The Security Scrutinizer with Howard Anderson


Health Data Security: A Tipping Point

Finally, Protecting Patient Data Is on List of Priorities
Dave Summitt of H. Lee Moffitt Cancer Center

Has the healthcare sector finally reached a data security tipping point?


Dave Summitt, CISO of H. Lee Moffitt Cancer Center and Research Institute in Tampa, Fla., thinks so. And so do many of his peers.


In a recent video interview with me, Summitt said that seven years ago, when he shifted from the defense sector to healthcare, "I found ... there was a lack of security, a lack of hierarchical structure, a lack of documentation."

Since then, however, he says healthcare has made great strides in improving security, "overcoming the old mindset of security as a cost center" and now seeing it as part of the integrated, essential processes organizations must implement.

In several roundtables I moderated this year with CISOs and other security professionals in the healthcare sector, I heard about how CEOs and boards of directors are beginning to pay closer attention to data security issues. Executives and board members have read the headlines about the surge in ransomware attacks, the compromise of internet of things devices to fuel distributed-denial-of-service attacks and other data breach activity. And they're starting to see security as an investment that can help protect their brand.

The Long and Winding Road

For decades now, I've heard the phrase "healthcare is way behind other industries" uttered by countless "experts." First, it was applied to information technology implementation, and then, more recently, to data security.

Way back in the early 1990s, folks were talking about how electronic health records would soon be ubiquitous. But it wasn't until billions of incentive dollars poured in from the HITECH Act in 2009 that EHR implementation really took off.

Before the turn of the century, everyone was talking about "CHINS" - community health information networks - and how they'd revolutionize healthcare by making patient data readily available to caregivers. But CHINS quickly came and went. Today, health information exchanges designed for securely transmitting data to support timely treatment decisions are gaining some traction, but they're still not widely used.

Back in September 1997, the cover story of Health Data Management magazine, which I launched as founding editor, was titled: "Health Data Security: A New Priority."

Unfortunately, it has taken almost 20 years for that "priority" to become a reality.

Yes, healthcare still has a long, long way to go to improve data security. Yes, data breaches in the sector are still far too common. And yes, too many CISOs still struggle to win support for adequate data security budgets.

But we've come a long way. Dave Summitt said it well: There's a new security mindset taking hold. And it's about time.



About the Author

Howard Anderson


News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



