Information security in health care – four critical errors
As the first Information Security Manager at a fairly large financial institution, I lived by trial and error for a while. Admittedly, I made mistakes along the way, but the good thing is I learned from them and most of the time put what I learned to use.
Working with managers at various types of organizations, such as health care providers, has also been a learning experience. I have learned that we are all human and are prone to seeing and reacting to new laws, major incidents, trends, etc. However, that is what I refer to as reactive Information Security Management. Realistically, that is the biggest problem with how information security has been deployed since we were charged with this task. It is how the vendors deploy solutions, and it is how senior management communicates concerns to information security management. “This solution will help you to address the latest phishing threats.” “How are we making sure that the congressman’s medical condition won’t show up in the newspapers, like it did at the hospital on the other side of town?”
The errors below are some critical mistakes that are made when dealing with information security in health care institutions. All of them are either directly or indirectly related to being reactive rather than having a proactive Information Security Risk Management program in place. After all, Information Security is about defining the critical information generated, assessing the risks to that information, and mitigating the risks by implementing controls and solutions that are consistent with the mission and objectives of the organization.
1. Presuming that HIPAA Compliance is Security – Legislators are concerned about their constituents, because that is who elects them. HIPAA was enacted as a reaction to security breaches of health care information about consumers. It is important to protect private health care information. Privacy is a major concern of security, but it is not the only concern.
Healthcare providers have created positions for Privacy Officers, strictly to comply with HIPAA. Some of those same organizations don’t even have a full time Information Security Officer. The three major concerns of information security are the confidentiality, integrity, and availability of information. Privacy is a part of confidentiality. The most critical security concern of health care organizations is the integrity and availability of information, rather than the privacy. Doctors and nurses require accurate information at all times to provide adequate care for patients.
By deploying disproportionate resources to protect privacy as opposed to the other security concerns, we are ineffectively managing resources.
2. Basing Security on the Systems Rather than the Critical Information – This mistake is one that I made initially when managing my security program. I developed policies but was ineffective at educating users.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
risk management
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
