Monday, October 7, 2013

Need more Security and Privacy Standards in Healthcare

There are new standards organizations taking on the apparent dearth of Security and Privacy standards in healthcare. Organizations like the "Center for Internet Security", or ITU-T SG17 "Security in applications space". Both of these are classically in the general-purpose (not any specific industry) standards business. Yet they somehow think they need to make special new efforts for healthcare. They are not the only ones; I have interrupted many healthcare standards organizations, like HL7, with news that there are plenty of available and appropriate standards. Even IHE is looking at a bunch of Profile Proposals this year that are feeding on the fallacy that there is no way to enable patients to participate in an HIE.

The reason these organizations see a dearth of Security and Privacy standards in healthcare is clear: there are so many failures. Open up the news feed and you will surely find yet another healthcare information breach. The Privacy Advocates are highly frustrated that patients are not getting Privacy. The FDA is being pressured to address cybersecurity. Even mild-mannered healthcare leadership is frustrated:
Deven McGraw @HealthPrivacy, 3 Oct 2013: "Unencrypted laptop stolen, leads to #HIPAA breach. Wow, what a shock (not). Encrypt your damn data, health care!"
These are real problems, but they are not happening because we lack standards. These events are hurting the healthcare industry, and they are no good for anyone. When healthcare is not secure, trust suffers. They are happening because we are not implementing the standards that already exist. Even the FDA recognizes this fact.

I am not trying to say that there is no standards development needed. I am very actively working on multiple efforts to develop standards.

Do the basic security

What I am trying to point out is that the basics of cybersecurity are readily available and appropriate. Healthcare is NOT SPECIAL. Healthcare needs to simply implement the basic stuff. General-purpose portable devices (cellular phones, laptops, tablets, USB sticks) are the top priority, and there is plenty of technology readily available to protect them, starting with encryption of the data they carry. Like all businesses, recognize that some equipment will need extra enclave protection (network segmentation around systems that cannot protect themselves). Like all businesses, recognize that data is like water and wants to leak out of its container, so you need to watch for it: collect the audit logs and actually review them.
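As an added illustration of "actually review the audit logs" (example code written for this post, not taken from any standard, product, or the original article): the script below runs two simple checks over a handful of constructed audit lines. The whitespace-separated log format, the user names, and the thresholds are assumptions made for the example; a real deployment would parse the audit messages its systems actually emit (ATNA-style, for instance) and tune the thresholds to the role and department.

```python
"""Minimal audit-log review: flag bulk patient access and every export.

Illustrative code added for this article. The log format, names and
thresholds are assumptions, not anything a standard or product defines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Fields:
#   <ISO timestamp> <user> <action> <patient id>
SAMPLE_LOG = """\
2013-10-07T08:01:12 drsmith READ P1001
2013-10-07T08:03:45 drsmith READ P1002
2013-10-07T08:09:10 drsmith READ P1003
2013-10-07T08:30:00 nurse_k READ P1001
2013-10-07T08:31:00 nurse_k READ P1001
2013-10-07T09:00:01 contractor READ P3001
2013-10-07T09:00:40 contractor READ P3002
2013-10-07T09:01:15 contractor READ P3003
2013-10-07T09:02:02 contractor READ P3004
2013-10-07T09:02:50 contractor READ P3005
2013-10-07T09:03:30 contractor READ P3006
2013-10-07T13:15:00 billing EXPORT P2001
2013-10-07T16:15:00 billing EXPORT P2002
"""

# Assumed policy knobs: more than 5 distinct patients in 10 minutes is
# unusual for a clinician working a shift and worth a human look.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_PATIENTS = 5


def parse(log_text):
    """Turn the text log into (timestamp, user, action, patient) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return sorted(events)  # chronological; timestamps sort first


def bulk_access_alerts(events, window=WINDOW, threshold=MAX_DISTINCT_PATIENTS):
    """Return (user, window_start, distinct_patients) for each user who
    touched more than `threshold` distinct patients inside any window.

    One alert per user is enough for triage, so stop at the first hit.
    """
    by_user = defaultdict(list)
    for ts, user, _action, patient in events:
        by_user[user].append((ts, patient))

    alerts = []
    for user, items in by_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = set()
            for ts, patient in items[i:]:
                if ts - start > window:
                    break
                seen.add(patient)
            if len(seen) > threshold:
                alerts.append((user, start, len(seen)))
                break
    return alerts


def export_alerts(events):
    """Every EXPORT (bulk extract, copy to removable media) gets reviewed,
    regardless of volume: that is where the water leaves the container."""
    return [(ts, user, patient)
            for ts, user, action, patient in events if action == "EXPORT"]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for user, start, n in bulk_access_alerts(evts):
        print(f"BULK ACCESS: {user} touched {n} patients starting {start}")
    for ts, user, patient in export_alerts(evts):
        print(f"EXPORT: {user} exported {patient} at {ts}")
```

Run it and the contractor account is flagged for six distinct patients in under four minutes, while the three reads by drsmith and the repeated reads of one patient by nurse_k pass; both billing exports are listed for review even though neither crosses the volume threshold. The point is not the particular numbers but that the review is automated, runs against logs that already exist, and produces a short list a person can act on.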

Note: the links below will not work while our USA government is shut down... SAD!
I have plenty more on my Topics page.

Healthcare is special in the complexity of policies

What typically frustrates healthcare is Policy, not technology. Too often someone presents a problem that they think is a technical problem, but it is actually rooted in a policy problem. As a systems engineer, I look at any presented problem for its root cause. If you don't find the root cause, then you are just putting a patch over a systemic problem, and the problem will reappear.

Healthcare policies are complex; there is no way around this. This is especially true in the USA, but it is also true even in a highly organized and contained country. First there is the fact that healthcare information is potentially very sensitive, highly personal, potentially valuable, and not revocable. This is totally different from the banking industry, where a data loss can be revoked and insured against. When banking information is lost, the credit card numbers are revoked, a fraud alert is registered, and damages are kept to a defined value. This is simply not possible in healthcare: a leaked medical history cannot be reissued.

The bigger problem healthcare has is that it has grown up "as needed", meaning there are many healthcare providers, from an individual to a multi-national organization; various disciplines; and a wide range of scale. There are many layers of practice: home-health, walk-in, general practice, specialty, out-patient, clinics, hospice, and others. We patients move around all the time and go shopping for the best treatment when we have a special need. Fortunately for healthcare, doctors are amazing inference engines and thus can do a fantastic job without knowledge of your past data.

What we need is "Policy Standards"

What we need is some boilerplate policies that handle 80% of the cases. We can then show how to assemble the current technical standards to meet those needs. We must recognize the 20% of cases that are missing out, and kick off tasks to resolve them. But the needs of the many outweigh the needs of the few.