Privacy and Security
David Finn, Health IT Officer at Symantec
Twitter: @DavidSFinn
LinkedIn Profile
One of the great things about being the Health IT Officer at a big security firm is that no one really knows what you do. I get to slip quietly back and forth between customers who are dealing with the reality, to sales teams, or to product teams and to marketers, to Symantec partners (both real and imagined), to software and hardware vendors and to industry associations. It gives you a bigger view of what is going on. And it is impossible to think of the bigger picture in Health IT without thinking of HIMSS Annual Conference. And it is never bigger than when it is in Orlando!
Recently I got some information from HIMSS regarding the upcoming HIMSS14 and topics that attendees will be focused on. They had a great infographic that included a section showing what topics people would be looking for at HIMSS. All the usual suspects were there: MU, ICD-10, Analytics, HIE, mHealth, Interoperability, EHR, Privacy and Security . . .
That list, however, was embedded in a larger infographic that was really aimed at corporate marketers, entitled “At HIMSS 2014: How Important is Social Media”. And that brings us to mobility, Patient Engagement, social media and, of course, security and privacy.
I have to start out by admitting that I eschewed Facebook for a decade, and I only opened a Twitter account last year after much prodding. On the other hand, I’ve used my doctor’s patient portal for several years now. And when my mother was treated for cancer over 2 years ago at a major cancer center, I was able to use their award-winning portal not only to manage my mother’s visits and ancillary department schedules but to find a network of similar patients who’d had the same diagnosis and treatments, whom she could email and talk with – all remotely.
In a nutshell, social media isn’t going away. It has real value, and not using it – personally or professionally – especially in healthcare, is not a choice. That said, while we all recognize that social media has arrived and there is no turning back, it has arrived with a lot of risks. I know of more than one case where a hospital’s own site was regaled with some unpleasant pictures from “ungrateful” patients. At least one case led to a court order against the patient. And then you have the wild and crazy ED staffs that posted some, shall we say, “work photos” on the organization’s own Facebook sites.
Social media is dangerous precisely because it is social. Social, by definition, relates to interaction between people and people interacting means information is being shared. Now, is that just me or does that start to sound like patient engagement? In some cases this information is just private and confidential and shouldn’t be shared without the appropriate authorization. But sometimes . . .
People are not the only risk, though. Social media is ripe for technological abuse by hackers and other disreputable users. As millions of individuals post links, content, pictures and more, it has become impossible for site owners to keep track of what is legitimate and what is malicious. On top of that, users access these sites via corporate computers, home PCs and personal mobile devices – laptops, tablets, smartphones – that may lack protection or run unsecured versions of browsers.
While we are talking about lacking protection . . . no one will be surfing the web from your anesthesia machine, but you may be allowing patients to use your devices while they are in-house, and they will want access to more than the cafeteria menu. And the medical devices, don’t forget, are now Internet-connected and do have patient information on them, too.
And when you have “social media” and “mobile” together, well, you must be in the cloud. And how can something as soft and fluffy as a cloud possibly be safe and secure? I wish we had put all that stuff in a data center somewhere rather than a cloud . . .
And then there is the rest of the list: HIE, Interoperability, EHR and so on. We know analytics has special privacy and security issues – particularly in healthcare. Meaningful Use – Patient Engagement aside – still requires the HIPAA Risk Assessment at every Stage. I know at least one customer using their Data Loss Prevention tool to hunt down “rogue” ICD-9 codes, and to ensure that when the centralized systems convert, all their physicians, researchers, students and others who may still use ICD-9 in some way are brought up on ICD-10 together. Now, there’s a novel thought – a “security” tool being used to help the business!
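The DLP use case above boils down to pattern matching with context: find strings shaped like ICD-9 diagnosis codes in documents and messages, and separate them from ICD-10 codes so the stragglers can be found before the cutover. The following is an added illustration written for this post, not code from Symantec, its DLP product, or the customer mentioned; the sample lines are constructed, the regular expressions encode only the public code formats (ICD-9: three digits, V or E prefixes, optional decimals; ICD-10-CM: a letter, a digit, an alphanumeric, optional decimal part), and the keyword list used to require clinical context is an assumption you would tune for your own data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample text for this example; no real records are used.
SAMPLE_LINES = [
    "Order 8812 shipped to room 312, invoice total 250.00",  # numbers, no clinical context
    "Dx: 250.00 type 2 diabetes, follow-up in 6 months",      # ICD-9 diagnosis code
    "Diagnosis code E11.9 recorded by Dr. X",                 # ICD-10 code
    "Encounter dx V12.1, history of TB",                       # syntactically valid in both code sets
    "ICD code 401.9 hypertension; secondary I10",             # mixed ICD-9 and ICD-10
]

# Candidate tokens: optional letter, a digit, 1-2 more alphanumerics, optional decimal part.
CANDIDATE_RE = re.compile(r"\b[A-Z]?\d[0-9A-Z]{1,2}(?:\.[0-9A-Z]{1,4})?\b")
# ICD-9-CM diagnosis shapes: ddd(.d/.dd), V codes Vdd(.d/.dd), E codes Eddd(.d).
ICD9_RE = re.compile(r"(?:\d{3}(?:\.\d{1,2})?|V\d{2}(?:\.\d{1,2})?|E\d{3}(?:\.\d)?)")
# ICD-10-CM shape: letter (U excluded), digit, alphanumeric, optional '.' plus 1-4 alphanumerics.
ICD10_RE = re.compile(r"[A-TV-Z]\d[0-9A-Z](?:\.[0-9A-Z]{1,4})?")
# Assumed context keywords: a bare three-digit number only counts as a code near one of these,
# which is what keeps invoice totals and room numbers out of the findings.
CONTEXT_RE = re.compile(r"\b(?:dx|diagnosis|diagnoses|icd)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    code: str
    version: str  # "icd9", "icd10" or "ambiguous"


def classify(token: str) -> Optional[str]:
    """Label a candidate token by which code set it fits; None if neither."""
    is9 = ICD9_RE.fullmatch(token) is not None
    is10 = ICD10_RE.fullmatch(token) is not None
    if is9 and is10:
        return "ambiguous"  # e.g. V codes exist in both ICD-9 and ICD-10
    if is9:
        return "icd9"
    if is10:
        return "icd10"
    return None


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return every code-shaped token on lines that carry clinical context."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        if not CONTEXT_RE.search(line):
            continue  # no diagnosis context on this line: skip it entirely
        for match in CANDIDATE_RE.finditer(line):
            version = classify(match.group(0))
            if version is not None:
                findings.append(Finding(line_no, match.group(0), version))
    return findings


def rogue_icd9(lines: List[str]) -> List[Finding]:
    """The stragglers a DLP policy would alert on after an ICD-10 cutover."""
    return [f for f in scan_lines(lines) if f.version == "icd9"]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.code} ({f.version})")
    print("rogue ICD-9:", [f.code for f in rogue_icd9(SAMPLE_LINES)])
```

The ambiguous label is the part worth keeping when you build the real policy: a V code is a legitimate shape in both sets, so a rule that simply alerts on anything matching the ICD-9 pattern will page someone for every ICD-10 external-cause code, and the context requirement is the difference between a useful report and a list of every three-digit number in the organization's mail.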
In fact, as I look across all the topics, what is important is Privacy and Security. They are important across all the topics. One thing I’ve learned in the provider space and at a security firm is that adding security/privacy to any system or process after the fact is 1) always more expensive and 2) never as good as doing it right from the beginning. So, no matter what topic you are looking for at HIMSS14, put privacy, security and compliance at the top of your list. Trying to fix it later is not a good idea. See you (and 50,000 of your closest friends) in Orlando!