The Wit and Wisdom of Howard Schmidt
For example, he stressed that healthcare organizations of all sizes need to take security more seriously, especially in light of the HITECH Act's toughened HIPAA privacy and security requirements.
A one-doctor clinic needs to trust that the identities of everyone who has contributed information to an electronic health record have been verified and the information is reliable, Schmidt said. "But they don't have an IT department and they don't have a CIO. As a matter of fact, the CIO generally is somebody's child down the road who's really really good at Nintendo."
The Obama Administration recognizes that "we need to make sure we have an e-health system that is secure, resilient, protects privacy and works," Schmidt said in his keynote address at the conference, "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by the HHS Office for Civil Rights and the National Institute of Standards and Technology.
"The key issue is you have to trust the system. If you don't trust the system, nobody will use it, and if nobody uses it, nobody benefits."
As more healthcare organizations adopt electronic health records and exchange information over health information networks, patients and providers alike need to trust that the information is secure and accurate, Schmidt said.
For example, if a patient provides sensitive personal information to validate membership in a health plan, he wants to be assured that the information will be disposed of properly once he's no longer in the plan, Schmidt said. Patients want answers to their questions about the fate of their information, he said, such as: "Are you going to throw it in a trash can behind the building? Do you shred it? Or is it on a yellow sticky note? Or if it's in a computer system, what are the controls that keep other people from viewing it?"
The National Strategy for Secure Online Transactions, an ongoing White House effort to build policies for identity management, is designed to protect healthcare information as well as financial information, Schmidt stressed.
ID management is essential to the success of health information exchanges, which can, for example, give emergency physicians access to the medical records of an out-of-town patient, he said. ID verification is essential, Schmidt said, so that the doctors treating an accident victim "can have a transaction that is viable and trusted."
Schmidt told his audience of security officers that "security and privacy are two sides of the same coin. Without security, you have no privacy."