Security is a growth industry, and, given human nature, can be expected to remain that way. So the title of this article is a kind of stalking horse. Yet one with a point. From the point of view of the consumer of healthcare, one of the most fearful things is to come down with a dread disease and have no insurance coverage. That means confidentiality. That means keeping secrets - from one's insurance company. Granted that is a practical impossibility, it does not matter when it comes to worry and high angst. Still, insurance companies are operated by and for human beings and have all the strengths and weaknesses of human beings. They will do what they are incented to do. In a market that requires underwriting, insurance companies will perform underwriting - or be at the effect of adverse selection, attracting the sickest patients while the competition "cherry picks." However, if legislation were enacted to require community rating and that the preexisting conditions be insured (covered), then there would be a much smaller penalty if your dreaded disease of choice became known to the insurance company. The patient would still have insurance - case closed. Of course, without community rating, one's premiums would go up by an order of magnitude, which is about the same thing as denial of coverage. So the two requirements go hand in hand. That is not to say that the data should be posted on the Internet; yet in the bigger picture, if one can still get insurance, who really cares? Naturally, it might make one less employable because of too many sick days; yet the employer would not be incented to throw the person "over the side" because of the cost of insurance premiums.
Of course, people will care about security because people value their privacy - being able to sit down to dinner without the phone ringing off the hook with marketing calls; being secure in their personal, financial, and medical identities. Yet not because they fear loss of insurance coverage! The point? Regarding data and information security, constant diligence is the order of the day. Yes, technologies such as encryption, passwords, and authentication are critical path. Two-factor security solutions are increasingly in demand by both users and regulators. A two-factor system requires both a password and a device such as a smart card, appliance (phone), or thumbprint (biometric ID). If one is lost or stolen, it is useless without the other factor. But also be aware of social engineering - someone calls up pretending to be the system administrator who has forgotten her or his password. Don't laugh. It has been used - and has worked. Identify and implement related best practices such as never, ever, ever leaving a laptop computer unattended, leaving a laptop visible in a locked car, attaching a post-it with a password to a computer screen, or allowing sensitive data to go off site.
Posted August 31, 2009 8:48 AM