It is easy, when we are constantly involved in the business of protecting organizations, systems, and people, from harm, to forget that security is not just a painful cost center. It is so much more that just finding a way to staunch the blood flow of stolen information.
When security is understood during the inception of something new, it actually makes innovations possible.
While doing some further research on the President's new Health Information Technology initiative, I ran into one of those voices, one that is considering something brand new, which would/will be impossible to do without good security. It is worth considering this as an example of ground-up security thinking, because it doesn't exist yet, and it must be secured, and it will never be secure, unless it is from the very beginning.
In an article entitled: "The Politics of Health Care: Change Can't Happen with Technology Alone", Dr. Michael L. Cowan, MD presents a view of health care in the near future. It is health care that is "democratized" by a patient's access to information and providers, and it is health care that is often delivered through virtual means that are not available today. As I read through it, and as I take Dr. Cowan's charge to heart, I am struck by the role that technology will need to play, in concert with a new way of thinking about health care, which is the meat of Dr. Cowan's proposition.
At the same time that I am enervated by this visionary view of health care, my security self begins to outline the dangers, unasked. The pervasive sharing of information that would expose our most personal weaknesses and histories is one, and the likely availability of financial and insurance information to the unscrupulous who could extract services or payments at will. As examples, there is the Akron Children's Hospital breach in 2006, and then there are the celebrity record thefts, like that which affected George Clooney in 2007. Research shows that medical identity theft is even more profitable than that of credit card data, due to fraudulent claims and services.
So, back to the enabling:
Understanding the Data, Upfront
This one is easy. Systems that will be built to accommodate the vision of more interactive and accessible health care will naturally be handling private data. While it is obvious that an individual's identity and treatment information must be secured, so, too, must their interaction with the system when looking for advice on specific ailments. This entire system can become an open and interactive system, so long as the user's anonymity can be protected, and so long as the details of their history, and the pattern of their new requests, cannot be associated with any knowable individual. It speaks to a network of trust, and the type of obfuscated identity that allows the patient to connect the dots, but which would appear chaotic to the external observer. Components can be found in one-time use authentication, federated security models, and the use of strong encryption for any assembled and identifiable data.
While it is possible that there will be some amount of non-personal data that will be handled by these systems, (generic health care content), the system should first be designed to process the critical private data, and then only provide unsecured access to very particular resources.
This type of access is enabled through security practices and technologies, and can extend the range of these private services well beyond the doctor's office.
Enabling the Flexibility
Security technologies also provide the means of differentiating access communities between doctors, service providers, and users. Individual architectures and systems are not necessarily required, nor are their expense, with the introduction of appropriate management of users, roles, and access. In the idealized environment, a doctor in a hospital anywhere, can access the records of a patient in a hospital anywhere. As well a patient who falls ill far from home, would be able to locate and share their records with any practitioner. For less serious illnesses, a patient would be able to access symptomatic information, seasoned with his/her own medical history, to understand likely seriousness and remedies for the condition. Again, it will be security technologies that enable this interaction, doing more than just protecting it.
New technologies and new models are rapidly changing the face of health care, voting, retailing, and socializing. If we can build these new systems with security in mind, while continuing to shore up the insecure systems of the past, privacy and convenience may sometime find themselves not at odds, but in harmony.
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment