Monday, November 12, 2012

Protect, Protect, Protect. Now Share

Later this week, I'm joining a healthsystemCIO.com webinar about security and health information exchange.

A theme I discuss frequently in my keynotes and lectures is the current regulatory challenge which suggests we should engage patients/families,  share data for care coordination in accountable care organizations, and use registries to analyze population health/public health all while keeping the data security and respecting patient privacy preferences.   It's a tall order.

As I've posted previously, BIDMC hired Deloitte to perform a security assessment of our policies and technologies.   Going through the assessment has given me a great opportunity to review the security standard practices in the healthcare industry and the best practices across all industries.

We've reviewed emerging techniques in Data Loss Prevention (DLP),  Governance/Risk/Compliance (GRC) tools, Enterprise audit log analysis tools, Learning Management Systems, and Network Access Control.

BIDMC has implemented or is implementing most of these.

At the same time, we're passionate about healthcare information exchange technologies for provider/provider summaries and patient/provider communications (portals, automated blue button, and state hie connections to patients).

Here are the slides I'll use in the webinar, illustrating that it possible to secure the enterprise and at the same time use Direct-enabled, certificate protected, health information exchange with patients, providers, and payers.

The most secure library in the world would not check out any books - it would be a secure but useless library.   We must protect privacy and at the some time share information.   It is possible to achieve a balance that does both.

I look forward to the webinar.

1 comment:

Medical Quack said...

Last week I attended a iHT2 conference here in Los Angeles and was only able to make part of the presentations, but security was one I sat in on and asked the million dollar question, what about 3rd parties:) All kinds of people chimed in on that one as there's really no complete solution other than to know your 3rd parties as best you can and to me it seems like most of the breaches making the news today seem to lead back to one of them with their security issues.

Maybe it's just me but it seems that there's not as many hospital issues as there are those arising from the 3rd parties and they are not going away any time soon either as so much of what they do can't be done in house.

By the way a couple weeks ago I said both the House and Senate should take you up on your offer to explain the stimulus incentives for EHRS...

It's getting so complex out there that even when you do have someone caught for stealing data or breaching how do you get a jury of peers, do you send them to Code Academy for a few weeks before a trial so they can understand and a jury of peers is used .

I keep telling all "the short order code kitchen burned down a few years ago" and we still get there but with data no longer in silos and being shared, queried and so forth, it takes a little longer in the creation of data structures and security processes.

Back in the early days it was easier as all was being built from the ground up so when you have zero to begin with and a nice data product as the end without any real web integration to speak of, it moved pretty fast and I think some still think it works that way:)