What do healthcare privacy and security have to do with an airline accident investigation?

On July 19, 1989, a DC-10 crash-landed in Sioux City, Iowa, killing more than a third of its passengers. Survivors said it was a miracle anyone lived, and members of the flight crew were hailed as heroes. The tail section and right wing broke off as the plane caught fire, bounced and flipped upside down. Debris was scattered as far away as 75 miles. The cause: microscopic cracks in the plane’s fan disk that formed when the disk was made. These tiny imperfections could have been prevented and should have been discovered during inspection. They were small links in a complex chain of parts that went into creating the airliner. But they failed.

When a privacy or security breach occurs in the healthcare chain, a break in just one link can be caught and managed. The problem arises when a series of imperfections across multiple links shows up. Privacy and security must be addressed at each link. Policies and technology standards that only address a component of the value chain don’t address the larger ecosystem. The broader impact to the patient, physician and health IT systems must be considered. Looking end to end at the chain enables organizations to make sense of how privacy and security work together holistically.

In the healthcare industry, the ability to use a simple cellphone app to help maintain a patient’s care is fast becoming a reality. Users will highly value this capability as long as it’s reliable. Safeguarding privacy and security within such mobile technology consists of a long series of links. The stronger the links, the more secure the value chain. But with the proliferation of medical apps for patients’ and physicians’ smartphones and other mobile devices, protecting the shared information presents a torrent of challenges.

Smartphones and tablets have their own security and operating systems. Each device may use three or more Internet browsers, multiple email accounts and multiple non-health software applications. Not all software is designed the same, so the ability to interface with other applications varies. Protocols differ regarding how data is transmitted and accessed. As many as six different networks can pass along a patient’s healthcare information – the patient’s mobile device carrier, a hospital Wi-Fi or wireless/wired network, a third-party telecommunications provider, a data center network, a personal physician’s network and an insurance company network.

So where to begin?

List your value chain in detail to find the weak links. Think about these areas:

  • Smartphones/tablets – What data is being accessed? What non-clinical data resides on the device? Who can access the device?
  • Applications/software platforms and integration – What data does the application gather? Who is responsible to update it and ensure compatibility with other software?
  • Networks – How is the data transmitted: Wi-Fi, wireless, wired, communications providers?
  • Data storage – How is information stored? Where is it stored? Who manages it?
  • Access – Who needs access to the data: patient, physician, nurses, labs, pharmacists, payers, insurance company?
  • Management of data – Who manages the data as it’s created, stored and accessed: hospital IT staff, third-party data storage, payer, insurer?

Once you identify your value chain and the health of each link, consider the following:

  • Review your current privacy and security standards and processes across your value chain.
  • Identify the critical path necessary to execute privacy and security safely and effectively.
  • Identify the silos that exist within your organization, and the dependencies of each.
  • Review ways to minimize risk regarding how PII works its way through your system.

Discovering the health of your ecosystem and addressing issues early will help keep catastrophic failures from happening to your healthcare value chain. Discovering the strength and value of your health system is a process – one that can be streamlined through valuable conversation with like-minded mHealth and privacy & security professionals in the mHIMSS LinkedIn group.

An opportunity to start forging your value chain dialogue can be found in the upcoming HIMSS Virtual Forum, The Future of Mobile Technologies and mHealth: Staying Securely Connected, which will take place on Thursday, April 26, beginning at 9 a.m. CST.

Geoffrey Hancock is director of business/sales and technical implementation for cloud, security, mobility and healthcare at Verizon. He is a member of the mHIMSS blog workgroup.