IT (information technology) is about executing predictable business processes.

Doctors are about handling the unexpected and dealing with the extreme and unfamiliar like lymphedema.

If they are ever to bridge this gap, IT and physicians must adopt a common goal and a common language – a language of patient-centric threat analysis.

Why is there a valley of death between IT and physicians?

When a company or business unit needs a new line-of-business software application, IT staffers will do a system analysis starting with business requirements and then proceed to buy or build an application and deploy it.

Similarly, when the bio-informatics group in a healthcare organization needs a better EHR system, system analysts do requirements analysis, test products, and proceed to buy and deploy a new EHR solution.

Things have changed, in IT and medicine, and not necessarily for the better.

Web 2.0 SaaS (software as a service) offerings, mobile health apps and private social networks for healthcare delivered as a consumer service can replace those old structured systems development methodologies.

There are, of course, good things about not having to develop a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but there is also a downside to not implementing apps according to a structured systems design methodology. Without a plan and a structured methodology, you end up with a patchwork of complex and buggy software, with all kinds of glue and baling wire holding things together.

Complex buggy software is insecure software, software that threatens patient privacy and does little to help physicians make easier and faster decisions and keep their patients healthy.

Then there is lip service to so-called user-centric development methodologies which, despite their intrinsic value, are often ignored in the breach by practitioners. As important as user-centric design is, it is still not a replacement for a serious look at business and end-user patient requirements.

IT is busy talking to vendors and doctors are busy installing iPad apps because they can’t get the answer from IT.

This deepens the fundamental divide, the metaphorical valley of death of mentality and skill sets between IT and medical professionals.

  • IT is about executing predictable business processes.
  • Medicine is about reducing the impact of unpredictable events.

IT’s “best practice” is technology – things like firewall/IPS/DLP. IT is concerned with unconventional threats (for example a combination of trusted contractors exploiting defective software applications, or hacktivists or competitors mounting APT attacks behind the lines).

IT management tends to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first-principles threat analysis and discovering that the problem has nothing to do with malware on the network and everything to do with crappy EHR software that kills customers because it doesn’t help the doctor on the front lines.

Patient threat modeling and risk analysis is the antithesis of IT installing a firewall, anti-virus or IPS.

Analyzing the impact of clinical issues requires hard work, hard data collection and hard analysis, followed by education and implementation.

Patient risk analysis may yield results that are not career-enhancing, and as health issues like lymphedema grow to pandemic proportions, with big and expensive consequences for public health, the IT security valley of death deepens and becomes harder to traverse.

There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT is primarily systems- and procedures-oriented instead of patient-health- and safety-oriented.

Truly – the essence of healthcare is protecting the health of patients who use a healthcare provider’s products and services.

What is the point of complex and costly EHR systems and losing patients simply because the organization is focused on “big data” instead of helping doctors understand and treat pandemics like lymphedema effectively?

Clearly – the challenge of running a profitable company that values patient health must be shouldered by IT and medical teams alike.

Around this common challenge, I propose that IT and clinical care teams adopt a common goal and a common language – a language of patient-centric threat modelling – threats, vulnerabilities, attacks, entry points, assets and evidence-based medicine.

This may be the best or even the only way for IT and doctors to traverse the valley of death successfully.

Danny Lieberman is the authority in applying threat analysis to Governance, Risk, and Compliance (GRC) in healthcare. He is a sought-after speaker, prolific blogger on healthcare technology, and advisor on software security and privacy compliance issues to healthcare and medical device vendors. He is passionate about Pathcare: the private social network for a doctor and her patients. Danny is a solid-state physicist by training, professional programmer by vocation and avid amateur saxophonist and biker.
