Not a week goes by without hearing about a data breach in the healthcare industry, it seems. Well-publicized cracks in our healthcare security don’t do much for public confidence in EHRs and other health IT. Appropriately and tightly securing data isn’t necessarily difficult, but there are so many moving parts and considerations that it’s easy to miss something that can make data vulnerable.
Organizations must take a “no excuses” approach to healthcare data security. By “no excuses,” I mean you should accept no excuses for creating solid security procedures designed to ensure that breaches never happen in the first place.
It’s not just the fines that you have to fear. The influx of “big data” is stressing your systems every day; and someday providers will need to seriously consider cloud-based storage as a solution to data management problems. If the cloud is in healthcare’s future, you have to ensure that your organization has the ability to secure your own data when it’s always under your purview. The familiar stories of stolen laptops and putting a server online prematurely clearly demonstrate that the industry isn’t quite ready for cloud-based healthcare data management.
Anatomy of a Crash
I am a big fan of the National Geographic show “Anatomy of a Crash.” The show proves that it’s never just one thing that leads a bridge to collapse or a plane to fall from the sky. It’s a series of small, seemingly inconsequential decisions or actions.
Many years ago I asked my dad — a pilot — what made airplane engines so reliable. After all, you hardly ever hear about plane crashes due to engine failure. If my car’s engine goes out, I just pull onto the side of the road; with an airplane, I don't have that luxury. My dad’s response? “It’s simple: weight, redundancy and usage.” Airplanes are built with better quality metals. There is redundancy within the system, not only multiple engines but multiple fail-safes within the engine. And airplane engines are used fully each time, unlike a car engine that is run hot and cold. Running hot and cold puts additional stress on the lower quality metals used in car engines, causing more breakdowns.
[Related: Mitigating PHI danger in the cloud.]
What can the healthcare industry learn from avionics? Plenty. You have to build redundancy into your systems so that one seemingly inconsequential decision doesn’t expose hundreds of thousands of medical records. When healthcare data gets breached, the damage is already done — you can't just “pull over to the side of the road.” To avoid breaches, you need to ensure that your engine (i.e., data systems) is protected with the best available technologies. You build redundancy in the system to ensure one person or technology isn't able to expose the system. And finally, you have to use the system — the data protection processes that are in place.
People, Process, Technology and Culture
A great way to think about this is the familiar people, process, culture and technology meme.
- People: You have to have people who understand not only your security requirements but also the implications of the requirements in order for them to institute the right policies.
- Processes: Done well, processes can be excellent safeguards. However, organizations should avoid the temptation to overdo it. Security processes should be clear and well documented, with additional steps built in when there is a potential exposure risk to protected health information (PHI).
- Technology: – It can't solve everything, but technology can help put safeguards in place to ensure that it's harder to have a breach.
- Culture: Finally, your organization should have a culture of respect, not fear, of the data that you safeguard.