In almost every organization, technology, privacy and security are not the core mission. They are enablers and support functions that contribute to our ability to accomplish it and meet prescribed requirements along the way.
Healthcare is no different. The core mission is to provide care and the focus is to administer medical services to heal the sick. I've never seen a billboard with a picture of a guy sitting at a keyboard with the name of the hospital across the top with a slogan that says, "We're the best hospital for IT." If there is one out there somewhere, those marketing dollars seriously went astray.
Instead, it's always "We're the best trauma center" or "The best children's hospital" or "The Number 1 cancer center."
Why? Because that is what we do, it's who we are, it's what we are about. And while security and IT are important, at the end of the day they are there to support that mission. So, to put it in perspective: the mission of an organization comes first. And if the mission comes first, what should this mean for IT and security?
First, it means that healthcare organizations should seek to understand that mission and adopt it as their central driver for determining action. Second, it means they should seek to understand the key elements of the mission and what is important to its success, and use that knowledge to inform recommendations for technology and controls.
Last, but not least, healthcare organizations should seek to understand the workflows and processes necessary to accomplish core functions that support the mission in order to better inform policies, controls and oversight mechanisms.
Everything we do from a data security perspective should reflect this appreciation. The best way to achieve this is to actually get out and spend time with the caregivers. Get out of your office and into the field. Conduct desk audits, perform workflow mapping exercises, and look at time and spatial factors.
Understand the clinician's environment and the factors that affect what they do, how they use information and systems, and how security controls either help or hinder their workflows. Healthcare needs to start recognizing that IT and information are strategic assets and that information security is a business-critical necessity to ensure the availability and integrity of IT that supports the core mission.
A good friend, who just happens to be the corporate data security officer for the Adventist Health System in Orlando, relayed an experience she had while assuming her duties there: Shortly after arriving, she was confronted with a very unhappy physician. The physician represents a very important presence for the health system, so he garnered a lot of attention from the executive team, as you might expect.
His issue was that the security rules being developed by the information systems group did not work with his workflow.
Instead of seeing a difficult physician, however, what this CDSO saw was someone looking to be heard. She saw an opportunity, not a problem. So she approached the physician and asked if she could spend a day observing him in action with his team.
The physician, who was no doubt surprised that someone was not just going to listen but actually wanted to understand his workflow to evaluate the efficacy of controls, was more than happy to accommodate.
After spending an entire day with him and his team, she understood where the disconnects were and had enough information to go back, sit down, think through the challenges and identify some reasonable modifications to their controls and practices that allowed the physician and his staff to do what they did best, yet not undermine appropriate security or compliance.
A win/win was born that actually created a win/win/win/win. The physician received better articulated practices and controls that supported his workflow. The health system was assured of the revenue stream without compliance suffering – there was a true balance between mission and security.
The CDSO established herself as a problem solver and a team player, and demonstrated that she understood the health system's mission. She was also able to convert a very influential physician from a detractor into a vocal proponent of her efforts, all because she spent a day with the customer, listened to his concerns and then sought the appropriate solution. You might say it was an investment well worth making.
In the example above, the CDSO demonstrated the initiative, but let's flip that around: You own the business, you set the tone, and you define the mission and organizational priority, so why not set an expectation that collaboration is the order of the day, not the exception?
You too can show the initiative and set that expectation, requiring that IT and security staff leave their offices and perform those workflow reviews. You can also require clinical staff to welcome and embrace these visits and the associated information exchange. In the end, the patient, the organization, the business and their workflow will all benefit.
Healthcare requires an informed balance between delivering care and protecting patient information. That is best achieved when both IT and information security staff have a close working knowledge of how the caregivers are using IT and information to get the mission done.