The reason these organizations see a dearth of Security and Privacy standards in healthcare is clear: there are so many failures. Open up the news feed and you will surely find yet another healthcare information breach. The Privacy Advocates are highly frustrated that patients are not getting Privacy. The FDA is being pressured to address cybersecurity. Even mild-mannered healthcare leadership are frustrated:

Deven McGraw @HealthPrivacy 3 Oct 2013
Unencrypted laptop stolen, leads to #HIPAA breach http://ow.ly/psn5S Wow, what a shock (not). Encrypt your damn data, health care!

These are real problems, but they are not because we lack standards. These events are hurting the healthcare industry. These events are no good for anyone. When Healthcare is not secure, trust suffers. They are happening because we are not implementing the standards that exist. Even the FDA recognizes this fact.
I am not trying to say that there is no standards development needed. I am very actively working on multiple efforts to develop standards.
Do the basic security

What I am trying to point out is that the basics of cybersecurity are readily available and appropriate. Healthcare is NOT SPECIAL. Healthcare needs to simply implement the basic stuff. General purpose portable devices (cellular phones, laptops, tablets, USB sticks) are the top priority, yet there is also plenty of technology readily available to protect them. Like all businesses, recognize that some equipment will need extra enclave protection. Like all businesses, recognize that data is like water and wants to leak out of its container, so you need to watch for it: review the audit logs.

Note: the links below will not work while our USA government is shut down... SAD!
- SP 800-146 Cloud Computing Synopsis and Recommendations does a really good job of outlining not just the technology, but also the operational and policy issues. They have touched on issues I had never thought of. They do a really good job of explaining responsibilities between the cloud subscriber and the cloud provider. I highly recommend that people use this guide.
- SP 800-124 Guidelines on Cell Phone and PDA Security
- SP 800-111 Guide to Storage Encryption Technologies for End User Devices
- SP 800-53 - Catalog of Security and Privacy controls - technical, operational, physical, and management
- SP 800-30 - Security Risk Assessment
- SP 800-144 - Guidelines on Security and Privacy in Public Cloud Computing
- IR-7497 - Security Architecture Design Process for Health Information Exchanges (HIEs)
- The rest of the NIST 800 Special Publications
- IEC 80001 - Risk Assessment to be used when putting a Medical Device onto a Network
Healthcare is special in the complexity of policies

What typically frustrates healthcare is Policy, not technology. Too often someone presents a problem that they think is a technical problem, but it is actually rooted in a policy problem. As a systems engineer, I look at any presented problem for its root cause. If you don't find the root cause, then you will just be putting a patch over a systemic problem. The problem will reappear.

Healthcare policies are complex; there is no way around this. This is especially true in the USA, but it is also true even in a highly organized and contained country. First there is the fact that healthcare information is potentially very sensitive, highly personal, potentially valuable, and not revocable. This is totally different from the Banking industry, especially because in the banking industry data loss can be revoked and insured for. When banking information is lost, the credit card numbers are revoked, a fraud alert is registered, and damages are kept to a defined value. This is simply not possible in healthcare.

The bigger problem healthcare has is that it has grown up "as needed", meaning there are many healthcare providers, from an individual to a multi-national organization; various disciplines; and a range of scale and features. There are many layers of practice: home-health, walk-in, general practice, specialty, out-patient, clinics, hospice, and others. We patients move around all the time and go shopping for the best treatment when we have a special need. Fortunately for healthcare, doctors are amazing inference engines and thus can do a fantastic job without knowledge of your past data.