Long-term neglect has put healthcare behind the curve in terms of security, according to David Kibbe, M.D., president and CEO of DirectTrust.
"I think we're getting the message, but we could do a lot better," he says in an interview with HealthcareInfoSecurity.
The healthcare industry is feeling the pressures of two competing concepts, he says: that information needs to flow more freely to better coordinate care, and that the more "liquid" flow of data is more vulnerable to hacking.
"Healthcare as an industry has not taken seriously security in the past, to the extent that other kinds of industries have taken security and privacy, and has not bothered to put those security components into place that would protect the privacy of that information," Kibbe says. "They are trying to play catch-up now, very desperately."
Kibbe recently testified before the Senate Committee on Health, Education, Labor and Pensions about the state of secure information exchange. DirectTrust is the nonprofit governance organization for the Direct exchange technology.
In the interview, he urges organizations to take privacy and security seriously, and to look beyond their own enterprise.
With so much health information in the cloud, "you can put moats around your own resources, your own servers, but you have to think about everybody else's servers at the same time," he says. Huge repositories holding so much patient information are a huge target for hackers.
In a HIMSS survey of 75 health information organizations in 27 states unveiled in June, just over half agreed that the cost of using Direct was worth the benefit of health information exchange.
The top three benefits of using Direct were faster information access, less paper and more accurate and complete patient information. The challenges included the high cost, changing workflows and the fact that other providers aren't always on the platform.
In February, several organizations asked the Office for Civil Rights to clarify that it's OK for providers to share electronic health record data with patients via Direct Messaging, something some providers had been failing to do.