Technology brings numerous clinical and operational benefits to today’s healthcare organizations. Alongside these benefits, however, threats to the data those organizations hold are increasing rapidly.
Amid a climate full of ransomware attacks, data leakages, and staff shortages within IT departments, it has become increasingly clear that IT should remain a growing priority as management assesses and mitigates corporate risk. This current environment requires an audit approach that contributes to effective risk management. Data governance is one area that can benefit from such an approach.
A contributing factor to IT risk is the significant amount of protected information that unauthorized users are accessing, viewing, and extracting from healthcare organizations. Beyond clinical data, healthcare organizations also house many other types of protected information, including patients’ names, addresses, birthdates, Social Security numbers, bank account numbers, payment card data, passwords, personal identification numbers, and biometric data.
The data present throughout healthcare organizations is alarmingly vulnerable. More than 5,150 data breaches have been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights since 2009, including the exposure or impermissible disclosure of more than 382 million health records.[1] The healthcare data breach rate has more than doubled since 2018.[2]
Numerous factors contribute to protected information’s vulnerability in healthcare organizations. Chief among those factors are shrinking IT budgets, increased staff turnover and staffing shortages, outdated equipment and lack of capital for replacements, vulnerable network services, weak passwords, phishing attacks, data leaks, and healthcare data’s growing value on the dark web.
Three common HIPAA violations seen in healthcare organizations also put protected information at risk, leaving those organizations open to costly penalties. These include:
With so much protected information at stake, healthcare organizations should know the following regarding that information’s status across their enterprises:
If an organization doesn’t know the status of its information, it needs a new strategy to keep its massive – and multiplying – amounts of protected data safe. Outcomes-based IT audits are one such approach.
An outcomes-based approach to auditing IT focuses on achieving specific business outcomes. It relies on advanced technology to enhance audit efficiency and effectiveness. For example, these audits use technologies such as data analytics, artificial intelligence, and automation to analyze large datasets and assess IT’s impact on business outcomes. Outcomes-based audits use data-driven techniques like predictive modeling, anomaly detection, and real-time monitoring to gain insights into IT’s alignment with business outcomes.
A traditional IT audit typically would involve manual testing and other manual methods such as reviewing documentation, conducting interviews, and performing sample-based assessments. In addition to being time-consuming for audit teams that are already stretched thin, traditional methodologies do not always provide a full picture of an organization’s controls or processes.
Technology-led outcomes-based audits, on the other hand, aim to provide full coverage across entire datasets. They use technology to pull full datasets and, through use of tools such as machine learning, can more accurately highlight an organization’s potential risk areas.
Consider an outcomes-based audit in which a health system wanted to assess its data governance. In this type of audit, auditors would take the following steps to uncover critical insights related to data governance and the organization’s ability to keep PHI safe:
Safeguarding protected information is a crucial goal of today’s healthcare organizations. Organizations can contact our specialists to learn more about tech-led, outcomes-based audits to enhance their data governance and help protect their vulnerable data.
[1] Rebecca Murray-Watson, “Healthcare Data Breach Statistics,” The HIPAA Journal, accessed Nov. 2, 2023.
[2] Ibid.