Healthcare Industry Takes $6.5B Hit Over Poor Information Security

Technology’s supposed to make us more efficient; more productivity for each hour we invest in a project. It also means less cost associated with the effort. Without the cost benefit, after all, why bother with efficiency?

During the last year or so we’ve seen the evidence of this productivity increase with each new round of earnings reports. This has been a fantastic year for corporate profits, even as the grass roots economy remains in the toilet. While unemployment remains stubbornly above 9 percent nationally, and with even more people out of work but off the books, companies are making record profits making and selling their products and services without adding payroll.

If you are among the un/under-employed, you might not think it’s a very fair shake, but we’ll leave that debate to the Occupy protesters and their foes in D.C. and on Wall Street. For business managers, however, it’s a pretty good deal – invest in new technology and see profits rise.

Yet a study released today by my friends at the Ponemon Institute, sponsored by ID Experts, shows that not every industry seems to understand that the cost savings isn’t just about reducing workforce, but it’s about investing in the right resources. Yes, I’m looking at you, healthcare.

For industries and organizations that deal with large volumes of sensitive information, information security is not an option, yet it seems many healthcare and related companies are trying to cut costs by ignoring their obligations to safeguard patient data and comply with regulations. They are operating in the digital age and a world of mobility and Big Data, but with antiquated policies created for a time when information moved largely on paper. According to Ponemon, the costs of poor information security and inadequate data management cost the healthcare industry $6.5 billion last year.

As the press release announcing the study points out, that $6.5 billion would have been enough to employ more than 81,000 nurses – or to equip the overworked medical administrative staffers with the right tools and training to do their jobs in a manner befitting the trust their patients put in them each day – trust, by the way, that is rapidly eroding. Hey, if you are going to spend that $6.5 billion anyway, why not invest it in the tools to protect information, preserve trust, and provide operational efficiency rather than pay fines, legal fees, and audit costs?

Do it right and the costs might actually decline next year. But I won’t be holding my breath; if I pass out, I might end up in the hospital, and I don’t trust them to keep my information safe.

Harvard Business Review on Communicating Change

Last week I wrote about Trust and the 3PT Model, and how it is essential to communicate IT-driven change down the chain of command in order to get rank-and-file buy in on major new initiatives -- or risk employee revolt and potential project failure.

Today a colleague forwarded a blog post from Chris Musselwhite and Tammie Plouffe, writing for the Harvard Business Review, entitled Communicating Change as Business as Usual, that makes much the same case, though with broader application (and the credibility of the Harvard brand).

The penultimate paragraph is worth repeating here:

"Changing the way you communicate and position change has the potential to transform the way change is perceived and embraced across your organization. Why fight the uphill battle of trying to communicate, develop and inspire your people toward making a change, when you can communicate, develop and inspire people toward making the organization — and themselves — the best in the business?"

It's worth repeating that your ability to get people to recognize change as an opportunity, rather than a threat, may be the most important thing you can do in managing a project. The unknown can be a frightening thing, but I believe optimism is contagious and that people are inclined to be inspired by leader who conveys positive confidence.

Spreading the contagion of optimism, however, requires effective communication.

I'm Baa-aack!

After a couple years of focusing my blogging efforts on providing content for the Ponemon Institute, I’ve decided to revive Private Communications.

For five years I worked as an independent contractor/consultant in the area of privacy and communications. And while I gave up the glamorous life of self employment this past March in order to take up a new (and decidedly less public) challenge at EMC, it doesn’t mean that I’m out of the privacy game. To the contrary, EMC’s focus on cloud computing and big data means there will be plenty of opportunities to put my wealth of knowledge and experience to use. Issues like trust, and governance, risk and compliance (GRC) are all issues that intersect where EMC is and is headed.

I will speak for myself in this forum and not for my employer. I have no role in policy here, nor do I have any authority make statements on behalf of EMC. I may be inspired by some of the things we’re doing, but don’t flatter me by thinking I have any special insight specific to EMC. I don’t.

If you decide to make any investment decisions based on anything I write here, you are a fool.