It’s Time for Healthcare Orgs to Get Serious About Data Governance

For healthcare CISOs [chief information security officers], keeping networks and associated data secure can be a daunting task. The sector suffered 337 data breaches in the first half of 2022, affecting over 19 million patient records, even as organizations struggled with a shortage of cybersecurity professionals. The cost of breaches is soaring, too, with the average impact of a healthcare data breach now standing at well over $4 million.

As high-profile healthcare cyber attacks make headlines all over the world, providers are rethinking the ways they safeguard their data — and with 45% of breaches happening in the cloud, that means many healthcare providers are reevaluating their relationships with cloud providers.

For providers, that generally means choosing one of two options: either lock down your data altogether, so that it isn’t in the cloud in the first place, or turn to a reputable tech giant such as Amazon, and trust their out-of-the-box cloud security tools to keep your data safe. The trouble is, neither option, on its own, is fully suited to the needs of today’s healthcare organizations.

Trouble with the cloud

Turning your back on the cloud might seem like an effective way to maximize data security. The issue is that in the modern world with virtual health and tele-medicine this is not really a viable option. Moreover, the reality is that on-prem [on premise] solutions are still vulnerable to attack, so depending on the specifics of your architecture and implementation it’s still possible for things to go wrong. What’s more, locking down your data limits your ability to run a modern healthcare team, forfeits a potentially significant revenue stream, and hinders the innovation needed to deliver stellar patient care.

Simply trusting cloud vendors to keep data safe isn’t a great approach either, though. It’s true that big cloud vendors have solid security features. But the reality is that a cloud vendor’s security infrastructure is only as good as a healthcare organization’s own data governance, and security practices.

Even with a robust cloud solution, for instance, healthcare providers still need to determine who gets access to their data. That’s hard to manage within an organization, but when you also grant access to outside partners you’re effectively handing over the dataset in question  and hoping they will respect the data governance rules associated with that data.

Organizations also need to properly activate and calibrate all their cloud provider’s security features and make consistently smart decisions that fully reflect their evolving needs. For complex healthcare data systems, that’s a big ask. Something as simple as an unchecked box or an overlooked setting can be all that’s needed to critically degrade the security of your cloud data.

A better way to harness clinical data

Fortunately, there’s a third option that enables healthcare providers to unleash the full value of their data and ensure robust security. Instead of pushing data out into the world, it’s possible to invite selected partners into trusted data environments where they can safely harness your data — without ever directly viewing your datasets.

Much like a laboratory glove-box, this approach lets analysts “reach into” your datasets and work with your data, without ever actually touching the data they’re using. It might be possible to query one of your datasets to find the average age, BMI, or white blood cell count of a certain category of patients, and further filter that data with inclusion or exclusion criteria to find the relevant patient information you need, without ever seeing the individual data points driving the analysis.

For medical innovators, that’s a powerful approach that gives them the ability to extract deep insights from datasets without ever needing to handle the raw data. Anonymization, de-identification, and synthetic data can also be used to further shield patients’ personal information, enabling partners to capture the value they need without putting the underlying data at risk.

Control is key to healthcare data security

For healthcare CISOs and other leaders, meanwhile, a trusted data environment enables organizations to prioritize and implement effective data governance and use data flexibly while maintaining full control over PHI records.

Instead of handing datasets over to outside partners, and trusting them to use them responsibly, organizations can continuously monitor exactly how data is being accessed and operated on. They can revoke access at any time, or instantly apply new rules to ensure full regulatory compliance. Crucially, they can also validate that clinical data has been accessed and used correctly before permitting partners to export algorithms or other work products.

With baked-in version control, well thought of security architecture, a trusted data environment can even offer a final line of defense against ransomware attacks. Though not designed for clinical care functions, having records safely sequestered in a trusted data environment can help organizations to restore compromised data systems more rapidly, and serve as a reference point for critical clinical data to support continuity of care.

For today’s healthcare industry, data is the key to driving innovation and improving patient care — but only if healthcare operators remain fully in control of how their data is accessed and used. Enabling collaborative analysis and research begins with dependable data governance, be it in the cloud or on-prem.

To enable that, we need to prioritize development of trusted data environments anchored in military-grade security and built for the specific needs of today’s healthcare organizations. To successfully leverage their data to drive better patient outcomes, organizations need governance tools that let them put their clinical data to work — without compromising patient privacy or data security.

Photo: Traitov, Getty Images