
Future of Healthcare IT Outsourcing Market Hinges on US Election, Department of Justice Verdict | Press Release

Healthcare payers choose wait-and-see strategy for mergers, health insurance exchanges; focus on security, integrated operations is full steam ahead

The outlook for the global healthcare IT outsourcing (ITO) market is hanging in the balance, with all eyes watching to see the outcome of the U.S. presidential election and the verdict of antitrust proceedings filed by the U.S. Department of Justice opposing the proposed Aetna-Humana and Anthem-Cigna mergers. Despite these uncertainties, Everest Group predicts that the global healthcare ITO market will exhibit a 12 percent compound annual growth rate during the period between 2014 and 2020, reaching US$68.3 billion in 2020.

“This growth, a bright spot in an otherwise bleak IT outsourcing marketplace, will be driven primarily by healthcare payers as they gear up for various movements in the market, such as payer-provider convergence, patient-centric care, evolving reimbursement models and value-chain digitization,” said Abhishek Singh, practice director with Everest Group and leader of Everest Group’s Healthcare & Life Sciences research practice. “Tactically, payers need to evolve on their sourcing maturity journey. The cost and efficiency mandate will be best served by sourcing the best quality services at the lowest possible costs. In this regard, the maturing technology service provider landscape is ripe for payers to explore outsourcing in a big bang manner.”

Everest Group has identified four trends that will shape healthcare IT outsourcing demand in the next 24 months:

  1. Large mergers are being pursued in the healthcare payer market. As noted above, two such mergers are being held at bay by the U.S. Department of Justice, with antitrust proceedings slated to begin on December 5, 2016. Should the mergers proceed, they will (after an initial lull in demand) increase the IT consulting spend for merger planning and integration projects. Subsequently, the mergers will lead to vendor consolidation as the surviving entity attempts to eliminate redundant IT systems and processes.
  2. Disillusionment with health insurance exchanges (HIXs) will impact spending in the near future. Already, several payers are seeking market exit options from the HIX business due to heavy losses sustained in the past financial year. The U.S. presidential election in November 2016 will shape the outcome. Democrats are promoting HIX; Republicans are opposing it. Many factors such as subsidies, premium rates and private participation hang in the balance. Everest Group believes HIX will survive; however, the shape and size of the program will be determined by the largest national plans and by the new U.S. presidential administration. In the meantime, payers have adopted a wait-and-see approach with regard to expanding, withdrawing or investing in the HIX market.
  3. Security is a top priority for more than 90 percent of CIOs. This will drive the next wave of tech spending. Recent high-profile data breaches combined with a shift in the enterprise perception of threats have given renewed impetus to security and a stronger demand for ROI accountability.
  4. Integrated operations is the way forward for large healthcare IT outsourcing deals in the mid-market. Service providers who are able to guarantee financial outcomes and predictable spend for adoption of integrated applications, infrastructure and processes will win the favor of payers.

Each of these trends (how they came to be and the implications they hold for payers, service providers and consumers) is discussed in detail in “Healthcare Payer IT Services: Outsource (Offshore) or Perish.” In this annual report, Everest Group analyzes the current trends and future outlook of large, multi-year ITO relationships in the healthcare payer market. The report also provides specific insights into enabling a go-to-market strategy for healthcare IT.

Why You Need to Buy Security Differently from Managed Services | Sherpas in Blue Shirts

In many newspapers these days, one doesn’t have to read very far without tripping over the latest sensational article on a security breach. The black hat community conducting security attacks is incredibly well funded and incredibly sophisticated, and our traditional firewall security precautions are woefully inadequate. The implications of this for companies are stark and robust. I think we must start with how we approach security.

The list of attacks is long and includes, for instance, Target’s customers, Anthem’s healthcare customer records, and the U.S. federal government apparently being penetrated by the Chinese. Behind all this is the frightening prospect of a highly sophisticated black hat community potentially funded by national governments in China and Russia and increasingly being in alliance with organized crime. The black hats are conducting security threats on a scale that is both mind boggling and deeply worrying – not only right now but even more so over time as the R&D effort of this community drives increasing levels of sophistication.

To date, we have approached security as a hygiene vehicle – one and done. We think about it in terms of firewalls securing our data center or making different layers of IT or technology architecture secure. We invest once to try to imbue our technology with a level of defense, and then we seek to spread that investment over the technologies; and we expect the cost to decrease as the learning curve goes down. The problem with this is that it cannot stand against the R&D effort and the rate of improvement in the black hat community.

Therefore, we must change our expectations and how we buy security. We must have a separate security tower in which the expectation is the cost will rise over time and we will invest ever more money and time into ways to counteract the growing black hat menace. The black hats are not constrained to attacking just one functional element of an organization’s service chain; therefore, businesses need an overarching security solution that secures everything. The consequences of not countering this threat are immense.

When we approach security as a hygiene vehicle, we ask for a component of security and monitoring in each technology function. Whether it’s a data center, applications, network, or other infrastructure, we use firewalls, encryption, or other tools and techniques to harden our environment and make it less vulnerable. That’s all well and good, and this should continue. However, this is woefully inadequate on its own with the increasing sophistication and threat from the black hat community. We cannot expect to be defended or even maintain our corporate responsibility if we assume that a hygiene approach is adequate.

It’s clear that we must also procure a different kind of security that is overarching and that matches the rapidly changing security landscape vulnerabilities uncovered and exploited by extremely well-funded and incredibly gifted black hats. We must realize that a hygiene approach to security will prove to be dramatically ineffective against the black hats’ innovation. And we must expect that the cost of an overarching security function will increase because of the need to constantly invest in our capabilities to innovate – and innovate faster – to counteract their threats.

We see the changing expectations starting to happen with the chief security officer in a role outside of technology and reporting directly to the CFO, CEO or board. But we have not seen the kind of budget and capability being invested into that function that are necessary to counteract the growing threat.

Furthermore, we have yet to see service providers providing a managed service to this new entity. The managed services they offer are based on the normal managed services principle of providing a constant service that will get cheaper over time as the learning curve and technologies mature. That’s the underlying theme of all managed services. That principle gets stood on its head in the context of security when the adversaries’ sophistication keeps rising exponentially. The cost of sophistication to counteract the adversaries must rise equally – which doesn’t work in the managed services principle.

Furthermore, no one firm can have the sophistication to take on the Russians, Chinese, organized crime mob, and the black hat ecosystem. That’s not a reasonable expectation for even the largest organizations. Therefore, organizations must turn to service providers that can aggregate customers in order to match the investment of the black hat community. The services industry must get together to defeat this massive threat to businesses, but managed service offerings are not the answer. We must innovate at the same rate as the black hats; thus a provider’s expectation of cost dropping over time is false because the learning curve will not go down.

Bottom line: The cyber attacks situation will get worse. All businesses – including service providers and their customers – must expect that their investments in security will increase to match the ever-escalating threats.



The Challenge of Security Services in the Internet of Things | Sherpas in Blue Shirts

The first thing to think about in the nature of Internet of Things security is that you have to recognize this is not “one and done.” The fight to secure your IoT environment is an activity that continues in perpetuity. The resources you initially allocate will be substantial, but they will escalate and costs will increase over time. It’s a very different way to think about a process than the services world’s normal engineering approach where you have a large up-front cost that becomes smoothed out, so you spend less and less money on it over time.

In the IoT, security can be segmented into two kinds. You approach the two in different ways, and each has a different level of funding.

The first segment is security at the edge, or device level. Here you need to be sure that each level is secure and monitored, from the device at the edge all the way through the network and the apps in an ecosystem. Think of this as a hygiene or compliance role in which you need to ensure that security exists, it’s adequate, you monitor it for effectiveness, and that any attack is limited to only a small segment and can’t spread. Those are the things you need to look for at the compliance level.

The second kind of security is around architecture and end-to-end monitoring. This requires a thoughtful end-to-end view of the objective you want to accomplish through the IoT, how you view security in the total ecosystem, how you architect it into systems, and how you monitor it at a systems level for the entire process that you define within the IoT. This security level typically reports to the chief security officer and requires a different level of thinking, talent, and investment.

If you’re not doing both the hygiene approach and the architectural view, black hats potentially can use any holes to corrupt the whole chain.

Even though you believe you have adequate security by levels, that doesn’t mean you’re safe. The inventiveness of the black hats is so robust that you’ll have to continually invest in protection. You first need to invest in architecting your solution from end to end and then continually monitor it and adapt it as new threats emerge.

One thing you can be sure of is that threats will continue to emerge.
