For several months, the VA has been under intense scrutiny as it struggles to close the massive holes in its security infrastructure. In recent times the agency has gotten a great deal of heat from stakeholders, including Congressional committees that oversee its work.
From reading tales of the VA's problems, one might think it has a uniquely difficult problem to address. In reality, though, the vulnerabilities it faces aren't much different from the ones that have led to breaches elsewhere. These include maintaining large pools of unencrypted medical data, poor control of laptops loaded with such data, and an inability to track which users have data access.
Given how common health IT breaches are these days, I'd argue that it's time to implement a set of health IT security standards uniformly across the industry, perhaps even establishing them as part of The Joint Commission's hospital surveys. These standards, which would call for both technology and internal process changes, could take HIPAA requirements as a jumping-off point.
Please note that I'm not suggesting that hospital and health system IT managers don't know their stuff when it comes to security. Still, a healthcare-specific security framework would give health IT managers something to focus on when they're reviewing their existing security plans. And that can't be a bad thing.
Just as importantly, such standards would give IT managers something to use as a consensus-building tool. While it can be hard for IT to pitch security investments to non-technical decision makers, having external standards to comply with is easier to sell.
I know that the industry already has countless rules to adhere to. But given how important it is to lower the number of intrusions, it's worth establishing standards everyone can accept. Adopting new standards might lead to more work at first, but in the end, implementing them would make life easier for all concerned. - Anne