How health IT security evolved into an industry priority

Tools

As recently as last spring, privacy and security appeared to be a back-burner issue for many in the healthcare industry. For instance, a planned cyberattack simulation conducted in April by the Health Information Trust (HITRUST) Alliance and the U.S. Department of Health and Human Services revealed that healthcare organizations had not been engaging their stakeholders enough in security preparedness plans. What's more, the simulation found that healthcare organizations were not terribly open to adopting industry-wide best practices.

Then, last August, news broke about a hack attack on Franklin, Tennessee-based Community Health Systems in which protected health information for roughly 4.5 million patients was compromised.  

All of a sudden (and despite a constantly updated website tracking health data breaches of 500 individuals or more), IT security seemed to be a higher industry priority.

Fast forward five months and cybersecurity now appears to be a national issue. Granted, breaches at Target in late 2013 and--more recently--Sony Pictures likely were more influential in President Barack Obama's plea to Congress to pass related legislation in his State of the Union Address last week; it doesn't matter. All that matters is that cybersecurity is getting serious national attention on a political scale.

Obama's plan, which calls for increased sharing of information on cyberthreats from the private sector with protection from liability, isn't necessarily geared toward the healthcare industry. Still, HITRUST gave it a glowing endorsement for its designation of Information Sharing and Analysis Organizations (ISAOs). HITRUST, last October, announced the development of its Cyber Threat XChange (CTX) to speed up detection and response to threats targeted specifically at the healthcare industry. CTX also involved the sharing of information between organizations.

Additionally, in November, the National Institute of Standards and Technology created draft guidelines to help organizations handle relationships surrounding the sharing of cyberthreat info.

"[T]he White House has provided clarity that ISAOs are a key link that will continue to provide value and strengthen our government, our economy and our nation as a whole, given the growing cyberthreats the nation faces," HITRUST said in a statement following Obama's speech.

Now, both healthcare mergers and acquisitions and ICD-10 implementation are being discussed in the context of cybersecurity. And according to the Wall Street Journal, as cyberthreats continue to grow, so, too, does chief information security officer pay.

As George McCulloch, head of the Association for Executives in Healthcare Information Security, recently pointed out, such threats are bringing visibility to the profession.

No doubt, it would have been more prudent for healthcare organizations (and lawmakers) to be more proactive about cybersecurity. But at least things are moving in the right direction. - Dan (@Dan_Bowman and @FierceHealthIT)