Hospital Tracks Down Network Trouble - Page 2

Getting Buy-in

Many large-scale IT projects founder, running up against turf battles and budget cuts. Ramadoss ensured himself organizationwide buy-in, and the budgetary freedom he needed, by defining the project's overarching goals and framework.

"Setting up a strategy is a first step," he told eWEEK.

Ramadoss then listed the tools that were needed to meet that framework and did an inventory of the tools already being used.

The hospital was using bar-coded equipment and SMS to get updates-clearly not a sophisticated enough solution to track 8,000 IP assets and handheld devices serving 950 beds and 5,000 employees, let alone compliant with stringent regulations such as HIPAA.

Ramadoss said he looked for a standard to adopt as a framework-either ISO (International Organization for Standardization) or NIST (National Institute of Standards and Technology). The fact that he picked NIST Standard 800-53 is incidental, but the act of using an accepted standard as the framework for the project allowed him to get buy-in for the entire scope of his project. Every resource he uses and every expenditure he makes are predicated on attaining a level of compliance that has been vetted by senior management.

Ramadoss also plans to co-opt current management practices in later implementation stages of SecureFusion. Currently, director-level managers meet to review Web-based vulnerabilities and report back on their remediation steps during subsequent meetings.

When Ramadoss implements the vulnerability assessment portion of the SecureFusion application, those managers will have access to a portal that will produce reports customized for each department and will incorporate findings from those reports into their security meetings.

Ramadoss still isn't taking any chances-he won't apply the tool to the subnet serving those assets until he's finished testing the impact SecureFusion has on biomedical devices in laboratory conditions.