Saturday, February 6, 2010

Privacy or Security - what's more important?

While the standards are shaping up, and there is monumental work to be done in a relatively short amount of time. How do you choose which one to do first. It is clear that a reasonable prioritization is needed, some things are relatively more important than others.

Same argument applies to establishing a privacy and security policy. That begs the question - What's more important? Should an organization establish and implement a privacy policy first or should it ensure that a consistent standards-based security policy is implemented so no breach happens in the first place. If you answered "Both", you are on the right track as potentially judged by any reasonable person. However, an organization with limited resources can have the right intent but some things do need to take precedence over others so the implementation goal can be realized.

Establishing and implementing a consistent privacy policy takes precedence and requires unwavering support in any health care organization. Security policy is highly important but it need not be standards-based right for the get-go. You might have heard the saying "Security implementation is a function of the size of your wallet". You can build elaborate checks, audits, disk/server-space, authentication and authorization and make them consistent across the organization if you have the right kind of money to throw at it. With limited funds, you can still uphold the goal of data security by adopting security policies that allow for individual businesses within the organization to have their respective security policies which meet the data security aims. For instance, to fulfill the goal of role-based security, individual businesses can implement an elaborate suite of roles and implement a sophisticated and highly automated mechanism OR can decide a maintain a combination of spreadsheets and manual tracking to fulfill the goal. Either way, the security goal will be fulfilled.

No comments:

Post a Comment