Health Data Privacy Protection Requires Cultural Changes and A Holistic Approach

by Marti Arvin, VP of Privacy & Compliance, CynergisTek 12/01/2021 Leave a Comment

While practitioners tend to think about electronic health records (EHRs) as a modern convenience or necessity following centuries of hand-written and typed charts, the switch from pens and typewriters to computers also transformed scattered medical notes into data – personal information that forms a collectively valuable and powerful body. Data has become a critical asset for health care providers, arguably equivalent to currency, and in the digital age, failing to adequately protect patient data has become a major risk.

As EHRs have become more ubiquitous and comprehensive over the past two decades, regulators and organizations have become more conscious of the need to protect the privacy and security of this sensitive and confidential information. When the European Union’s General Data Protection Regulation (GDPR) went into effect in 2016, more than half of the EU’s 28 member states already had at least some legislation specific to EHRs, as part of a drive to make health data portable within the Union. By contrast, the United States and its state legislators have been playing catch-up, leaving organizations to choose their own approaches to establishing protections.

Between the ever-increasing quantity of data and inconsistent protections, medical information has become a honeypot for cybercriminals – more valuable and in-demand than ever before. During the COVID-19 pandemic, hackers targeted vulnerable health care systems with ransomware attacks, forcing multiple U.S. hospitals to go back to pen-and-paper record keeping, and impacting countless employees, some of whom lost jobs as a result. Today, victimized U.S. entities face an average cost of $9.23 million for a healthcare data breach, even before making a ransom payment.

Organizations must address multiple issues regarding their growing bodies of data. After obtaining clarity regarding their ownership and control of the asset, health IT leaders will know what their responsibilities are, and how the data can ethically be used. As U.S. legal standards for patient data handling are still evolving beyond HIPAA’s federal Privacy Rule and Security Rule, the 21st Century Cures Act provides guidelines for compliance with recent health data portability requirements. 

For health IT leaders and consultants, the challenge is to meet regulatory obligations in a manner that not only supports an organization’s mission, vision, and values, but also identifies and minimizes risks. Unfortunately, the cyber threat landscape today is unlike anything we’ve seen before, with surging numbers of vulnerabilities elevating risk levels across virtually every type of organization. Capitalizing on staffing challenges and underprotected networks, cybercriminals are exploiting everything from technology gaps to human mistakes in an effort to steal or ransom healthcare providers’ data. 

To solve these problems, health IT leaders need to transition their organizations’ approach to data privacy and security. Rather than myopically focusing on shifting regulatory schemes or the specific nature of the data, all stakeholders must adopt a programmatic approach whereby data privacy and security obligations are woven into the overall culture of the organization. Specifically, these organizations must:

1. Look Holistically at Data Compliance. A health IT consultant working to transform an organization will need to start by getting the organization’s leadership and key stakeholders on the same page. The goal is to shift the focus of data compliance from a regulatory to a holistic approach. This means looking at the big picture with large-scale practices that enhance overall data security and privacy, while implementing procedures for swiftly and effectively dealing with breaches.

2. Implement Stronger Data Governance. Health IT leaders will need to support strong data governance, correctly classifying data – a step that optimizes the data’s utility – and implementing controls that ensure the proper collection, use, sharing, retention, and destruction of sensitive data, as needed. Strong data governance is a hedge against growing patient concerns over medical data handling; nearly 70% of patients surveyed during the pandemic said they would likely sever their ties with healthcare providers if they discovered their personal medical data was not being properly protected, with younger Gen X (73%) and Millennial (70%) generations showing an even lower tolerance for improper handling.

3. Adopt Privacy by Design. Making a full-scale cultural shift to privacy and security controls that support privacy by design, rather than as an afterthought, is a critical and challenging step for organizations. Although privacy by design is a somewhat amorphous concept, the premise – protecting data using modern technology in the system design – has been broadly required by the GDPR for years. While a wholly privacy-first system may seem daunting to implement, it can be accomplished by working with a trusted partner and following certification programs, ultimately leading to smarter practices as well as true privacy and security compliance.

Combining a holistic data compliance approach with stronger data governance policies and a system designed to protect privacy won’t just protect patient health data against theft and ransoms; it will also enable healthcare institutions to offer patients greater transparency in how their data is being handled. These changes will be necessary to facilitate an era of greater medical data portability, and future-proof health care data systems ahead of the next wave of regulatory changes.


About Marti Arvin, VP of Privacy & Compliance, CynergisTek

With over three decades of operational and executive leadership experience in health compliance, research, and regulatory oversight, Marti Arvin leads CynergisTek’s compliance services business development. She previously served as Chief Compliance Officer for Regional Care Hospital Partners and the UCLA Health System, including the David Geffen School of Medicine.
