Data privacy has been a hot topic recently in healthcare and continues to be a primary concern for organizations around the world. As data ownership is becoming better defined, regulations are being enacted that put individuals in charge, giving citizens ownership of their data. The European General Data Protection Regulation (GDPR) is one prominent example of this, and similar regulatory efforts are underway globally that have implications for healthcare providers.
With regulations that shift data ownership and control to the consumer, it’s becoming a requirement for organizations to answer patient questions such as “Who has accessed my data?” or “Can I see all my information?” Yet today, many organizations are unprepared to respond.
As a result, providers must prioritize building the operational capability to adequately address these types of questions. Here are four steps you can take with your teams to develop an effective data privacy and protection strategy.
Identify all your users and access points to improve data management
Hundreds of clinicians and staff access patient information within a busy health system from multiple locations using multiple devices. Many organizations are making mobile experiences available to empower providers to do their jobs more efficiently wherever they are. While these are positive steps forward, you need to carefully consider how the trade-off for more user-friendly experiences may increase risks related to privacy. For instance, nearly a quarter (23%) of all data breaches happen in the health industry, and attacks are becoming more frequent.1
Patients need to be able to trust that their health organizations can deliver full transparency when it comes to identifying who has accessed their records. By setting up systems that control access and log activity based on roles, devices, apps, locations, and various risk factors, you enhance your ability to keep data protected. You can even grant conditional or limited access based on compliance standards and monitor data access and sharing.
What’s important are consistent policies for managing access and permissions across your organization, as well as systems that keep track of what information has been accessed by whom.
Building a comprehensive understanding of access points and user activity enables you to implement better data controls and keep patient health information secure.
Classify your records consistently to protect sensitive patient health information
Not all patient data is created equal. Certain information is classified at differing levels of sensitivity and must be treated accordingly. Most health organizations have a system in place for classifying medical records, yet the process often involves manual tagging or coding. While this may work for smaller organizations, as your volume of patient data increases, maintaining compliance using manual or outdated methods becomes a significant challenge.
By leveraging technology to automatically classify records on a clinician’s behalf according to system-wide classification protocols and global industry standards, you can help ensure greater consistency and compliance within your organization. This may include actions such as encryption, restricting access rights, applying visual markings or a watermark, applying a retention or deletion policy, or even blocking sharing capabilities. You can also track the flow of sensitive data across devices, apps and services to enable a quick response in the event of potential abuse or policy violations.
In scenarios where automation is not feasible, intelligent recommendations can still help improve classification. For instance, a system can indicate how similar information was classified in the past, giving the user data-driven guidance to enforce the right behavior. What’s essential is a consistent approach—one that minimizes manual steps and that can handle data coming from a variety of sources and formats.
Infusing intelligence into the classification process helps you save time while maintaining compliance and uniformity, as well as enhancing layers of protection in the event of a breach.
Assume breach and plan accordingly
Health information continues to be a highly valued commodity within the hacker community. The 2018 HIMSS Cybersecurity survey found that nearly 76 percent of healthcare organizations had a significant security incident in the past 12 months.2 Despite this ongoing trend, many providers still lack the appropriate personnel or financial resources to adequately mitigate and prevent cyberattacks.3
Healthcare organizations shouldn’t be asking if they will experience a breach; they should be asking when. Maintaining constant vigilance and readiness will enable you to respond more effectively when the next breach attempt does occur.
Guarding against threats involves answering preemptive questions like: How do we manage data day-to-day? Where are our biggest risks and how are we mitigating them? What will we use as a backup if something is compromised?
In addition to well-crafted policies and processes, technology can play a significant role in keeping bad actors out. Major cloud providers help you monitor your information and offer services that do much of the legwork on your behalf to stay ahead of breaches.
By taking advantage of a cloud-based system with advanced threat protection, you can more effectively protect your data and detect and respond to threats, while gaining a powerful partner to support your reporting needs.
Ensure you have comprehensive reporting to meet audit requirements
With regulations such as GDPR going into effect, reporting standards are still evolving, but the bar will likely be higher than what many health organizations are equipped to address.
Even though requirements for reporting are in the process of being defined, providers can prepare by building an understanding of their existing reporting capabilities, and ensuring they are able to show they are following the law. For example, organizations may not have auditable methods for demonstrating consistent patient data classification, or for validating that sensitive information is managed differently than other types of data. The same goes for access policies—providers may need tools to report on who has accessed what, from where, and when.
Knowing what your organization’s reporting capabilities are today enables you to comply with the coming regulations and establish processes to identify, review and promptly report any issues.
Your data privacy strategy starts here
As new regulations continue to emerge around the globe, it’s important to recognize that meeting today’s data privacy and protection standards is a journey, not a one-time fix. That journey needs to be an organization-wide effort, which is why these topics are critical discussions to facilitate across your team.