If we go back to 1990 (back to the future), we remember that email, smart workstations , mobile devices, and the internet were not available and what we now refer to as protected health information (PHI) existed primarily in 3 locations (mainframes, backup tapes, and reports).
The technology explosion that began in the 90s increased the numbers of locations of PHI geometrically and, for the most part, information security controls have been implemented as a reaction to resulting threats and vulnerabilities (e.g. laptop encryption). And that is generally still the case today.
Healthcare is now recognized to be the #1 target for hackers and ransomware and there are two (2) main reasons that make up the root cause.
- Since 2009 there has been rapid deployment of electronic medical record systems due to the HITECH Act and the Meaningful Use rules. Hackers know that the main focus has been on deployments and that healthcare budgets for the most part did not have room for the resulting necessary controls for protecting against unauthorized access to electronic protected health information.
- Over the past decade and more, HIPAA covered entities and business associates have not properly resourced both human and $$ resources necessary for a functional information security risk management program. That is why we have seen healthcare Information Technology (IT) Directors of Operations also being designated as the Information Security Officer. There are not enough hours in the day to do both, and operations always comes first.
Going forward, and learning from the past, it seems clear to us that information security must be a proactive enabler of technology, a foundation for new technology rather than a reactive fire drill to mitigate an incident. Of course this is easier said than done, but certainly a good conversation for the C-Suite when justifying proper funding and human resources for information security.
Until then, the hackers are lurking like vultures and it will only get worse. We have all heard – “It isn’t a matter of if, but rather, a matter of when”.
Gerry Blass is the President & CEO of ComplyAssistant. Gerry has over 35 years of experience in healthcare IT and compliance. ComplyAssistant provides IT and compliance consulting services and healthcare compliance software, also called ComplyAssistant. The software is a compliance management cloud portal that provides guidance, organization, collaboration alerts, and notifications for more effective management and documentation of healthcare compliance activities.