Hospital CISO: Balancing security of, access to patient data my toughest task

The ability to protect patient data while simultaneously ensuring that clinicians can use that data to provide adequate care requires a tremendous ability to balance priorities.

The task is so difficult that Gaylon Stockman, chief information security officer at Providence, Rhode Island-based Lifespan, called it his toughest in a recent interview with Becker's Hospital CIO.

Stockman pointed to stricter privacy requirements in the healthcare industry as one reason for that assessment. In its most recent iteration, HIPAA requires providers to mind their security Ps and Qs, or face potentially significant fines. Part of that process involves preparing for audits that, according to the U.S. Department of Health and Human Services' Office for Civil Rights, will be narrower in 2015 than ever before.

Jerome Meites, OCR chief regional counsel for the Chicago area, predicted a spike in HIPAA fines for healthcare organizations in the next year.

"Knowing what's in the pipeline, I suspect that [the number of violations over the past year] will be low compared to what's coming up," Meites said at a recent American Bar Association conference.

Stockman also pointed to the increased use of mobile tools to access patient data as a reason why finding such a balance has become more difficult.

"The threat landscape is constantly changing and it's a new day, every day," Stockman told Becker's.

Stockman isn't the only health IT executive to express such an opinion. Shortly after the HIPAA Omnibus Rule was announced in January 2013, Todd Richardson, vice president and CIO of Wausau, Wisconsin-based nonprofit health system Aspirus Inc., told FierceHealthIT that between efforts like Meaningful Use and regulations like HIPAA, the federal government is sending mixed messages about data in healthcare.

"On one hand, we have 'protect, protect, protect,' and on the other hand we have 'share, share, share,'" Richardson said. "While the balance is 'protect and share,' the devil is always in the details. The reality is that all of the information is not under the tight control of the covered entity. I find a little bit of irony in the reality of today's new paradigm, where we have so many people posting so much personal information on Facebook and tweeting about their every move and their latest lab result, yet the government is pushing privacy requirements further."

To learn more:
- here's the Becker's post