I’m generally someone who hates certifications. However, I hate them because they’re often implemented poorly and easily gamed. When they’re implemented effectively, they can be extremely helpful. Think about all the safety certifications that electronics go through. I’m sure they’ve saved our lives and saved our houses from burning down many times over.
I’ve wondered if a security certification would be useful for healthcare IT applications. Certainly it wouldn’t be perfect (security never is), but it could serve as a baseline security check that would help healthcare organizations with their acquisition process.
The reality is that many organizations don’t properly vet the healthcare IT applications they purchase for security. They aren’t consistent and they have limited resources. A security certification in theory would spread the costs of certifying a healthcare application’s security across a large number of organizations and thus save everyone money.
The key to this certification is not to have it as a kind of pass/fail certification. Sure, you want to say that it meets a certain standard of security, but more importantly it would also create a report on what type of security was implemented for that software.
Take encryption for example. Every healthcare organization looks for encryption. A security certification could ensure that the software system has implemented encryption appropriately and also describe how the encryption was implemented. Is it end-to-end encryption? Do they encrypt the data at rest? What about encryption of the data being stored on the customer’s device? And so on.
One challenge with this idea is that CIOs, health IT companies, and other technology professionals can become over-reliant on certifications. It would have to be clear that the security certification was just a baseline and not a 100% foolproof way to secure your IT software. This is a challenge since health IT sales reps are going to position a security certification as exactly that kind of guarantee. It would take some effective marketing for people to know that the security certification could save them time in their security analysis of a new health IT software purchase, but wasn’t the be-all and end-all.
I imagine some people would argue that this type of certification and details about how an organization or software company implements their security would be a treasure trove for hackers. Certainly you’d have to be careful with what you share and how you share it. However, most of the details are things that a good hacker could figure out anyway.
As it is today, health IT companies just say they’re HIPAA compliant (whatever that means) and many healthcare CIOs are floundering with limited resources for evaluating the security of the applications they buy. A security certification could help them make some headway on this I think.
Done the right way, a security certification could help set a new bar for how vendors approach security. That could be a very good thing. Of course, if not updated regularly and effectively, it could also require a bunch of hoop jumping that doesn’t provide real value. It’s a tricky challenge.