We recently interviewed Edward Schwartz, chief security officer for IT security firm NetWitness (recently acquired by RSA) to get his thoughts on the move to electronic medical records and the impact on the security and privacy of those records. During his extensive career, Schwartz has served in various executive positions for a number of security vendors including CTO of ManTech Security Technologies Corp, SVP of operations of Guardent Inc. and EVP of operations for Predictive Systems. Schwartz also worked as CISO at Nationwide Insurance.

CSOonline: How complex are the security challenges facing the health care industry today?
Schwartz: When you think about it, health care is a much more complex process than payments. There are different entities involved in the process: the payers, the providers, labs, administrators, and consumers. Some of the providers are very, very large entities and they could potentially get the attention of the regulators. There are certainly opportunities for consumers to file breach complaints. They could take private action and have some recourse. But what do you do about the mid-tier and smaller providers? They have very little incentive to do security from a regulatory perspective, at least in most places today. And, frankly, where they are adding security to any degree that is useful is going to introduce additional expense to a model that's already ridden with so much expense as it is. I don't see an easy fix to this. And, for consumers, unfortunately the nature of the breach is different. Once your personal health information is made public, you may not be able to get your privacy back.
CSOonline: When it comes to specific security expertise, do you think it makes sense in the healthcare industry for them to outsource traditional security services?