Healthcare organizations are in the business of helping patients, not protecting electronic data.
That may seem a bit obvious, but according to Mac McMillan, CEO of health IT consultancy CynergisTek, it's critical that healthcare organizations understand their mission first, and then figure out how to fit their data security programs around it.
In part, he wrote recently, that means healthcare organizations should seek "to understand the key elements of the mission and what is important to its success, and use that knowledge to inform recommendations for technology and controls."
More specifically, he argues, "healthcare organizations should seek to understand the workflows and processes necessary to accomplish core functions that support the mission in order to better inform policies, controls and oversight mechanisms."
And that means getting out of the office and spending time on the floor with the caregivers. "Conduct desk audits," he advises, "perform workflow mapping exercises, and look at time and spatial factors." In his view, IT and information are strategic assets and "information security is a business-critical necessity to ensure the availability and integrity of IT that supports the core mission."
Which is, once more, helping patients.
This article originally appeared on Government Health IT sister site Future Care.