Healthcare Intelligence Network

Privacy and security regulations for enterprise data in healthcare organizations are complex and current efforts to bolster enterprise data compliance among all organizations, including those in healthcare, are immature and ineffective, according to a recent study conducted by Aberdeen, an industry analyst firm.

In fact, 86 percent of 112 hospitals and hospital groups in the study are dealing with multiple types of data and data-related processes that are subject to compliance requirements. This is not surprising because healthcare organizations generate, collect, store and manage financial transactions, personally identifiable information, protected health information, employee records and confidential or intellectual property records such as partnership agreements and contracts.

When asked if their organizations were compliant with 11 common regulations and frameworks for data privacy and security, only 65 percent reported achievement. PHI has the highest percentage of compliance reported—85 percent. The lowest compliance rates were reported for ISO 27001 and the General Data Protection Regulation at 63 percent and 48 percent respectively.

To measure the maturity of healthcare organizations’ efforts to comply with privacy and security requirements for data, Aberdeen developed a Net Maturity Index across six key elements of an enterprise data lifecycle. An index score above 50 percent indicates strong maturity in compliance activities and below 50 percent indicates immaturity.

Managing data, which includes normalizing, cleansing, validating and correlating data, earned a 66.6 percent score for healthcare respondents, the only element that indicated maturity. Scores for other key elements were:

• 49 percent for storing data—persistent, on-demand, self-service access to data;
  
• 41.2 percent for protecting data—encryption, tokenization;
  
• 33.4 percent for syndicating data between any two applications—including mobile, connected devices, on-premises or cloud;
  
• 25.4 percent for ingesting data into a common repository—cloud-based, data lakes; and
  
• 3.9 percent for integrating data from multiple sources—disparate sources, formats and protocols

The immaturity of the data lifecycle and associated enterprise data compliance efforts has real-world consequences for healthcare entities. Four out of five (81 percent) study participants reported at least one data privacy and non-compliance issue in the past year, and two out of three (66 percent) reported at least one data breach in the past year.

Investment in data compliance efforts is not lacking. A median of 37 percent of the overall IT budget of healthcare survey respondents is allocated to data compliance activities. This is a significant amount of funding to still experience data breaches, data compliance issues and low percentage of achievement of compliance with multiple enterprise data security and privacy regulations. When compared to respondents from life science and other industries, healthcare respondents reported the highest percentage of the IT budget devoted to data compliance.

The survey also indicated that healthcare organizations are more likely than organizations in other industries to have instituted compliance-specific governance processes and appointed specialized leadership such as data protection officers, compliance officers or chief risk officers, to oversee enterprise data compliance initiatives. While these are often considered to be best practices for achieving data compliance, still less than half of all healthcare organizations have instituted these approaches. Having specialized leadership is one of the most likely ways to effectively address enterprise data security and privacy compliance issues but it may also present further complications. Although the role may be assigned to an individual, the task of ensuring compliance with multiple regulations that evolve and change along with new technology and the addition of new data sources, requires an expertise that is difficult to achieve and oversee by one person who probably wears multiple hats in the organization.

One solution to the complex, challenging task of achieving data security and privacy compliance is the use of third-party providers who can address the healthcare organization’s need to enhance integration, management and storage of data. Providers who are experts at data management and integration but also provide the added value of the expertise needed to ensure compliance with regulatory requirements affecting data will offset some of the burden on hospital staff. The solution is not a simple application or a one-off project. Achieving and sustaining compliance with data privacy and security rules as they evolve is an ongoing effort.

The study also points to the need to better manage financial investment in compliance strategies. One option for healthcare organizations is managed services agreements with data management and integration providers. Switching to a predictable, monthly fee versus periodic capital investment or ongoing efforts that are ineffective frees IT funds to be used to advance other hospital goals.

Although many healthcare organizations do not consider outsourcing some of their data management, integration and compliance challenges, but choosing a partner wisely—one with expertise in healthcare as well as other data-centric industries with multiple privacy and security requirements—can reduce the compliance burden on an already overworked hospital IT staff and make funds available to continue digital transformation or other strategic initiatives.

Read the overall survey report here: Enterprise Data in 2018: The State of Privacy and Security Compliance

Read the brief on results for healthcare organizations here: Enterprise Data in 2018: The State of Privacy and Security Compliance in Healthcare

About the Author:

Gary Palgon