To the best of this blog's knowledge, Hippocrates never once turned on a computer, woke up in a cold sweat at night worried about electronic medical record (EMR) data breaches or cursed loudly (though surely eloquently) while sifting through the roughly 68,000 ICD-10 codes to distinguish toxic sting of a scorpion, subsequent encounter (T63.2X1D) from initial encounter with other, less-worthy-of-classification, arthropods (T63.481A).

What Hippocrates did, however, was bind healthcare provider organizations everywhere to a definite and required task: make cyber security a core component of your health IT initiatives. It's in the Hippocratic Oath.

For more than 2,000 years, physicians have taken the oath that bears his name—a tradition that has outlasted empires and emperors, supersedes national borders and survives, generation after generation, because its basic tenets of moral ethics are innate, universal and powerful. The Hippocratic Oath is the same whether you’re a country doctor or a Kaiser CMO. You are not a vendor—you are a caretaker of human life.

A Latin precept usually attributed to Hippocrates, primum non nocere, sums up the core of the Oath nicely: first, do no harm. But “first, do no harm” is not the extent of the Oath.

The Oath itself goes further: doctors swear to “keep [patients] from harm and injustice.”

In the digital IT enterprise, harm and injustice are often only a mouse click away. A staff member visiting a website that serves malicious software can, for example, trigger remote code execution through a vulnerability in the browser or one of its plug-ins, infecting the workstation and the network behind it and opening the door for bad actors to protected health information (PHI). That is tantamount to a violation of the most basic principle of doctor-patient trust.

PHI is vital data in a way nothing else is. It cannot simply be cancelled like a compromised credit card number. PHI is descriptive, biographical and often so intimate as to only be shared—sometimes reluctantly so—behind the closed doors of a doctor’s office. PHI is not a record that exists independently of the patient. It is the patient, in ever so much detail. 

What can be a greater violation of trust—of the basic Hippocratic oath—than to have your confidential personal health records revealed without consent, posted on the Internet or used to commit financial fraud?

Digitizing health information cuts both ways. Data can be de-identified, stored and accessed far more easily, and used for large population studies of disease spread and control. But the same digital data can be compromised with a single click, and in volumes no filing cabinet of paper records could match.

As we move into the digital health record era, we must do so with the words of the Hippocratic oath bolted onto our servers and emblazoned on the splash screens of our applications.

Above all, "keep [patients] from harm and injustice."

Cyber security is a core element of this protection, not simply a feature, as Hippocrates might have advised had he been born in the digital age.

Because of the wide range of promised benefits for health IT, the full extent of the risk documented by cyber security lapses may not be clear to every provider. Yet data breaches of patient records are already significant, and they will continue to grow in 2014. As of this writing, 674 breaches affecting 500 or more individuals each are listed on the U.S. Department of Health and Human Services breach portal, the so-called Wall of Shame, a project begun in September 2009—and there are thousands of additional incidents affecting fewer than 500 individuals that are not posted there. In the roughly four years since the portal's inception, the industry has averaged more than 161 listed breaches per year, or more than three breaches of 500 or more records every week.

These statistics do not provide the sense of safety expected by patients.

Keeping them from harm and injustice is an absolute, not an “if possible.”

If your healthcare organization hasn’t yet been compromised, consider yourself fortunate. Healthcare is projected to be one of the primary targets for bad actors in the near future due to increased adoption of EMRs, the rising black-market value of medical records and the industry's relative inexperience in the digital realm compared with sectors such as defense and finance, which have long had to fight off hackers, criminals and nation-state threats.

And if the words of Hippocrates don't sway your organization, perhaps a more acute warning will. According to a 2012 Ponemon Institute study, healthcare has the highest per-capita cost per data breach of any industry. While a large percentage of data breaches to date can be attributed to physical security lapses, such as lost or stolen laptops holding unencrypted health records, sources like the 2013 Verizon Data Breach Investigations Report point to the healthcare industry increasingly being targeted by hackers and malware. Meanwhile, Ponemon’s third annual study on patient privacy and data security put the cost of healthcare data breaches in 2012 at $6.78 billion, and ninety-four percent of participating healthcare organizations reported at least one data breach. And those are only the compromises we know about.

Cyber security, of course, is not a subject found in "Gray’s Anatomy" or taught in medical schools, nor should it be.

After all, medicine is a profession of specialists, and cyber security is its own discrete profession apart from—yet integral to—general IT. Just as a healthcare organization would never ask a doctor to fix the plumbing or an obstetrician to perform an organ transplant, so too must the healthcare enterprise engage cyber security experts who understand the security controls and defense-in-depth principles used to protect any vital data.

In 2014, we urge increased use of third-party vulnerability scans, widespread deployment of managed security services and an absolute focus on tools and techniques, such as data loss prevention (DLP) products, that secure all digitized health records. Given how many of the breaches tallied so far trace back to lost or stolen devices holding unencrypted records, encrypting PHI at rest on every laptop and portable drive belongs at the top of that list. This should be done before the current rate of data breaches escalates even further, leading to more multi-million dollar fines, damaging the reputation of healthcare organizations, violating the privacy of patient health records and eroding patient trust in the overall network of healthcare providers.
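To make the DLP recommendation concrete, here is an added example (not code from this blog or from any DLP vendor) of the kind of content inspection such a product applies to an outbound message: it scores the message on the PHI indicators it contains and either allows it, blocks it for review, or redacts the direct identifiers. The sample messages are constructed, the MRN format is hypothetical, and the weights and block threshold are assumptions chosen for illustration; a real policy would be tuned against the organization's own data.

```python
"""Toy DLP-style content inspection for PHI indicators.

Added example, not the blog's code.  Scores a message on the identifiers it
contains and decides whether an outbound copy should be allowed or blocked.
"""
import re
from dataclasses import dataclass, field

# Weighted indicator patterns.  The weights, the block threshold and the MRN
# format are assumptions for this example, not any vendor's policy.
INDICATORS = {
    # U.S. SSN, rejecting area/group/serial values the SSA never issues.
    "ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), 3),
    # Hypothetical medical record number: the label 'MRN' plus 6-10 digits.
    "mrn": (re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE), 2),
    # Labelled date of birth in MM/DD/YYYY form.
    "dob": (re.compile(r"\bDOB\s*[:#]?\s*(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b",
                       re.IGNORECASE), 1),
    # ICD-10-CM diagnosis code: category (letter, digit, alphanumeric) plus an
    # optional 1-4 character extension after the dot, e.g. T63.2X1D.
    "icd10": (re.compile(r"\b[A-TV-Z]\d[0-9A-Z](?:\.[0-9A-Z]{1,4})?\b"), 1),
}
BLOCK_THRESHOLD = 3          # assumed policy: SSN alone, or MRN plus one more, blocks
REDACT = ("ssn", "mrn", "dob")  # direct identifiers masked by redact()

# Constructed sample messages; no real patients or identifiers.
SAMPLES = [
    "Reminder: the clinic closes at noon on Friday for the staff meeting.",
    "Patient MRN 00482913, DOB 03/14/1961, dx T63.2X1D. Please forward to billing.",
    "The new coding cheat sheet lists T63.481A as other arthropod venom.",
    "Here is the SSN 123-45-6789 for the insurance form, thanks.",
]


@dataclass
class ScanResult:
    score: int
    hits: dict = field(default_factory=dict)  # indicator name -> matched strings

    @property
    def verdict(self) -> str:
        return "block" if self.score >= BLOCK_THRESHOLD else "allow"


def scan(text: str) -> ScanResult:
    """Score a message.  Each indicator type counts once no matter how often it
    appears, so a coding cheat sheet full of ICD-10 codes is not mistaken for a
    patient record, while a diagnosis code next to an MRN and a DOB is."""
    result = ScanResult(score=0)
    for name, (pattern, weight) in INDICATORS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            result.hits[name] = matches
            result.score += weight
    return result


def redact(text: str) -> str:
    """Mask the direct identifiers so the message can be released without them;
    diagnosis codes are left alone because they identify nobody on their own."""
    for name in REDACT:
        pattern, _ = INDICATORS[name]
        text = pattern.sub(f"[REDACTED-{name.upper()}]", text)
    return text


if __name__ == "__main__":
    for message in SAMPLES:
        result = scan(message)
        print(f"{result.verdict:5} score={result.score} hits={sorted(result.hits)}")
        if result.verdict == "block":
            print("      redacted:", redact(message))
```

The point of counting each indicator type once is the usual DLP trade-off: naive pattern matching on a billing department's mail would block every message mentioning a diagnosis code, so the rule combines weak indicators and blocks only when a direct identifier (SSN, or MRN with a second clue) is present.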

Just as doctors advise patients, a small amount of preventive care now avoids ill effects later, whether that means monitoring blood sugar before it becomes diabetes or monitoring for intrusions before they become PHI data breaches.

Many products and services exist to protect digital records and assess cyber vulnerability across the enterprise. It is the responsibility of health IT to evaluate those products and to provide the most cost-effective, secure IT environment possible, so that healthcare professionals can continue to leverage the revolutionary power of IT to achieve new and better clinical outcomes and research discoveries, rather than rendering potential tools useless through a lack of vigilance.

Trust is the cornerstone of the practice of medicine. Patients trust the judgment of physicians, healthcare organizations trust their physicians to order only necessary procedures and insurance companies trust that the bills submitted to them for payment are accurate. Fraud, lost equipment and lost records all contribute to the erosion of this base of trust.

Does the industry have to continue down this path of simply hoping attacks don’t occur? Certainly not. The value of health IT, and more to the point the responsibility of health IT, is to protect and secure PHI, because in doing so it protects and secures the patient himself or herself. Anything less is an abdication of fiduciary and medical responsibility—from those who originally generate the digital health data all the way up to the board of directors of a particular healthcare organization.

We know this because we’ve all been told it for 2,400 years, generation after generation.

Keep them from harm and injustice.