Advance for Health Information Professionals posed this question to our own Mac McMillan seeking his insight. Mac, in his own words, answered the question with this:

I’m going to answer this question with what I believe to be the correct answer: Yes, the healthcare industry is capable of doing security successfully. I base that belief not only on my experience over the last 20 plus years, but also because of the many examples of organizations that are getting it right, and the many industry leaders who have proven that security can be implemented successfully. So why do I pose the question? Because many organizations are still lagging in the area of healthcare security. Perhaps the better question is, why do some organizations get it right and others struggle? There are several reasons for that, but what might be more interesting is to look at a couple of critical factors that have contributed to successful healthcare security programs.


Leadership sets the tone for a successful security program. The most effective security programs have often been overseen by a business leader who makes patient privacy and data security a priority, and an experienced security professional who knows how to translate those priorities into practical action. Each executive is directly involved and ensures the information security program is realized through the provisioning of resources needed. They view patient privacy and data security as a responsibility, not just a cost center or necessary regulatory evil. In most organizations where there is struggle — or failure — it is usually traced back to a lack of focus at the top and/or insufficient resources to get the job done correctly. Survey after survey for the past few years has documented the shortcoming.


In addition to strong executive leadership that makes privacy and security a priority, another benchmark of successful programs is an appreciation for — and openness to — objectivity in measuring performance. One of the first tenets of data security is to never allow the same person who built or manages a system to also test or audit that system. Separation of duties, third party assessments and consulting with outside experts have always been important keys to successful data security programs. Information security is an extremely dynamic subject area in which expertise should be maintained. This is particularly true when talking about strategic design and assessing risk.

Smart organizations seek external input when developing a security strategy, designing an enterprise security controls architecture or selecting the right technologies to enable their strategy. First, consultants come at the problem with the experience of having seen many environments. Second, they have already worked with many of the solutions/approaches in operation and tend to stay current in the technology. Third, there should be objectivity in the process; it is also important to consider the value of lessons learned elsewhere. The successful organization takes advantage of both knowledge and experience and reaps the benefits in cost avoidance, implementation successes and enhanced adoption.

The successful organization also takes advantage of objective measurement in assessing risk, both initially in determining which controls are needed, and on the back end by assessing effectiveness. One of the most informative tools employed in security management is the risk analysis. If done right, it will produce the roadmap needed for building, remediating or validating the security program. If done regularly, it will produce a honed awareness of where risk is enabled and support a better understanding of what security measures are most effective. Risk management is continuous. Risk analysis should be conducted at least annually in most environments, or when significant change occurs in the organization or information enterprise. Every regulated industry is required to conduct risk analysis — healthcare is no exception. The HIPAA Security Rule calls for conducting a risk analysis, as does HITECH in both its Breach Notification Rule for determining harm and its Meaningful Use Rule attestation requirements for receiving incentive funds.

My Answer

Can health care do security successfully? Absolutely, and many organizations are. But, unfortunately, many are not. The two success factors that relate to the culture of an organization are leadership and objectivity. Establishing a culture that views security as a core business responsibility and embraces objectivity in measuring effectiveness enables an organization to learn and improve more rapidly. Using external third parties for conducting risk analysis is a security best practice, and it allows organizations to avoid costly lessons learned.