the universal first step, subsequent activities could include:
- Contract rationalization
- Vendor risk management
- Portfolio management
- Data management
- Data archival
- Policy and procedure review
The need for application rationalization is usually caused by one of two things: 1) organic and unmanaged growth of the organization’s information technology assets; or 2) concluding a period of aggressive mergers and acquisitions.
In either case, the unfettered growth of applications inevitably leads to situations of redundancies (e.g., two or more apps with the same functionality), unused apps the organization is still paying for, and apps that weaken the overall security posture of the organization. This last point is particularly important given the increase in cybersecurity incidents in healthcare.
On May 12, 2017, a global ransomware attack disrupted the National Health Service (NHS) in the United Kingdom, with at least 40 of its hospitals unable to access their systems while the attackers demanded to be paid in Bitcoin.[i]
NHS hospitals had to cancel surgeries and treat patients without access to their medical history, diagnostic tests, and crucial information such as allergies. As one doctor told a reporter, it would be a “miracle if no one comes to harm.”
“Identity theft is big business and no longer the realm of ‘script kiddies’ and loose collectives of hackers. A medical record is worth two or three times the value of a credit card number on the Dark Web. Healthcare records contain at least 18 protected personal health identifiers. As most people in our industry know, healthcare organizations have a greater and broader amount of your private data than your employer or your bank does.”[ii]
Poor management of applications throughout the enterprise brings inherent information security risks. Consider the following:
- Improper or missing access controls. Managing application access, which covers both who can access the app and which other system resources the app can access, is an essential part of any information security program. Which applications have been implemented, on which networks, and with what permissions and controls is a question many organizations struggle to answer. That information, however, can be gathered and analyzed while building the inventory for an application rationalization project.
- Lack of appropriate security patches. If an organization doesn’t know which apps are on its networks, it is essentially impossible to ensure that every app has been patched to prevent attackers from exploiting well-known vulnerabilities.
The New York Times reported that “The ransomware attack on the NHS never should have happened.” The NHS had been warned that its use of outdated technologies such as Windows XP, which Microsoft stopped supporting in 2014, left it exposed to attackers who might exploit known vulnerabilities.
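The inventory built during rationalization can be checked mechanically for the three problem categories the article names: redundant applications, unused applications that are still paid for, and applications past vendor support or behind on patching. The script below is an added illustration, not code from the article; the inventory records, application names, the review date (AS_OF) and the thresholds are all constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed review date and sample inventory (hypothetical apps, not from the article).
AS_OF = date(2018, 3, 15)
INVENTORY = [
    {"name": "ChartView", "function": "EHR viewer", "annual_cost": 120000,
     "last_used": date(2018, 3, 1), "support_ends": date(2022, 1, 1), "last_patched": date(2018, 2, 15)},
    {"name": "RecordLens", "function": "EHR viewer", "annual_cost": 80000,
     "last_used": date(2018, 2, 20), "support_ends": date(2021, 6, 30), "last_patched": date(2018, 1, 10)},
    {"name": "LegacyScheduler", "function": "scheduling", "annual_cost": 15000,
     "last_used": date(2016, 11, 5), "support_ends": date(2019, 12, 31), "last_patched": date(2016, 9, 1)},
    {"name": "LabLink", "function": "lab results", "annual_cost": 40000,
     "last_used": date(2018, 3, 2), "support_ends": date(2014, 12, 31), "last_patched": date(2014, 1, 20)},
]

def redundant(inventory):
    """Functions served by two or more applications: consolidation candidates."""
    by_function = defaultdict(list)
    for app in inventory:
        by_function[app["function"]].append(app["name"])
    return {fn: sorted(names) for fn, names in by_function.items() if len(names) > 1}

def unused_but_paid(inventory, today, idle_days=365):
    """Applications still incurring cost that nobody has used within idle_days."""
    return sorted(app["name"] for app in inventory
                  if app["annual_cost"] > 0 and (today - app["last_used"]).days > idle_days)

def security_risks(inventory, today, max_patch_age_days=90):
    """Applications past vendor support or not patched within the allowed window."""
    findings = {}
    for app in inventory:
        reasons = []
        if app["support_ends"] < today:
            reasons.append("vendor support ended " + app["support_ends"].isoformat())
        if (today - app["last_patched"]).days > max_patch_age_days:
            reasons.append("last patched " + app["last_patched"].isoformat())
        if reasons:
            findings[app["name"]] = reasons
    return findings

def rationalize(inventory, today):
    """Combined report for the three categories discussed in the text."""
    return {"redundant": redundant(inventory),
            "unused_but_paid": unused_but_paid(inventory, today),
            "security_risks": security_risks(inventory, today)}

if __name__ == "__main__":
    import json
    print(json.dumps(rationalize(INVENTORY, AS_OF), indent=2))
```

In practice the inventory would be loaded from the CMDB or export produced during the project, and the thresholds set by policy.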
There’s a dangerous misconception that application rationalization and cyber attacks are the concerns of large healthcare organizations only. Given the value of a healthcare record, any organization of any size is a potential target. Consider the attack on the Federation of Sovereign Indigenous Nations (FSIN) that took control of files on “social insurance numbers, treaty card numbers and health claims of staff” and resulted in FSIN paying the ransomers $20,000 in bitcoin.[iii]
In addition to helping improve an organization’s security posture, application rationalization has many additional benefits:
- Reducing Costs. Eliminating duplicate or unused applications removes their associated costs. This can lead to further savings, such as reduced infrastructure and operational costs, by repurposing or retiring the infrastructure and system management resources the retired applications no longer need.
- Increasing Standardization. The consolidation of applications resulting from a rationalization project is one method for driving standardization across the organization, further reducing costs and complexity.
- Funding Innovation. Finding money for IT innovation can be a struggle for organizations whose IT budgets are committed to operations and “keeping the lights on” activities. Application rationalization can free up budget dollars to fund innovation initiatives.
Application rationalization can be a challenging task depending on its scope and the number of stakeholders that need to be involved. But the pain is worthwhile to achieve the benefits previously described. As Peter Walsh once said, “Spring cleaning doesn’t have to be a dreaded list of chores. It can be a rewarding experience that helps provide some structure and organization in your life.”
[i] Bodkin H, et al. (2017, May 13). Government under pressure after NHS crippled in global cyberattack as weekend of chaos looms. The Telegraph.
[ii] Institute for Critical Infrastructure Technology. (2016, January). Hacking Healthcare IT in 2016: Lessons the Healthcare Industry Can Learn from the OPM Breach. Washington, DC: ICIT.