For me, healthcare security is personal

Recent stories paint a picture of turmoil for those responsible for data security in the healthcare industry. For me, this one is personal.

As a kid sick from Crohn's Disease in the 1970s and 80s, Children's Hospital in Boston was practically a second home for me. Somewhere in that institution's records vault is a picture of what I went through in explicit detail from age 8 through 21. Various other medical facilities have detailed records of an adulthood littered with back pain, eating disorders and psychotherapy to process the mental residue of all the above.

Some of you know I keep a personal blog about all these things, and I decided long ago to be as open about the struggles as possible. One person's openness can hopefully act as a roadmap for others dealing with similar sufferings.

With that said, you would think I'm not worried about who sees all my medical records. I'm open about it all anyway, right?

That may be so. But my experiences make me all too aware of what's at stake for countless other patients who do not choose to share all the gory details.

I've reported and written on a number of healthcare security problems in the last seven years. Doctors and nurses have been caught perusing the medical records of famous patients. HIPAA -- enacted to ensure the protection of patient information -- has had a positive impact, but compliance for too many institutions remains an uphill climb.

CSO correspondent George V. Hulme recently conducted a Q&A with Gunnar Peterson, managing principal at security consultancy Arctec Group, about the challenges the healthcare industry faces when it comes to data security.

His explanation of what he's seen gives me a genuine sympathy for those tasked with data security in this sector. He tells George, among other things:

I think that the health care industry has a number of challenges that make the security architect's job, the CSO's job -- in all cases except for one -- much more difficult than in financial services and most other industries. The one thing that's more difficult in financial services is that they have ongoing determined attacks through fraud and other types of financial attacks. That's been with banks long before there were computers. I would argue that almost every other aspect of security is more difficult in healthcare.

It starts with the transaction. One of the nice things that security architects have in the financial world is a very black and white transaction model. The money is in my account, or it's in your account, or it's in the holding company's account. There is no gray area about who's got the money at any given period of time, or where the risk is at any given time. Relatively speaking these transaction models are brutally simple, because lots of players have to sign up for them and there's lots of standardization. And people have been tweaking these models for a long time. When you start a job as a CISO at a financial services firm you are given a transaction model manual, and it's fairly straightforward.

If you compare that to medical records, to healthcare insurance, or other things in that space, there is almost no uniformity, no standardization in how many of these interactions work. On your very first day as a security architect at a healthcare company, or somebody dealing with medical records, you are going to get either no guidance on the transactions model or thousands of pages of Byzantine, non-uniform protocols, data formats, things that don't reconcile -- and then you are going to have to figure out a way to secure this. So, in financial services, you have a nicely layered lasagna and then you have an endless and endless amount of spaghetti with ten different kinds of sauce in the healthcare world.

It's a mess. But not an impossible mess. I know several CSOs and CISOs in the healthcare industry who are working the problem with every fiber of their being.

Some tell me about ongoing challenges that back up Peterson's points. But all have made some measure of progress, including Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services, who has been quite open about that institution's struggles to bounce back from HIPAA violations.

Solid data security in the healthcare sector is possible. Or, at least, that's what long-term patients like myself are praying for.

--Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO's Daily Dashboard gives you a

Get your morning news fix with the daily Salted Hash e-newsletter!


Copyright © 2011 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.