The tax, audit and advisory firm KPMG recently reported that, among 223 healthcare executives surveyed, 81% said their organization had been compromised by at least one cyber attack in the past two years. And attacks have not been limited to hospital and insurance networks; big-name pharma execs have also acknowledged their companies have been targeted. While we recognize that security breaches have become more common and certainly more public, we also know that there are ways to meet this threat head-on that can provide pharma with a real sense of security. It starts with a shift in policy.
Going Beyond Compliance
The focus of data security — in healthcare and healthcare marketing — has primarily been on complying with government requirements, such as those contained within the Health Insurance Portability and Accountability Act (HIPAA). But mere compliance isn’t enough. What’s often missing in current data security strategies is a focus on comprehensive data privacy that includes understanding what’s at stake, where potential threats lie and what policies minimize risk.
Why It Matters
From a monetary standpoint, the incentive to steal health data is substantial. Whereas credit card info is worth a few dollars per file at most, health records can bring in as much as $50 a piece. That’s easy money for a savvy hacker.
From the standpoint of the patient, health data theft represents an enormous loss of privacy. Patients whose information has been compromised may face broader identity theft or even public disclosure of private health details.
While individual EHRs might be worth more than their credit card record cousins, for the healthcare brand there is a still larger financial issue at hand. We noted this last year, but the point is still valid, if not more so. The market valuation exposure that a health record breach presents to the affected organization can be devastating, especially in these times of significant cost containment and fervent drives for efficiency. The applicable fines levied by organizations like the FDA pale in comparison to the market devaluation caused by negative publicity and erosion of consumer trust. Remember Target?
The Best Defense Is a Good Defense
The best defense for data privacy is having well-defined policies, including retention and destruction policies.
A good data retention policy reduces risk by identifying when sensitive information may be destroyed or de-identified. A good data destruction policy describes how data is destroyed without disruption of business; this may include those often-forgotten backup and cloud systems. While that may sound simple, good information is expensive to collect, making long retention periods attractive, particularly to marketers.
Know What You’ve Got and Where to Store It
Knowing how to handle data safely and according to any and all applicable standards requires healthcare marketers to understand what our data really is and how we intend to use it. Conducting a thorough inventory — paper and digital — can help identify the distinct types of data, where they reside, and how they should be managed and accessed to minimize security risk.
For example, there is often debate regarding what truly constitutes PHI (personal healthcare information) versus PII (personally identifiable information). While there are solid standards for security on the outer layers of the cake, the controls on the inner layers are largely dictated by what is actually being protected. So, if you’re storing PHI (or even PII), we might recommend encryption at the database level. If you’re not storing this type of information, you probably don’t need this level of encryption. However, policies can be written to support both scenarios and thus drive best practices and meet the diverse needs of pharma clients.
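As an added illustration of the two policy points above (the retention and destruction policy, including backup and cloud copies, and the inventory that classifies stores as holding PHI, PII or neither and decides where encryption at rest is required), the following Python is example code written for this page, not the author's or any vendor's tooling. The field lists, the retention periods and actions, the store and record inventory and the dates are all constructed for the example; the de-identification step only strips a few direct identifiers and is a simplification, not an implementation of the HIPAA Safe Harbor list.

```python
from dataclasses import dataclass
from datetime import date

# Constructed field classification for this example; a real inventory would
# take these from the organization's own data dictionary.
PHI_FIELDS = {"diagnosis", "prescription", "medical_record_number"}
PII_FIELDS = {"name", "email", "date_of_birth"}
# Direct identifiers stripped by de-identification (a simplification, not the
# full HIPAA Safe Harbor list).
DIRECT_IDENTIFIERS = PII_FIELDS | {"medical_record_number"}

# Constructed retention policy: data class -> (max age in days, action once past it).
# Classes not listed here are kept.
RETENTION_POLICY = {"PHI": (730, "deidentify"), "PII": (365, "destroy")}


@dataclass(frozen=True)
class DataStore:
    name: str
    kind: str                 # "primary", "backup" or "cloud"
    encrypted_at_rest: bool


@dataclass
class Record:
    record_id: str
    collected: date
    copies: tuple             # every store holding a copy, backups and cloud included
    data: dict


def classify(fields):
    """PHI outranks PII; anything else is non-sensitive."""
    if fields & PHI_FIELDS:
        return "PHI"
    if fields & PII_FIELDS:
        return "PII"
    return "non-sensitive"


def encryption_findings(stores, records):
    """Report each store that holds PHI or PII without encryption at rest,
    judged by the fields of every record that has a copy there."""
    findings = []
    for store in stores.values():
        held = set()
        for rec in records:
            if store.name in rec.copies:
                held |= set(rec.data)
        cls = classify(held)
        if cls != "non-sensitive" and not store.encrypted_at_rest:
            findings.append(f"{store.name} ({store.kind}) holds {cls} without encryption at rest")
    return findings


def deidentify(data):
    """Drop direct identifiers, keeping the non-identifying fields."""
    return {k: v for k, v in data.items() if k not in DIRECT_IDENTIFIERS}


def apply_retention(records, today):
    """Decide keep / deidentify / destroy for each record, listing every copy
    so that backup and cloud stores are not forgotten."""
    actions = {}
    for rec in records:
        cls = classify(set(rec.data))
        max_days, action = RETENTION_POLICY.get(cls, (None, "keep"))
        if max_days is not None and (today - rec.collected).days > max_days:
            actions[rec.record_id] = {
                "action": action,
                "stores": rec.copies,
                "data": deidentify(rec.data) if action == "deidentify" else None,
            }
        else:
            actions[rec.record_id] = {"action": "keep", "stores": rec.copies, "data": rec.data}
    return actions


# Constructed inventory: one encrypted primary database, an unencrypted nightly
# backup, an encrypted cloud archive, an unencrypted marketing list and a
# store of non-sensitive analytics data.
STORES = {s.name: s for s in [
    DataStore("crm_db", "primary", True),
    DataStore("nightly_backup", "backup", False),
    DataStore("cloud_archive", "cloud", True),
    DataStore("marketing_list", "primary", False),
    DataStore("web_analytics", "primary", False),
]}
RECORDS = [
    Record("r1", date(2023, 10, 1), ("crm_db", "nightly_backup"),
           {"name": "A. Patient", "email": "a@example.org", "diagnosis": "asthma"}),
    Record("r2", date(2021, 6, 1), ("crm_db", "nightly_backup", "cloud_archive"),
           {"name": "B. Patient", "email": "b@example.org",
            "medical_record_number": "MRN-0002", "diagnosis": "diabetes"}),
    Record("r3", date(2022, 11, 1), ("marketing_list",),
           {"name": "C. Contact", "email": "c@example.org"}),
    Record("r4", date(2020, 1, 1), ("web_analytics",), {"page_views": 12}),
]

if __name__ == "__main__":
    for line in encryption_findings(STORES, RECORDS):
        print("FINDING:", line)
    for rid, act in apply_retention(RECORDS, date(2024, 1, 1)).items():
        print(rid, act["action"], "copies in", ", ".join(act["stores"]))
```

Run as a script, the inventory pass flags the nightly backup (PHI, unencrypted) and the marketing list (PII, unencrypted) while leaving the analytics store alone, and the retention pass keeps the recent PHI record, de-identifies the two-year-old one across all three of its copies, destroys the stale marketing contact and keeps the non-sensitive analytics row. The point of the structure is that classification drives both decisions, and that every action names the backup and cloud copies, not just the primary database.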
Keep It Secret, Keep It Safe
In short, pharma must remain vigilant and proactive in its approach to combatting data security issues. As noted previously, it starts with having a policy in place, educating folks throughout the organization regarding the policy and related processes, monitoring for compliance, and finally reviewing those policies regularly (at least annually).