The Future of Healthcare Data Governance: Protecting Patient Privacy with Smart Solutions



Managing and Protecting Data in Healthcare

As featured in IT Pro Portal & Information Age

The smarter use of patient data has long promised the potential for more efficient and better-targeted services, but past projects have often ended as costly failures. Moreover, any technological advancement that allows us to better capture, record, and analyze data also increases the risk of that data being lost, stolen, or misused. Patients, understandably, are concerned about the security of their personal information.

As the world becomes increasingly connected and the value of patient information to cybercriminals rises, efforts to steal it are becoming more frequent and sophisticated. So, how can healthcare organizations gather the information they need to improve services while ensuring consumers their data is safe?

Currently, the healthcare industry is responsible for more data breaches than any other sector in the US.

For example, 91% of healthcare organizations in the United States have experienced at least one data breach in the past two years, and 40% have suffered more than five incidents.

Even more concerning, criminal attacks now outpace errors and negligence as the leading cause of these breaches. Criminal attacks on the healthcare sector have increased by 125% since 2010. In many cases, hackers are stealing vast quantities of data—such as in the recent Excellus breach, which involved nearly 10 million individual records.

Rising Risks and Accountability

In the United Kingdom, the Information Commissioner’s Office (ICO) oversees data privacy and investigated 517 data breaches in UK healthcare organizations last year. Since 2010, serious breaches of the Data Protection Act have been punishable by fines of up to £500,000, with nearly £6.5 million levied so far, mostly against public sector organizations.

In 2015, the ICO gained new powers to conduct compulsory audits of public healthcare organizations, allowing it to act proactively before breaches occur. Additionally, once the EU’s General Data Protection Regulation (GDPR) comes into force, penalties for data breaches could increase dramatically, with fines reaching up to €100 million.

Addressing Challenges with Technology

The Department of Health in the UK developed the Information Governance Toolkit (IG Toolkit) to address the need for better control over sensitive information in healthcare. However, surveys in early 2015 revealed that fewer than 40% of respondents felt the IG Toolkit met their needs. Many frustrations stemmed from outdated content and a lack of focus on practical governance issues.

Introducing the Information Asset Management solution

Instead of accepting piecemeal approaches, NHS England turned to technology for a comprehensive solution. With Information Asset Management (IAM), NHS England implemented a management tool that complements the IG Toolkit. This solution demonstrates control over information assets and data flows, identifies risks, and reduces the administrative burden associated with compliance.

As Richard Eddolls, Head of Platforms at CoreStream GRC, explains:

“Of course, no organization should expect to purchase their information governance solution ‘off the shelf.’ Technology is only part of the equation; it allows processes and content to be managed more effectively, but those elements must also be well-designed.”

Information Asset Management’s rollout has already expanded to Northern Devon Healthcare Trust and could soon be adopted across other healthcare organizations. The success of Information Asset Management and similar technologies demonstrates how public sector organizations can lead the way in innovative data security practices.

Frequently Asked Questions (FAQs)

1. What is CoreStream GRC, and how does it relate to data governance?
CoreStream GRC is a platform designed to streamline governance, risk management, and compliance (GRC) processes for organizations. It helps manage information assets, reduce compliance burdens, and mitigate risks such as data breaches.

2. Why is patient data particularly vulnerable to cyberattacks?
Patient data is highly sensitive and often includes personally identifiable information (PII), medical history, and insurance details. This makes it valuable to cybercriminals for identity theft and financial fraud.

3. What is the Information Asset Management (IAM), and how does it improve data governance?
Information Asset Management is a technology solution developed to enhance data governance by integrating with the IG Toolkit. It provides tools to monitor and manage information assets, identify risks, and ensure compliance more efficiently.

4. What penalties can healthcare organizations face for data breaches?
In the UK, fines for breaches under the Data Protection Act can reach up to £500,000. Under GDPR, penalties are significantly higher, with fines reaching up to €100 million or 4% of global annual revenue, whichever is greater.

5. How can technology help healthcare organizations improve data security?
Technology solutions like Information Asset Management allow organizations to automate compliance processes, identify and mitigate risks, and better manage information assets. This reduces administrative workloads and improves overall security.

6. What should organizations consider when implementing a data governance solution?
Organizations should focus on integrating technology with well-designed processes and policies. A comprehensive solution should be scalable, adaptable, and capable of addressing specific risks while ensuring compliance with regulations.
