Taking Healthcare IT Seriously Demands Culture Changes
Healthcare is moving cautiously into cloud computing, virtualization, BYOD and other IT innovations. And there's good reason for the caution. Until an organization's IT leaders take meaningful steps to change what's typically seen as a lackadaisical privacy and security culture, the risk of patient-information loss remains high and costly.
Wed, December 19, 2012
CIO — BOSTON—The growing use of electronic personal health information has largely changed the healthcare industry for the better, but ePHI has had one downside, says Mac McMillan, CEO of the consultancy CynergisTek. Since patient data is now electronic, security has become the sole purview of IT departments.
McMillan adds, this has made it difficult for many healthcare organizations to establish a culture of privacy and security for many reasons:
- Security is rarely discussed at hospital board meetings, even though every facility has security problems.
- The chief information security officer (CISO) is often buried in the organizational chart, several steps from the CEO.
- Fewer than 50 percent of healthcare IT security professionals have either the credentials or the experience necessary to put together a budget.
- The amount of the IT budget devoted to security is often less than 1 percent at healthcare organizations, compared to 6 to 12 percent in other regulated industries.
More than anything, McMillan says, healthcare's security culture leaves a lot to be desired because leaders don't take security seriously and employees simply follow that example.
BYOD in Healthcare Must Balance Productivity, Mobile Security
McMillan spoke at last week's Privacy & Security Forum. The event focused on several existing and emerging areas of concern for healthcare CIOs.
Mobile security ranks highly among those challenges. Physicians and administrators alike readily embrace the bring-your-own-device (BYOD) phenomenon, as their personal devices easily trump the legacy, wired clients at many hospitals. While institutional responses vary, most CIOs admit that the productivity gains, realized in actions as simple as a physician answering email while waiting in the cafeteria line, provide a nice return on the BYOD investment.
Maine's Franklin Community Health Network, for example, embraced BYOD in large part because it could not afford to buy mobile devices for employees, CIO Ralph Johnson says.
The facility's BYOD policy covers any device that can log onto the guest network—which is not the same network that the folks in the waiting room use—but limits users to email, calendar and portal applications. Users must give IT remote wipe and encryption permissions, and no ePHI can be stored locally, Johnson says.