The Future of Healthcare Data Governance: Protecting Patient Privacy with Smart Solutions
03 Mar | Managing and Protecting Data in Healthcare
As featured in IT Pro Portal & Information Age
The smarter use of patient data has long promised the potential for more efficient and better-targeted services, but past projects have often ended as costly failures. Moreover, any technological advancement that allows us to better capture, record, and analyze data also increases the risk of that data being lost, stolen, or misused. Patients, understandably, are concerned about the security of their personal information.
As the world becomes increasingly connected and the value of patient information to cybercriminals rises, efforts to steal it are becoming more frequent and sophisticated. So, how can healthcare organizations gather the information they need to improve services while ensuring consumers their data is safe?
Currently, the healthcare industry is responsible for more data breaches than any other sector in the US.
For example, 91% of healthcare organizations in the United States have experienced at least one data breach in the past two years, and 40% have suffered more than five incidents.
Even more concerning, criminal attacks now outpace errors and negligence as the leading cause of these breaches. Criminal attacks on the healthcare sector have increased by 125% since 2010. In many cases, hackers are stealing vast quantities of data—such as in the recent Excellus breach, which involved nearly 10 million individual records.
Rising Risks and Accountability
In the United Kingdom, the Information Commissioner’s Office (ICO) oversees data privacy and investigated 517 data breaches in UK healthcare organizations last year. Since 2010, serious breaches of the Data Protection Act have been punishable by fines of up to £500,000, with nearly £6.5 million levied so far, mostly against public sector organizations.
In 2015, the ICO gained new powers to conduct compulsory audits of public healthcare organizations, allowing it to act proactively before breaches occur. Additionally, once the EU's General Data Protection Regulation (GDPR) comes into force, penalties for data breaches could increase dramatically, with fines of up to €100 million.
Addressing Challenges with Technology
The Department of Health in the UK developed the Information Governance Toolkit (IG Toolkit) to address the need for better control over sensitive information in healthcare. However, surveys in early 2015 revealed that fewer than 40% of respondents felt the IG Toolkit met their needs. Many frustrations stemmed from outdated content and a lack of focus on practical governance issues.
Introducing the Information Asset Management solution
Instead of accepting piecemeal approaches, NHS England turned to technology for a comprehensive solution: Information Asset Management (IAM), a management tool that complements the IG Toolkit. The solution demonstrates control over information assets and data flows, identifies risks, and reduces the administrative burden associated with compliance.
As Richard Eddolls, Head of Platforms at CoreStream GRC, explains:
“Of course, no organization should expect to purchase their information governance solution ‘off the shelf.’ Technology is only part of the equation; it allows processes and content to be managed more effectively, but those elements must also be well-designed.”
Information Asset Management’s rollout has already expanded to Northern Devon Healthcare Trust and could soon be adopted across other healthcare organizations. The success of Information Asset Management and similar technologies demonstrates how public sector organizations can lead the way in innovative data security practices.
Frequently Asked Questions (FAQs)
1. What is CoreStream GRC, and how does it relate to data governance?
CoreStream GRC is a platform designed to streamline governance, risk management, and compliance (GRC) processes for organizations. It helps manage information assets, reduce compliance burdens, and mitigate risks such as data breaches.
2. Why is patient data particularly vulnerable to cyberattacks?
Patient data is highly sensitive and often includes personally identifiable information (PII), medical history, and insurance details. This makes it valuable to cybercriminals for identity theft and financial fraud.
3. What is the Information Asset Management (IAM), and how does it improve data governance?
Information Asset Management is a technology solution developed to enhance data governance by integrating with the IG Toolkit. It provides tools to monitor and manage information assets, identify risks, and ensure compliance more efficiently.
4. What penalties can healthcare organizations face for data breaches?
In the UK, fines for breaches under the Data Protection Act can reach up to £500,000. Under GDPR, penalties are significantly higher, with fines reaching up to €100 million or 4% of global annual revenue, whichever is greater.
5. How can technology help healthcare organizations improve data security?
Technology solutions like Information Asset Management allow organizations to automate compliance processes, identify and mitigate risks, and better manage information assets. This reduces administrative workloads and improves overall security.
6. What should organizations consider when implementing a data governance solution?
Organizations should focus on integrating technology with well-designed processes and policies. A comprehensive solution should be scalable, adaptable, and capable of addressing specific risks while ensuring compliance with regulations.