Outsourcing Small Company Computer Security

At the Big Thompson Medical Group in Loveland, Colorado, the previous director of IT operations, Marc Soldner, contracted security to an outside firm because he didn't have the staff to handle it internally, and saved the cost of hiring a dedicated person.

Big Thompson, a $20 million to $30 million healthcare group with 250 employees and about 200 computers spread across eight local clinics in Colorado, did fine with just a single IT staff member at the company headquarters reporting to Mr. Soldner. In addition, Mr. Soldner had one person with a non-IT job at each site trained in basic issues and available for rudimentary fixes, such as checking connections and powering a machine off and on. IT functions in the company's accounting department are handled separately.

The system works on such slender staffing because it relies on outside companies for a number of IT functions, including security. Mr. Soldner estimates that by outsourcing security, he saved the yearly cost of hiring and managing at least one network security professional. And the organization is happy with the relationship he set up with the outside security vendor.

--> TIP #1: Figure out what functions require security to put together your request for proposal or statement of work.

Included in the $30,000 security outsourcing deal were detailed specifications such as secure connectivity for employees needing to reach sites outside the company, for outside doctors who needed to contact other secure or insecure areas while visiting the building (such as a hospital's secure data on a patient), and for staff members connecting to Big Thompson's secure site from home.

The network consists of eight sites, with the central site in Loveland, Colorado, a few hours outside Denver. In October 2000, when the company launched an external-facing Web site for marketing and informational purposes, Mr. Soldner hired the outside security company. Prior to that, "We didn't need security because we weren't connected to the outside world." A major upgrade followed in December 2003.

The driver for outsourcing security was financial, Mr. Soldner said. "I can hire a company to manage our routers for significantly less [than handling it internally]."

There were two parts to the initial security contract, Mr. Soldner said: to upgrade the routing environment for the company's own Metro Area Network (MAN), making it secure and fast, and to put together a Wide Area Network (WAN) for connecting the company to the outside world via the Internet. That involved some routing, some firewalls, setting up a secure environment, and more.

--> TIP #2: Don't assume you'll simply pay a retainer. Explore all pricing options.

After the initial work was done, Mr. Soldner set up an ongoing arrangement with the company, a small firm based in Boulder, CO, called The Root Group. For ongoing work, the service provider proposed two hourly rates. Under one structure, Mr. Soldner could get immediate service at a premium rate, in which The Root Group either dials into the client network or sends someone onsite immediately. The second option is a less expensive "bundled hours" setup, in which the client buys hours in advance as a package and accepts a slower response time.

Big Thompson Medical's Web sites themselves are managed by a separate company out of Denver, so the security firm handles everything else, including e-mail, firewalls, and routers. "[Internal people] set up and manage the e-mail accounts," Mr. Soldner said, and "[The Root Group] makes sure the process is safe. They do the routers, the firewall, and they're the next tier up if Qwest [the Internet service provider] can't [fix a problem]."

Mr. Soldner said he began the outsourcing effort by looking for companies "that would let us connect to the outside world, transfer data, and maintain the integrity of patient records." This was pre-HIPAA, the Health Insurance Portability and Accountability Act, the government regulation mandating a higher level of confidentiality in patient records.

--> TIP #3: Expect to justify the outlay for IT security services to management. And do it in a form (and forum) they'll understand.

Big Thompson is a privately held corporation owned by the physicians who work at the clinics, so explaining and selling technology solutions to doctors was part of Mr. Soldner's job.

He said that in the face of HIPAA and other regulations, the importance of securing patient records especially was well understood by management, which took only a financial interest ("ROI kinds of things") in his proposed solutions. "They were interested in security, interested in different processes for achieving it, and the benefit it had," he said.

His company was already HIPAA-compliant, Mr. Soldner said, but any change to software can raise HIPAA issues, so he looked only at outsourcing companies that were familiar with HIPAA.

He met with the decision-making doctors initially in one-on-one meetings, then held a series of meetings with 15 doctors at a time, giving them the opportunity to ask questions and bring up concerns. Questions included: Why are we doing this? What is it going to cost us? Can I trust it?

At the same time, Mr. Soldner was working with an outside Web company to build the firm's Web pages, which were to be kept on the outside of the firewall. The security company helped, for example, when it was time to put in the routers. "They have the people who can configure them," Mr. Soldner explained. "I didn't have anyone who was router-savvy."

--> TIP #4: Expect to negotiate on new projects that aren't part of the original discussions.

The structure for managing the relationship with the vendor, Mr. Soldner said, was informal by his choice. Since both are small firms, the arrangement worked well. "I could either call or e-mail them [for assistance]. There's a flat fee set-up, so they charged me for time after that."

For a project such as setting up a new clinic, for example, Mr. Soldner said he negotiated that as a package deal with the security company. "There's no monthly retainer. If I had a failure, I called [and] they diagnosed." That arrangement, he said, can be "very pricey" because of the guaranteed 24/7 response, which he finds critical in the medical field. Thompson Medical, as a series of medical clinics, simply can't afford to have a site down when someone may be trying to reach them.

With the relationship in place, Mr. Soldner said the time he spent on the vendor relationship was "very minimal — probably just a few hours a year." The initial setup took "a couple of weeks working out what we needed and wanted."

When he did have an issue — someone using his mail server for spamming — it was resolved quickly and successfully. "We knew this because we monitor bit packages going in and out to watch traffic, and that suddenly jumped way up. I called the security firm to ask what was going on. They dialed into the server through the VPN [and] found the configuration error. It took one phone call from me, and they had everything worked out in half a day."

The cost of that emergency fix? Just $600 to $700, Mr. Soldner said, clearly "well worth it, just not to be irritating users."

"I was pleased," Mr. Soldner said of the security deal. "For this organization, this is a really good setup." In addition to giving him two pricing options, depending on urgency, he liked the "run-over-by-a-bus advantage" of having outside experts who know the company technically. If something happened to him, "there was somebody out there who really knew what was going on. I think that's really important, especially in small businesses."

That worked both ways, since Mr. Soldner was highly technical himself: "If something happened to the security company, I knew how to get hold of the router configurations."

Useful Links:

Big Thompson Medical Group
http://www.bigthompsonmedical.com/

The Root Group
http://www.rootgroup.com/

Information about a free, practical Webinar about what aspects of security should and shouldn't be outsourced:
/home/home.aspx?i=02_8/16/2005_cn_229_1_00_00