

Participatory Health Care Security

Author: Ed Moyle, Partner, SecurityCurve
Date Published: 17 August 2017

If you have ever wanted to be a doctor but ended up taking a different career path, participatory medicine may be just the new development for you. As its name implies, it is a philosophy of providing health care in which patients abandon their traditional passive stance and instead take an active role in their treatment. Patients become educated about their diagnoses, explore and understand their treatment options (pros and cons of various approaches), engage actively in treatment by asking questions and understanding the “why” behind a particular treatment path (compared with other alternatives), and work collaboratively with their treatment team (i.e., general practitioner, specialists, support staff and other clinicians) as willing and active partners rather than passive subjects.

A few things result from this process. First, patients become more invested in their treatment, often leading to better outcomes. They understand the “core” of the treatment (i.e., the motivations behind it and the mechanics of why and how it is effective), which leads them to follow the treatment path more closely and remain committed to it. Second, it also changes the expectations and perspective of the care providers. Years ago, many clinicians expected the patient to be ancillary to the treatment process—patients were seen by some as a distraction, at best, and a force working counter to treatment, at worst. Participatory medicine is helping to change that perception.

Participatory Security?

While participatory medicine almost always focuses on the outcome of care, the same principle can be used to shore up the patient’s experience in other ways. Specifically, it can apply to the arena of due care in protecting patient records, from both a privacy and a security standpoint.

While it is unlikely that a patient being informed about and engaged in securing their information and keeping it private will lead to improved care, it almost certainly will bolster the care experience overall. And, to be clear, the care experience is a big deal for providers. For example, a survey from Health Forum (part of the American Hospital Association) and First American Healthcare Finance found that institutional providers (hospitals and health systems) are expanding IT budgets, in large part for the specific and direct purpose of improving the patient experience. Seventy-seven percent of those surveyed, for example, reported that technology investments are important specifically because of the impact on the patient experience.1

So, providers want the patient to have a positive experience. And while better security and privacy are not typically something on which patients base care decisions, it is also true that nothing erodes the patient experience faster than a provider losing records, exposing private information or otherwise acting as a less than optimal steward of a patient’s data.

Beyond this, patients taking an active role in the stewardship of their information serves to transform the expectations of the clinical community just the same way that participatory medicine does. It helps clinicians understand that privacy and security are more than just checking a regulatory box; they are issues of true concern to patients.

With this in mind, ISACA has developed some resources to assist. Guidance focused on expanding and extending governance of enterprise IT (GEIT) principles into the clinical space, GEIT for Health Care, is available now. Very often, in an institutional setting, the IP-connected devices that are directly engaged in patient care (e.g., biomedical devices, lab systems, pharmaceutical systems, medical records systems) are managed differently from those on the back end (e.g., email systems, billing). They are often managed by different teams and can even sit on entirely separate networks, although that occurs less frequently nowadays. This makes it a challenge to get the most from governance efforts. The publication draws on principles from COBIT 5, particularly those related to effecting solid and robust GEIT, and discusses the practical aspects of extending those governance principles across both the clinical environment and back-end IT.

From a patient point of view, ISACA developed GEIT for Health Care to outline questions that patients can ask their providers (whether a small local clinic or a large institutional provider) about the security and privacy considerations around their data. By being informed and knowing what their options are, patients can be engaged in keeping their information safe.

Ed Moyle is director of thought leadership and research at ISACA. Prior to joining ISACA, Moyle was senior security strategist with Savvis and a founding partner of the analyst firm Security Curve. In his nearly 20 years in information security, he has held numerous positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers and senior security analyst with Trintech. Moyle is coauthor of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as an author, public speaker and analyst.


1 First American, “Health IT Spending Rises for Patient Satisfaction, Big Data,” Hospitals and Health Networks, 5 January 2017