Data regulation: Time for the healthcare sector to take its head out of the sand

Image: doctors in a row looking at a CT scan with digital tablets. © stevecoleimages | iStock

The increasingly complex regulatory landscape and the rise in cyberattacks mean the healthcare sector has to confront the challenge of compliance.

Mark Roebuck, DPO and Founder of ProvePrivacy, explains that the healthcare sector is struggling to keep up with data regulation adherence demands and should look to internal Data Champions.

For organisations of all sizes, the prospect of keeping up to date with, and adhering to, an increasingly complex data regulatory landscape is a daunting one. This is particularly so for the healthcare sector, which sits in a highly regulated space. The pressure to adhere, and to ensure that staff understand the nature of compliance and their role in it, means it can appear to be an almost impossible task.

As a result, organisations are sticking their heads in the sand and ignoring the issue. The problem is that it will not get any better and is likely to become more complex.

Data regulation: The varying cost of adherence

Organisations are struggling to determine how they can afford to implement the processes needed to ensure adherence. This cost comes in a variety of forms. Budgetary constraints in healthcare affect every area touched by regulation. Implementing new technology, or maintaining the legacy systems that must be brought into line with regulation, can be a costly but necessary step.

Equally, ‘time’ is a cost that most organisations struggle to accept. This is particularly the case within healthcare, which often lacks the internal resources to ensure adherence and cannot necessarily attract the required staff.

Remembering why data regulations are implemented in the first place

These logistical and financial costs make this seem too big a task for most organisations to even contemplate. Even for those attempting to adhere, the temptation to treat the road to compliance as a tick-box exercise is understandable. However, it is important to remember why regulations are introduced in the first place.

Regulations are designed and introduced to confront a particular need or threat that is impacting organisations and the public. Therefore, regarding them purely as a tick-box exercise to secure adherence means that companies are missing the point and putting data and customers at risk.

The tick-box route also means that once adherence is secured it tends to be forgotten about, thought of as a completed task, allowing the IT team and the company as a whole to take their ‘foot off the gas’. In reality, compliance has to be an ongoing process.

One just has to look at the recent headlines about the Synnovis ransomware attack on the NHS to see why it is so critical to have ongoing systems in place designed to keep data safe. With cybercriminals using increasingly sophisticated methods to gain access to data, including, in this case, going through a third-party supplier to circumvent front-line defences, the healthcare sector cannot afford to treat regulations as a tick-box exercise.

Current methods mean it is hard for the healthcare sector to ‘Excel’ at adherence

Alongside the ongoing process of data regulation adherence, organisations are also struggling with their current compliance tooling. Many are still using Excel forms which, whilst they record information, cannot be regarded as an effective method of ensuring ongoing adherence or data security. Equally, whilst Excel can serve as a risk register, it does not allow organisations to identify and then manage risk within the same solution, which rules it out as a holistic solution.

Data champions

At the heart of successful compliance are people. By using a company’s organisational design and working closely with employees, making them ‘Data Champions’, organisations can empower staff to take responsibility for adherence. Too often, those in the healthcare sector place the responsibility on one person or department to ensure compliance. However, Data Champions working in specific departments throughout an organisation can have a much better overview of where the risk lies and what needs to be implemented to close vulnerabilities.

Making compliance a part of everyday life, or as it’s sometimes known, ‘data protection by design and default’, means that it becomes a much more manageable task rather than a daunting one. Alongside this, implementing a solution that can manage the policies brought in to deal with data protection risks, and that records who owns each policy as well as, crucially, who has read and understood it, gives organisations a more accurate and comprehensive overview of where the company stands in terms of its adherence to regulation.

With Data Champions in place, implementing a solution that allows an overview on one dashboard of risks, reports, policies and adherence, all whilst keeping all staff members advised on what the latest threats look like and what their role is in ongoing compliance, is a logical next step. Education is a key element of adherence. Data Champions can speak to their specific teams to ensure that each member knows what risks impact their department, and so data protection by design and default naturally comes into being.

Regulations are not going away. In fact, the regulatory landscape for the healthcare sector is going to get more complicated and rigorous. Therefore, turning to affordable solutions that can help ensure compliance while empowering employees to take responsibility, keeping data safe, and allowing frontline services to continue is a sensible choice.
