Truth be told, data security is commonly misunderstood and neglected by healthcare companies.
Healthcare industry providers and vendors collect, store and transmit our personal health information (PHI), which includes a variety of critical, personal data nuggets such as treatment codes, billing details, insurance identifiers, financial details and such.
PHI is particularly prized by data thieves precisely because it is so chock-full of useful pieces. It also has a long shelf life compared to other forms of purloined data, such as credit card numbers, which can be cancelled and reissued. That’s why healthcare companies have climbed to the top of hacker-target lists.
For this and other good reasons, Federal law requires healthcare providers and vendors to inventory their respective data risks and implement measures to eliminate or at least minimize them.
The law doesn’t prescribe specific security measures. It just requires attention to the problem.
That isn’t a lot to ask, when you think about it. If you’re going to process critical, personal info, you owe it to your clientele to have a data-security plan that doesn’t begin and end with anti-virus software. Unfortunately, many healthcare providers and related companies just don’t.
They don’t partly because executives misunderstand how PHI is imperiled. They think of it as a technical problem best assigned to IT when it’s actually something much different. Data security requires organizational measures in combination with technology. IT solutions alone won’t do the job.
This interview makes the essential point. Data security is a business risk, not an IT problem, and executive managers should take responsibility for it ahead of IT managers.
As some healthcare-related company executives recognize the true nature of data risk, and the true magnitude of actual losses associated with it, a sense of self-preservation will motivate them to take corrective measures.
Others will continue to skate by on the status quo. Hackers, data thieves and federal regulators will take their toll on the rest.