Security in the spotlight at HIMSS15
Recent breaches have pushed security to the top of many HIT executives' to-do lists, and one company taking an aggressive approach in this critical area is Patientco. In this interview, Kurt Lovell, chief operating officer for the company, discusses the steps they are taking to ensure data security today and in the future.
Parrish: The recent Anthem data breach put a very bright spotlight on the importance of data security. What steps are organizations like yours taking to ensure clients don’t face breaches with patient financial data?
Lovell: There are a number of obvious steps that organizations with sensitive and protected data should be taking, ranging from implementing effective password security rules to encrypting data in motion and at rest, from establishing secure office environments to auditing vendors for adherence to their own security policies. The more challenging step that all organizations need to be taking is developing a culture of security and compliance. It's not enough to encrypt data, to have a policy written somewhere or to force password changes every 30 days – organizations must realize they're only as strong as their weakest link – and too often that will be their own employees, contractors and partners. Developing a culture of security and compliance ensures that an organization like ours has all of its team members on the lookout for security shortcomings and that, when it comes to security, all team members bear responsibility equally.
Parrish: Does the continued rise of consumerism create new data security challenges in the near-term?
Lovell: Absolutely. As consumers, we are, and will probably remain, quite cavalier when it comes to our data security. We prioritize convenience. As consumers demand convenience, organizations like ours must face whether we should share, even if permitted and requested by the consumer, certain data sets with third parties. For example, should we partner with a leading provider of clinical patient portals? Do they take security as seriously as we do? Does having financial and clinical information in one place increase the risk for the consumer? Are hackers more likely to attack? The simple consumer request to have 'everything in one place' is not so simple, especially if the organization is serious about protecting their consumers.
Parrish: Are there data security challenges that are unique to a cloud-based environment?
Lovell: There are real challenges and great benefits. Cloud-based SaaS environments typically present a consistent interface and application to all their users. As such, if a security vulnerability is introduced or discovered, it's likely exposing the entire user base. Thus, the urgency to resolve the vulnerability is much higher. On the other hand, the security expertise that reputable hosting providers possess ensures that their environments are much more secure and aggressively monitored than the environments of a typical client. So though there are tradeoffs, the technology markets are overwhelmingly choosing cloud-based environments as the benefits far outweigh the costs.
Parrish: What trends related to data security do you see coming down the pike in the next 5-10 years?
Lovell: Vulnerabilities like Poodlebleed and Heartbleed will increase. As we move to an ever-more interconnected world, vulnerabilities will inadvertently (and sometimes intentionally) be introduced. Breaches will occur more often and they will garner more attention than they have. Likely, every consumer will come to expect a personal data breach on some frequency level. Organizations, and consumers, will be well served to understand that a breach is no longer a matter of 'if' but 'when.' And both groups need to have plans in place to actively monitor data and work diligently to prevent all breaches, but be well prepared to report and correct when there is a breach. We all know someone who has lost their wallet – if you're prepared for such an event, it’s not really a big deal when it happens. If you're ill-prepared, don't know what was in your wallet, don't have your phone numbers and card numbers memorized, etc., then you've got a problem on your hands. Data security is no different. Prevent, but also prepare.