Implementing Privacy, Security, and Compliance in Healthcare

I Brake for Snakes But Not Zombies

David Finn, Health IT Officer at Symantec
LinkedIn Profile

Texas certainly has its share of colorful bumper stickers. They range from the word “Secede” against a Texas state flag (a notion our governor supported on a very short term basis a year or two ago) to “My state is bigger than your state” with a silhouette of the state (which works everywhere except Alaska) to the old iconic “Don’t Mess with Texas” which actually started as a statewide advertising campaign in 1986 and became (at least to Texans) a cultural phenomenon.

After this weekend, I have a new favorite. Although it may not be Texas-specific, that is where I saw it first. It reads simply: “I Brake for Snakes But Not Zombies”. Now, you may think that takes some explaining. You can go to the brake for snakes bumper sticker if you want some “official” explanation…but I have a better one.

I knew immediately when I saw it that it was clearly about implementing privacy, security and compliance in the healthcare space. No, zombies did not eat my brain (remember I won’t brake for them). It is really quite simple. Here goes . . .

I was the Privacy and Security Officer at an IDN when HIPAA became law – – first compliance date for Privacy in 2003, through Security in 2005 and beyond. I’m not naïve enough to tell you that implementing a meaningful (no pun intended) privacy and security program in the provider space doesn’t get into corporate politics. It typically does – – just because it takes money and people and organizational commitment. Whenever projects compete for these resources, they tend to get political. Not to mention the clinicians who will feel disrupted because, well, security is not convenient.

Where there are politics, there are snakes. And I don’t use the word judgmentally, here. The bottom line is that when things compete, there is a winner and a loser and someone who has “committed” to you may be forced to change their mind (and support). They may really believe in security and privacy and compliance – – but limited resources can turn people into snakes, intentional or circumstantial.

You must “brake” for the snakes. You need them. Presumably, these are people who can help you move things along. They control money or people you need or somehow influence the corporate commitments and messaging. If they are not on board with the project – – whatever it is – – you are going to have to slow down and figure out how to get them in the car or on the bus or on the train, whatever analog you are using. (When I rolled out an EHR several years back and we were looking for the cute tag line for the project one of our physicians actually suggested “Ride or Die!” with a picture of a bullet train with the EHR’s project name on the side. I kind of liked it but knew it wasn’t going to win supporters.)

The support of these people or groups or departments is too critical – – remember that security and compliance are not adjuncts to the business anymore. In healthcare, they are part of the strategic imperative. There will be trade-offs; maybe you can’t go as fast as you want but a phased project with good change management is better than doing nothing. So, as they say, (or should) “chunk” the project and get the support/resources you need for each chunk.

Which brings us to the zombies. Unlike snakes, the zombies really can’t help you – – the best they can do is get out of the way. But, hey, they are zombies and may not even be able to figure that out or be able to get out of the way if they did figure it out. It can be hard to move quickly when body parts are falling off of you – – so I’m told. They should be sped around or (only as a last resort) just run over. The zombies are the people who will never understand why security is their job or why you have to change anything in order to be compliant. You may or may not ever convince them but the time you’d spend slowing down for them would be much better spent working with a few key snakes.

So, remember to brake for the snakes but not the zombies. And you don’t even have to have bumper stickers printed – – they all ready to go you just need to place the order.