Virtualization Technology News and Information
Plato, Aristotle, Blackberry, Apple and HIPAA

First, let me be clear.  I am not an attorney, I have never played one on TV, and I can't even remember the last time, if ever, that I stayed in a Holiday Inn Express.  If I say anything here that feels as if I am offering advice on compliance be aware that this article is a work of fiction - any similarity to real persons or events (or laws, regulations, statutes, etc.) is purely . . . you get the picture.

I have participated in, or at least observed, many hours of conversation concerning HIPAA, with a variety of people who hold a deep interest in the subject from many angles.  I suspect these conversations hark back to the philosophical debates of the likes of Aristotle or Plato: vigorous, even passionate dialogue about a matter of logic or a nuanced obligation of the state.

As I drove from Las Vegas to Salt Lake City today, I found myself contemplating those conversations (HIPAA, not Plato), and how applicable they are to the day-to-day activity around HIPAA compliance.  Yes, I do recognize how boring and sad this makes my life sound, but I believe there is a conclusion worth sharing.

A lesson from Blackberry and Apple.

Perhaps, when we think about HIPAA compliance, at least from an IT perspective, we should think more iPhone than Plato, more big picture than nuance.

More than one of the HIPAA conversations that I have participated in goes something like this:

". . . we have security, we have trained on HIPAA, but our users continue to (insert risky activity here)."

"Well, can't we lock the systems down so they can't (insert risky activity here)?"

"We can, but we will need to purchase XYZ solution."

As I thought through these conversations I could not help but remember the first time I saw this article.  Blackberry, for some time, had been asserting that their secure platform would ensure their continued dominance (or at least relevance) in the mobile handset space.  When I read this article, it became clear that if the iPhone was good enough for the Pentagon, it would be good enough for nearly any secure environment.

Blackberry's strategy appeared to be to compel the use of their technology by leveraging their security advantage.  Apple's strategy was somewhat different.

The first time I used an iPhone I remember being amazed at what the tiny device could do; I was equally amazed, however, at how easy it was to do it.  There were very few tasks that I needed or wanted to accomplish that weren't almost clairvoyantly intuitive.  I wanted to touch the screen, I wanted to browse the web, I wanted to download apps - it was mesmerizing.  The Blackberry, which I owned at the same time, soon found itself in my sock drawer (literally).

A few years later, most organizations had decided that the IT relationship headaches caused by dictating a platform for security purposes weren't worth it.

The carrot or the stick?

It seems that the majority of the compliance and IT personnel I talk to with responsibilities associated with HIPAA are still thinking like Blackberry - and wondering why Apple is winning market share.  How do we stop employees from sending unsecured email?  How do we lock down USB ports?  What steps can we take to block users from accessing clinical data from their personal tablets?

For 17 years I was, by profession, deeply embedded in the IT camp.  I will admit that, over the past 5 years or so, I have gone a bit native.  Perhaps more energy could be spent understanding WHY users find it necessary (or just desirable) to behave the way they do.  As I talk to clinicians, administrators, and even (wink wink, nod nod) IT administrators, I hear the same thing: it is often easier and faster to accomplish work by bending policies and procedures and circumventing the technologies that enforce them.

I am certainly not arguing that any specific security posture, policy, procedure or technology is inappropriate.  Brilliant, dedicated, hard-working (and did I mention brilliant?) professionals and experts have spent far more time than I ever will contemplating and creating these environments.

What I am suggesting is that the best path to HIPAA compliance may very well lie in enabling and delighting users.  Rather than blocking a work-around to a behavior, provide an alternative that is BETTER.  Look for options that increase productivity while, at the same time, improving security and compliance.

Growing a tastier carrot

It is true that there may not always be a win-win, but the technologies available to enable users today are orders of magnitude more powerful than they were just 5 years ago.  While in 2004 a focus on security often necessitated a conversation about endless restriction, today that isn't necessarily so.

There is no time here to go into specific technology stacks, and to be honest, that wouldn't fit my newfound big-picture type of thinking tonight anyway.  I will briefly say that great technologies are out there.  They are lighter, faster, more stable, and even less expensive than ever before.

There are new solutions for maintaining user context and/or roaming profiles.  There are better, faster, lighter and simpler options for redirected folders, as well as for delivering and deploying desktops, solutions and applications.  Audit trails for environments, applications, users and data are often embedded seamlessly into these solutions.  There is literally a technological cornucopia of HIPAA-related goodness that can be used to appropriately enable users.

I want to be very clear that I don't question the intentions of anyone responsible for IT, security or compliance.  As I said before, I have worked with dozens, or maybe even hundreds, of such people, and you would be hard pressed to find a better group of people doing a harder or more thankless job.  I also recognize that nothing here is philosophically groundbreaking.

Still, I believe there is something here that is very actionable and equally simple.  Every time there is a conversation about security or compliance, resist the urge to start by determining how to 'lock something down'.  Instead, begin the conversation by fully understanding what is being accomplished and why, and then determine how the user can be given something even better than what they are doing today.  After all, as anyone with a security or compliance background will tell you, the only solutions that work are those that are USED.


Doug Coombs is a technical advisor for FSLogix and is currently serving as vice president of Fraud Solutions for Verisk Health.

Published Wednesday, June 03, 2015 7:01 AM by David Marshall