Has the healthcare sector finally reached a data security tipping point?
Dave Summitt, CISO of H. Lee Moffitt Cancer Center and Research Institute in Tampa, Fla., thinks so. And so do many of his peers.
There's a new security mindset taking hold. And it's about time.
In a recent video interview with me, Summitt said that seven years ago, when he shifted from the defense sector to healthcare, "I found ... there was a lack of security, a lack of hierarchical structure, a lack of documentation."
Since then, however, he says healthcare has made great strides in improving security, "overcoming the old mindset of security as a cost center" and now seeing it as part of the integrated, essential processes organizations must implement.
In several roundtables I moderated this year with CISOs and other security professionals in the healthcare sector, I heard about how CEOs and boards of directors are beginning to pay closer attention to data security issues. Executives and board members have read the headlines about the surge in ransomware attacks, the compromise of internet of things devices to fuel distributed-denial-of-service attacks and other data breach activity. And they're starting to see security as an investment that can help protect their brand.
The Long and Winding Road
For decades now, I've heard the phrase "healthcare is way behind other industries" uttered by countless "experts." First, it was applied to information technology implementation, and then, more recently, to data security.
Way back in the early 1990s, folks were talking about how electronic health records would soon be ubiquitous. But it wasn't until billions of incentive dollars poured in from the HITECH Act in 2009 that EHR implementation really took off.
Before the turn of the century, everyone was talking about "CHINS" - community health information networks - and how they'd revolutionize healthcare by making patient data readily available to caregivers. But CHINS quickly came and went. Today, health information exchanges designed for securely transmitting data to support timely treatment decisions are gaining some traction, but they're still not widely used.
Back in September 1997, the cover story of Health Data Management magazine, which I launched as founding editor, was titled: "Health Data Security: A New Priority."
Unfortunately, it has taken almost 20 years for that "priority" to become a reality.
Yes, healthcare still has a long, long way to go to improve data security. Yes, data breaches in the sector are still far too common. And yes, too many CISOs still struggle to win support for adequate data security budgets.
But we've come a long way. Dave Summitt said it well: There's a new security mindset taking hold. And it's about time.