Just about any security professional can attest that the CISO and infosec teams are often seen as the so-called “Department of No.”
As in: “No, you can’t access our data from your home PC.” Or, “of course you can’t bring your own device into my network.” The list of forbidden activities is a long one, necessarily so.
But I came away from our most recent HIMSS Healthcare Security Forum in San Francisco this past month with a pair of counter-thoughts. First, protected data and usability are beginning to transcend mutual exclusivity. Second, security really is an essential foundation for innovation.
That’s not to say infosec teams should just let employees do whatever they want but, instead, it signals that mindsets are changing.
Security vs. usability: a false dichotomy
Much the way security teams have been seen as obstacles in the way of deploying cutting-edge technologies, a widespread notion persists that developing tools to delight users is, for the most part, antithetical to the very idea of safeguarding data.
“Designing for security and usability can be symbiotic,” said Deb Muro, chief information officer of El Camino Hospital. “Increased usability can promote security.”
El Camino, for its part, is working with Apple and Google to equip clinicians and patients with tablets for tracking medications and therapies.
“Every step we take,” Muro added, “the technology we bring in is resilient.”
Likewise, security can actually serve as an enabler of innovation.
“Security and innovation go hand in hand,” said Rohit Talreja, product manager for Google Cloud Healthcare and Life Sciences.
Consider the San Diego Supercomputer Center at University of California San Diego as an example. The center works with Japanese medical equipment maker Nihon Kohden to take the data it collects from monitoring devices, store it securely in the cloud, then stream it into Nihon Kohden’s environment in near real-time, according to Sandeep Chandra, the center’s director of health cyber infrastructure.
“Compliance is becoming a commodity in the cloud,” Chandra said. “So now it’s more about value-added services, machine learning and AI. We are looking at big-data-as-a-service. We take can take an app that’s not immediately ready for compliance, package it and deploy it so it inherits all the controls so they can upload data, perform analysis and do it in a secure fashion.”
The Supercomputer Center simply could not do that with security and compliance being locked down in the cloud.
Google’s Talreja pointed to predictive models as another example because running them against secure health data can be an aid to clinicians by suggesting what data is important.
“If you have a picture of a retina, there are things that can be variations in quality of image, the noise, and then signs of real damage to the eye and the two can be hard to tell apart,” he said. “Having all the bits and bytes can be a real help.”
Security as innovation foundation
As hospitals deploy more resilient technologies and leverage the cloud, security will naturally continue to be a concern.
Building a foundation for innovation is not a one-time occurrence. But there are steps executives can take to move in the right direction.
The initiative will often require a culture change that both starts at the top and encompasses all employees by making sure they understand what it takes to be both efficient and secure.
“A key message to convey is that it is how well you address governance, policy, process and education that determine the value you get out of your tech investment,” said Allyson Vicars, associate director of health IT research at The Advisory Board.
El Camino’s Muro, meanwhile, said that laying the groundwork for innovation starts with identifying areas where you can make an immediate impact – whether that is population health, value-based care, precision medicine or others.
Another tip is to avoid working in isolation as early as possible in order to find strategic opportunities and, from there, focus on those that existing technologies can be applied to now.
“It’s critical for CIOs to do roundings to be forerunners and examples of creating better efficiencies,” said Michael Archuletta, CIO at Mt. San Rafael Hospital. “If we’re just behind the desk talking about innovation and cybersecurity improvements but we don’t try to executive those it won’t work.”
It’s not my intention to suggest that infosec is close to being solved – it’s not – or that hospitals and health systems can simply start innovating on legacy infrastructure. But I left the conference with a strong sense that the traditional security team’s days of being the “Department of No” are numbered. If only in a beginning-of-the-end kind of way. And for good reason.
“Security can not only make things better,” said Christine Vanderpool, deputy CISO and executive director of cyber risk at Kaiser Permanente (she has since left to be CISO of Florida Crystals). “It can make your business more efficient, more productive.”
I’ll see you at the next HIMSS Healthcare Security Forum in Boston, Oct. 15-16. Register here.
Read more Innovation Pulse columns from Healthcare IT News.