
Your Money or Your Life

March 25, 2009
by Dale Sanders

We've spent gazillions of dollars on HIPAA Security compliance, some needed, but some of which I think we contrive for no good reason... Screening and trapping outbound email for HIPAA-sensitive terms is one of those risk mitigators that, to me, has incredibly low value. As we get our security feet on the ground in healthcare, we tend to spend big bucks locking the front door while leaving the backdoor wide open.

I've had this theory that most of our patients would prefer that we protect their personal identity and financial information first, and then protect their personal health information. But HIPAA has consumed us, while Red Flag is a latecomer invitee to the party. That order of invitation and attention never made sense to me, and I would argue that we need to balance our investment and attention in IS security risk management towards our patients' perspective of risk, not ours. Remember that Risk = The Probability of Something Bad Happening x The Consequences. Many of us tend to focus on one or the other, but you need some of both to equal "Risk." Likewise, drive either variable towards zero, and you can forget about the other.

I'm running a simple little survey (which will drive PhD-survey designers nuts) to test the theory. Click here to take the one-question survey: Your Money or Your Life, and I will report the results in a few days.

Comments

While I think it's important to protect my PHR, I've seen an overabundance of scarce healthcare dollars and staff expended on it. Some of that $ could be funneled into protecting our financial info. And after all, how many of us have had the experience of HIPAA being a tool used to stonewall patients and their families? "I'm sorry I can't help you. HIPAA regulations, you know." And just where do those HIPAA forms end up, anyway?

I'll leave the same comment here that I left on your survey page. I think that people would prefer their personal health information is secured before their financial identity is, because money can be recovered, an identity can be reestablished but personal health information, once released onto the Internet, can never be put back in the bag. Who is to say that insurers aren't already surfing the net for information about prospective policy-holders?

Great post, Dale.

This is such a hot-button issue. Check out this statistic from a survey of about 4,000 Americans conducted by Deloitte Center for Health Solutions: 38 percent of those surveyed said they "are very concerned" with privacy and security, but 24 percent said they "are not at all concerned."

That last part shocks me — a quarter of those surveyed are not that concerned? Do they not read the papers?

Dale Sanders

Chief Information Officer, Cayman Islands Health Services Authority

Dale Sanders was a past VP and CIO of the Northwestern Medical Faculty Foundation at...