ayema08

How healthcare organizations can take an agile approach towards cloud security controls?

"Cloud transformation initiatives are complex endeavors with a high failure rate. A risk based approach to cloud transformation focusing on cybersecurity controls results in significantly improved outcomes for the organization."

Agile Transformation: A Serious Consideration For Healthcare
The debate over implementing agile methodology, especially within the healthcare industry, has been a topic of consideration for several organizations. Regulatory and compliance requirements are often a key driving factor of this debate. When healthcare organizations undertake digital transformation projects, an important decision in front of management is whether to take the traditional approach of waterfall development (typically preferred within the industry given the high regulatory scrutiny) or an agile approach. While the waterfall route may be applicable for many use cases, implementing large-scale, organization-wide cloud applications with significant business impacts often requires an agile approach to obtain the highest returns on investment by ensuring the technology solution is maximized to meet the overall business and strategy needs of the organization. The right tailoring of agile principles, taking into consideration specific healthcare industry requirements, will result in organizations creating well-integrated cloud application systems that enhance the overall efficiency of the organization.

Benefits Of Agile For Healthcare Organizations
Digital transformation implies integrating the latest technological solutions into all the processes that constitute a modern-day healthcare enterprise. Healthcare organizations can enjoy several benefits of taking an Agile approach. Key benefits include:

  • Quicker software development timelines
  • Improved software deployment quality
  • Increased cross-functional collaboration
  • Higher returns on investment (ROI)
  • Enhanced regulatory compliance and risk management

Cloud Cybersecurity Controls: Always An Afterthought?
When implementing agile principles, healthcare organizations should keep an eye out for the risks that may come with them. The principles of agile require organizations to move fast, often prioritizing a working prototype and cross-functional collaboration. This often results in cloud cybersecurity controls getting pushed down the priority list. As a result, healthcare organizations take on significant risk of developing working prototypes that do not adhere to security controls and protocols, including missing compliance requirements around complex healthcare regulations (such as HIPAA, HITRUST). To avoid this misstep, healthcare organizations should treat cloud cybersecurity controls with the same amount of intentional thought as other workstreams relating to software development. A best practice is to embed the cloud cybersecurity controls workstream as a distinct and dedicated workstream with a focus on deploying operational cybersecurity controls as part of the transformation effort. This upfront alignment will reduce transformation risk for healthcare organizations, as cloud cybersecurity controls will be iterated (in line with other software features) through the develop, test, deploy agile life cycle, and thus taken into consideration throughout the transformation instead of being an afterthought once it is complete. This approach often results in the highest returns for healthcare organizations from a dollars-invested perspective, and it significantly decreases the likelihood of security-related deficiencies after the completion of the cloud transformation effort.

Implementing Cloud Cybersecurity Controls: An Agile Approach
Before we cover agile cybersecurity controls implementation, here's a quick overview of the steps involved in a typical agile sprint:

  • Gather and prioritize requirements
  • Develop initial prototype iteratively
  • Test the prototype
  • Deploy the prototype
  • Obtain end-user feedback

As part of the agile cybersecurity controls deployment, it is critical to take the development of controls through the agile lifecycle mentioned above. This may include:

[Figure: Agile_Controls_Approach]

As depicted above, healthcare organizations need to give intentional thought towards embedding cybersecurity controls as part of a larger cloud transformation effort. While the specific cybersecurity controls will vary depending on the healthcare business model (which will drive risks within the model) and the type of cloud software being developed or deployed (which will impact the nature of agile approach being undertaken), healthcare organizations at a minimum should think about cybersecurity controls in two main categories:

  • External cybersecurity controls: which protect against elements outside the organization (e.g., ransomware, malware, etc.)
  • Internal cybersecurity controls: which protect against elements within the organization (e.g., employee sabotage or employee mistakes)

For additional considerations regarding the above two categories of cybersecurity controls specific to cloud ERP applications read this here.

Benefits Of Agile Cybersecurity Controls Development
While there are several benefits, the key benefit of deploying cybersecurity controls during (and NOT after) the cloud transformation effort is significant cost savings. Organizations will incur a cost for a dedicated cybersecurity controls workstream upfront; however, this upfront investment will result in a robust cybersecurity framework at the end of the cloud transformation, resulting in a lower likelihood of cybersecurity control issues and lower audit, services, and remediation costs. The goal for any healthcare organization should be to eventually move to the fourth quadrant of the cybersecurity controls maturity framework below, using agile as a key driver while effectively jumping quadrants.

[Figure: Agile_Controls_Maturity]

  • 1 = Beginner (No or minimal controls, low controls cost)
  • 2 = Intermediate (Low controls maturity, high controls cost)
  • 3 = Advanced (High controls maturity, high controls cost)
  • 4 = Optimized (High controls maturity, low controls cost)

Conclusion
Thus, healthcare organizations should consider taking an agile approach not just for large-scale cloud transformation projects but also for developing robust cybersecurity controls during (and not after) the cloud transformation effort. The agile approach towards cybersecurity controls will result in an increased likelihood of better designed and operationalized cybersecurity controls, allowing organizations to enjoy significant cost savings and increased returns on their investments. Additionally, an agile approach plays a crucial role in incorporating principles of swiftness and nimbleness into the operational culture of organizations, the benefits of which are often realized while adhering to complex healthcare regulations and compliance requirements.

Note: Opinions expressed are solely of the author and do not express the views or opinions of their employer.

Top comments (26)

Gaston Rodriguez

Cloud computing and virtualization are fast, interactive and flexible so that the development process runs smoothly right up to production. Cloud computing and virtualization make it easy for Agile development teams to seamlessly combine multiple development, test and production environments with other cloud services.

George Kaduru

I absolutely agree with you, @gastonrodriguez. Cloud computing and virtualization have truly transformed the development process by delivering quick, interactive, and adaptable solutions. They provide a strong ecosystem for when Agile development teams have to deliver results under resource constraints. Their quick, interactive, and adaptable nature, combined with the seamless integration of cloud services, simplifies the management of numerous environments and provides a smooth development process all the way through to production when the agile cloud access controls best practices laid out above are used.

George Kaduru
linkedin.com/in/george-kaduru/

ayema08

Great point @gastonrodriguez! Cloud computing and cloud environments come with their unique challenges with regard to developing agile controls. A key thought while implementing agile cybersecurity controls is to understand specifically what is owned by the cloud provider so that controls can be developed, tested, and moved to production.

neyda

In software development, agile methodology is an approach usually used for the efficient management of projects. Through iterative and incremental work cadences, known as sprints, the agile methodology helps teams to respond to the unpredictability of building software.

ayema08

Thanks @neyda for the comment! How have you used agile development for cloud cybersecurity solutions in the healthcare context?

Mahender Kumar

According to Gartner, human error will account for 99% of all cloud security failures by 2025. When developing business apps, human error is an ever-present risk. On the other hand, deploying assets on the public cloud comes with significant risk.
gartner.com/smarterwithgartner/is-...

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

George Kaduru

What an interesting take, @mahendkr72; however, I believe 99% might be too much of a stretch at this time when we factor in the further development of cyber-related artificial intelligence in 2025. Yes, human error is indeed a big factor in protecting healthcare patient data and privacy, and some studies have mentioned it is up to at least 80% of cloud security breaches, but implementing agile cloud security practices into cloud identity and access authorization security measures like encryption, MFA verifications, and privileged access management has proven to reduce cloud risk failures in organizations in my experience.

SofiiaSov

Taking an agile approach towards cloud security controls in healthcare organizations is a crucial step. If you're interested in learning more about strategies and practices for healthcare enterprise risk management, you can find valuable insights in this article by Cleveroad. It can provide guidance on implementing effective security measures in the healthcare sector.

Mahender Kumar

The incorporation of agile methodologies for health care improves the dynamic health care environment and improves processes to help achieve project milestones. It also simplifies the human effort required for patient care. Dividing major projects into sprints allows healthcare professionals to maximize their tasks.

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

George Kaduru

@mahendkr72 While the agile cloud control practice would allow the creation of sprints and getting more tasks done with deliverables, there are some scenarios where it should be applied strategically (and not indiscriminately) to the cloud security projects for healthcare organisations in question. The waterfall methodology may in certain scenarios do better where adherence to regulations and bureaucracy is prioritised before the next phase of the project can be tackled; however, with the rapid pace of changes in healthcare in the last year and anticipated in the upcoming years, the agile cloud access controls approach will be a higher caliber methodology of securing cloud environments, based on my prior experience implementing the approach in the health regulatory space. It would also work better for a given set of requirements and documentation with a straightforward execution plan in mind, which is also recommended from a security standpoint.

Victor Obahor

The article's focus on cloud security controls and the adoption of an agile approach is a game-changer in the field of cybersecurity. Cloud technologies are increasingly prevalent in healthcare, and traditional waterfall approaches simply can't keep up with the dynamic nature of cloud environments. Agile methodologies enable healthcare organizations to address security vulnerabilities promptly and adjust their controls in response to evolving threats.

upwork.com/freelancers/~018f64a10d...

George Kaduru

What a great approach! I recently worked on a security project last year in the healthcare industry and my team implemented the security protocols and infrastructure following the agile access controls approach mentioned in this article. We realized immediate benefits of this new innovative approach. The overall security budget for the project was around $100,000 and we were able to reach our target at 50% of the budget, thus saving costs and securing health data from potential breaches and attacks.

Mahender Kumar

Yes, I completely agree that cybersecurity must not be an afterthought process. In any organization, the challenge a DevOps team is facing is that Agile methodologies can deploy small-scale tasks in less time, while a security expert usually takes a longer time. Finding a balance between the two is the area that cyber experts are looking for.

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Victor Obahor

While I agree that agile methodologies offer advantages, we shouldn't dismiss waterfall approaches entirely. In certain contexts, such as highly regulated environments, a more structured and sequential approach can ensure compliance and accountability. It's essential to strike a balance between agility and robustness to maximize security outcomes.

upwork.com/freelancers/~018f64a10d...

Mahender Kumar

Agile has demonstrated excellent outcomes. The following are some of the advantages of using agile:

  • Faster project development life cycle
  • Predictable schedule
  • Customer/patient-focused work resulting in better outcomes
  • Empowered team

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Mahender Kumar

Risk cannot be eliminated, but it can be managed. Anticipating risks ahead of time gives an opportunity to deal with them. Some cloud security risks include misconfiguration, data breach, human error, and unmanaged attack surfaces.

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

George Kaduru

I completely agree with you, @mahendkr72. Risk is a constant in any endeavor, and would either need to be transferred, accepted or controlled. With cloud security, a risk like misconfiguration can cause data exposure, but by applying practices in the above-mentioned agile cloud control access method, an organization can accurately control the risk of it occurring. The Human Factor is another risk that can be transferred to proper training schemes and departments that will reinforce staff on the dangers that lurk outside the organization using the agile cloud controls implementation methodology. My small IT agency has seen direct benefits of taking the approach mentioned above, including generation of revenue of up to $60,000 in 2022. I know several other independent industry practitioners who have received similar benefits (and in some cases better than the results I have received).

Mahender Kumar

According to the Bain & Company report:
bain.com/insights/how-agile-is-pow...

Healthcare organisations are under increasing pressure to innovate in terms of product innovation, services, and consumer experience. Despite the fact that nearly 80% of medical institutions believe they need to be more Agile, only 30% are familiar with Agile innovation. Seventy-five percent of business leaders believe their Agile teams perform as well as or better than traditional teams.

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Mahender Kumar

A complete cloud security strategy addresses all three aspects: risks, threats, and challenges, so no bugs exist within the foundation. In order to deploy applications securely on the cloud, an organization must leverage a solid strategy that alleviates risk (security controls), defends against threats (secure coding and deployment), and overcomes challenges (implement cultural and technical solutions).

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Mahender Kumar

In agile methodologies, one of the approaches to test automation is agile automation testing. Its objective is to make the software development process more effective and efficient while maintaining quality and controlling time and resource consumption. However, the implementation of such a process requires a lot of coordination and collaboration between teams.

Mahender Kumar

Cyberthreat intelligence needs to be applied to automate the risk assessment process. Many tools are available in the market. One of the innovative solutions is the EvolveAST tool. It enables the cybersecurity team to automate the integration of application security testing into the software development pipeline.
threatintelligence.com/evolve-ast-...

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Mahender Kumar

Adopting agile methodology in any organization may suffer from many challenges. One of the challenges is dealing with human-related perceptions. Human-related perceptions about the change process have been the major transition challenges. People find it very easy to retain their old methods and processes except in the case when they are vividly presented with solid “whys” they need to embrace the transition to Agile.
sciencedirect.com/science/article/...

Mahender Kumar
[https://scholar.google.co.in/citations?user=4syrB4UAAAAJ&hl=en]

Abubakar Kaleem

I appreciate the article's emphasis on agile cybersecurity controls development. By incorporating security into the agile sprint cycle, healthcare organizations can achieve significant cost savings. Investing in a dedicated cybersecurity controls workstream upfront pays off by minimizing the risk of control issues, reducing audit costs, and streamlining remediation efforts. It's a strategic approach that ensures long-term cybersecurity maturity.