Tackling data governance

An outcomes-based audit approach

Daniel T. Yunker, Destin DuBose, Bill Patterson | 12/4/2023
Kodiak Solutions

A new IT audit strategy can help keep massive amounts of vulnerable protected information safe.

Technology brings numerous clinical and operational benefits to today’s healthcare organizations. With these benefits, however, the threats to the data those systems hold are rapidly increasing.

Amid a climate full of ransomware attacks, data leakages, and staff shortages within IT departments, it has become increasingly clear that IT should remain a growing priority as management assesses and mitigates corporate risk. This current environment requires an audit approach that contributes to effective risk management. Data governance is one area that can benefit from such an approach.

Vulnerable protected information: A massive problem

A contributing factor to IT risk is the significant amount of protected information that unauthorized users are accessing, viewing, and extracting from healthcare organizations. Beyond clinical data, healthcare organizations also house many other types of protected information, including patients’ names, addresses, birthdates, Social Security numbers, bank account numbers, payment card data, passwords, personal identification numbers, and biometric data.

The data present throughout healthcare organizations is alarmingly vulnerable. More than 5,150 data breaches have been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights since 2009, including the exposure or impermissible disclosure of more than 382 million health records.[1] The healthcare data breach rate has more than doubled since 2018.[2]

Numerous factors contribute to protected information’s vulnerability in healthcare organizations. Chief among those factors are shrinking IT budgets, increased staff turnover and staffing shortages, outdated equipment and lack of capital for replacements, vulnerable network services, weak passwords, phishing attacks, data leaks, and healthcare data’s growing value on the dark web.

Three common HIPAA violations seen in healthcare organizations also put protected information at risk, leaving those organizations open to costly penalties. These include:

  • Insufficient access controls for electronic protected health information (ePHI). HIPAA requires covered entities and their business associates to limit ePHI access to authorized individuals only.
  • Failure to use encryption on portable devices. As mobile devices are used more frequently in healthcare settings, encryption becomes even more important to prevent data breaches. Although encryption is not mandatory under HIPAA rules, organizations that bypass encryption are required to implement an equivalent security measure.
  • Improper disclosure of PHI. This can happen when sensitive patient information is shared with unauthorized individuals or entities, either by accident or intentionally.

Is your protected information safe?

With so much protected information at stake, healthcare organizations should know the following regarding that information’s status across their enterprises:

  • The location of all the protected information
  • Who is accessing the information and where it is going
  • The location of unstructured data (anything not in a structured database format, including medical images or clinical notes)
  • How many people have access to the organization’s IT systems, who they are, and how many of those individuals are located outside the organization
  • Whether system users’ access privileges are being elevated beyond their business needs and what potential damage could result
  • How effective the organization’s security tools are at protecting the environment

A new approach to auditing IT

If an organization doesn’t know the status of its information, it needs a new strategy to keep its massive – and multiplying – amounts of protected data safe. Outcomes-based IT audits are one such approach.

An outcomes-based approach to auditing IT focuses on achieving specific business outcomes. It relies on advanced technology to enhance audit efficiency and effectiveness. For example, these audits use technologies such as data analytics, artificial intelligence, and automation to analyze large datasets and assess IT’s impact on business outcomes. Outcomes-based audits use data-driven techniques like predictive modeling, anomaly detection, and real-time monitoring to gain insights into IT’s alignment with business outcomes.

A traditional IT audit typically involves manual testing and other manual methods such as reviewing documentation, conducting interviews, and performing sample-based assessments. In addition to being time-consuming for audit teams that are already stretched thin, traditional methodologies do not always provide a full picture of an organization’s controls or processes.

Technology-led outcomes-based audits, on the other hand, aim to provide full coverage across entire datasets. They use technology to pull full datasets and, through use of tools such as machine learning, can more accurately highlight an organization’s potential risk areas.

An outcomes-based data governance audit in action

Consider an outcomes-based audit in which a health system wanted to assess its data governance. In this type of audit, auditors would take the following steps to uncover critical insights related to data governance and the organization’s ability to keep PHI safe:

  • Conduct discovery and analysis of protected information:
    • Obtain a real-time inventory of protected information across the health system’s network.
    • Analyze how protected information is moving across the network.
    • Determine what protected information is being extracted from the network.
    • Quantify the value of protected information at risk.
  • Conduct discovery and analysis of user access:
    • Obtain a real-time inventory of user entities on the health system’s network.
    • Track who is accessing protected information, including unauthorized users.
    • Discover if a user’s access is being elevated without authorization.
  • Conduct an inventory and analysis of security tools:
    • Obtain a real-time inventory of security tools across the environment.
    • Assess how well these tools protect the environment.
  • Conduct discovery and inventory of unencrypted devices:
    • Obtain a real-time inventory of encrypted and unencrypted devices on the health system’s network.
  • Conduct discovery of compliance violations:
    • Gain a real-time view of compliance violations (for example, compliance with HIPAA) before regulatory agencies assign findings and penalties. This proactive approach can save the organization financially (by avoiding fines) and reputationally (through patient and community trust).
  • Conduct discovery of control exceptions:
    • Obtain a real-time view of control exceptions based on IT standards from organizations such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), ISACA, the Center for Internet Security (CIS), and the Payment Card Industry Security Standards Council (PCI SSC).
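As an added illustration of the first two steps above (discovery of protected information and analysis of user access), the following Python script is example code written for this article; it is not Kodiak Solutions’ tooling and does not describe any specific product. It scans a constructed fragment of unstructured text for Social Security number and payment card patterns (validating card candidates with a Luhn check to reduce false positives), then runs simple detection rules over constructed access-log lines to flag PHI reads by roles not entitled to PHI, bulk exports of PHI, and role grants that lack a change ticket. The log format, the role names, and the rule that a grant without a ticket is unapproved are assumptions made for the example.

```python
import re

# Constructed sample of unstructured text (a clinical note fragment) for PHI discovery.
SAMPLE_NOTE = """Patient John Doe, DOB 03/14/1962, SSN 123-45-6789.
Billing card on file 4111 1111 1111 1111. Contact 555-0100."""

# Constructed access-log lines in an assumed key=value format (not a real product's log schema).
SAMPLE_ACCESS_LOG = [
    "2023-11-02T08:15:03Z user=jsmith role=nurse action=read resource=ehr/patient/1042 outcome=success",
    "2023-11-02T08:17:44Z user=vendor01 role=contractor action=read resource=ehr/patient/1042 outcome=success",
    "2023-11-02T08:20:10Z user=vendor01 role=contractor action=export resource=ehr/patient/* outcome=success",
    "2023-11-02T09:02:55Z user=tadmin role=admin action=grant_role target=vendor01 new_role=admin ticket=none",
    "2023-11-02T09:05:12Z user=tadmin role=admin action=grant_role target=rlee new_role=physician ticket=CHG-4471",
    "2023-11-02T09:30:00Z user=rlee role=physician action=read resource=ehr/patient/2210 outcome=success",
]

# SSN pattern excluding impossible area/group/serial numbers; card pattern is 13-19 digits
# with optional space or dash separators, confirmed by the Luhn check below.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Roles assumed (for this example) to be entitled to read PHI under the ehr/ resource tree.
PHI_ROLES = {"physician", "nurse", "billing"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (standard card-number check)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_phi(text: str) -> list:
    """Locate SSN and Luhn-valid card numbers in free text; returns (kind, value) pairs."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits))
    return findings


def parse_event(line: str) -> dict:
    """Split one log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = ts
    return event


def audit_access(lines: list) -> list:
    """Apply three detection rules to access events; returns (rule, subject, timestamp) triples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        action = ev.get("action")
        resource = ev.get("resource", "")
        # Rule 1: a role outside the PHI-entitled set touched an ehr/ resource.
        if resource.startswith("ehr/") and ev.get("role") not in PHI_ROLES:
            findings.append(("unauthorized_phi_access", ev["user"], ev["ts"]))
        # Rule 2: PHI leaving the system in bulk is worth a finding regardless of role.
        if action == "export" and resource.startswith("ehr/"):
            findings.append(("phi_exfil_risk", ev["user"], ev["ts"]))
        # Rule 3: privilege elevation with no change ticket is treated as unapproved.
        if action == "grant_role" and ev.get("ticket", "none") == "none":
            findings.append(("unapproved_privilege_change", ev["target"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for kind, value in find_phi(SAMPLE_NOTE):
        print(f"PHI found: {kind} {value}")
    for rule, subject, ts in audit_access(SAMPLE_ACCESS_LOG):
        print(f"{ts} {rule}: {subject}")
```

In a real engagement the inputs would be full datasets pulled from file shares, EHR audit trails, and identity systems rather than a handful of lines, and the rules would be tuned to the organization’s actual role model; the value of the approach is that every record is evaluated rather than a sample.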

Ready to try an outcomes-based audit?

Safeguarding protected information is a crucial goal of today’s healthcare organizations. Organizations can contact our specialists to learn more about tech-led, outcomes-based audits to enhance their data governance and help protect their vulnerable data.

[1] Rebecca Murray-Watson, “Healthcare Data Breach Statistics,” The HIPAA Journal, accessed Nov. 2, 2023.
[2] Ibid.

Contact us

Daniel T. Yunker
Senior Vice President, Risk and Compliance, Kodiak Solutions

Destin DuBose
Kodiak Solutions

Bill Patterson
Director, Healthcare IT Risk, Kodiak Solutions