Insights from Symantec’s David Finn
**REPOSTED FROM HEALTHITJOBS.COM BLOG Tuesday, January 17, 2017**
What do theater and health IT have in common? A lot, according to David Finn, CISA, CISM, CRISC, member of ISACA, and Health Information Technology Officer for Symantec. Although he now works to combat major cybersecurity issues in health IT, he began his career with a master’s degree in theater. And he’s just as passionate about health IT as a thespian is about their art.
“This may be the most exciting time in the history of healthcare and the most exciting time to be engaged in information technology,” Finn said. “Put the two industries together and you have a chance to really change the world, to make people well and keep them healthy with technology. You have the opportunity to change the way healthcare is delivered, making it cheaper, better, and faster than we ever imagined.”
We spoke with Finn to talk about his unique path into the field, cybersecurity, and the future of health IT. Here’s what he had to say:
Where art meets science
While a theater degree and IT seem like an odd pairing, Finn sees his career as a natural progression. Many of the concepts he learned in theater actually apply to skills he’s needed to succeed in IT.
Theater is about understanding what drives people to do things the way they do. So, writing code was an easy leap from theater — I was telling a computer what to do to elicit a particular input from an end-user. Play script or deck of punch cards, it was the same process to end production.
For several years, I moved back and forth between IT audit and what was then called management information systems. As an auditor, I learned controls and risk. In IT, I learned that operations for an organization were much more critical than filling out the questionnaires “properly.” Both were important lessons, and they shouldn’t be mutually exclusive. I had been an auditor at a major Integrated Delivery System and I had seen IT from both sides, but “cyber security” hadn’t really been invented yet.
When I had the chance to move from IT consulting to security in healthcare — this is still before HIPAA was in effect — I jumped at it. It was like writing my own play, where operations and security actually worked together. The best art comes from constraints and limits. The best systems are created when security is built into operations and workflows. An uncontrolled system is as worthless as one that is so locked down, no one can use it.
Taking the path less traveled
For professionals with unusual educational backgrounds looking to enter health IT or even those with at least some of the technical fundamentals, Finn suggests they start on the clinical side.
Learn healthcare first, preferably from an operational perspective, then move to technology. People with clinical backgrounds are in great demand.
So if you are in IT already and want to move to health IT, start to learn how healthcare works. Volunteer at a hospital to see and understand the needs. Take classes. There are more and more educational opportunities to learn health IT. Get certified in privacy or security in healthcare.
Getting involved
Learning the ins and outs of healthcare is just the first step. Finn believes it’s important for all professionals to earn certifications and participate in organizations like ISACA to keep their skills sharp.
Certifications are critical to maintain professionalism and stay current in a world that changes, literally, hour by hour. It is nearly impossible to keep up on your own. And belonging to organizations like ISACA provides the platform, training, and education to keep up with the times.
ISACA is one of the best professional membership organizations worldwide and it is directly related to some of the most important work going on in the world — protecting our information and our identities. ISACA defines the roles of information systems governance, cybersecurity, audit, and assurance.
One of the things that our cyber world has done is shrink our “real” world. Cyber is global, and our training, education, personal network, and certifications should be as well.
The security problem
Security is one of the biggest issues in health IT right now, but Finn thinks the nature of healthcare will require different solutions.
In my opinion, there are two main barriers to better security in healthcare. First, because healthcare was late to digitizing business, there was never really a need for cybersecurity. When you could lock up all the medical records in the records room, security was easy.
Then we rolled out Electronic Medical Records (and that happened quite fast, frankly), but it happened with little attention to privacy and security because no one understood that was a need. So, you have this historical lack of attention to and investment in security.
Now, people are beginning to understand. After millions of breached records and hundreds of hospitals shut down or slowed down due to ransomware, it is beginning to sink in. Not unrelated to that is the fact that privacy and security was pushed out under HIPAA as a compliance issue. It was more important to check the boxes than to really implement effective, risk-based policy and procedure.
Second, healthcare is a uniquely difficult environment to secure against cyber threats, and often, security measures conflict with care delivery or research. There are a lot of shared devices, many of which are critical to patient care. Routine security measures in other industries sometimes won’t work in a clinical context. You can’t just log a doctor off the system if his session times out in surgery.
Information and trust
Despite ongoing challenges, Finn sees health IT as an exciting field that’s improving information and trust in the healthcare system.
Introducing information technology to healthcare has already changed it forever. One could argue about which changes are for the good and which may be a step backward in the patient-caregiver relationship, but healthcare will never be the same. I believe, overall, these changes have been and will be immensely positive.
Healthcare has always been about information: the details the patient can provide, the results of tests, what the physician knows about a specific disease or certain populations of people. But as we learn more, no one person can retain enough information to effectively correlate and synthesize millions of pieces of data. IT makes that possible. IT will be as indispensable as the stethoscope — and may replace it.
How do security, assurance, and privacy play into that? It’s about trust. If patients can’t trust doctors with their information, if physicians can’t trust the veracity of information from patients or other providers, if we don’t know who we are actually talking to or caring for, that is the end of healthcare.
As we have digitized healthcare, we have made information security and privacy a strategic function of providing care and the business of healthcare. Data may run at internet speed, but healthcare runs at the speed of trust.