Despite big security risks, healthcare leaders say they're sure of their preparedness
Healthcare executives and IT leaders are overconfident regarding data privacy management, according to a new report from vendor Integris Software.
Its study of 258 business executives and IT decision makers found that 70% of healthcare leaders were "very" or "extremely confident" in knowing exactly where sensitive data resides; less than half update their inventory of personal data once a year or even less.
Despite the healthcare industry's history of stringent privacy regulations, as well as an understanding of the importance of securing personal data for compliance purposes, respondents were not able to effectively track, monitor or know which data they held.
More than half of respondents to the survey said they needed to access 50 or more data sources to get a clear picture of where their sensitive data resides.
"Compliance efforts to protect personal data are nothing new to the healthcare industry, so it's no surprise that respondents scored very high on organizational data privacy maturity, which makes them feel they've got things under control," Kristina Bergman, founder and CEO of Integris, told HealthcareITNews.
For example, according to the study, 98% of those surveyed have a process in place to identify and mitigate privacy risk.
Healthcare companies were best prepared for GDPR, with 35% scoring themselves as "fully prepared" and no one claiming to be unprepared, but respondents appear to be behind when it comes to domestic regulatory preparedness.
Too much confidence in outdated documentation processes
Bergman said that as an industry, healthcare organizations have spent a lot of resources mapping out workflows, conducting surveys and introducing data handling guidelines.
However, she noted respondents are placing too much confidence in documentation and process, pointing out that operationalizing data privacy requires applying that knowledge to an increasingly diverse and expanding set of data repositories.
"In today's world of data-intensive healthcare operations and big data, data privacy requires real-time knowledge about your data and data flows," she said. "The disconnect is coming from respondents' lack of technical data privacy maturity."
The study showed that the vast majority of healthcare companies simply don't have the tooling in place to access and monitor the volume, variety, and velocity of personal data flowing in, out, and across their organizations.
Bergman said that to get up to par, organizations should implement data privacy automation to support their internal data use policies and third-party data sharing agreements.
"Once they have an accurate inventory of their data, they can reallocate resources to better protect their most sensitive assets," she explained. "Automation could be a key technology for improving data security practices at scale."
For example, data privacy automation can tell users that there's sensitive information sitting in a database that should be encrypted, and can then kick off an automated workflow to an encryption vendor to encrypt the data.