How can healthcare organizations take an agile approach towards cloud security controls?
ayema08
Posted on November 6, 2022
"Cloud transformation initiatives are complex endeavors with a high failure rate. A risk-based approach to cloud transformation focusing on cybersecurity controls results in significantly improved outcomes for the organization."
Agile Transformation: A Serious Consideration For Healthcare
The debate over the implementation of agile methodology, especially within the healthcare industry, has been a topic of consideration for several organizations. Regulatory and compliance requirements are often a key driving factor of this debate. When healthcare organizations decide to undertake digital transformation projects, an important decision for management is whether to take the traditional waterfall approach (typically preferred within the industry given the high regulatory scrutiny) or an agile approach. While the waterfall route may be applicable for many use cases, implementing large-scale, organization-wide cloud applications with significant business impact often requires an agile approach to obtain the highest return on investment, by ensuring the technology solution is maximized to meet the overall business and strategy needs of the organization. With the right tailoring of agile principles to specific healthcare industry requirements, organizations will create well-integrated cloud application systems that enhance the overall efficiency of the organization.
Benefits Of Agile For Healthcare Organizations
Digital transformation implies integrating the latest technological solutions into all the processes that constitute a modern-day healthcare enterprise. Healthcare organizations can enjoy several benefits of taking an Agile approach. Key benefits include:
- Quicker software development timelines
- Improved software deployment quality
- Increased cross-functional collaboration
- Higher returns on investment (ROI)
- Enhanced regulatory compliance and risk management
Cloud Cybersecurity Controls: Always An Afterthought?
When implementing agile principles, healthcare organizations should keep an eye out for the risks that may come with them. Agile principles require organizations to move fast, often prioritizing a working prototype and cross-functional collaboration. This often results in cloud cybersecurity controls getting pushed down the priority list. As a result, healthcare organizations take on significant risk of developing working prototypes that do not adhere to security controls and protocols, including missing compliance requirements around complex healthcare regulations (such as HIPAA, HITRUST). To avoid this misstep, healthcare organizations should treat cloud cybersecurity controls with the same amount of intentional thought as other workstreams relating to software development. A best practice is to embed cloud cybersecurity controls as a distinct and dedicated workstream with a focus on deploying operational cybersecurity controls as part of the transformation effort. This upfront alignment will reduce transformation risk for healthcare organizations, as cloud cybersecurity controls will be iterated (in line with other software features) through the develop, test, deploy agile life cycle - thus being taken into consideration throughout the transformation - instead of being an afterthought once the transformation is complete. This approach often results in the highest returns for healthcare organizations from a dollars-invested perspective, and it significantly decreases the likelihood of security-related deficiencies after the completion of the cloud transformation effort.
Implementing Cloud Cybersecurity Controls: An Agile Approach
Before we cover agile cybersecurity controls implementation, here's a quick overview of the steps involved in a typical agile sprint:
- Gather and prioritize requirements
- Develop initial prototype iteratively
- Test the prototype
- Deploy the prototype
- Obtain end-user feedback
As part of the agile cybersecurity controls deployment, it is critical to take the development of controls through the agile lifecycle mentioned above. This may include:
As depicted above, healthcare organizations need to give intentional thought towards embedding cybersecurity controls as part of a larger cloud transformation effort. While the specific cybersecurity controls will vary depending on the healthcare business model (which will drive risks within the model) and the type of cloud software being developed or deployed (which will impact the nature of agile approach being undertaken), healthcare organizations at a minimum should think about cybersecurity controls in two main categories:
- External cybersecurity controls: which protect against elements outside the organization (e.g., ransomware, malware, etc.)
- Internal cybersecurity controls: which protect against elements within the organization (e.g., employee sabotage or employee mistakes)
For additional considerations regarding the above two categories of cybersecurity controls specific to cloud ERP applications read this here.
Benefits Of Agile Cybersecurity Controls Development
While there are several benefits, the key benefit of deploying cybersecurity controls during (and NOT after) the cloud transformation effort is significant cost savings. Organizations will incur a cost for a dedicated cybersecurity controls workstream upfront. However, this upfront investment will result in a robust cybersecurity framework at the end of the cloud transformation, lowering the likelihood of cybersecurity control issues and reducing audit costs/services and remediation effort costs. The goal for any healthcare organization should be to eventually move to the fourth quadrant of the cybersecurity controls maturity framework below, using agile as a key driver while effectively jumping quadrants.
- 1 = Beginner (No or minimal controls, low controls cost)
- 2 = Intermediate (Low controls maturity, high controls cost)
- 3 = Advanced (High controls maturity, high controls cost)
- 4 = Optimized (High controls maturity, low controls cost)
Conclusion
Thus, healthcare organizations should consider taking an agile approach not just for large-scale cloud transformation projects but also for developing robust cybersecurity controls during (and not after) the cloud transformation effort. The agile approach towards cybersecurity controls will increase the likelihood of better designed and operationalized cybersecurity controls, allowing organizations to enjoy significant cost savings and increased returns on their investments. Additionally, an agile approach also plays a crucial role in incorporating principles of swiftness and nimbleness in the operational culture of organizations - the benefits of which are often realized while adhering to complex healthcare regulations and compliance requirements.
Note: Opinions expressed are solely those of the author and do not express the views or opinions of their employer.