Wednesday, 5 August 2009
It's been three weeks since I joined the CCHIT Advanced Security working group and so far it has been a very educational experience. I’ve been impressed by the amount of knowledge and drive my new colleagues bring to the process, as well as the sheer volume of government regulations, standards and guidelines that we have to contend with. As I spend more time thinking about this initiative, two new points have become apparent:
Certification is Expensive
Developing more secure software is expensive, but that expense actively improves the software. The certification process can also be expensive. Currently, CCHIT tests products by auditing a demonstration of the product following a set of test scripts and reviewing documentation provided by the vendor. When I first looked at this, it did not seem like much, at least in terms of security. However, I’m beginning to realize that the level of organization the process requires and the amount of time qualified professionals must invest to observe demonstrations and review paperwork is immense.
I still believe we need a more rigorous testing process, but I think we also need to consider how to do this in a way that is both economically feasible and actively improves the products. This is easier said than done, but it’s an important thought to keep in mind.
Failure would be Really, Really Bad
This wasn’t an entirely new thought for me – health data has always seemed more valuable than financial data because of its permanence. If someone gets your credit card number, you can cancel your credit card and get a new one. Of course, it isn’t quite that simple, but knowing that your data has been compromised can allow you to prevent future misuse. With health data, the information is about you, not assigned to you.
The part I had not considered is that a failure to handle security and privacy properly could prevent electronic health records from being quickly and widely adopted. While the Obama administration and others believe that electronic records can improve efficiency and accuracy in medicine, many believe they are expensive boondoggles. In short, supporters of electronic health records need to push for stronger security regulations. Without these regulations, we are likely to see a series of public breaches like the ones we've seen in the financial industry, which could prove to be a huge setback for the digitization of health records for decades to come.