Healthcare Online User Group

Information Security in Healthcare: Too little, too fast 

Oct 09, 2011 10:21 AM

I worked for the guy who coined the term “Internet speed” - - as in “we work at Internet speed”, or “we live life at Internet speed”.  At least I think he coined it - - this was back when the Internet, as we know it, was still pretty new - - post-Gopher and pre-Facebook.  In any case, I knew what he meant.  He meant we did things fast, sometimes too fast.  Sometimes we did things fast just because we could.  Don’t get me wrong, fast can be good; not only good, sometimes it is essential, mandatory.  Success requires Internet speed - - sometimes.

Sometimes answers have to be right.  Even if it takes more time.  While he was talking about Internet speed, I was training the rest of the executive team to “take time to think”.  Literally.  We shut down all the operational executives at this company on Friday mornings to read, research, talk to experts and then I made everyone report to the group on their morning - - what they had learned, what they thought, how they felt.  We came off Internet speed, worked at human-being speed.

If I haven’t lost you yet, this blog is about information security in healthcare, and some of the things I’m seeing in the provider setting.  We’ve come a long way, but it has been a long time since the HIPAA Security Rule became effective.  What I’m seeing now is some things being done at Internet speed, and that concerns me: maybe things are not getting done right.  You can do security fast - - with appropriate funding and adequate headcount with the right skills - - and you can do security wrong.  If you do it fast without funding, people, skills and human-being speed thinking, you will likely get it wrong.  One of the things I’ve learned about security is this:  “A false sense of security is worse than a true sense of insecurity.”   I wish I knew who said it but I don’t.  I wish I had said it first but I didn’t.  I am seeing a lot of false senses of security being deployed rather than real security.

There was a time when you could let the desktop group solve their security issues (anti-virus, asset tracking) and the server guys their issues (configuration management, anti-virus, asset tracking) and the messaging team and the backup team . . . well, you get the picture.  And let’s not forget things like mobility and cloud.  Today, it is all connected.  Or should be.  Even if they don’t all use the same solution, those solutions have to work together to optimize security and integrate for reporting.  In fact, today, security can’t be just an IT strategy - - security, privacy, compliance, availability must be a business strategy.

This is no one’s fault.  Healthcare is under the gun.  Margins are under pressure.  The entire economy is struggling.  The regulations never stop.  One-off point solutions won’t provide the protection and insight you need.  Using something because “we already own it” is not a strategy.  It is fast - - you can do it at “Internet speed” - - and it is cheap.  I’d be concerned whether everyone who needed to take some time to think about it, had done so.  Or whether it supported a more holistic approach to making data secure and available.

Healthcare will solve the myriad security, privacy, and compliance issues it is facing.  I have no doubt about that.  I do suggest, though, that if we solve them at “Internet speed” it will take much longer than if we think about it, plan and design strategically and act tactically.  And if we do Security right (Security with a capital S - - security, integrity, availability) we’ll see some of these things happening:

  1. Security will be designed into systems, not added after the fact.
  2. Security will not be the first thing cut as scope creep begins because it is easier to cut security than to explain cutting functionality (no matter how obscure or arcane the function may be).
  3. Security and Privacy will be part of the business mission, not a compliance requirement that you do as minimally as possible.
  4. Security will not be a small group in IT; it will be embedded in all the operational functions of IT.
  5. Security and Privacy will be part of every employee’s job description (not just in IT).
  6. Security will be important to the organization and not be another card IT plays to get head count, OpEx or CapEx budget.  Rather, the organization will appropriately fund security and expect it to be strategic and well thought out, not a bunch of one-off, inexpensive but hard to manage products.

Tell me what you think about Security - - at Internet speed or otherwise. 
