In a healthcare setting, there’s no doubt that security matters because hospitals deal with sensitive patient data. The only time we hear about data security in healthcare is when something goes wrong, like when there’s a data breach and personal information is accidentally (or maliciously) released into the wild. Security expert Chris Poulin has calculated that more than 24 million electronic patient health records were compromised between 2009 and 2013, with a significant number attributed to lost or stolen computers, USB sticks, and even traditional mail. For example, Montfort Hospital in Ottawa is facing a lawsuit after a USB stick containing information on 25,000 patients went missing. In a related example, three USB sticks containing 18,000 patient records went missing from the Toronto Western Hospital eye clinic; the devices were not protected with medical encryption software, which was against both the hospital’s security policy and the Ontario privacy commission requirements that all mobile devices that carry patient data be securely encrypted.
This is why we have to talk about healthcare network and data security, even if it isn’t a sexy topic. In healthcare IT budgets, the list of priorities usually looks like this: technical support for diagnostic equipment, support for new and existing network devices and network access, storage space, and security. It’s the ‘squeaky wheel gets the grease’ philosophy: it’s easier to focus on the growing need for additional computing power and growing storage requirements, because those systems visibly groan under heavy use. However, IT security shouldn’t be relegated to the bottom of IT budgets, primarily because it costs far more to fix a mistake than it does to prevent it.
It’s not that anyone believes security is unimportant, but in a healthcare system that’s facing so many simultaneous and urgent demands, it’s hard to focus on upgrading something if it’s both invisible and not broken -- at least until the security system gets breached or the low-budget firewall can’t identify and fix the latest zero-day threat. Does the lack of investment in IT security also stem from a lack of sufficient ‘push’ from throughout the healthcare ecosystem – the kind of push you see more frequently in the private sector, where there is a strong correlation between financial security and not wanting to see your company’s name splashed on the evening news because of a data breach? I don’t know. What I do know is that security needs to be baked into every level of healthcare technology and every corner of the IT budget. We need to push for data and network security in a healthcare setting because as patients, we care what happens to our personal data, and as IT professionals, we owe it to our customers to make sure they are protected against potentially dangerous and damaging technological failures. This is a problem we’re going to have to tackle together -- both the medical and IT industries -- because we’re in this together.