The number and cost of data breaches are on the rise, especially in healthcare. The latest figures show that the number of healthcare records exposed in data breaches tripled in 2018, totaling 15 million records, the highest recorded number to date.
In the midst of this alarming increase in threats to data privacy and security, new legislation is being enacted worldwide. Most notable are the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), with many other states passing related laws governing cybersecurity, privacy and data protection.
Penalties for non-compliance with existing laws are also increasing. In 2018, the Office for Civil Rights (OCR), which is responsible for enforcement of the Health Information Portability and Accountability Act (HIPAA), set all-time records in enforcement activity. This included total fines of $28.7 million, a 22% increase from the prior record in 2016, and the single largest individual HIPAA settlement in history, at $16 million.
Let’s face the reality: healthcare organizations are dealing with a myriad of challenges around data privacy, securing electronic health records (EHR) and complying with laws. Breaches, ransomware and employee data violations are the new normal. The proliferation of cloud computing is also driving new concerns around network security, both within an enterprise and across a range of subcontractors and vendors. Additionally, new regulations give the individual more control over his or her data and require organizations to be transparent and accountable. To address all of this, a proactive and integrated strategy is imperative.
The Solution to Meeting Data Privacy Regulations: An Integrated Approach
In this new landscape, privacy and security are about more than just safeguarding data. Healthcare organizations must apply holistic and proactive approaches to designing systems and mitigating risk. The best starting point is to align your internal stakeholders around data protection and to implement a strong governance structure. These stakeholders include Privacy, Information Security, Legal, IT and Compliance.
All of these key departments must collaborate to meet today’s regulatory needs. For example, CCPA gives consumers the right not to have their data sold to a third party. If a consumer sends an email directing your organization not to sell their data, what is your plan? There must be an effective way to assess an individual demand under the law and to implement and enforce an appropriate solution. Other important considerations for data protection are:
- Ensuring methods for properly classifying data
- Understanding data movement within systems
- Controlling accessibility and assessing risk
- Implementing a strong incident response plan with ongoing testing
- Conducting robust vendor oversight
All of these are critical components of an effective data protection program. While these various requirements are challenging, a proactive and integrated approach to implementation is feasible. The healthcare industry is familiar with working in a highly regulated environment, and an organization that is already strongly compliant with HIPAA and has good risk management operations will be well positioned to adapt to these new requirements and regulatory frameworks.
EnvisionRx has created the necessary infrastructure for compliance with new privacy laws, establishing a Security Governance program in which the Privacy, Security and Internal Audit divisions work together to support the protection of protected health information (PHI) and personally identifiable information (PII) using various controls and standards. The program partners with IT and the Compliance and Ethics department, as well as other business units, to maintain industry-defined leading practices for effective data protection standards and procedures. Qualified, independent security resources are also used to test the overall integrity of the data protection process.
While the rapidly evolving legal landscape will continue to pose significant challenges, you can successfully safeguard data while avoiding the legal and monetary implications of regulatory non-compliance with robust compliance programs that make privacy and security a top priority. By applying an integrated approach, you will be prepared to embrace the ever-increasing shift toward individual data control and protection.