FierceHealthFinance: "Steps CFOs Can Take to Boost Security"

When it comes to security for vertical industries such as finance, education, healthcare, and insurance, there are often different circumstances that must be taken into consideration when planning a strategy. But there is a common denominator among them all: private data is private data, and it all must be locked down.

FierceHealthFinance reporter Carolyn Davis ran a piece on why CFOs need to take an interest in privacy and data security. She interviewed Dr. Barry Chaiken, MPH, chair of the Healthcare Information and Management Systems Society (HIMSS), who shared three critical steps he feels hospital CFOs should take when it comes to addressing security:

No. 1: Audit work flows.

CFOs should review financial processes to look for places where damage can occur, says Chaiken. "Everything is about work flow in healthcare. You have to examine those processes to see where you think there are weak points." One obvious example of what a CFO might review: a lobby kiosk where an employee is entering personal data. "That is clearly where a work flow could be broken," he explains. "So you have to examine those processes."

No. 2: Institute surveillance.

Surveillance is a common tool for dealing with public health emergencies, but Chaiken believes in surveillance "all across the board." Hospital CFOs should create a surveillance process to monitor processes "to, in an early way, identify potential breaches that could become huge problems," he advises. Often, data breaches start out small, but they aren't caught until the drip becomes a flood. For example, CFOs need to have a surveillance tool to check whether anyone is accessing records that they shouldn't. "You would want to know that early on vs. finding out later that large numbers of people are accessing records without authorization or inappropriately."

It's important to note that surveillance "is not about identifying a problem," stresses Chaiken. "It is about identifying a potential problem."

No. 3: Drop the "silo" mentality.

The interoperability of financial systems and clinical systems in hospitals means "access to one often gives you at least some partial access to the other," says Chaiken. Consequently, CFOs should work collaboratively with the clinical IT leadership to address privacy and security. If the chief medical information officer (CMIO) has a weak process, "that could potentially expose the CFO," he points out. Likewise, a weak security process on the financial side could potentially cause a breach of the clinical data.

"We can no longer in healthcare work in silos," says Chaiken. "Everybody is interconnected, so clinical and nonclinical people have an obligation to work closely together to address all the issues in healthcare, particularly privacy and security."

These are very sound ideas, for sure. One important piece that is missing is actually locking down the data and private information itself beyond the periphery. Unfortunately, once a breach or exposure occurs, that's it. Then everyone is left scrambling to conduct damage control.

As part of our roundtable discussion that was hosted by Paul Roberts of The 451 Group, we discussed this exact issue and shared some insight into securing the data itself: