Health Data Protection and Requirements to Share Information

Super Moon Impacts Health Data Protection . . . well, maybe.

David Finn, Health IT Officer at Symantec
LinkedIn Profile

I do a lot of talking about Health IT. And mostly about security, privacy and compliance. I get to talk to providers, to other technology and software vendors – – many that service the healthcare industry, some exclusively. We talk, we have a great discussion about what needs to happen and how some of these things may come to pass. Months later, sometimes a year or more later – – I’ll meet up with these people and ask how things have been going since we last talked. And most of the time things aren’t going as planned. At best, the plan has started but it is going slow, hard to get money and/or staff, other priorities keep pushing it down the list. At worst, nothing has changed – – they haven’t been able to convince their leadership that this is as important as they think it is.

Here is the good news: I’ve started to see that beginning to change. I’m starting to hear things like “compliance is not security”. And that is the sad truth. You can be in compliance with all the rules and still have some pretty serious privacy breaches and, as we see on HHS’s Wall of Shame”, lots of data loss.

So, what is going on? Security isn’t “clinical”. Privacy isn’t a “strategic function” for most hospital CIOs. Why is healthcare more interested in security and privacy and why does the IT security community suddenly seem so focused on healthcare? Did it have anything to do with the Super Moon? Did the impact of the audits and penalties finally kick in and healthcare is going to get serious about the protection of data – – confidentiality, integrity and availability. Maybe everyone finally has the EHR in and has attested to Meaningful Use and is going to use the delays in ICD-10 and Stage 2 Meaningful Use to do all the “security stuff” now? Or perhaps healthcare has figured out that it really is about the data and you can’t really protect the data if you don’t understand it – – have the data about the data. How can you protect it if you don’t know where it is, who is using it, where it comes from and where it goes?

I wish I had an answer but what I’ve found in many years of looking for a variety of answers is that it is almost never one thing. The delays will help providers or at least take some of the pressure off. Although the Supreme Court ruling on ACA and the Presidential election will add more uncertainty to the mix, one thing we know won’t change is the need to protect data. We also know the need to share it is going to increase, the need to keep the data available and accessible to the right people at any time on any device. And I think that is part of what’s happening. It is kind of a “perfect storm”. Healthcare has to do what security, privacy and compliance has always been about doing.

The EHR drove a lot of this – – just having all that data in one place. Then meaningful use pushed beyond having it to having to share it. The slow march in healthcare toward virtualization – – server, storage, desktop helped make cloud more acceptable. And then mobile, perhaps you’ve heard something about mobility, mHealth, and consumerization. We even have mHIMSS! Users, who can always go faster than a corporate IT department – – they have less to worry about – – figured out that it isn’t about IT, it is about the data.

IT departments are starting to understand and respond to that need. Unfortunately, they still feel the burden of responsibility for protecting the data (and the users) despite the long list of other To Do’s and the limited budget and staffing they get. Protection is not about point solutions – – it is about a strategy and a risk-based approach to protection.

The idea of relying on risk analysis in order to make important decisions is not new to the medical community. When deciding whether to perform invasive procedures or difficult therapies, clinicians always consider the implications and trade-offs to the patient. You have to assess the Return on Investment or the ability to attract specialists or expanded diagnostic capabilities when looking at expanding your facility or purchasing an expensive piece of diagnostic equipment. This is a kind of risk analysis.

Today, an enormous amount of information is captured, stored and viewed in electronic form. This includes EMRs, immunization and other registries to large national databases. We expect digital patient information to be accessible, dependable and protected from abuse or improper access. This trend toward digital data and the requirements to share it will only grow.

The risks to the data have become greater, too. Exchange of clinical information has been growing and is now mandated. The threat landscape has also been transformed as more information is collected and stored in the offices and computers of healthcare providers. What providers need is an approach to risk that allows medical organizations to identify risks to that information, prioritize those risks and take the actions required to manage them and control risks. Now, clearly, is the time to start that.