Should Healthcare Privacy and Security Officers take the Hippocratic Oath to do no harm?
A couple of weeks ago my co-founder and Ostendio CEO, Grant Elliott, was quoted in an article for CSO. The article posed the question: “… should health IT programmers … be held to the same ethical standards as doctors and other medical professionals?”
The number of reported vulnerabilities in healthcare applications has risen dramatically over the last few years. This gives the appearance that security around development has been lax, to say the least. However, I think it is equally important to recognize that this rise may also be attributed to more attention being paid to the security of the healthcare industry as a whole. Recent data breaches and ransomware attacks have put the industry in the spotlight.
While I think it is a valid question, I would direct it to a different department: “Should the Privacy Officers and Security Officers of a healthcare organization take the Hippocratic Oath to do no harm?”
To answer my own question: “It depends!” Here is why. Many healthcare organizations have both a Security Officer and a Privacy Officer, to protect the privacy of patient data AND the security of the systems that host that data. Their focus is usually at the policy and procedural level, making sure certain tasks are carried out in a timely manner and that protocols are followed according to the guidelines. Unfortunately, this is where most of their authority ends. Rarely do they have oversight of the key areas where vulnerabilities actually arise, which include:
- Development of software applications
- Information technology patch and vulnerability maintenance
- Choice of vendors that the organization is sharing or processing patient data with
At the same time, many of these officers are not embedded at the executive level, where they could weigh in on strategic initiatives in which security may play a crucial role. So for those officers who have no insight into these areas of the organization, I say “No,” they should not have to take the oath, because taking the oath presumes some level of autonomy to affect the outcome, and only with that autonomy can the highest level of responsibility be expected.
How do you fix this?
If a healthcare organization gives its Security Officer or Privacy Officer authority over all of these departmental areas, then taking the oath should be considered. Much like a doctor caring for a patient, the Security and Privacy Officers should care about the health of patient information. When they see something detrimental to the health of that data, they should have the ability to prescribe a solution and have it followed, even if it means a short-term loss in productivity to head off a major loss of private data later.
When healthcare organizations begin allowing their Privacy and Security Officers to manage patient health data as preventive care instead of emergency room triage, then my answer changes to “Yes,” they should take the oath.
Interested in learning more about streamlined, transparent cybersecurity, risk mitigation and information security compliance? Contact Ostendio about our easy-to-use, cloud-based workflow solution.