Are health care organizations in general slow about implementing information security controls?
An external associate asked me why, in spite of regulations such as HIPAA, health care organizations appear to be very hesitant to implement strong technical security controls. This associate noted that when HIPAA first went into effect, health care organizations adopted a "wait and see" posture and, even with the recent audit of Piedmont Hospital in Atlanta, Georgia, they appear to be continuing this stance.
What are the drivers for this apparent behavior?
Good Answers (2)
James S
Futurism and strategic development at its sharpest. Understanding the future to create advantage today
Joe,
From experience, healthcare organisations ARE slow to implement information security measures mainly because few actually know what they have. When they do get around to such security measures, they usually go completely overboard so functionality and reasonable access becomes a problem even for people inside the organisation.
This strikes to the heart of information and the perception of value / use.
Regardless of what an organisation does, information will be the lifeblood of that organisation. See the WKID pyramid of knowledge management on the web page below.
There are many types of organisations who are poor at handling information and knowledge. For healthcare companies, the issue is often disjointed and scattered data. What they need more than anything is an overall strategy for MOI to deliver a coherent view of analysis based intelligence.
What this means is that healthcare companies have information scattered all over the place - and do not know what they have. This therefore is a major security risk. What they need to do is pull it together for analysis purposes ... and provide reasonable security so functionality is not overly compromised.
The benefits of this approach are:
reduced security risk
reduced statutory risk
reduced cost
a "single version of the truth"
a greater insight into customer / patient behaviour / trends
greater market penetration.
Hope this helps.
Regards
James.
Sheilah E
Owner, SME Management: Business Management and Accounting Consultant
I think some are slow to comply because they have no idea what the law is even about. Doctors often rely on staff to make sure they are in compliance and are told everything is fine. Foolishly they believe this. You are also dealing with people who behave in certain ways out of habit. They figure they got by all this time, no one will know.
I think the biggest issue right now is the law change that occurred in 2005 that allows "entities", i.e. hospitals, clinics and insurers, to be held liable, but not the staff. So if the doctor's nurse or a clerk in a hospital decides to sell a patient list, nothing happens to them, but the entity is held responsible.
Sheilah
More Answers (4)
Javed I
Chief Security Officer at zSquad (http://www.zsquad.com), a Boston-based Information Security Consulting Company
We conduct HIPAA audits, and based on our experience in the greater Boston area, I would say No. Any delay you see may be a combination of natural procrastination and lack of budget.
Enterprises implement security for 3 reasons: Reputation, Regulation, and Revenue. For financial services, all 3 are very important. But for healthcare, Reputation and Revenue are pretty much constant: if there is a security breach, the patients are not all going to go somewhere else. So the only driver is Regulation.
There is a 4th driver as well: a well-publicized breach (e.g. TJX) but that is rare.
Like any other company, healthcare organizations will first spend budget on what is NEEDED. Unfortunately, security is often viewed as a "nice to have" and I think that mindset explains the delay (in healthcare and other sectors).
Eric W. C
Network & Internet Security Account Executive at Enterprise Consulting Group
Generally, healthcare institutions are heavily compartmentalized; in other words "the hand often does work with the arm" and vice versa. Unfortunately, most issues these days have to do with "ownership" of managing technologies within most large organizations and the culture of how projects are budgeted and ultimately decided on. This can be a very interesting battle between Management, Networking, and Security teams.
It would be great to stop daily work activities, get everyone in a room together and figure out why decisions take so long (this can be done by putting together yet another committee). However, this is very unreasonable, unrealistic and time consuming.
What I have seen larger healthcare institutions start to do is to take a look at HIPAA compliance with a set of controls, and 'tools' for those controls. This seems to start at Policy Development and Enforcement (which usually has already been done), then carries down to the groups who manage those tools, then to the people that sign off on the acceptable usage policies that govern the network.
This gets back to the original question: Are health care organizations in general slow about implementing information security controls? The answer is yes. The proper controls that address HIPAA connect all these political IT silos together. Once "ownership" can be established between the groups in these larger organizations, they might be able to decide on how they can become quicker to comply with the ever-changing [often vague] world of healthcare compliance. It is going to take the collective of the organization to figure out the purchasing drivers and ultimately the technologies to help protect and enforce an organization, well in advance of the needs at hand.
One technical challenge when implementing security controls in health care organizations is that the authorization process needs to be able to handle exceptions.
Example:
If you have cancer and are getting radiation treatment at a hospital, the radiology department obviously needs access to your data. Under normal circumstances the nurses at the geriatric department would not need access.
Unfortunately there are plenty of situations where this isn't true. Let's assume that you are supposed to visit a doctor whose office is located in another part of the building and you get lost. While trying to find your way back you end up in the geriatric department, slip and hurt your head badly in the fall. In this situation it would be useful, or perhaps even life saving, for the nurses at the geriatric clinic to be able to check your blood type.
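The "authorization with exceptions" requirement above is what is usually called break-glass access: routine role-based access for the care team, plus a narrow, audited emergency override that every other clinician can invoke and that a privacy officer reviews afterwards. The following is an added illustration (not code from this thread or from any hospital system); the departments, field names and review queue are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample policy (not from any real system): record fields each
# department may read for this patient under normal circumstances.
ROUTINE_ACCESS = {
    "radiology": {"diagnosis", "treatment_plan", "blood_type", "allergies"},
    "geriatrics": set(),  # not on this patient's care team
}
# The minimal subset a clinician may open under an emergency override.
EMERGENCY_FIELDS = {"blood_type", "allergies"}


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    department: str
    field: str
    outcome: str            # "routine", "break_glass" or "denied"
    reason: Optional[str]
    needs_review: bool      # every override is queued for a privacy officer


class RecordAuthorizer:
    """Role-based access with an audited break-glass path for emergencies."""

    def __init__(self, routine=ROUTINE_ACCESS, emergency=EMERGENCY_FIELDS):
        self.routine, self.emergency, self.audit = routine, emergency, []

    def _log(self, user, dept, field, outcome, reason, review=False):
        # Denials are logged too: repeated denied probes are a detection signal.
        self.audit.append(AuditEvent(datetime.now(timezone.utc), user, dept,
                                     field, outcome, reason, review))
        return outcome != "denied", outcome

    def authorize(self, user, dept, field, break_glass=False, reason=None):
        if field in self.routine.get(dept, set()):
            return self._log(user, dept, field, "routine", None)
        # Override is deliberately narrow: emergency fields only, and a
        # stated reason is mandatory so the reviewer has something to check.
        if break_glass and reason and field in self.emergency:
            return self._log(user, dept, field, "break_glass", reason, True)
        return self._log(user, dept, field, "denied", reason)

    def pending_reviews(self):
        return [e for e in self.audit if e.needs_review]
```

In the scenario from the answer, the geriatric nurse gets the blood type only through the override path, and that access shows up in `pending_reviews()` rather than silently widening the nurse's role.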
Certainly HIPAA is at the forefront of this slowness, and training on it is slow because it is mostly misunderstood.
The privacy and Fair Records Review Act and other regulations exist as well,
and unless this issue comes to a head it will not move; it will stay as is. The movement is also slow because of fear of lawsuits.
By the way, anyone who has or sells health insurance is also affected by HIPAA.