Dive Brief:
- Some 70% of mid- to large U.S. healthcare companies are very or extremely confident in their ability to manage sensitive data yet roughly 50% update their inventory of personal data once a year or less, according to a new Integris Software survey.
- About half of healthcare respondents had 50 or more data sharing agreements in place — 20% more overall compared to all other U.S. industries, likely due to the interconnected nature of healthcare companies. However, once again they were more confident (61%) they could be compliant with privacy regulations than their partners.
- Privacy concerns primarily affected business obligations (67%), enforcing internal data handling policies like retention and classification (61%), due diligence during mergers and acquisitions (28%) and the delivery of artificial intelligence and machine learning projects (22%).
Dive Insight:
Keeping consumers' sensitive healthcare information secure is of mounting importance as the government continues to push for free and unfettered data sharing across the industry.
Two sweeping HHS rules to promote interoperability and penalize information blocking received thousands of public comments from payer, provider and health IT groups earlier this month, many of them revolving around data privacy and security of electronic health information.
The security of EHI when it's shared with a third party application such as a consumer portal or health app is of particular concern. Such apps usually don't have business associate agreements with healthcare organizations, so they're not covered under existing HIPAA liability protections, and often share health data with third and even fourth parties.
About a quarter of healthcare companies suffered a security breach from a mobile device in 2018 — a high figure, even in an industry that beat out all others for the most cybersecurity incidents last year, according to recent reports.
Despite these statistics, the Integris survey found healthcare companies spend more on data management than other industries. Roughly half of data privacy management budgets were between $100,000 and $500,000 — a much higher concentration than the other industry respondents.
And most organizations (86%) are increasing their budget in 2019 — more than a quarter by 25% or more, Integris found. Regulatory concerns were a big driver, accounting for 76% of data projects, including enforcing data retention and classification policies and rapid response to data breaches (61% for both).
No respondents said they had no confidence in their organization's ability to define and protect personal information, with 32% saying they were very confident and 35% saying they were extremely confident.
The majority of companies have clear processes in place to handle data privacy and awareness, evaluating data sensitivity, handling consumer consent and communicating when things go wrong. However, very few of these processes are technological — only 60% of organizations have an automated way to tell whose data was breached.
The survey sampled about 250 mid- to senior-level executives and IT decisionmakers at companies with 500 employees or more and at least $25 million in annual revenue.