Dr. Cris Ewell, whom we’ve written about before, has a great profile in the recent Data Breach Examiner. In it, he talks about the need to look past “compliance” as the be-all and end-all of security and privacy strategies in healthcare organizations.
“Breach happens. That’s the operative assumption that Dr. Cris Ewell lives by. In the past year, 96% of hospitals have had a data breach, and 60% have experienced multiple breaches. That’s why Ewell, Chief Information Security Officer at Seattle Children’s Hospital, recommends basing PHI security strategy not around regulatory compliance but around the “assumption of breach,” a philosophy that promotes a proactive, relentless approach to information security.”
“When, not if” is a phrase we are starting to hear more and more in the healthcare IT world, and it seems to be sticking in the minds of security professionals. You can read the whole story: Why Compliance is Not Enough.