Taking information security seriously
As a healthcare analytics professional, I work with the private health information of people every day. Typically, when used for driving performance dashboards, developing predictive models, and supporting quality and performance improvement efforts, this information is entirely stripped of identifiable information. On occasion, I work with data that is NOT anonymized, usually for purposes of critical incident occurrence reviews, or other special circumstances where it is necessary to know to which patient the data refers. Of course, whenever any information carries even the possibility of being linked to an individual, I ensure that the data file is securely encrypted prior to transferring or transporting the file. Professionals who work with any form of healthcare information must, and typically do, make the utmost effort to protect the privacy of patients.
But sometimes our current best efforts are not enough. A recent article in the Washington Post entitled “Health-care sector vulnerable to hackers” describes the current state of information security in healthcare. To be fair, not all systems, and not all institutions, are as vulnerable as others. But the article discusses what many of us working with healthcare information already suspect or know – that many of the information systems with which we work have major security flaws that can be, and have been, exploited. These breaches then result in disclosure of some of people’s most private information – that which pertains to their health. An expert was quoted in the article as saying, “There are basic, basic, Security 101 vulnerabilities we identified…I’m concerned that at some point the hackers are really going to begin exploiting them. And that’s going to be a scary day.”
Information security needs to be a team effort
Information security needs to be multi-layered. Obviously, the efforts of conscientious analysts who use anonymized data and securely encrypt any information that needs to be transferred (physically or electronically) seem almost moot when nefarious individuals can bypass insufficient security precautions and exploit vulnerabilities in the systems we use to access and store private data. This is why analysts and technical specialists from healthcare organizations, IT departments, and system vendors must work diligently together to ensure the privacy and security of the information with which we work.