Patient safety in the healthcare industry has always been a priority. That has mainly meant physical safety, but as the technology landscape changes, information security needs to become a priority as well. Healthcare is repeatedly a prime target for cyber criminals looking for quick access to valuable data.
A recent article from HealthIT News claims that CEOs need to make information security (infosec) their number 2 priority. Why not number one? James Doulgeris, CEO of Osler Health, believes “that responsibility belongs to the CIO or CTO. It should be their number 2 or number 1. The only time something like that hits a CEO’s top five is if the person responsible is not doing their job.” This culture is what needs to change in healthcare, because by the time it reaches the top, it’s too late. The breach has occurred, you have let down thousands of patients and you’re losing money.
Fear of a breach, and the potential consequences, will not be the driving force toward change. CEOs need to see this as a business decision to reprioritize funds. Not enough of a hospital’s budget is dedicated to security, and that is a CEO issue. Infosec needs are constantly changing, so investment cannot be one and done. Structures, processes and procedures have to be in place and continuously monitored to create a secure environment.
“Security is important enough to be above everything else,” said David Chou, a veteran hospital executive who is currently VP and principal analyst at Constellation Research. But he knows that making that a reality takes a culture change that must come from the top. “[It] means turning the culture upside down and thinking about security as aggressively as many hospitals focus on hand washing. That same effort has to be there for every employee.”
Richard Staynings, Chief Security Strategist with Security Associates and an HIMSS Cybersecurity Committee member, agreed that patient safety must be a top priority for CEOs. “Cybersecurity is, like it or not, a primary component of patient safety now.” Patient confidentiality goes out the window when a breach occurs, and everything can become public knowledge. This is the battle hospitals, clinics and every doctor’s office now face.
CEOs also need to recognize that investing in security now actually helps with innovation growth. Just as innovation growth is a multi-step process that will happen over time, so is infosec, and the two need to be viewed as a combined entity. If you are designing a plan to increase technology within a hospital, then best practices would have you increase your security at the same time. CEOs need to see these as mutually inclusive instead of exclusive.
As many can attest, culture comes from the top. What a CEO sees as a priority, others in the company will too. That change needs to start with seeing that patient safety now includes information security.
Protect your data. Protect your practice. Protect your patients.