At events like HIMSS, Mac McMillan, co-founder and CEO of the consulting firm CynergrisTek, and chair of the HIMSS Privacy & Security Policy Task Force, can truly be a breath of fresh air. While a good chunk of the people at this event are giving you a structured, manufactured set of thoughts on a particular topic in health IT, a guy like Mac is simply telling it like it is.
I had a great conversation with Mac on the HIMSS exhibition floor on the various privacy and security issues that the industry is facing. Mac, who was a speaker at the HIMSS pre-conference symposium, was firm in his belief that this growing data breach problem is an indictment of healthcare organization leadership. Reiterating the point he made in his HCI blog debut from a few weeks ago, this is a cultural issue. It’s about organizations not spending the money they need to protect their patient data.
Mac isn’t shy about pointing fingers. After talking about the lack of resources that healthcare organizations put into security measures, he mused: “Whose responsibility is it to set priorities and determine who gets resources? Leadership. When you look at the crux of the problem, that’s what it is.”
This leadership issue will be solved one way or another. As McMillan says, either healthcare organizations themselves will get their act together and work on solving the problem, or the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) will do it for them. The latter option, McMillan tells me, is basically what happened in banking, except there it was the Federal Reserve stepping in.
Heaven knows I’ve blogged and written on this subject often enough to see McMillan’s point of view. But still, walking around the HIMSS exhibition floor can often seem like an exercise in publicized ignorance (an exercise in the literal sense too, with the floor stretching 1.5 miles). Take, for instance, the mobile health (mHealth) and bring-your-own-device (BYOD) craze.
Don’t get me wrong, I firmly believe mobile devices can be transformative tools in delivering care. But hearing every vendor talk up these solutions without seriously discussing the security protections behind them is a bit disconcerting. It’s always, “Oh yes, it’s HIPAA compliant,” and then it’s on to the next feature. There is a reason why many healthcare CIOs are hesitant to bring tablets and smartphones into the workplace: security is a huge concern.
“Most of those devices don’t have the right security functionality, or we’re not able to control it, or the user has the ability to disable it. The bottom line is there’s no real good solution out there yet with respect to mobile devices,” McMillan says.
Instead of putting the data on a smartphone, McMillan suggests creating a gateway that gives practitioners access to the data without leaving a copy of it on the device. This can be done, he says, through a web interface reached over a secure, authenticated connection: the record stays on the server side and is only viewed, never stored, on the phone or tablet. Then there’s the matter of encryption for whatever does end up on the device, on which he was his typically blunt self.
“If you’re going to put it there [on the device]…encrypt, encrypt, encrypt,” McMillan says.
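To make the gateway idea concrete, here is a small added example (my own illustration, not code from McMillan, CynergrisTek or any product on the show floor) of the two controls such a gateway would enforce on every request: the caller must present a valid session token before any record is returned, and the response carries `Cache-Control: no-store` and related headers so the browser or app on the device does not persist the record. The session store, patient record and token values are constructed sample data; the handler is a plain function so it can be wired into any web framework. It assumes TLS is terminated in front of it, which is why it rejects anything not marked as arriving over HTTPS.

```python
import hashlib
import hmac
import json
import time

# Constructed sample session store: the server keeps only a hash of each
# issued token, so a leaked copy of this table does not yield usable tokens.
SESSION_TOKEN_HASHES = {
    hashlib.sha256(b"tok-practitioner-1").hexdigest(): {
        "user": "dr.jones",
        "expires": time.time() + 3600,
    },
}

# Constructed sample record; it never leaves the gateway except as the body
# of a non-cacheable response to an authenticated caller.
PATIENT_RECORDS = {
    "mrn-0001": {"name": "Test Patient", "allergies": ["penicillin"]},
}

# Headers that tell the device-side client not to keep a copy of the body.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "application/json",
}


def lookup_session(token):
    """Return the session for a bearer token, or None if unknown or expired.

    The comparison uses hmac.compare_digest so a wrong token takes the same
    time to reject regardless of how many leading characters match.
    """
    if not token:
        return None
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    for stored_hash, session in SESSION_TOKEN_HASHES.items():
        if hmac.compare_digest(stored_hash, presented):
            if session["expires"] > time.time():
                return session
            return None  # matched but expired
    return None


def handle_request(headers, path):
    """Gateway handler: returns (status, response_headers, body).

    headers: dict of request headers (assumed lower-cased keys).
    path:    request path such as '/records/mrn-0001'.
    """
    # Assumption: a TLS-terminating proxy sets x-forwarded-proto; refuse
    # to serve records over anything that did not arrive via HTTPS.
    if headers.get("x-forwarded-proto", "https") != "https":
        return 403, NO_STORE_HEADERS, json.dumps({"error": "https required"})

    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    session = lookup_session(token)
    if session is None:
        # Same headers on error paths: nothing from this gateway is cacheable.
        return 401, NO_STORE_HEADERS, json.dumps({"error": "authentication required"})

    if not path.startswith("/records/"):
        return 404, NO_STORE_HEADERS, json.dumps({"error": "not found"})

    mrn = path[len("/records/"):]
    record = PATIENT_RECORDS.get(mrn)
    if record is None:
        return 404, NO_STORE_HEADERS, json.dumps({"error": "not found"})

    body = json.dumps({"viewed_by": session["user"], "record": record})
    return 200, NO_STORE_HEADERS, body


if __name__ == "__main__":
    status, hdrs, body = handle_request(
        {"authorization": "Bearer tok-practitioner-1"}, "/records/mrn-0001"
    )
    print(status, hdrs["Cache-Control"], body)
```

The point of the example is that the device is never trusted with a copy of the record: the check on the token decides whether the record is shown at all, and the `no-store` headers decide whether anything lingers afterwards. If a deployment does have to put data on the device, that is exactly where McMillan’s “encrypt, encrypt, encrypt” applies, on top of, not instead of, the gateway.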
It’s this kind of truthfulness that sometimes makes me wish I could talk with 20 Mac McMillans at HIMSS. If I could, the air inside the stuffy Ernest N. Morial Convention Center, with some 35,000 guests, might not seem quite so stuffy.