The Cost Of Healthcare Data Access - InformationWeek


Healthcare // Security & Privacy
09:06 AM
Jutta Williams

The Cost Of Healthcare Data Access

Does every healthcare department really need around-the-clock access to every file or image, or could security be tightened?

I recently painted a pretty bleak picture of healthcare security, describing the threat IT professionals face when they are responsible for data that is ripe for stealing and selling on the black market. I'm updating my LinkedIn profile to remove all data-related projects as we speak.

But the risk extends well beyond IT. From CIOs, CISOs, and IT VPs to researchers, the finance department, IT systems administrators, brokers, benefit administrators, physician credentialing experts, and HR background checkers -- any of these healthcare professionals could be at risk, too. We all have evolved in our jobs to have access to incredible amounts of valuable data to crunch and find process improvements. It's a tough economy, and data access is crucial to lean initiatives.

How to keep this data -- and the people who handle it -- safe? We need to look at things from a different perspective. Has our emphasis on anytime, anywhere access and distributed data analysis resulted in a physical security threat to our workforce? Are there business functions where the risks outweigh the benefits and we could roll back a bit?

[Does your business follow least-privilege practices? Read 2014: The Year of Privilege Vulnerabilities.]

National security industries have secrets to keep and, with a few notable exceptions, have done a pretty good job of making sure large-scale breaches of their data don't occur. These breaches mostly involve insiders, though -- a different discussion. These industries also don't provide remote access from the Internet to their secure networks. They require that data analysis and access activities occur onsite.

They classify and categorize data that can be shared on their public networks, and they do not allow certain classifications of data (i.e., secret or top secret) to be placed on that network. They maintain an air gap between the types of data that would cause some harm if breached and data that could cause great harm. They require two-person controls for many administrative functions, so that it takes collusion to compromise sensitive information.


Reading this might already be alarming some business leaders out there. Some clinicians might argue that better shielded data could hurt patients. But wait, hear me out. I'm not proposing a SIPRNet for healthcare. I'm suggesting that first we must assess whether the efficiency of anywhere, anytime access to data is worth the risk of harm to our organizations and even to us personally, should armed assailants target us. Curbing remote access to data that isn't needed remotely is a great first step.

Second, I'd like to call for new information delivery technologies capable of differentiating between internal and external access, and behaving accordingly so that large quantities of data can't be accessed from outside our protected networks.

It might mean CFOs have to wait until business hours to request a revenue summary from analysts. But let's still create tools that make a single x-ray at a time accessible to on-call radiologists, so they can diagnose, from home, a patient waiting in the emergency department.
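One way to express the kind of origin-aware, volume-limited policy the last three paragraphs call for. This is an added example, not code from the article or from any product it mentions; the address ranges, roles, business hours and per-role caps are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Assumed internal address ranges and business hours (constructed for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59

# Maximum records a single remote request may return, per assumed role.
# 0 means the role gets no remote access at all (bulk analytics stays on-site).
REMOTE_LIMITS = {"radiologist": 1, "clinician": 5, "analyst": 0}


@dataclass
class Request:
    role: str          # caller's role, e.g. "radiologist"
    client_ip: str     # source address of the request
    record_count: int  # records or images the request would return
    hour: int          # local hour of day, 0-23


def is_internal(ip: str) -> bool:
    """True when the source address falls inside the protected network."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def authorize(req: Request) -> Tuple[bool, str]:
    """Decide a request: bulk pulls on-site during business hours only,
    single records on-site at any hour, and a small per-role cap when remote."""
    if req.record_count <= 0:
        return False, "nothing requested"
    if is_internal(req.client_ip):
        if req.record_count > 1 and req.hour not in BUSINESS_HOURS:
            return False, "bulk access is limited to business hours"
        return True, "internal access"
    limit = REMOTE_LIMITS.get(req.role, 0)
    if limit == 0:
        return False, f"role {req.role!r} has no remote access"
    if req.record_count > limit:
        return False, f"remote request exceeds the per-role cap of {limit}"
    return True, "remote access within per-role cap"
```

The same function serves both the on-call radiologist fetching one image at 2 AM from home and the analyst whose 5,000-row revenue summary is refused until it is requested on-site during business hours.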

Regardless of what future technology looks like, I challenge all of us to consider how much we really need anywhere, anytime data access. Before password mugging becomes a plague, let's agree it's important to invest some thought -- and maybe a formal business review -- in current remote data access policies that create opportunities for criminals.


On September 15, 2014, Jutta Williams joined Health First as the organization's first Corporate Information Assurance Officer (CIAO) and accepted the interim role of Chief Compliance Officer (CCO) on December 1, 2014. Ms. Williams most recently served as the Director, ...
User Rank: Ninja
1/6/2015 | 3:04:42 PM
Importance of governance
Obviously security needs to remain at the core. But the real, bigger story here is the importance of building a solid strategy rich in data governance principles. According to a recent IDG SAS survey, a majority of organizations today lack a solid data management strategy. While this can be alarming when talking about personally identifiable information, it's important to remember we are still maturing as an industry.

Peter Fretty, IDG blogger working on behalf of SAS 
User Rank: Apprentice
1/2/2015 | 9:29:38 AM
Re: When greed is in charge consumers get the shaft
Short answer, strongly disagree with Jutta. 

The issue lies in how the functionality is being delivered.  Technology that opens up vulnerabilities to an enterprise's network, poorly authenticates users, and/or extracts data and places it on portable devices does cause real security and privacy threats to the enterprise, user, and client/patient; no disagreement there. 

But what if you could use a mobility or remote access technology that poses no incremental risk and delivers you your full suite of digital resources when you were outside of the office?  This is not a hope; this technology is available - MobiKEY.

As CEO of the company that provides said secure mobility functionality (MobiKEY) to a number of DoD clients and Corporate America clients, I know the truth lies more with the fact that there are far too many IT leaders that work with OLD architectural approaches to new functionality requirements.  Further, acting on a secure mobility strategy should save the enterprise money - yes, better security does not have to be a slippery slope to spending more money - and deliver flexibility to the workforce, breaking the chain to a desk.

Far too often IT leaders jump on a new functionality request without figuring out how first to deliver a secure implementation of the functionality.  The consequence of a rushed implementation is often not good.  There are far too many examples of what happens if the quick and ignorant approach is adopted.

Let's start with figuring out how to do it right versus saying no.

User Rank: Ninja
12/29/2014 | 4:54:29 PM
When greed is in charge consumers get the shaft
The writer makes very valid (and timely) points in her analysis.  24x7x365 access by any party for any reason to confidential patient data is a massive breach waiting to happen.   Home Depot may be the biggest breach (so far) but I'm afraid that we haven't seen anything yet.  The rapidity with which money is being tossed at healthcare startups and mobile apps is frightening.  Additionally, there doesn't seem to be any concern whatsoever about securing data.  Just a mad scramble to make a profit before the bubble bursts.