The Cost Of Healthcare Data Access

Does every healthcare department really need around-the-clock access to every file or image, or could security be tightened?

Jutta Williams, Corporate Information Assurance Officer and Chief Compliance Officer, Health First

December 29, 2014

3 Min Read
(Image: <a href=""target="new">Kin Lane, Flickr</a>)

I recently painted a pretty bleak picture of healthcare security, describing the threat IT professionals face when they are responsible for data that is ripe for stealing and selling on the black market. I'm updating my LinkedIn profile to remove all data-related projects as we speak.

But the risk extends well beyond IT. From CIOs, CISOs, and IT VPs to researchers, the finance department, IT systems administrators, brokers, benefit administrators, physician credentialing experts, and HR background checkers -- any of these healthcare professionals could be at risk, too. We all have evolved in our jobs to have access to incredible amounts of valuable data to crunch and find process improvements. It's a tough economy, and data access is crucial to lean initiatives.

How to keep this data -- and the people who handle it -- safe? We need to look at things from a different perspective. Has our emphasis on anytime, anywhere access and distributed data analysis resulted in a physical security threat to our workforce? Are there business functions where the risks outweigh the benefits and we could roll back a bit?

[Does your business follow least-privilege practices? Read 2014: The Year of Privilege Vulnerabilities.]

National security industries have secrets to keep and, with a few notable exceptions, have done a pretty good job of making sure large-scale breaches of their data don't occur. These breaches mostly involve insiders, though -- a different discussion. These industries also don't provide remote access from the Internet to their secure networks. They require that data analysis and access activities occur onsite.

They classify and categorize data that can be shared on their public networks, and they do not allow certain classifications of data (i.e., secret or top secret) to be placed on that network. They maintain an air gap between the types of data that would cause some harm if breached and data that could cause great harm. They require two-person controls for many administrative functions, so that it takes collusion to compromise sensitive information.

Reading this might already be alarming some business leaders out there. Some clinicians might argue that better shielded data could hurt patients. But wait, hear me out. I'm not proposing a SIPRNet for healthcare. I'm suggesting that first we must assess whether the efficiency of anywhere, anytime access to data is worth the risk of harm to our organizations and even to us personally, should armed assailants target us. Curbing remote access to data that isn't needed remotely is a great first step.

Second, I'd like to call for new information delivery technologies capable of differentiating between internal and external access, and behaving accordingly so that large quantities of data can't be accessed from outside our protected networks.

It might mean CFOs have to wait until business hours to request a revenue summary from analysts. But let's still create tools that make a single x-ray at a time accessible to on-call radiologists, so they can diagnose from home a patient waiting in emergency.

Regardless of what future technology looks like, I challenge all of us to consider how much we really need anywhere, anytime data access. Before password mugging becomes a plague, let's agree it's important to invest some thought -- and maybe a formal business review -- of current remote data access policies that create opportunities for criminals.

Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.

Read more about:


About the Author(s)

Jutta Williams

Corporate Information Assurance Officer and Chief Compliance Officer, Health First

On September 15, 2014, Jutta Williams joined Health First as the organization's first Corporate Information Assurance Officer (CIAO) and accepted the interim role of Chief Compliance Officer (CCO) on December 1, 2014. Ms. Williams most recently served as the Director, Corporate Compliance and Chief Privacy Officer at Intermountain Healthcare, a not for profit Integrated Delivery Network (IDN) based in Salt Lake City, Utah.

Ms. Williams is a frequent speaker at national conferences, covering topics on compliance program governance, HIPAA security and privacy, healthcare information transformation and third-party information sharing risk. She has been selected to represent the provider community point of view on regulatory compliance hearings conducted by the Department of Health and Human Services, and has frequently presented to state and federal legislators on the topics of information protection and the impact of regulatory change.

Before joining Intermountain, Ms. Williams worked as a governance, risk and compliance program development consultant at Deloitte and Touche, where she helped large and small organizations in a number of industries meet their regulatory obligations and build strong security and data protection programs.

Prior to her commercial work, Ms. Williams also served for nearly 10 years with a number of federal entities in a variety of technical and leadership capacities. She graduated with highest distinction from Carnegie Mellon University earning a Master's of Science in Information Security Policy and Management, a program that focused on both the business and technology aspects of information protection and which regularly ranks as the top such program nationally.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights