Prioritizing data security concerns for digital health organizations
By Karen Johnston, Partner at Wipfli LLP, Risk Advisory Services
Digital health organizations have access to a wide array of sensitive and private information, making data security a must. Customers and regulators alike expect that robust protections will be put in place to prevent leaks and mishandled data.
Whether your organization is a startup with limited financial resources or an established digital health provider, your data is subject to strict compliance requirements.
Demonstrating secure data handling procedures will allow you to gain certifications and attestations that can help attract new customers and assure them that you are in compliance with security best practices.
Potential pitfalls to avoid
Meeting your obligations can be challenging. Avoid getting caught up in any of the most common misconceptions surrounding cybersecurity and safety.
- Appointing the wrong person to manage your cybersecurity needs: Don’t just appoint anyone to handle compliance — your organization should invest in an employee who truly understands data security. Because the data you receive and store is often sensitive, it needs to be managed by someone with the expertise to build a program that meets the applicable compliance requirements.
- Assuming that hosting systems in the cloud transfers your security responsibilities: Regardless of where your data is stored, your organization remains responsible for its security. Contracting a third-party cloud vendor to manage your systems doesn’t absolve you of your duty to protect your information. You still need a comprehensive security program that covers access control, risk assessment and management, incident response, and vulnerability management.
- Believing that security and compliance don’t need to be an ongoing process: Security is never a one-and-done situation; you need to stay informed about emerging threats and changing regulations. Continuously monitor the regulatory environment and make an ongoing practice of checking for compliance against security frameworks. Schedule regular program reviews to stay up to date and consider bringing in outside assistance for an independent perspective.
It’s critical to get ahead of security and compliance from the start. Determine which frameworks are important to your customers and stakeholders and build your compliance program from there. But don’t panic if you missed some steps in the beginning — it’s never too late to implement and commit to a security protocol.
Self-assessment is possible, but an independent perspective can help build confidence in your overall system. Consider contracting with experienced security professionals to assist. They see both the best and worst practices on a daily basis throughout their client base and are well-positioned to provide helpful advice for improvement.
For many digital health companies, an insurance payer or hospital system will want to be assured that your organization can comply with HIPAA and other regulations as a prerequisite for partnership. Certifications like HITRUST and ISO or independent SOC audit reports can also help gain the trust of leadership, prospects, and customers.
Preventing a no-win situation
Digital health startups often see security as a Catch-22 — they can’t go to market or sign with certain prospects without certifications and attestation reports, but without customers they can’t generate the revenue needed to pay for third-party audits and assessments. The system can seem like a pay-to-play situation with high costs and few alternatives.
A systematic, step-by-step approach can help organizations escape this trap. An inexpensive first step is a thoughtful, organized assessment against the HIPAA Security Rule to identify gaps. A third-party independent audit and assessment can then lead to a certification or attestation report. Because these assessments vary in scope, complexity and requirements, your third-party provider can help you decide which ones will meet your customers’ needs at a fair price point.
Overall, it is essential for leadership teams to grasp the importance of security from the beginning. Investing in individuals who can properly oversee your efforts is crucial to the overall success of your security and compliance program, and third-party professionals can play a critical role in bringing those efforts to fruition.