Security in Health Care, It Ain’t Just An IT Thing.
When one thinks about security, what typically comes to mind is an image of a hacker sitting in a dark room in front of a bunch of monitors furiously plugging away at the keyboard and gaining access to any system they want. While mitigating the risk of unauthorized access is definitely important to security, it is only a small part of it. What’s of equal importance is that your organization is aware of the fact that security goes beyond the technical and is the responsibility of everyone, not just IT. Failure to recognize this by any single individual can result in dramatic consequences for individuals and the entire organization.
Security is broken into three parts and each part is represented by a letter in the acronym CIA: confidentiality, integrity and availability. I could spend time listing out all of the technical safeguards put in place to mitigate risk from an IT perspective, but in this article I thought it might be best to give non-technical examples of each area to help explain their significance.
Confidentiality basically means to keep something private or secret. As an example, remember that embarrassing photo that you took of yourself at last year’s Christmas party? You know the one I’m talking about. It’s the one you took of yourself standing next to the cardboard cutout of Santa Claus and you were making the ubiquitous “Duck Face”. You and Santa never looked better. You want to delete it but it’s so funny you stash it away and break it out whenever you need a good laugh. Let me ask you this, what would happen if that picture of you got posted next to the coffee maker at work? You’d be the laughingstock of the office. In this same way patient information – clearly no joking matter – needs to stay private. Openly discussing someone’s condition or leaving a medical record out in the open for all to see is a breach in confidentiality and the consequences of that breach go beyond being laughed at. The legal consequences alone could send an individual or individuals to jail, bring down an entire organization, or both.
Integrity in a very basic sense means accurate or true. Let’s go back to that embarrassing photo of you and Santa. Let’s just say you never took that photo. Last year’s Christmas party, as far as you remember, was a pretty good time. There was no cardboard cutout of Santa and you NEVER make the ubiquitous “Duck Face”. As a matter of fact, you never post pictures of yourself making the “Duck Face” on any of the major social media outlets. It’s early Tuesday morning, you’re bleary eyed and mentally going through the day’s game plan for work. You stayed up late Monday and watched your favorite team eke out a narrow victory on MNF and you could use a strong cup of coffee. You stroll into the kitchen and you’re shocked to see an embarrassing photo of you standing next to a cardboard cutout of Santa making what looks like the Duck Face at last year’s Christmas party! How did this happen? It isn’t possible. First, you’re way thinner than the “you” in the photo and your head doesn’t look like it’s on the right way. This definitely isn’t you but everyone in the office is commenting on it and no matter what you say no one believes you. Everywhere you go in the office people are making the duck face at you. As embarrassing as this sounds, take this example and apply it to a patient’s record. What happens when a patient’s information isn’t accurate or true? A misdiagnosis based on an altered image file, a medication amount with an extra digit, or a discharge instruction sheet that didn’t quite print out the right way? Inaccurate information could result in irreparable harm or even death, not a funny matter and obviously an issue for any organization.
Availability, simply put, means always accessible. Going back to the confidentiality example, let’s say it’s been a real rough week at work. You got beat up by customers, coworkers and the boss. And what made things worse was that the Director of Marketing had been pressing you hard to finish that article for the company’s blog. It’s Friday, the week is over and you sure could use a good laugh right now. You know what will cheer you up, that picture of you and Santa from last year’s Christmas party. You’re standing next to Santa and you’re making the “Duck Face”, what a hoot. You keep it stashed away on your phone, so you go to pull it up, but the battery on your phone is dead and you’re not getting that laugh until you find your adapter and charge your phone. Darn it! I guess you’ll have to hold off for now and wait until you get home. Now apply that to patient information and the consequences of not having it when it is needed. When a clinician is in the middle of a procedure and the information she needs to deliver care suddenly disappears or becomes unavailable, it puts both the patient and the clinician at risk. Again, this can have serious consequences for both individuals and organizations.
Remember, security encompasses all parts of a health care organization and isn’t just the responsibility of the IT department. Know your role and what you can do to help protect not only yourself but also your organization and the patients who have come to rely on you for first-rate care.
Thom Daley is a Senior Technical Principal in PPI’s Technical Consulting Services and a member of the PPI Office of the CTO. Although he insists he has never been actually abducted by aliens, we aren’t really sure.