Are Security Certifications Needed to Simplify the Acquisition Process?

I’m generally someone who hates certifications. However, I hate them because they’re often implemented poorly and easily gamed. When they’re implemented effectively, they can be extremely helpful. Think about all the safety certifications that electronics go through. I’m sure they’ve saved our lives and saved our houses from burning down many times over.

I’ve wondered if a security certification would be useful for healthcare IT applications. Certainly it wouldn’t be perfect (security never is), but it could serve as a baseline security check that would help healthcare organizations with their acquisition process.

The reality is that many organizations don’t properly vet the healthcare IT applications they purchase for security. They aren’t consistent and they have limited resources. A security certification in theory would spread the costs of certifying a healthcare application’s security across a large number of organizations and thus save everyone money.

The key to this certification is not to have it as a kind of pass/fail certification. Sure, you want to say that it meets a certain standard of security, but more importantly it would also create a report on what type of security was implemented for that software.

Take encryption for example. Every healthcare organization looks for encryption. A security certification could ensure that the software system has implemented encryption appropriately and also describe how the encryption was implemented. Is it end-to-end encryption? Do they encrypt the data at rest? What about encryption of the data being stored on the customer’s device? And so on.

One challenge with this idea is that CIOs, health IT companies, and other technology professionals can become over-reliant on certifications. It would have to be clear that the security certification was just a baseline and not a 100% foolproof way to secure your IT software. This is a challenge since health IT sales reps are going to position a security certification as exactly that. It would take some effective marketing for people to know that the security certification could save them time in their security analysis of a new health IT software purchase, but wasn’t the be-all and end-all.

I imagine some people would argue that this type of certification and details about how an organization or software company implements their security would be a treasure trove for hackers. Certainly you’d have to be careful with what you share and how you share it. However, most of the details are things that a good hacker could figure out anyway.

As it is today, health IT companies just say they’re HIPAA compliant (whatever that means) and many healthcare CIOs are floundering with limited resources for evaluating the security of the applications they buy. A security certification could help them make some headway on this I think.

Done the right way, a security certification could help set a new bar for how vendors approach security. That could be a very good thing. Of course, if not updated regularly and effectively, it could also require a bunch of hoop jumping that doesn’t provide real value. It’s a tricky challenge.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.
