Two weeks ago, the Wall Street Journal’s recommended weekend reading list included an opus by Paul Ford published on Bloomberg. You can find it here: http://www.bloomberg.com/graphics/2015-paul-ford-what-is-code/ (warning: it’s not a short read).
Anyone working in health care who is not in IT should read this article, and anyone who works in the health care compliance, legal or governance spaces needs to read this article, in my opinion. Here’s why:
– Our technology runs largely on old code. Most information systems that power health care transactions are not running in the new, “sexy” languages, like Ruby. This makes it harder to find new coders who are proficient in the languages that need to be maintained. Older code languages are also harder to work with to create what users want, leading to systems being used today in ways for which they were not intended or optimized.
– Our industry has strict requirements for use of encryption and data security, but the tools we have to assure those requirements are imperfect. The code libraries that execute the encryption have been contributed to by many coders over time, and there could be a / or } in the wrong place buried at the very heart of the code, creating a security flaw that no one has noticed because programs are layered on top of each other.
– Healthcare has to use technology to collect patient information, maintain that information, and share it with those who need it (including doctors, nurses, quality reviewers, insurance companies, to name a few), while keeping it encrypted and logging user access. A stolen patient record is said to be worth anywhere from $50-70 on the black market (h/t to The Advisory Board Company for including that in a Daily Briefing email recently).
It’s important to remember that while HIPAA regulations require security audits and the use of encryption, there is no specific language setting a minimum standard for encryption. In part, I suspect this is because standards evolve so fast, today’s best practice “brick wall” equivalent is tomorrow’s “decorative white picket fence that won’t actually keep a bunny out of your vegetable garden”. That’s no justification for poor security or encryption efforts.
My key take-away is to expect technology to continue to change. In healthcare, leaders must balance making technology easier for nurses and doctors to use for patient care against the security of that technology. At the end of the day, your technology is worse than worthless if not encrypted.