Not sure if this is news to people regularly involved in IT, but securing the increasing amounts of electronic health information will be a major issue as organizations move to adopt electronic health records (EHRs). The scary thing is that the perception is that health care organizations are behind the current best practices (yet again), as highlighted by a Computerworld (Security) article titled “As health data goes digital, security risks grow”.
The need for enhanced and vigilant security isn’t much of an insight. Rather, the article presents some interesting opinions and findings as to where the industry is and how much more needs to be done as the US hurtles toward a government-mandated 2015 deadline to use electronic health records (part 2 of the article is available here). As an aside, I agree with the author (Lucas Mearian) that this seemingly artificial 2015 deadline is potentially a disaster in the making and (in my opinion) will likely lead to a number of scandals and failures. Getting back to the main point (security), I was actually shocked to read:
According to a recent report by IDC’s Health Industry Insights division, health care providers believe it will take a major security scandal to compel organizations to take security seriously.
A major health care data breach is inevitable, said Dr. William Braithwaite. He wrote portions of the Health Insurance Portability and Accountability Act of 1995 (HIPAA) and has since contributed to federal health care regulation.
It’s going to take “a major security scandal to compel organizations to take security seriously”? Wow. I don’t mean to give credence to the power-hungry folks who try to block patients’ access to their own information, but there needs to be more focus on security. As the article points out, exchange of health care information is a complicated (if not complex) series of transactions. In fact, since it is so complicated, there should be published standards specifying the requirements. From my understanding of security, encryption is just the first step of a security model. I would hope that security standards and models would be developed and made available for comment and review before everyone rushes to implement EHRs and other forms of electronic systems.
Is it time for health care vendors, organizations, and other vested parties to be participating in security/hacker conferences like CanSecWest or BlackHat? At the very least, organizations need to be aware of the latest developments in security threats given the “real-time” nature of the threats to our health information.