Q&A: Security failings 'a cultural issue,' says expert
What threats keep you up at night?
I think probably the top two are, first, insider abuse – individuals who have elevated privileges who can affect things, either inadvertently or deliberately, but who are not monitored. People like database administrators, who can bypass the audit capabilities of the application by going directly into the database itself and making changes. We have very little monitoring of what goes on there. That’s one of those 800-pound gorillas that no one wants to talk about. Now we’re beginning to talk about controls around applications, certified EHRs that have the ability to audit, and yet all of the data that’s associated with that sits in a database that a database administrator can go directly into, using their privileges and their level of access, and make changes that will never be seen. It’s one of those back doors that haven’t gotten a lot of attention yet.

The second biggest issue in my mind is an organization just really not knowing or having a good handle on where their data is, and where it’s going. There’s a lot of emphasis being put on the EHR because of meaningful use. Well, the EHR typically is one of a handful of systems in a hospital environment. There are many more systems that have personal health information in them. Sometimes I think we do a disservice by placing so much emphasis on EHRs and obfuscating the rest of the environment where there’s still a lot of information that can be compromised and mishandled.
Ultimately, are you optimistic?
I am, actually. And I base that on a couple things. I lived through what I call the transformational process that occurred in the federal government back in the 1980s. In the early ‘80s we didn’t have really good information security programs or controls in the federal space. But we started that process, and began to build those requirements and began to require organizations to certify and accredit their systems. And we kind of went through the same transitional process. People said, ‘This stuff is getting in the way, it’s slowing us down, why do we need all this security?’ But we did it anyway. And we worked through that. It took a while, but today it’s second nature.

Same thing with the banking industry. If you look at the industry in the ‘80s, it was the same thing. The larger banks that were more sophisticated were able to do it much faster. The mid-size and community banks were very slow to adopt. It was very painful. But those requirements didn’t go away and eventually the industry evolved and adopted them and today has very standard ways that they do IT security.

It’s an evolutionary process. We started this IT security evolution in healthcare in 2005, with the HIPAA security rule. So when you think about it, healthcare has only been doing this in an organized way since 2005. That was only six years ago. Back in 2005, nobody was talking about data leakage in healthcare. Nobody was talking about wireless or Web application security, or encrypting databases. Today they are. There’s been a big change in the industry in a short time. But are we done? We’re nowhere close to done. We still have a long way to go.