What does the Jefferson Memorial have in common with Privacy and Security in the Age of Meaningful Use?
David Finn, Health IT Officer at Symantec
At the Jefferson Memorial you find a lot of Jefferson’s writings – as opposed to Lincoln’s, for example (one thing that makes sense in Washington, DC). One of them says this: “I am not an advocate for frequent changes in laws and constitutions, but laws and institutions must go hand in hand with the progress of the human mind.”
One of my very first IT assignments was to write the coding standards for a major university – we did all our own development at that time and were about to completely re-do all major systems (billing, collections, records and registration, scheduling, grading – everything). My writing experience had previously been journalistic or for the theatre. So, I started asking people who had more experience. First stop was a very senior manager who pointed to two shelves full of three-inch, three-ring binders on his bookshelf. “Here’s a good example,” he said, “of how NOT to write programming standards.” It was his first project at a major aerospace manufacturer. “It needs to be less than 50 pages or it will never be read or used.” The human mind, complex as it is, likes to keep things simple and clear. Complexity muddies the waters, if you will, and tends to lead people to ignore the complexity.
Some years later I found myself the “HIPAA guy” and had to develop the policies and procedures related to privacy and security in a modern IDS. I went to the organization’s keeper of all things “P & P”. I was advised that I should write policy and procedures (I added technical standards), that policy should very rarely change, but that procedures will likely change as processes, people, technology, laws, and clinical and business practice change. The technical standards would have to change as technology changed, both at the IDS and in the broader world. Policy was vision, strategy – it needed to be flexible enough to withstand “routine” change but strong enough to make clear what our direction and intentions were – even as other things changed.
“The fundamentals of cyber security – I call it the physics of security – don’t change over time,” National Institute of Standards and Technology Senior Fellow Ron Ross says. “How we apply those controls … is a little bit different, but the same fundamentals.”
The need to protect data hasn’t changed, but what we protect it from has – and where it lives, how it is accessed, and who can get to it. And the requirements to protect it come with real penalties now. The biggest change we need to make, though, is in the human mind. This isn’t about IT anymore; this is about an age where personal data is an Internet commodity, where Facebook is linked directly to smartphone cameras. This is about a critical (and legal) need to share clinical data, and laws that require you to keep it out of the wrong hands.
Yes, we need to update procedures, we need new and more training, we need new tools to track, manage and protect data in new ways and places, and we need leadership – above IT – to understand. Or the next person to go to jail won’t be some poor clerk faxing face sheets to a plaintiff’s attorney but the CEO of a major system that wouldn’t fund hard drive encryption.