I love strategy games. I think this passion comes from the idea that you have to think both offensively and defensively at the same time. You have to create a battle plan that makes you a formidable force offensively while still protecting all of the towns people defensively when you are attacked. You’ll notice that I said “when” and not “if ” you are attacked. In real time strategy games it is only a matter of time before your opponent sends his armada out in an attempt to decimate your happy little settlement. If you have put all of your focus on defense, you may survive the initial wave or two, but eventually your resources will begin to run out and you won’t have enough to mount a counter assault and you will lose. If you put all of your focus on offense, you leave your settlement unprotected. You may win the battle, but the damage to your settlement will still be costly. You need that fine balance of offense and defense.
What does this have to do with health care? Right now, health care providers, insurers, and business associates are fighting a battle between ‘new and upcoming’ technology and safeguarding the technology that they already have. They have pressure from federal regulations to update, change, or implement new technology or receive less money from the government for services that they render to patients with government insurances (Meaningful Use). They have complicated and at times vague regulations like HIPAA and HITECH that were meant to create a set of standards for safe guarding patient data, but the vagueness and complexity makes it very difficult to know if you are in compliance with these regulations without involving your legal team. I will point out that compliance does not mean you have proper security implemented.
So let’s recap quickly. On one side you have regulations stating how data should be protected. On the other side you have regulations stating that you have to upgrade all of your systems or get less money. Then on top of all of this everyone is pushing social media, BYOD (bring your own device), and massive connectivity when it comes to your health information through the use of a PHR (public health record). The old idiom of no one is noticing the “elephant in the room” is quite applicable here.
According to Symantec’s Internet Security Threat Report, Volume 17, of all of the breaches in 2011, health care accounted for the most breaches at 43%. The thing to note is that these were only those that were reported. As this is an opinion piece, I’m just going to say that 1 in every 2 breaches were health care related. The “elephant in the room” is that health care providers, insurers, and business associates can barely protect the information they have now, what makes everyone believe that expanding the electronic usage is going to improve data protection without a complete refocus for the industry? The issue isn’t the technology. It isn’t even the BYOD or the regulations. The issue is education and physician and administrative buy-in.
With breaches like the State of Alaska Department of State and Social Services, South Shore Hospital, and any of the other 435 breaches reported it shows that health care will continue to lose the data protection battle unless we refocus our efforts on education and getting people to ‘want’ to safeguard the data. With regulators pushing more rules and regulations on health care providers, insurers, and business associates, the only thing we get is everyone spinning their wheels to meet “compliance” without actually any focus on the end battle. Health care resources are so focused on implementing all of the new technology to meet Meaningful Use, HIPAA, and HITECH, that they are miss out on the common sense security and training.
Now, I know some of you will debate with me that the whole point of HIPAA, HITECH, Meaningful Use, and all of the other regulations is to resolve this very issue. Well, HIPAA has been around since 1996. HITECH is still in the interim ruling, and Meaningful Use Stage 2 has been pushed back because people are not ready technology wise. All the while, we are losing the battle we are supposedly trying to win with all of these regulations. It also doesn’t help when we lose control of the data with it being on so many portable devices that we can’t effectively lock down.
Until the physicians, administration, and staff buy-in to security and they all ‘want’ to be a part of the security defense team, it doesn’t matter how many regulations you have, how much new tech you purchase, or how “complaint” you are; in the end, you are still as vulnerable because your staff leaves the gate open and your enemy walks right in. The focus needs to be on the human element, not the technology. Until this is done, health care will consistently lose the data protection battle as we focus our resources in areas that either cause more vulnerabilities or only provide the illusion of security through compliance.