
Healthcare IT Security – The “Not So Big Easy”

HIMSS, the healthcare industry's standard bearer for the promotion of information technology (IT), held its 2013 annual conference (HIMSS13) in New Orleans last month. Nearly 35,000 people attended the event, including former president Bill Clinton, fellow politicos James Carville and Karl Rove, and bow-tied Dr. Farzad Mostashari, HHS's National Coordinator for Health Information Technology.

Interoperability and exchange were the hot topics of the week, further jazzed by the recently announced CommonWell Health Alliance, a six-party partnership between Cerner, McKesson, Allscripts, athenahealth, Greenway Medical Technologies and RelayHealth. Notably absent from the Gang of 6 is Epic, the undisputed EHR market heavyweight. Depending on who you ask, Epic was either not invited to join CommonWell or chose not to participate. Epic's CEO, Judy Faulkner, said that the alliance is less about interoperability and more about competition: "It appears on the surface to be used as a competitive weapon and that's just wrong. It's wrong for the country." When asked to referee, ONC's Dr. Mostashari said he didn't want to get into a "he-said, she-said." The dust-up made the Karl Rove – James Carville debate look tame by comparison.

While interoperability and exchange are important topics, I would have liked to see more focus on PHI privacy and security. At the HIMSS update on the federal government's Health Information Privacy Enforcement and Audit Program, David Holtzman of OCR reported some surprise that 60% of the findings from the 115 pilot program audits related to security issues. It really shouldn't be that surprising given that 556 breaches affecting 21.7 million individuals have been reported over the past 3 years.

As we've said many times, compliance is necessary but not sufficient. The abysmal track record in PHI breaches is a direct result of a lack of focus on effective IT security measures and a dearth of qualified security experts in the industry. OCR's audit program created more anxiety than action. As a result, compliance consultants wrote white papers, conducted webinars, and even led HIMSS sessions on "How to Prepare for an OCR Audit." We don't blame them; it is what they know. But for real-world, practical advice on combating IT security threats, I cordially invite you to Redspin's upcoming webinar.

A few months ago, IDC identified the major challenges facing HIE vendors. High on the list were "privacy and security risks that worry providers as more patient information is transferred from paper charts to electronic health records and made accessible both inside and outside the organization via HIEs and mobile devices." Achieving EHR interoperability and facilitating exchange through HIEs, alliances, or both, will introduce even more risk of breach: every new interconnection widens the set of systems and parties that can reach the same PHI. We need to get our EHR houses in order first. Unlike the financial industry, healthcare does not have a uniform transaction model. The industry is at best a multi-tenant model with diverse information needs, at worst a multi-headed hydra. Overlay varying levels of privacy and confidentiality, make the whole system interoperable and interconnected, and the task gets exponentially harder.

At HIMSS14, forget Rove-Carville. Let’s have a debate about CommonWell Health Alliance’s comprehensive security strategy.
