With health records security is an afterthought

The eHealth Vulnerability study released today sounds self-serving, but does make clear that health IT is something of a technology backwater where security and patching has yet to catch up with supply or demand.

The group represents existing players in health care, security and IT, rather than the groups seeking to mandate use of electronic health records.

What their report (PDF) finds, basically, is that routine patches often aren't made to hospital programs, that standard security monitors often aren't used, and that no one group has yet established best practices, especially in the area of securing the data.

In some ways this is a chicken-or-egg situation. You need a market before you can build the bureaucracies needed to monitor it -- even the private organizations. But without some assurance of security and privacy the market just won't develop.

The timing of this report, and the HealthIT bill, also points out the problem. These folks should be on the same side. The fact that they're obviously working at cross-purposes, one stepping on the momentum of the other, shows just how deep the problems in this business lie.

There are some awesome opportunities here, for big mainline software vendors, security firms, and privacy auditors. But consumers are going to demand this work be done before they trust any system, even one mandated by law.

The work of the HealthIT coalition just got a lot harder.