Taming the Healthcare Compliance and Data Security Monster: How Well Are We Doing?

Posted on October 18, 2018 | Written By

The following is a guest blog post by Lance Pilkington, Vice President of Global Compliance at Liaison Technologies.

Do data breach nightmares keep you up at night?

For 229 healthcare organizations, the nightmare became a reality in 2018. As of late August, more than 6.1 million individuals were affected by 229 healthcare-related breaches, according to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – commonly called the HIPAA “wall of shame.”

Although security and privacy requirements for healthcare data have been in place for many years, the reality is that many healthcare organizations are still at risk for non-compliance with regulations and for breaches.

In fact, only 65 percent of 112 hospitals and hospital groups recently surveyed by Aberdeen, an industry analyst firm, reported compliance with 11 common regulations and frameworks for data security. According to the healthcare-specific brief – Enterprise Data in 2018: The State of Privacy and Security Compliance in Healthcare – protected health information has the highest percentage of compliance, with 85 percent of participants reporting full compliance, and the lowest compliance rates were reported for ISO 27001 and the General Data Protection Regulation at 63 percent and 48 percent respectively.

An index developed by Aberdeen to measure the maturity of an organization’s compliance efforts shows that although the healthcare organizations surveyed were mature in their data management efforts, they were far less developed in their compliance efforts when they stored and protected data, syndicated data between two applications, ingested data into a central repository or integrated data from multiple, disparate sources.

The immaturity of compliance efforts has real-world consequences for healthcare entities. Four out of five (81 percent) study participants reported at least one data privacy and non-compliance issue in the past year, and two out of three (66 percent) reported at least one data breach in the past year.

It isn’t surprising to find that healthcare organizations struggle with data security. The complexity and number of data types and data-related processes in healthcare are daunting. In addition to PHI, hospitals and their affiliates handle financial transactions, personally identifiable information, employee records, and confidential or intellectual property records. Adding to the challenge of protecting this information is the ever-increasing use of mobile devices in clinical and business areas of the healthcare organization.

In addition to the complexities of data management and integration, there are budgetary considerations. As healthcare organizations face increasing financial challenges, investment in new technology and the IT personnel to manage it can be formidable. However, healthcare participants in the Aberdeen study reported a median of 37 percent of the overall IT budget dedicated to investment in compliance activities. Study participants from life sciences and other industries included in Aberdeen’s total study reported lower budget commitments to compliance.

This raises the question: If healthcare organizations are investing in compliance activities, why do we still see significant data breaches, fines for non-compliance and difficulty reaching full compliance?

While there are practical steps that every privacy and security officer should take to ensure the organization is compliant with HIPAA, there are also technology options that enhance a healthcare entity’s ability to better manage data integration from multiple sources and address compliance requirements.

An upcoming webinar, The State of Privacy and Security Compliance for Enterprise Data: “Why Are We Doing This Ourselves?”, discusses the Aberdeen survey results and offers thought-provoking guidance on how healthcare IT leaders can evaluate their compliance readiness and identify potential solutions.

One of the solutions is the use of third-party providers who can meet the data integration and management needs of the healthcare organization to ensure compliance with data security requirements. This strategy can also address a myriad of challenges faced by hospitals. Not only can the expertise and specialty knowledge of the third party take a burden off in-house IT staff, but choosing a managed services strategy that eliminates the need for a significant upfront investment moves the expense from the IT capital budget to the operating budget with predictable recurring costs.

Freeing capital dollars to invest in other digital transformation strategies and enabling IT staff to focus on mission-critical activities in the healthcare organization are benefits of exploring outsource opportunities with the right partner.

More importantly, moving toward a higher level of compliance with data security requirements will improve the likelihood of a good night’s sleep!

About Lance Pilkington
Lance Pilkington is the Vice President of Global Compliance at Liaison Technologies, a position he has held since joining the company in September 2012. Lance is responsible for establishing and leading strategic initiatives under Liaison’s Trust program to ensure the company is consistently delivering on its compliance commitments. Liaison Technologies is a proud sponsor of Healthcare Scene.