An Integris report takes the pulse of the industry’s data privacy maturity, finding that while healthcare was one of the most breached sectors in 2018, its leadership is overly confident in its privacy policies.
The majority of healthcare leadership is overly confident in their data privacy maturity, despite failing to keep an accurate pulse on the data it maintains, transmits, and acquires, according to a recent Integris Software report.
Integris researchers surveyed 258 top business executives and IT decision makers from mid- to large-sized organizations to determine where the healthcare sector stands with data privacy maturity.
The researchers found most organizations were overly confident in their technical maturity, with 70 percent of respondents reporting they were very or extremely confident in knowing exactly where sensitive data resides.
However, 50 percent of those respondents update their personal data inventory just once a year – or even less. And just 17 percent of respondents are able to access sensitive data across five common data source types.
What’s more, none of the respondents reported a lack of confidence in their organization’s ability to define personal data, with about 66 percent feeling very or extremely confident in that ability.
“Are respondents falling victim to overconfidence? Perhaps,” the researchers wrote. “Sensitive data has an evolving nature. What’s considered a sensitive category or piece of data today may not be considered sensitive tomorrow, and vice versa. Understanding derivative personal data is important, yet challenging.”
“For example, notes on patient’s diet can infer religion,” they continued. “Data flowing in and out of data lakes is also a blind spot for many respondents. Data lakes ingest disparate pieces of customer data from a variety of sources. When combined, this data has the potential to reveal customer identities along with highly sensitive personal information.”
In fact, the report noted that 87 percent of the US population can be identified with just their zip code, gender, and birthdate.
Compliance Still Driving Privacy Decisions
The researchers stressed that data privacy impacts more than compliance, with 76 percent of respondents saying the regulatory environment continues to drive urgency to prove regulatory compliance.
These measures include data subject access requests, enforcing data retention and classification policies, and responding rapidly to breaches, the report found.
“Data privacy impacts much more than regulatory compliance efforts,” the researchers wrote. “When done right, data privacy management supports the broader healthcare information management control framework—regulations, policies, and contracts.”
“For example, proving compliance with business obligations like data sharing agreements was cited by 67 percent of respondents,” they added.
Sixty-one percent cited enforcing internal data handling policies like classification and retention as compliance related, with another 28 percent citing privacy’s impact on mergers and acquisitions due diligence, and 22 percent citing the delivery of AI and machine learning projects. And 35 percent saw privacy concerns impacting data lake hygiene.
What’s more, about 29 percent of budgets are designated for legal, risk, and compliance, while just 3 percent of privacy budgets are assigned to privacy management. And in 6 percent of organizations, it’s not clearly defined.
“Healthcare technology leaders are increasingly being tasked with operationalizing their data privacy management program,” the researchers noted. “Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.”
“Forward-looking healthcare organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how,” they added.
Date: June 26, 2019
Source: Health IT Security