IT security is no cakewalk to begin with, but healthcare IT security is by far the most difficult. Healthcare organizations have compliance requirements and standards to meet, HIPAA for example, like every other sector; but it is the transfer, storage, and access of information that is most difficult to control and monitor.
In the financial sector everything revolves around transactions. The financial transaction model is very simple and has been around for hundreds of years. There is money in account A (let’s say it’s my account), there is money in account B (your account), or there is money in the holding company’s account; there is no gray area as to who has the money. This entire process has been standardized, regulated and tweaked over time, but it is essentially that simple and straightforward. Not to discredit the work of those security specialists, but the dynamics of that business are much more cut and dried.
Now take a look at security from healthcare’s perspective. There are many aspects to consider in this space, but to keep it short we will look at it from a medical records and healthcare insurance perspective. Unlike the financial sector, which has a straightforward transaction model, there is no standardization or uniformity when it comes to interactions involving patient records or healthcare insurance information. It is very difficult for security specialists to predict how this information will flow on a regular basis and how it will be used. So many different parties are involved that it can be very difficult to keep track of all the data and who interacts with it, and on top of that there is compliance to maintain.
Healthcare IT budgets are expected to rise over the next few years, but overall they tend to be smaller than those of other sectors. The financial sector spends more than any other on these services, so it has more than enough resources. Healthcare does not get nearly the same amount of funding, so it is stuck with a more convoluted process and fewer resources to meet its needs.
This is where the IT department needs to get crafty in finding simple but effective solutions that fit within its budget. Encryption software that protects data on all mobile and non-mobile devices (we have seen this isn’t widely done) should be at the top of the list. Strong endpoint security is also a must. Containment of off-network data and data at rest (failed and replaced hard drives, data tapes, flash drives, CDs, optical discs, etc.), together with their secure on-site destruction, is equally important. This protects data that is in storage, in motion, and at rest, and can be handled and maintained relatively easily. Hats off to those individuals who strive to protect our personal data under the most difficult of circumstances.