While the HIMSS Privacy and Security Forum last week in Boston featured a diverse group of healthcare professionals from payers and providers of all sizes, there was one common theme that everyone agreed on.
As Jeff Coughlin, Senior Director of Federal & State Affairs at HIMSS, put it: “IT’s role remains fundamental to a high-functioning healthcare system” in an era when “Americans [are] increasingly engaged in health and technology.”
At the end of my three days learning more about healthcare’s privacy and security challenges, I left with five clear takeaways which I believe will underpin the success of data-driven healthcare organizations in the years to come.
1. Healthcare organizations must move beyond compliance-based security to a maturity-based model. Rather than checking boxes (such as “we’re encrypted”, which by itself says nothing about who holds the keys or which systems can decrypt), payers and providers need to continually measure their security efforts and ask: Is it working? Is it providing the protection we expected? Is it providing the protection patients expect?
2. Healthcare IT should be focused on fostering open, responsible data sharing with a high regard for participant privacy. Security is a means of protecting personal data within business processes, but privacy is only achieved when data protection policies and best practices are consistently enforced across every system, enterprise-wide.
3. Investments in security must be a business decision, not a technology decision. Within an organization, ask: Where is the most value derived from data? Where is data most vulnerable, and where does its exposure create the most liability? Then invest in protecting those areas first.
4. The security model has fundamentally changed as the network perimeter has all but disappeared. With digital disruption there will always be a point of entry, and the attack surface only grows as more and more devices connect through the Internet of Things. Applying protection to the sensitive data itself, by encrypting it and binding an integrity check to it, keeps it protected through its entire lifecycle, wherever it travels, rests and is used, instead of relying on a boundary that no longer exists.
5. Disruptions in care caused by false information are far more damaging than taking a system down: an outage is noticed, while a quietly altered lab result or medication list is acted on. Healthcare organizations must ensure that security and access controls are enforced consistently across the entire enterprise in order to maintain trust in their systems and their data.
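To make the last two takeaways concrete, here is an added example of what “protecting the data itself” looks like in code. It is not from the forum or from any vendor; it uses only Go’s standard-library AES-GCM, a constructed demo key, and hypothetical patient identifiers (“MRN-1001”, “MRN-2002”). Each PHI value is encrypted and bound to the patient and field it belongs to, so the opaque blob can be copied between EHR, claims and analytics systems with no change to its protection, and any attempt to alter it or attach it to a different patient (the “false information” case) is refused at read time rather than silently accepted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// SealedField is one protected PHI value. It is an opaque string that can be
// stored or forwarded anywhere; only the key needs guarding.
type SealedField struct {
	PatientID string // context the ciphertext is bound to (hypothetical MRN)
	Field     string // e.g. "allergies"
	Blob      string // base64(nonce || ciphertext || GCM tag)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// bindingContext is the additional authenticated data: it is not encrypted,
// but any change to it makes decryption fail, so a value cannot be re-homed to
// another patient or field without detection.
func bindingContext(patientID, field string) []byte {
	return []byte(patientID + "\x00" + field)
}

// Seal encrypts value under key and binds it to patientID and field.
func Seal(key []byte, patientID, field, value string) (SealedField, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return SealedField{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedField{}, err
	}
	ct := aead.Seal(nonce, nonce, []byte(value), bindingContext(patientID, field))
	return SealedField{PatientID: patientID, Field: field,
		Blob: base64.StdEncoding.EncodeToString(ct)}, nil
}

// Open decrypts a sealed field. It returns an error instead of data if the
// blob was altered, decrypted with the wrong key, or attached to a different
// patient or field.
func Open(key []byte, f SealedField) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(f.Blob)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("blob too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, bindingContext(f.PatientID, f.Field))
	if err != nil {
		return "", errors.New("integrity check failed: value altered or moved")
	}
	return string(pt), nil
}

// FlipByte simulates an attacker (or a faulty interface) changing one byte of
// the stored blob at raw-byte index i; it returns the modified copy.
func FlipByte(f SealedField, i int) (SealedField, error) {
	raw, err := base64.StdEncoding.DecodeString(f.Blob)
	if err != nil {
		return SealedField{}, err
	}
	if i < 0 || i >= len(raw) {
		return SealedField{}, errors.New("index out of range")
	}
	raw[i] ^= 0x01
	f.Blob = base64.StdEncoding.EncodeToString(raw)
	return f, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; in practice use a KMS/HSM-managed key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, _ := Seal(key, "MRN-1001", "allergies", "penicillin")
	fmt.Println("blob as stored or transmitted:", sealed.Blob)

	v, err := Open(key, sealed)
	fmt.Println("legitimate read:", v, err)

	altered, _ := FlipByte(sealed, 12) // first ciphertext byte after the 12-byte nonce
	_, err = Open(key, altered)
	fmt.Println("altered value:", err)

	moved := sealed
	moved.PatientID = "MRN-2002" // same blob copied into another patient's chart
	_, err = Open(key, moved)
	fmt.Println("moved to another patient:", err)
}
```

The design choice worth noting is the additional authenticated data: encrypting alone would hide the allergy list but would still let a valid ciphertext be pasted into the wrong chart. Binding the patient and field name to the ciphertext turns that substitution into a detectable integrity failure, which is exactly the class of “false information” the fifth takeaway is about.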