By David Finn
One of the fun parts of being the health IT officer for one of the world’s largest information security software vendors is getting to talk to a lot of people working in health IT (HIT). Talking about HIT is a lot easier than actually having to do it every day. I know that because while I don’t sleep in my own bed as often as I used to, I do sleep better. No pager, no middle of the night calls, no unscheduled downtimes, go-lives and upgrades, no Meaningful Use or breaches to worry about.
Most of what I get to talk to people about is data protection – that’s how I say “information security in its broadest sense” now. I say that because it really is about much more than keeping intruders out; it has to be about confidentiality, integrity and availability, all three. And it isn’t just in your data center or on your network or even on your devices anymore. It’s about keeping data safe anytime, anywhere, and on any device (the organization’s or not).
Here’s what’s happening: in the past four years, healthcare has undergone tremendous change. But so has the information technology industry. We now have these two huge industries that are both undergoing fundamental changes in their business and delivery models. For people working in healthcare IT, it is kind of like an earthquake followed by a tsunami. We know how that can work out if you are not prepared and haven’t laid the foundation properly.
In addition to electronic health records (EHR), health information exchanges (HIE), accountable care organizations (ACO) and changing reimbursements, we’ve complicated IT in our efforts to make accessing information easier for end users and cheaper for management. And if we don’t make it easier, end users will do it themselves thanks to cloud and mobile technologies and the consumerization of technology. We need to be careful not to move beyond our capability to manage, control and secure the data – to protect it.
What we haven’t done yet, though, is change the way we think about the data. Securing a device or a network isn’t enough anymore. You have to understand where the data is, who is using it and how. You must understand how the data comes into, flows through and around your organization, and where and to whom it is going when it leaves your network. We’ve been talking about security since the HIPAA Privacy Rule took effect in 2003 and the Security Rule in 2005. And yet almost 400 major breaches (those affecting 500 or more individuals) have been reported to federal authorities since the HIPAA breach notification rule took effect in 2009 – upwards of 20 million records! Protecting the data really isn’t that hard. It does take some budget and staff, and I know that can be difficult given the state of both healthcare and the economy right now.
More than money, though, it takes prioritization and focus. We get very focused on Meaningful Use and outcomes and analytics and cost reduction around the EHR and clinical data. But let’s start at the very beginning . . . the data. How meaningful or useful is the data to you if the patient leaves your organization because their data has been breached? How good will the analytics be if the quality and reliability of the data are suspect? How good is it for the caregivers if the system goes down for hours every month while they have patients in their exam rooms?
Data protection – or whatever you want to call it – often gets dumped into IT as a technology issue. That is naïve. The need for confidentiality, integrity and availability is more and more a patient care issue – and in some cases a patient safety issue. Patients trust you with their lives, and that data is part of their life. It is a snapshot, clinically, of them. They expect the caregiver to take care of that data as well as they take care of their patients. And IT cannot think of itself as just the technology group in the hospital. IT is part of the care team – the patient data has to be there when a hands-on caregiver needs it. Any time. Any place. Any device. It has to be secure, available and accessible to the RIGHT person, and it has to be reliable.
It is time to stop talking about data protection and do it. We don’t do it very well in this country, personally or professionally. Our window of opportunity is closing. We must get the IT right in order for healthcare to make the changes it is struggling to make – some by edict, some as part of evolutionary change. After all, we hope to improve patient care, improve quality and outcomes and reduce the overall costs. It all starts with the data: how we think about it and how we protect it.
David Finn, CISA, CISM, CRISC is the health information technology officer for Symantec. Prior to this role he was the chief information officer and vice president of information services for Texas Children’s Hospital.