Healthcare leaders may have a false sense of security regarding cybersecurity

July 1, 2019

Survey results from Integris Software indicate some overconfidence among top business executives and IT decision makers at healthcare and other organizations regarding their data privacy management. The Integris Software 2019 Data Privacy Maturity Study, in which highly regulated industries were well represented (financial services 21 percent, healthcare/pharma/medical devices 18 percent, and government 7 percent), also suggests that organizational maturity for data privacy management scored much higher and more consistently than technical maturity.

According to another study, from the Identity Theft Resource Center, healthcare had the second largest number of breaches of any industry in 2018 and the highest rate of exposure per breach.

Kristina Bergman, Founder and CEO of Integris Software, spoke with Healthcare Purchasing News in particular about the idea that while industry regulations may have prepared healthcare organizations for security compliance, they have also led to overconfidence on the technology side, which she says is where policies get operationalized across the organization.

“There’s often a disconnect between the policies and contracts that have been agreed to on paper and what’s happening with the actual data,” Bergman told HPN. “For example, a hospital may have policies in place dictating that certain patient data must be encrypted at rest, or de-identified when streaming into a data lake for analysis. Operationalizing these policies means that there are controls in place to ensure these policies are being followed, alerting team members to violations, and automating remediations like kicking off a workflow to an encryption vendor.”

Furthermore, Bergman says that as healthcare companies consolidate through mergers and acquisitions, they acquire unknown datasets and data transfer agreements with new business partners, which can complicate matters.

“The point here is that as data is acquired through the M&A process, healthcare companies are at risk of acquiring unexpected, inappropriate, or problematic data,” she said. “Due diligence should include the inspection of data being acquired. This allows the healthcare company to properly evaluate the risk prior to merging large data sets.”

Here are some of the key survey findings:

· Data privacy management overconfidence: 40 percent were Very or Extremely Confident in knowing exactly where sensitive data resides despite taking inventory only once a year or less; and a mere 17 percent of respondents are able to access sensitive data across five common data source types.

· Data privacy impacts much more than regulatory compliance: Enforcing internal data handling policies like classification and retention was cited 69 percent of the time. Proving compliance with business obligations like data sharing agreements was cited by 63 percent of respondents. About one third of respondents cited the impact on M&A due diligence (34 percent) and data lake hygiene (32 percent). About a quarter of respondents (24 percent) viewed data privacy as impacting the delivery of AI/ML projects.

· The proliferation of data sharing agreements: In the wake of the misuse of data sharing agreements like the one between Facebook and Cambridge Analytica, enterprises seem to be more aware of such agreements; 40 percent of respondents had 50 or more of these data sharing agreements in place. However, respondents reported being 43 percent more confident in their own ability to be compliant than in their partners’ ability.

· Data privacy management budgets reside in IT departments: About 50 percent of data privacy budgets are concentrated in IT departments. Technology leaders are increasingly being tasked with operationalizing their companies’ data privacy management program. Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.

Additionally, respondents were behind when it came to domestic preparedness. Only 16 percent said they were “Fully Prepared” for the California Consumer Privacy Act (CCPA).

“Fully prepared is a high bar,” Bergman said. “Compliance comes down to doing two things really well: 1) understanding where sensitive data resides across all data sources, and 2) mapping that data back to data handling obligations. In today’s world of data-intensive healthcare operations and big data, data privacy requires real-time knowledge about your data and data flows. The survey showed that only 17 percent of healthcare companies can incorporate all five common data source types into their privacy management programs. If you don’t know what you have, you’re not prepared.”