Healthcare Data Privacy Checkup – The Integris Software 2019 Data Privacy Maturity Study
Integris Software recently surveyed an exclusive community of 258 top business executives and IT decision makers at mid- to large-sized enterprises across six verticals, including financial services, technology and healthcare.
Key findings from the full report included: that most organizations expressed overconfidence in their technical maturity; that a proliferation of data sharing agreements is causing issues across industries; and that data privacy concerns affect a wide range of business decisions, from M&A to machine learning and AI projects.
In this second part of our series investigating the state of data privacy maturity and security, we analyzed the technical and organizational data privacy maturity levels of leading healthcare organizations.
We found that despite the healthcare industry’s history of stringent privacy regulations, it is not keeping an accurate pulse on the sensitive data it maintains, transmits or acquires.
Even though the industry had the second-largest number of cybersecurity breaches and the highest rate of exposure per breach last year, key healthcare decision makers still expressed overconfidence in their data privacy management practices.
Further, organizational maturity for data privacy management scored much higher, and more consistently, than technical maturity in the study's findings. Although healthcare organizations understand the importance of securing personal data for compliance purposes and invest accordingly, they were not able to effectively track, monitor or know which data they held.
Top findings from the data and privacy research include:
Misplaced Confidence in Data Privacy and Security: While the healthcare industry shows high levels of organizational maturity when compared to other sectors, it still lacks technical maturity.
In addition, data flowing in and out of data lakes is a blind spot for many healthcare organizations. Data lakes ingest disparate pieces of customer data from a variety of sources. When combined, this data has the potential to reveal customer identities along with highly sensitive personal information.
- Within this environment of routine data sharing and collection, more than half (53 percent) of respondents said they needed to access 50 or more data sources to get a defensible picture of where their sensitive data resides.
- Meanwhile, only 50 percent of respondents update their view of the personal data they hold even once a year, and do not maintain an ongoing view of their data under management.
- This finding contradicts the 70 percent of respondents who claimed to be “Very” or “Extremely Confident” in knowing exactly where sensitive data resides.
- Even more concerning, only 17 percent could access their sensitive data across the five common data source types.
Industry Regulations Set the Pace: The healthcare industry is better prepared for security compliance mandates than other industries due to stringent regulations that drive the pace of adoption leading to higher levels of organizational maturity. But these requirements have also led to overconfidence on the technology side, which is where policies get operationalized across the organization. Healthcare organizations must proactively monitor the data they hold and be able to trust the capabilities of their data sharing partners to protect sensitive information.
- An impressive 95 percent of respondents had data privacy teams in place, and over a quarter of respondents (27 percent) had data privacy teams of 25 people or more.
- Organizations were also mature when it came to handling customer consent and communicating when things went wrong. 85 percent had policies, procedures, and mechanisms in place to track customer consent across channels.
- Healthcare companies were best prepared for GDPR with 35 percent scoring themselves as “Fully Prepared.” No one scored themselves as unprepared.
- However, respondents were behind when it came to domestic preparedness. Only 16 percent said they were “Fully Prepared” for the California Consumer Privacy Act (CCPA).
Data Powers the Industry: The healthcare industry relies on and requires extensive data sharing amongst providers, insurance companies, specialists and billing parties to function, but this necessity makes it more challenging to keep sensitive data private.
- A single healthcare transaction may get replicated across a hundred data repositories. Healthcare companies are constantly consuming and sharing information to build better patient profiles and improve outcomes.
- Additionally, as healthcare companies consolidate through mergers and acquisitions, they acquire unknown datasets and data transfer agreements with new business partners.
- Fifty percent of respondents had 50 or more data sharing agreements in place, 20 percent more than respondents across all industries. This is probably due to the highly intertwined nature of the healthcare industry (EHRs, insurance, etc.).
- Respondents were much more confident in their own ability to respect data sharing agreements than their partners’ ability to reciprocate in kind (there was a 61 percent increase in “Very Confident” and “Extremely Confident” levels in their own compliance efforts vs. their partners).
How Healthcare Organizations Can Improve Data Privacy
These study findings and the ongoing data breaches plaguing the healthcare industry paint a dire picture, but organizations can improve their data privacy and security practices. Compliance isn’t enough; to build a more secure future, healthcare organizations need to:
- Harness current technological tools to continuously monitor and map the sensitive data they collect and store across locations.
- Avoid blind spots by also identifying and monitoring data in motion, so they know what data is entering and leaving their organizations and can enforce their data handling policies.
- Establish and enforce their own data retention policies that go above and beyond current requirements.
While the healthcare industry is outpacing many other sectors for organizational data privacy maturity, its volume of severe security breaches and overconfidence in technical maturity are concerning. We hope this study helps shine a light on these contradictions and encourages organizations to improve the health of their data management systems and processes.