Time to become a security advocate


Folks, please note, you're not going to open up FierceHealthIT and find that I'm arguing for hospitals to spend less time on HIPAA. While it's easy to argue the details in how it's implemented, I think that HIPAA compliance is a good thing for the industry. For one thing, if people don't trust that their data is safe even in their own provider's offices, health data exchanges are pretty much doomed.

That being said, the study summarized in today's issue makes an interesting point. In the study, researchers found that hospitals were spending so much time making sure that they were compliant with HIPAA privacy mandates, they were losing site of other key security risks.

If you're an HIT manager, it's entirely appropriate that you also spend part of your time making sure your systems can ensure that patient records are only being accessed by appropriate parties.

At the same time, I'm sure you spend a meaningful part of your professional life worrying about malicious intruders, lost laptops with unencrypted data and other potential security disasters. But with the huge burden that privacy compliance imposes on hospital executives, you might not.

The truth is, security is one of those painful issues that only seems important to non-specialists once a disaster happens. When a bridge collapses, everyone wants to increase infrastructure funding. And when a health data system break-in happens? By God, go ahead and buy the latest and greatest security suite, Mr./Ms. HIT manager!

The problem is, as you folks know, it's really imprudent to wait until something bad happens to shore up your security infrastructure. Once a break-in happens, your organization could face consequences for years to come. Not only that, since security threats evolve daily, you can't just patch it and forget it the way you could a collapsed beam or broken pipe--so it's critical to think about security systematically. My impression is that hospital CEOs, in a word, don't.

So, HIT pros, I think it's time for you to engage in some serious and systematic research on the problem. By all means, print articles like the one I cited below. Gather statistics on the pervasiveness of HIT threats. And gather a few security nightmare scenarios in your pocket--what could happen to your facility if you're unlucky, and what it would cost. The truth is, if you don't advocate for tough security, it seems nobody will. - Anne