Lessons for Healthcare from Finance About Data Governance

In the age of data breaches, bad actors have taken aim at their latest target: the healthcare industry. In fact, more than 590 organizations reported healthcare data breaches tothe US Department of Health and Human Services in 2022, impacting more than 48 million people. 

The streak doesn’t seem to be slowing down in 2023. In fact, nearly 300 healthcare data breacheswere under investigation for data breaches in just the first five months of 2023, resulting in more than 36 million exposed healthcare records. With sensitive patient, provider, agent, and payment data on the line, it’s critical that those in the healthcare industry take advanced steps today to help ensure they’re properly protected against the unexpected tomorrow, or risk suffering the financial and reputational consequences. 

Thankfully, in the pursuit of data security, healthcare companies can take solace in the fact that they aren’t alone. In fact, long before healthcare became a key target for cyberattacks, the financial services industry was the primary focus for large-scale data breaches. That required financial companies to think critically about how to strengthen any security vulnerabilities before it was too late. As a result, the financial services space has in many ways paved a path to data protection that has since served as a model for other industries to follow.  

Below, are three key insights that healthcare companies can glean from the financial services industry in order to bolster their data security practices both now and in the future:

1. Treat patient data like financial data

For years, financial services data has been held to the highest degree of regulatory scrutiny. Just consider the countless government directives, as well as regulatory agencies, that have been created for the purpose of ensuring compliance with the latest financial data security policies. Examples include the Payment Card Industry Data Security Standard (PCI-DSS) and the Payment Services Directive Two (PSD2), as well as regulatory agencies such as the New York State Department of Financial Services and The Consumer Financial Protection Bureau, which have been created for the purpose of ensuring compliance with the latest financial data security policies.  

While healthcare data regulations aren’t as rigorous as in financial services, it’s still important that healthcare companies operate with similar stakes. Consider that 75% of the world’s population isanticipated to be under global privacy laws by the close of 2023. With that in mind, healthcare companies should continually “stress test” their cybersecurity practices to ensure compliance with ever-changing government regulations. By treating patient data with the same urgency and scrutiny as financial data, healthcare companies can “de-risk” their platforms and implement ironclad data protections that make security a top priority.    

2. Give more power to your information security organization

After years of cyber-threats and ransomware attacks, financial services companies have come to an important realization about the role of information security within their organizations, most notably: Make sure they have a seat at the table. In fact, today, many financial services companies empower their information security leaders to participate in even the highest levels of strategic discussion -- allowing them to dictate how company data will be used from the top down.

For healthcare companies, giving their information security organization a similar voice will be of paramount importance -- ensuring that the most sensitive data is protected at all levels of the organization. Particularly at a time when providers are increasingly sharing patient information with third-party vendors for analysis, information security oversight will only become more important as data increasingly moves between devices -- providing cybersecurity at every step of the way.   

3. Break down silos and share best practices.

As today’s cybersecurity landscape continues to evolve, so does the elusivity and omnipresence of cyberattacks. To keep up with this rapid pace of change, healthcare companies must be willing to break down silos that have long existed within the healthcare community in order to exchange best practices and navigate new frontiers in data protection.  

For years, companies within the financial industry have been coming together for this very reason. In fact, first established in 2006, the Payment Card Industry (PCI) Security Standards Council (SSC) was founded in order to create global cybersecurity collaboration for payment security. In doing so, PCI SCC members have been able to better protect themselves against cyber threats by setting consistent compliance requirements that align with the most up-to-date guidance. In taking a page from this book, healthcare companies can similarly join forces and reimagine their existing data security practices and policies, using all the tools at their disposal in order to triage any red flags before they escalate into a full-blown crisis. 

Final Thoughts

For healthcare companies today, no longer is it a question of if you will fall victim to a data breach, but when. To prepare for this clear and present reality, business leaders should act with the utmost urgency and diligence to update their existing security networks to meet the needs of this new normal. By taking a page from the financial services industry’s playbook, healthcare organizations can take compliance and security practices into their own hands, empowering healthcare companies to see around corners and ensure they’re protected for years to come.