By Gary Palgon
At hospitals and healthcare systems worldwide, data is flowing in at a faster rate from a wider range of sources and in a broader variety of formats than ever before. This data is incredibly valuable. Healthcare organizations that unlock the value of their data can gain new perspectives on population and individual health management and identify ways to continuously improve patient care and operational efficiency.
Data can yield insights that drive organizational effectiveness and inspire next-generation innovations. But first, healthcare organizations must meet the challenges posed by modern data’s higher volumes and greater complexity. They must contend with ever more sophisticated security threats, comply with constantly changing data privacy regulations and standards, and meet patient privacy expectations.
However, a new report from leading industry analyst firm Aberdeen suggests that healthcare organizations, while more aware of data compliance requirements, are failing to meet regulatory standards at an alarmingly high rate, and that is only for the data they use today. Aberdeen’s report, “Enterprise Data in 2018: The State of Privacy and Security Compliance in Healthcare,” outlines the challenges they face.
Authored by Derek Brink, vice president and research fellow in Information Security and IT GRC at Aberdeen, the report found that the current state of privacy and security compliance is “exceedingly complex, surprisingly immature and disappointingly ineffective.” Brink and his team surveyed more than 360 enterprises to compile the report, including hospitals and health systems.
The results of the survey led Brink to conclude that enterprise leaders – including hospital and healthcare system executives – should strongly consider a new strategy for data integration and management since their current approach to handling data and related processes may be inadequate. The increasing complexity of data integration and management demands new ideas.
The report noted that although compliance frameworks for many regulations and standards have been in place for years, only 65 percent of healthcare organizations report full compliance. For more recent standards like GDPR, the compliance rate dropped to 48 percent. The survey included standards like HIPAA, CFR Part 11, GDPR, SOC2, PCI DSS, and other regulations that govern how organizations handle sensitive data like financial and personal health information.
According to the Aberdeen study, “less than half of healthcare organizations have assigned primary responsibility for assurance of compliance with data privacy and security requirements in a way that’s most likely to be effective.” One issue may be that healthcare organizations tend to appoint leaders who focus on specific compliance initiatives with responsibilities fragmented across multiple groups.
The Aberdeen report also ranked net maturity levels across six key elements of the data lifecycle, rating healthcare organizations’ ability to perform the following data functions: integrate, ingest, manage, store, protect, and syndicate. A score of 50 percent or more indicated a high level of maturity in current capabilities for an element, and a score below 50 percent denoted low maturity.
Healthcare organizations surveyed scored highest on storing, managing and protecting data, but managing was the only element that scored above 50 percent. Data integration was scored at less than 4 percent, and processes around ingesting and syndicating data were also assessed to be immature. The scores suggest that healthcare organizations have a lot of work to do to bring capabilities up to speed.
Despite investing heavily in data security and privacy initiatives, more than 80 percent of healthcare organizations surveyed reported that they’d experienced at least one data privacy and security noncompliance issue over the past 12 months. Noncompliance issues took the form of audit deficiencies or similar findings that required remediation.
Two-thirds of surveyed healthcare organizations reported that they had experienced a data breach during the past year – a “confirmed incident of unauthorized access” to data that is “subject to compliance requirements.” They’re not alone. According to HIPAA Journal, “healthcare data breaches are now being reported at a rate of more than one per day.”
Data breaches at healthcare organizations damage patient trust and can have devastating consequences from an operational standpoint. As new sources of data come online, including wearables that monitor patients’ health remotely and AI-enabled medical devices, the challenges will multiply. The current state of data security and privacy doesn’t bode well for its future state.
The Aberdeen report offers a prescription for healthcare leaders who are struggling with compliance issues: “Given the complexity, costs, and consequences, the current state of privacy and security compliance for enterprise data in healthcare makes a compelling case for using third-party solution providers for integrating and managing … data and data-related processes.”
The Aberdeen report provides a sobering look at the scale of the challenges healthcare organizations face. It’s clear that the fragmented approach many hospitals and health systems currently use isn’t working, and the scope of data privacy and security requirements is expanding. A partnership with a full-service data integration and management specialist can help healthcare organizations meet the challenge today and set the stage for compliance and data-driven innovation in the future.
About the author: Gary Palgon is vice president of healthcare and life sciences solutions at Liaison Technologies. In this role, Gary leverages more than two decades of product management, sales, and marketing experience to develop and expand Liaison's data-inspired solutions for the healthcare and life sciences verticals. Gary's unique blend of expertise bridges the gap between the technical and business aspects of healthcare, data security, and electronic commerce. As a respected thought leader in the healthcare IT industry, Gary has had numerous articles published, is a frequent speaker at conferences, and often serves as a knowledgeable resource for analysts and journalists. Gary holds a Bachelor of Science degree in Computer and Information Sciences from the University of Florida.