healthsystemcio.com

Data Security – Pay Now or Pay (More) Later

04/28/2010 By Rich Temple Leave a Comment

Rich Temple, Senior Consultant, Beacon Partners

Rich Temple, Executive Consultant, Beacon Partners

As we enter the era of Meaningful Use, we are truly seeing an increased realization of the central role that IT plays in provider strategic planning. Happily, we are also starting to see recognition from many corners of healthcare organizations of the wisdom of making targeted, shrewd IT investments as down payments on organizations’ futures.

And that is good news. But some of the challenges that IT departments have historically encountered when presenting business cases for IT systems in a constrained capital environment still remain, though their “centers of gravity” may have shifted. Just as capital may flow to procure certified systems that can lead an organization to Meaningful Use, capital likewise needs to flow to build appropriate security infrastructures around all the electronic patient data in those systems. The consequences of not funding this can be devastating and, sometimes, irreparable.

We hear on the news on a regular basis about how hackers have compromised various corporate systems and gotten their hands on sensitive financial data. Companies that have had their systems compromised suffer great financial losses in terms of the costs of credit monitoring, notifications and other incidental costs, but often suffer greater and harder-to-recover-from losses in terms of trust and goodwill. There have been cases of companies that wound up having to go out of business as a direct result of even a relatively minor data breach. To put some numbers around this, according to a study done in 2008 by the Ponemon Institute, a privacy and data-protection research group, and PGP, a data-encryption vendor, the average cost of a data breach to the organization responsible is $6.75 million, and the average cost per record for a data breach is $204.

Healthcare systems, being repositories for some of the most sensitive data one can imagine about many, many human beings, have a unique obligation, for both selfish and selfless reasons, to take all steps possible to hold patients’ electronic protected health information (ePHI) sacrosanct. There are many ways to do this, and the new HITECH legislation puts a lot of teeth into the HIPAA rules that mandate that providers keep data secure. Data breaches involving over 500 patients have to be reported to CMS and generally have to be reported to the major media outlet in the hospital’s operating market. Think of the damage that a prominent media report about a data breach emanating from your facility can do. It is profound and often irreversible.

Healthcare providers need to take all necessary steps to ensure that any ePHI leaving or entering their facilities is encrypted, so that no one can casually intercept and read it. All laptops or thumb drives that might conceivably contain ePHI need to have encryption built into them, so that in the event those devices are lost or stolen, no critical ePHI can be compromised by the wrong people. Even behind an institution’s firewall, there exists a threat of a “breach from within” by employees or contractors. Pains must be taken to protect “data at rest” residing on servers.

To visualize this at its most basic level, picture back-up tapes containing ePHI falling off the back of a truck on their way to an off-site storage facility and someone picking those tapes up and reading them.  As a leader in your organization, do you want to roll the dice and hope your institution isn’t permanently damaged as a result of a breach, or do you want to make the necessary investments now to protect your organization from this type of grave risk?
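The two preceding paragraphs come down to one engineering control: ePHI written to a laptop, a thumb drive or a backup tape should be unreadable without a key that is not stored alongside it. The following Go program is an added illustration of that control and is not code from the original post or from Beacon Partners. It encrypts a constructed sample record with AES-256-GCM (authenticated encryption, from Go’s standard library) so that a tape that falls off the truck yields only ciphertext, and so that a tampered or mislabelled blob is rejected rather than decrypted to garbage. The key handling is simplified for the example: `NewKey` generates a key in memory, whereas a real deployment would keep the key in a key management system and never on the same media as the backup. The record contents and the `backup-2010-04-28` label are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is the key length for AES-256.
const keySize = 32

// NewKey returns a fresh random 256-bit key. This stands in for a key
// management system; the key must never be stored beside the backup.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. The returned blob is laid out
// as nonce || ciphertext || tag, so the backup carries everything needed
// to decrypt except the key. label is bound as associated data: it is
// authenticated but not encrypted, which ties the blob to a backup id.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the blob or the label, or use of the
// wrong key, fails authentication and returns an error, never plaintext.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN=000123;NAME=J. Doe;DX=example")
	label := []byte("backup-2010-04-28")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	// This is all that a lost tape would reveal.
	fmt.Printf("on tape: %x\n", blob)

	// Flip one byte, as a damaged or altered tape might: Open must refuse.
	blob[len(blob)-1] ^= 1
	if _, err := Open(key, blob, label); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The design choice worth noting is the use of an authenticated mode: plain CBC or CTR encryption would keep the tape confidential but would silently accept a modified blob, whereas GCM makes integrity failures an explicit error, which is what an incident responder wants to see in a restore log.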

Filed Under: Privacy/Security Tagged With: Blogs, data security, HIPAA, HITECH, Rich Temple

Copyright © 2023 HealthsystemCIO.com.