Data Governance in Healthcare: 3 Best Practices
According to the Protenus Breach Barometer midyear report, 233 healthcare data breaches have occurred in 2017 so far, with over 3 million patient records compromised. Although the primary culprits are external hacking and ransomware, an alarming 41% were the result of insiders (both through error and through intentional wrongdoing). This indicates a continued and pressing need for healthcare organizations to implement data governance in order to protect patient information from both external attack and internal misuse.
Healthcare organizations are gathering more patient data than ever before, and this wealth of data has the potential to help identify future trends, regulate costs, and calculate performance metrics in order to make the most of every incoming dollar. With the transition to value-based reimbursement, governance is more pivotal than ever in the healthcare sector. Great data governance enforces information access policies and leverages security in an easy-to-understand way across an enterprise.
Let’s go into some best practices for data governance from our identity and access management (IAM) experts, and how CISOs can showcase its value to key stakeholders and investors:
#1: Get Executive Sponsorship and Buy-in
One of the biggest obstacles to deploying a data governance framework is a lack of executive-level sponsorship. Data is no longer just an issue with IT – it has become far more complex and multifaceted, which requires a higher level of collaboration and resources. Getting executive support means more resources and funding toward the goal of regulating data, and ultimately, minimizing risk for your initiative.
In its simplest form, getting executives to listen means starting from a central problem statement and tying the value of a data governance program to it. For healthcare, that problem is usually breach risk: the organization’s current exposure to an attack and the cost of a compromise. Present data governance as the solution to that problem, and show how it ultimately contributes to the bottom line.
#2: Create a Consistent Organizational Framework
Organizing information doesn’t mean things have to get more complicated; if anything, simplification is key with data governance. Healthcare organizations have a variety of different domains and Electronic Health Record (EHR) systems, and it’s imperative to standardize the codes and information across them. Reconciling diverse clinical data and forming a common terminology between disparate systems is a proven best practice when data is distributed to applications and to other clinicians and providers.
Defining clinical terminology isn’t an overnight project – it takes considerable time, but will ensure the success and quality of your data governance program.
#3: Enforce Data Protection with Access Governance
Insider threats remain a constant source of data breaches, so classifying data and setting access policies that restrict who can reach it mitigates leaks. This also helps you stay compliant with PCI DSS and HIPAA requirements.
For example, an entry-level assistant shouldn’t have credentials to view a patient’s Social Security number or other sensitive information that an intruder or ransomware operator could exfiltrate, unless it is required for the role they are filling. Providing access to what an employee needs to do their job – and nothing more – is essential to protecting patient data. That’s proper data and access governance at work.
Conflicting and duplicate data at scale makes this harder still, since field lengths, codes, and even unstructured information all have to be regulated consistently. On the access side, look out for:
- Changes in job title, which should change access (old privileges must not accumulate)
- Periodic review of organizational access credentials
- Provisioning and de-provisioning (privileges should be revoked as soon as an employee has left)
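The three lifecycle events above (joiner, mover, leaver) plus periodic review are what an access governance engine actually enforces. The following is an added example, not code from the original post or from any vendor product; the roles, permissions, usernames, and the 90-day review interval are all constructed for illustration. It shows a minimal role-based model in which an assistant cannot see a Social Security number, a role change drops the old role’s privileges and any ad-hoc exceptions, de-provisioning fails closed, and the review list flags both stale certifications and outstanding exceptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed, hypothetical role -> permission map. Only roles whose job
# actually requires a data element receive it; "view_ssn" is limited to billing.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "assistant": {"view_schedule", "view_patient_name"},
    "nurse": {"view_schedule", "view_patient_name", "view_chart"},
    "billing": {"view_patient_name", "view_insurance", "view_ssn"},
}


@dataclass
class Account:
    username: str
    role: Optional[str]                                # None once de-provisioned
    last_reviewed: date                                # last manager certification
    exceptions: Set[str] = field(default_factory=set)  # ad-hoc grants beyond the role


class AccessGovernance:
    """Minimal RBAC engine with joiner/mover/leaver handling and review tracking."""

    def __init__(self, review_interval_days: int = 90) -> None:
        self.review_interval = timedelta(days=review_interval_days)
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[str] = []

    def provision(self, username: str, role: str, today: date) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.accounts[username] = Account(username, role, today)
        self.audit_log.append(f"{today} provision {username} as {role}")

    def change_role(self, username: str, new_role: str, today: date) -> None:
        # Mover: the new role replaces the old one AND clears exceptions granted
        # for the old job, so privileges do not accumulate over a career.
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        acct = self.accounts[username]
        acct.role = new_role
        acct.exceptions.clear()
        acct.last_reviewed = today
        self.audit_log.append(f"{today} role-change {username} -> {new_role}")

    def grant_exception(self, username: str, permission: str, today: date) -> None:
        acct = self.accounts[username]
        acct.exceptions.add(permission)
        self.audit_log.append(f"{today} exception {username} +{permission}")

    def deprovision(self, username: str, today: date) -> None:
        # Leaver: the account stays for audit history but holds no role and no
        # exceptions, so every permission check fails closed from now on.
        acct = self.accounts[username]
        acct.role = None
        acct.exceptions.clear()
        self.audit_log.append(f"{today} deprovision {username}")

    def is_allowed(self, username: str, permission: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.role is None:
            return False  # unknown or de-provisioned account: deny
        return permission in ROLE_PERMISSIONS[acct.role] or permission in acct.exceptions

    def due_for_review(self, today: date) -> List[str]:
        # Periodic review: active accounts whose last certification is older than
        # the interval, plus any account carrying exceptions (those always need eyes).
        due = []
        for acct in self.accounts.values():
            if acct.role is None:
                continue
            stale = today - acct.last_reviewed > self.review_interval
            if stale or acct.exceptions:
                due.append(acct.username)
        return sorted(due)


def demo() -> Dict[str, bool]:
    """Walk two constructed accounts through the lifecycle; returns each check."""
    g = AccessGovernance(review_interval_days=90)
    day0 = date(2017, 1, 2)
    g.provision("asmith", "assistant", day0)
    g.provision("bjones", "billing", day0)
    results = {
        "assistant_sees_schedule": g.is_allowed("asmith", "view_schedule"),
        "assistant_sees_ssn": g.is_allowed("asmith", "view_ssn"),
        "billing_sees_ssn": g.is_allowed("bjones", "view_ssn"),
    }
    # Temporary exception for a billing backfill; it immediately lands asmith on the review list.
    g.grant_exception("asmith", "view_ssn", day0 + timedelta(days=10))
    results["exception_grants_ssn"] = g.is_allowed("asmith", "view_ssn")
    results["exception_flags_review"] = g.due_for_review(day0 + timedelta(days=20)) == ["asmith"]
    # Mover: the assistant becomes a nurse and the SSN exception goes away with the old job.
    g.change_role("asmith", "nurse", day0 + timedelta(days=30))
    results["ssn_dropped_on_role_change"] = not g.is_allowed("asmith", "view_ssn")
    # Leaver: everything is revoked at once.
    g.deprovision("bjones", day0 + timedelta(days=45))
    results["leaver_denied"] = not g.is_allowed("bjones", "view_patient_name")
    results["no_review_due_at_day60"] = g.due_for_review(day0 + timedelta(days=60)) == []
    results["stale_at_day200"] = g.due_for_review(day0 + timedelta(days=200)) == ["asmith"]
    return results
```

In a real deployment the role map comes from the HR system and the audit log goes to the SIEM; the point here is that every check is answered from the role, not from privileges copied forward from a previous job, and that a de-provisioned account is denied without needing to enumerate what it once had.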
Map Out Your Strategy & Roadmap
The road to holistic data governance is a long one, and it is just one piece of the identity and access management pie. Managing your healthcare organization’s data security, usability, and integrity is vital to securing the resources, access, and peace of mind you need in order to drive success under value-based payment.
Building a roadmap is a pragmatic and effective way to steer your organization toward a common goal. Our advisors have decades of experience implementing an actionable IAM program that minimizes the risk of data breaches and uncomfortable information compromises. If you’d like to learn more, feel free to check out our newest whitepaper on “Towards an Identity-Centric Security Strategy:”