But he said besides the Meaningful Use rule, the medical field has seen, "increasing adoption of PACS (Picture Archiving and Communication System) for radiology departments, the widespread adoption of mobile devices by many physicians, and an ever-increasing amount of medical equipment becoming network enabled."
He said these are all aimed at improving care, but that many organizations, "rolled out these technologies without being able to devote as many resources to the information security aspects of things as they could the patient-care aspects."
Indeed, the drive for improved patient care, while obviously laudable, tends to leave security as the proverbial afterthought.
"There is a tension for many providers," Fisher said. "Do we spend on security, which can be big dollars, or do we buy a new clinical device like an MRI? Many healthcare CISOs do not know how to tie the mission and needs of security to the core mission of the provider, and lose that argument every single time."
Berger sees the same thing. "PHI is anything but protected," he said, noting that spending in the healthcare industry on security "is very low compared to other industries that rely on sensitive data."
He doesn't see rapid improvement on the horizon either, even with more awareness and tougher regulation. "The overall ecosystem may get better in the future but the glaciers may melt before that can happen," he said.
That doesn't mean nothing can be done before the glaciers melt, however.
Berger said, for starters, "PHI should be considered an asset within organizations and be treated as such in the overall governance and risk management process."
Fisher agreed. "Understand that security is a crucial part of patient safety and quality of care and prioritize security that way," he said.
He also urged organizations to focus on what many experts call basic security hygiene. "Patch and maintain your machines," he said. "Do good user access management. Pick a framework, do your required security risk assessment and then relentlessly work the remediation plan."
Panner said government should play a more active, and modern, role. HIPAA, he said, which became law in 1996, "wasn't designed for an Internet and cloud-enabled health system. We can and should do better."
And Frenz emphasized that it takes people as well as technology to improve security. "Establishing a culture of security is very important: get employees to understand that security is the responsibility of every employee and not just IT or people with the word security in their title," he said.
"This will not only help to mitigate issues from human error or social engineering attacks, but will also make other control initiatives more palatable to employees, since they will have a better understanding of the rationale behind the control."