I’ve been involved in building many life-critical and mission-critical products over the last 25 years and have found that, finally, cybersecurity is getting the kind of attention it deserves. We’re slowly and steadily moving from “HIPAA Compliance” silliness into a more mature and disciplined professional focus on risk management, continuous risk monitoring, and actual security tasks concentrating on real technical vulnerabilities and proper training of users (instead of just “security theater”). I believe that security, like quality, is an emergent property of the system and its interaction with users and not something you can buy and bolt on. I’m both excited and pleased to see a number of healthcare focused cybersecurity experts, like Kamal Govindaswamy from RisknCompliance Consulting Group, preaching similar proactive and holistic guidance around compliance and security. I asked Kamal a simple question – if cybersecurity is an emergent property of a system, who should be held responsible/accountable for it? Here’s what Kamal said, and it’s sage advice worth following:

Information Security in general has historically been seen as something that the organization’s CISO (or equivalent) is responsible for. In reality, the Information Security department often doesn’t have the resources or the ability (regardless of resources) to be the owners or be ultimately “accountable” or “responsible” for information security. In almost all cases, the CISO can and must be the advisor to business and technology leaders or management in the organization. He could also operate/manage/oversee certain behind-the-scenes security specific technologies.

If your CISO doesn’t “own” Information Security in your organization, who should?

At the end of the day, everyone has a role to play in Information Security. However, I think the HealthIT managers and leaders in particular are critical to making security programs effective in healthcare organizations today.

Let me explain…

Of all the problems we have with security these days,  I think the biggest stumbling block often has to do with not having an accurate inventory of the data we need to protect and defining ownership and accountability for protection. This problem is certainly not unique to Healthcare. No amount of technology investments or sophistication can solve this problem as it is a people and process problem more than anything else.

Healthcare is unfortunately in a unenviable position in this regard. Before the Meaningful Use program that has led to rapid adoption of EHRs over the last five years, many healthcare organizations didn’t necessarily have standard methods or technologies for collecting, processing or storing data. As a result, you will often see PHI or other sensitive information in all kinds of places that no one knows about any longer, let alone “own” them –  Network file shares,  emails, a legacy application or database that is no longer used  etc. The fact that HealthIT in general has been overstretched over the last five years with implementation of EHRs or other programs hasn’t helped matters either.

In my opinion and experience, the average Healthcare organization is nowhere close to solving the crux of the problem with security programs – which is to ensure ownership, accountability and real effectiveness …read more