The Power of Diligence on Data Privacy

By Josh Dunaway, Senior Director, Data Solutions, CereCore
Twitter: @CereCore

Data breaches, stolen identities, and fraudulent charges are a fact of life in our modern age. However, for healthcare organizations, protecting patient data is only the beginning. Additional complexity comes in the form of maintaining compliance with data privacy regulations and the high number of healthcare IoT devices and endpoints in a health system.

Data diligence and privacy considerations

1. Store only what’s needed.

While the number of federal and state regulations demonstrated in this HIMSS Infographic is an eye-opening visual of the requirements around healthcare data privacy, it is still a best practice for healthcare organizations to be as thoughtful about deleting data that is no longer useful or required as they are about storing and protecting data. This task requires thorough planning, policies, training, access management, software technology, monitoring, mitigation, and more. Healthcare organizations store large volumes of private patient data, growing by the second. While storage and protecting access to the data are important, it may seem counterintuitive to make retiring data part of a privacy strategy. You might be saying, “Why would we ever get rid of data – who knows if we will need it in the future?” Maybe that thinking supports your business model, maybe it doesn’t. If it does, maybe you seek to eliminate duplications of the same data in multiple storage locations. Meaning, if data are in our data warehouse, do we also need it to remain in the legacy storage source?

The benefits: reduced storage costs, fewer access points to data, and overall decreased risk.

2. Assess device and network vulnerabilities.

According to the HIPAA Journal, more than half of all healthcare IoT devices have a known, unpatched critical vulnerability. When it comes to the most commonly used healthcare device – the IV pump, the majority of these devices were found to have a vulnerability that could be potentially exploited to gain access to networks and sensitive data, or even worse, impact patient safety. Steps such as segmenting the network can be a start to protecting data, along with performing a comprehensive IT asset inventory and analysis to identify issues such as outdated software, weak credentials, and more. The payoffs can result in reduced risk, efficiency gains, and cost savings through the discovery of overprovisioned licenses.

The list of most common HIPAA violations involve all facets of safeguarding PHI from improper data disposal to failing to control access to patient data. Healthcare technology leaders must make smart, tough decisions based on reducing risk, optimizing costs, and improving data quality, reporting, and accessibility.

Recommendations

When your organization is ready to take the next step toward enhancing patient data privacy, consider the following next steps:

  1. Make data diligence a priority. It is often easy to push the deletion of data to the bottom of the priority list, but making it an organizational priority increases the likelihood of realizing the above benefits.
  2. Evaluate which data is necessary to store and why. The first step to knowing what data can be deleted is knowing what data is needed and why.
  3. Create and employ a data diligence strategy.
    • Establish an internal governing body to offer clear strategy and action items around data privacy.
    • Explore options for cost-effective and secure data storage.

This article was originally published on CereCore and is republished here with permission.