Clinical IT leads to security neglect at hospitals


This week's piece from Network World points to a troubling problem--that hospitals are in the crosshairs these days when it comes to cyberattacks and other forms of black-hat hacking. Given the growing number of well-publicized security breaches over the last year alone, you'd think that IT leaders would have no trouble getting the bucks they need to boost security protections. You'd think wrong.

With hospital leaders outside the IT suite under tremendous pressure to improve the quality of care--and document that they've done so--clinical data is a priority for most. But along the way, HIT executives are becoming increasingly concerned that their data protection efforts are inadequate.

Now, I'm not suggesting that there's anything wrong with wanting to improve care. But as I've said before, it seems to me that adding big-ticket, shiny clinical solutions without securing the network isn't smart. I know it's a balancing act, but it seems pretty clear that at this point, the balance isn't weighted enough in favor of robust security.

Now, with HHS doing surprise audits of hospitals' HIPAA compliance, some non-IT hospital leaders may get a rude shock when it comes to their security infrastructure. Some CEOs who had no idea that their networks were vulnerable are going to flunk the inspection. 

When that happens, maybe these execs will loosen the purse strings where better security protection is concerned. But it shouldn't take an outside agency to make this happen. Here's hoping that as the EMR furor settles down, HIT leaders can make their case for not neglecting the basics. -Anne