The Health Insurance Portability and Accountability Act (HIPAA) of 1996 required covered entities to protect the privacy of protected health information. However, there was no encryption requirement (the later HIPAA Security Rule listed encryption only as an "addressable" implementation specification, not a required one). Enforcement of the law was non-existent for over a decade. Therefore, a very lax culture developed and became the norm in the healthcare industry.
When the HITECH Act of 2009 came along it was a game-changing event for several reasons. First, it provided a massive infusion of federal incentive funds for strategic technology investments in electronic health records (EHRs) through an incentive program called Meaningful Use; the goal was to give any healthcare provider complete and accurate information about the patient. These EHRs were required to adhere to certain interoperability standards (the groundwork for these standards had been laid in 2004). Interoperability would allow the secure exchange of electronic health records between providers through health information exchanges (HIEs) at the state level.
These innovations and investments were designed to improve patient outcomes and reduce costs, and to begin a movement towards quality- and results-based payments for medical care rather than the quantity-based payment system (regardless of result) which had existed in the industry for decades.
As I visited conference after conference and heard stories from the doctors themselves it was clear to me that both doctors and patients were excited about the errors that were reduced and the lives that were saved through the use of electronic health records. In addition, artificial intelligence, derived from the work of the highest quality doctors, suddenly provided doctors with the ability to glean through large volumes of data on the patient and arrive at higher quality decisions.
However, half of the US healthcare industry continued to suffer from an anachronism dating back to the 1980s. In these organizations the Chief Information Officer (CIO) and the IT department continued to report to the Chief Financial Officer (CFO) or a comparable executive. Thus the CIOs in these organizations are not empowered to make the right decisions related to technology and cybersecurity, because they do not report to the CEO. They serve under an organizational structure which views them as a cost center instead of an investment and a business driver.
Whenever diligent CIOs developed plans to meet the encryption expectations created by the HITECH Act (its breach notification rule exempts only protected health information that has been rendered unusable, in practice through encryption) and also wished to enable their organizations to participate in health information exchanges, the typical conversation in the regressive organizations went like this:
CFO, “I see you want 4 servers. Can you do with 1?”
CIO, “If I could do with 1, why would I ask for 4?”
CFO, “Don’t get defensive. I need to know how the money is being spent.”
CIO, “I thought I was in charge of planning the IT and cybersecurity strategy ...”
CFO, “Yes you are. But I am in charge of the money.”
CIO, “So are you saying you cannot afford this?”
CFO, “No, I am not saying that – just wondering why 4? Okay, how about 2? Can you do with 2?”
CIO, “OK, let’s ask the same question differently. If there is a cybersecurity breach, are you willing to take the blame?”
CFO, “Of course not. That is why I hired you. It is your job to make sure we are secure. You are the Chief Information Officer.”
CIO, “Right. But you keep overruling me all the time.”
CFO, “I am in charge of making sure our money is spent wisely. By the way, I am not even sure that HIPAA requires encryption.”
CIO, “It is a requirement of the HITECH Act of 2009.”
CFO, “Oh, one of those Obamacare things ...?”
CIO, “No, this has nothing to do with health insurance exchanges ...”
And thus these circular conversations persisted. Many CIOs resigned out of frustration. Many felt it would be career suicide to be prevented from doing the right thing and then be blamed for lack of due diligence in the event of a breach. Several major healthcare organizations decided they could do without a CIO for several years. Some even decided a healthcare executive could perform the role. Today about one-third of US healthcare organizations do not have a Chief Information Security Officer and one-fifth do not plan to have one anytime soon.
Without the right IT and cybersecurity strategist in place, healthcare organizations may fail to maintain compliance with the applicable laws, rules and regulations. They may not implement controls or software to monitor unusual user behavior. They may have no controls to prevent data loss or unauthorized data access. If a single user account is pulling out 80 million records, they may never know until it is too late. They may never analyze their logs. More dangerously still, they may never invest in the technology needed to manage and monitor privileged user accounts, never engage in cybersecurity governance and leadership, and never commit to continuous innovation and improvement or to user training, which is a key requirement for cybersecurity.
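The failure mode described above, one account pulling tens of millions of records while nobody looks at the logs, is exactly what routine audit-log analysis catches. The script below is an added example, not code from the article or from any EHR vendor: it assumes a hypothetical pipe-delimited audit-log format (timestamp, account, role, action, records touched) and constructed sample lines, aggregates records per account per day, and flags a day when an account either exceeds an absolute cap or exceeds ten times its own median daily volume on other days. Real EHR audit formats and sensible thresholds differ from these assumptions.

```python
"""Flag accounts whose PHI access volume is anomalous, from EHR audit-log lines."""
from collections import defaultdict
from statistics import median

# Hypothetical audit-log format assumed for this example (not a real vendor format):
#   <ISO timestamp>|<account>|<role>|<action>|<records touched>
# The lines below are constructed sample data, not a real log. The last line
# models a service/database account exporting 80 million records at 2 a.m.
SAMPLE_LOG = """\
2015-01-20T09:02:11|jsmith|clinician|VIEW_RECORD|1
2015-01-20T09:05:40|jsmith|clinician|VIEW_RECORD|1
2015-01-20T10:15:02|jsmith|clinician|VIEW_RECORD|1
2015-01-21T08:44:10|jsmith|clinician|VIEW_RECORD|1
2015-01-21T11:02:55|jsmith|clinician|VIEW_RECORD|1
2015-01-22T09:10:03|jsmith|clinician|VIEW_RECORD|1
2015-01-22T09:11:30|jsmith|clinician|VIEW_RECORD|1
2015-01-20T13:00:00|svc_report|service|EXPORT|2500
2015-01-21T13:00:00|svc_report|service|EXPORT|2600
2015-01-22T13:00:00|svc_report|service|EXPORT|2400
2015-01-23T13:00:00|svc_report|service|EXPORT|60000
2015-01-20T14:20:17|dbadmin1|dba|QUERY|40
2015-01-21T15:01:44|dbadmin1|dba|QUERY|35
2015-01-22T02:14:09|dbadmin1|dba|EXPORT|80000000
"""

ABS_CAP = 100_000       # assumed: no account should touch this many records in one day
BASELINE_MULT = 10      # assumed: nor exceed 10x its own median daily volume


def parse_log(text):
    """Parse the hypothetical audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, role, action, n = line.split("|")
        events.append({
            "day": ts[:10],          # YYYY-MM-DD, the aggregation bucket
            "account": account,
            "role": role,
            "action": action,
            "records": int(n),
        })
    return events


def daily_totals(events):
    """Map account -> day -> total records touched that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["account"]][e["day"]] += e["records"]
    return totals


def find_anomalies(events, abs_cap=ABS_CAP, mult=BASELINE_MULT):
    """Return one alert per (account, day) whose volume breaks a threshold.

    The per-account baseline for a given day is the median of that account's
    totals on its *other* days, so a single huge day cannot inflate its own
    baseline. Accounts with no other days are judged by the absolute cap only.
    """
    alerts = []
    for account, days in daily_totals(events).items():
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            reason = None
            if total > abs_cap:
                reason = "absolute cap"
            elif others and total > mult * baseline:
                reason = "baseline deviation"
            if reason:
                alerts.append({"account": account, "day": day, "records": total,
                               "baseline": baseline, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{a['day']} {a['account']}: {a['records']} records "
              f"(baseline {a['baseline']}) -> {a['reason']}")
```

On the constructed data the clinician's one-record-at-a-time views never alert, the reporting service is flagged for a 60,000-record day against a 2,500-record baseline, and the database account's 80-million-record export trips the absolute cap. The two checks are deliberately independent: the cap catches a first-ever bulk pull by an account with no history, and the baseline comparison catches a privileged account that quietly grows its daily take.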
Dr. Mansur Hasib
Dr. Mansur Hasib aka #DrCybersecurity has established a global personal brand as a cybersecurity leader, business executive, professor, author, and public speaker with more than 30 years of experience in Healthcare, Biotechnology, Education, and Energy.
He served as Chief Information Officer for 12 years for the Baltimore City Health Department and within the University System of Maryland.
Between 2016 and 2019, his academic leadership and branding strategy at a major public university tripled the size of the academic program from 1,500 students to 4,800 students globally and grew its annual revenue from $30 million to $117 million. His program won back-to-back awards as the Best Cybersecurity Higher Education Program in the USA in 2018 and 2019 from SC Awards. His students won back-to-back Rising Star of the Year Awards from (ISC)2 in 2019 and 2020.
Dr. Hasib explained cybersecurity leadership in his widely acclaimed book Cybersecurity Leadership, which is listed among the best cybersecurity books of all time by Book Authority. Dr. Hasib believes that every person has unique gifts to share with the world. Thus his academic programs focus on the individual and include business strategy and risk, writing, speaking, and personal branding elements.
The key to success in any field is to find your gifts, refine them, and monetize them to create multiple streams of income. He discovered the power of his own personal brand when he won the global 2017 People’s Choice Award in Cybersecurity competing against 19 companies and 3 individuals. He repeated this feat in 2020. His personal branding methodology and the stories of several students are shared in his recent book Bring Inner Greatness Out: Personal Brand.
Dr. Hasib has been quoted, interviewed, and cited in countless media all over the world. His books have been sold in the USA, Canada, Mexico, India, Australia, United Kingdom, Japan, Kuwait, Middle East, Algeria, Brazil, Kenya, Ghana, Nigeria, New Zealand, Germany, Philippines, Singapore, France, Italy, Bangladesh, Cyprus, South Africa, Bahrain, Bahamas, Switzerland, Sweden, Hungary, Pakistan, Malaysia, Trinidad and Tobago, Spain, and various other parts of the world.
Dr. Hasib enjoys table tennis, comedy, and travel and has been to all 50 states of the USA. Follow him on Twitter @mhasib or LinkedIn: www.linkedin.com/in/mansurhasib.
To access more content, subscribe for free to his YouTube Channel with over 100 educational videos: https://www.youtube.com/channe...
To contact Dr. Hasib, visit: https://www.cybersecurityleadership.com.