
Integris Software 2019 Healthcare Data Privacy Maturity Study · 2020-05-07 · software...

Date post: 25-Jun-2020

Integris Software 2019 Healthcare Data Privacy Maturity Study

Government mandates, data sharing agreements and spreadsheets sow confusion amid an avalanche of private data

1525 4th Avenue | 5th floor Seattle, WA 98101-1607 | +1 (206) 539-2145 | [email protected] integris.io


Integris Software 2019 Data Privacy Maturity Study | Copyright 2019 Integris Software, Inc.

Table of Contents

Executive Summary

Study Background and Methodology

Demographics

Firmographics

Data Privacy Management Budgets

Projects Impacted by Data Privacy Concerns

Data Sharing Agreements

Technical Data Privacy Maturity

Organizational Data Privacy Maturity

Regulatory Preparedness

Opinions on Federal Privacy Law, and Trust

About Integris Software


Executive Summary

Companies are being inundated with data. A single healthcare transaction may get replicated across a hundred data repositories. Healthcare companies are constantly consuming and sharing information to build better patient profiles and improve outcomes. In addition, as healthcare companies consolidate through mergers and acquisitions, they acquire unknown datasets and data transfer agreements with new business partners. In this environment, it’s no wonder that respondents’ data privacy programs scored much lower on technical maturity than on organizational maturity.

Key Findings:

Data privacy management overconfidence: 70% were Very or Extremely Confident in knowing exactly where sensitive data resides yet 50% of them update their inventory of personal data once a year or less; and a mere 17% of respondents are able to access sensitive data across five common data source types.

Data privacy impacts much more than regulatory compliance: Proving compliance with business obligations like data sharing agreements was cited by 67% of respondents. Enforcing internal data handling policies like classification and retention was cited 61% of the time. About a quarter of respondents cited the impact on M&A due diligence (28%) and the delivery of AI / ML projects (22%). About one third saw privacy concerns impacting data lake hygiene (35%).

The proliferation of data sharing agreements: In the wake of the misuse of data sharing agreements like the one between Facebook and Cambridge Analytica, enterprises seem to be more aware of such agreements. But data sharing agreements are nothing new to the healthcare industry. 50% of healthcare industry respondents had 50 or more of these data sharing agreements in place (20% more than the entire set of respondents). However, respondents reported being 61% more confident in their ability to be compliant compared to how they perceived their partners.

Data privacy management budgets reside in IT departments: 52% of data privacy budgets are concentrated in IT departments. Technology leaders are increasingly being tasked with operationalizing their companies’ data privacy management program. Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.


Study Background and Methodology

This study seeks to understand how mid to large-sized US enterprises manage data privacy within their organizations, as well as their future plans. In February 2019 a web survey was emailed to members of an exclusive community of top business executives and IT decision makers. 258 respondents completed the survey. This version of the study provides a deep dive into the healthcare industry cohort, which included 46 companies. However, each of the 258 respondents had to meet the following criteria:

• Reside in the USA

• At least “Somewhat Knowledgeable” on how data privacy and data security are managed at their current company

• Mid to senior level professionals and executives

• 500 employees or more (62.4% had over 5,000 employees)

• $25 million or more in annual revenue (69.38% had over $1 billion in annual revenue)

• Functional roles/areas had to be in IT, general management, or risk and compliance

Note: unless otherwise noted, N = 46

What is your personal level of knowledge on how data privacy and data security are managed at your current company?

• Extremely Knowledgeable (it’s part of my primary role): 26.09%

• Very Knowledgeable (it’s part of my role): 50.00%

• Somewhat Knowledgeable: 23.91%


Demographics

Respondents had to be, at a minimum, mid-level professionals.

Which one of these is the best fit to your current seniority level?

• C-Level Executives: 23.91%

• VP, SVP, EVP: 6.52%

• Director, Sr. Director: 23.91%

• Manager, Sr. Manager: 23.91%

• Senior Professional: 23.91%


Respondents came from three key areas of the business:

1. Information Technology/Engineering (67.39%),

2. General Management/Strategy (21.74%) and

3. Legal/Compliance/Risk Management (10.87%).

[Chart: "Which one of the following is the best fit to your functional area / department at your current company?" Information Technology / Engineering: 67.39%; General Management / Strategy: 21.74%; Legal / Compliance / Risk Management: 10.87%.]


Respondents saw themselves as taking on a range of roles, with most having multiple roles as part of their mandate.

Over a third of respondents claimed privacy management fell into their primary role.

[Chart: "Which of the following falls into your primary role? Please select all that apply." Categories: Digital Transformation, Privacy Management, InfoSec, Data Infrastructure, IT Operations, Software Development, Business Management, Legal, Risk and Compliance, Data Governance.]


Within their primary roles, most respondents had either primary/final decision-making authority, or were on the decision-making committee/had significant influence.

[Chart: "You’ve mentioned that the following are a part of your primary role. Please indicate your personal decision making involvement for each within your current company." Series: I am the primary / final decision maker; I’m on the decision-making committee or have significant influence; I have little or no influence. Categories: Risk and compliance, Legal, Business management, Software development, IT operations, Data infrastructure, InfoSec, Privacy management, Digital transformation, Data governance.]


Firmographics

Multiple departments impact decisions related to data privacy. Data privacy management is clearly a multidisciplinary endeavor.

Among healthcare industry respondents, data governance was cited the most often (66.67%) as having an impact on decisions related to data privacy, vs. 46.9% for all respondents. This is perhaps not surprising given the critical role data governance plays in healthcare information management: making sure that health information is accurate, private, and secure.

[Chart: "Which of the following roles / departments have an impact on decisions related to data privacy within your current company?" Categories: Digital Transformation, Privacy Management, InfoSec, Data Infrastructure, IT Operations, Software Development, Business Management, Legal, Risk and Compliance, Data Governance.]


Approximately how many full-time employees are employed by your company at all sites and locations? If unsure, please provide your best estimate.

• 13.04%: 250 to less than 1,000 employees

• 28.26%: 1,000 to less than 5,000 employees

• 58.70%: 5,000 employees or more

71.74% of firms had over 1,000 employees.


Data Privacy Management Budgets

Companies are dedicating serious resources to data privacy management. 77.50% had budgets dedicated to data privacy management.

Does your current company have a data privacy management budget?

• Yes: 77.50%

• No: 22.50%


Almost half (47.83%) of healthcare data privacy management budgets in 2018 were between $100K and $500K, which is a much higher concentration than the 32.43% concentration for all respondents.

This variance may be partly due to the fact that the healthcare industry has had to operationalize data privacy much earlier than other industries.

[Chart: "How much did you spend on data privacy management in 2018?" Note: This includes spend on people, technology, consulting, etc. Categories: Less than $100k, $100k to $500k, $500k to $1M, $1M to $2M, $2M to $5M, $5M or more.]


Over half (51.62%) of data privacy budgets are concentrated in IT departments (InfoSec, data infrastructure, IT operations, and software development). 29.03% of budgets are concentrated in legal, risk, and compliance departments. A mere 3.23% of data privacy budgets are concentrated in the privacy management department. In 6.45% of organizations, it’s not clearly defined.

Healthcare technology leaders are increasingly being tasked with operationalizing their data privacy management program. Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.

[Chart: "In which department does the majority of data privacy budget reside?" Categories: Other, It is not clearly defined, Digital Transformation, Privacy Management, InfoSec, Data Infrastructure, IT Operations, Software Development, Business Management, Legal, Risk and Compliance, Data Governance.]


[Chart: "What approximate spend changes do you foresee in 2019?" Categories: 1% to 25% decrease, 0% (no change), 1% to 25% increase, 25% to 50% increase, 50% to 75% increase, 75% to 100% increase, Over 100%.]

Unsurprisingly, most healthcare organizations (86.21%) are increasing their data privacy management budgets in 2019. Over a quarter (27.59%) of respondents are increasing their data privacy management budgets by 25% or more.


Projects impacted by Data Privacy

The regulatory environment continues to drive urgency around projects to prove regulatory compliance (76.09%), which includes responding to data subject access requests (58.70%), enforcing data retention and classification policies (60.87%), and responding rapidly to breaches (60.87%).

But data privacy impacts much more than regulatory compliance efforts. When done right, data privacy management supports the broader healthcare information management control framework: regulations, policies, and contracts. For example, proving compliance with business obligations like data sharing agreements was cited by 67.39% of respondents.

[Chart: "Which, if any, of your current company's projects are currently impacted by privacy concerns? Please select all that apply." Categories: Other (please specify), None of the above, Assessing risk in M&A transactions, Accelerating AI / ML projects, Scanning & tagging data flowing in and out of data lakes, Staying in compliance when migrating apps to the cloud, Responding rapidly to breaches, Enforcing data retention and classification policies, Responding to data subject access requests, Proving compliance with business obligations like data sharing agreements, Proving regulatory compliance.]


Data lakes ingest disparate pieces of patient data from a variety of sources. When combined, this data has the potential to reveal customer identities along with highly sensitive personal information. So, it’s no surprise that over a third of respondents (34.78%) cited the impact of privacy for projects that scan and tag data flowing in and out of data lakes.

As data is acquired through the M&A process, data lakes and other datasets can become contaminated with unexpected, inappropriate, or problematic data. Increasingly (28.26%), M&A due diligence includes the inspection of the data being acquired. This allows healthcare organizations to properly evaluate the risk prior to merging large datasets.

Finally, when data is locked down for fear of misuse, data scientists don’t get timely access to the streams and feeds they rely on for their machine learning models.

So, it’s no surprise that AI / ML projects were cited by over one in five respondents (21.74%).


Data Privacy Now Integral to Data Protection

[Diagram labels: Privacy (what data is important and why); Security (how those policies get enforced); Data Protection; Protected, Usable Data; Discovery & Classification, DSARs, Alerting; Contracts, Policies, Regulations; Encryption, Network Security, Access Control; Activity Monitoring, Breach Response, DLP/CASB.]

Forward-looking healthcare organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how.


Data Sharing Agreements

50% of respondents had 50 or more data sharing agreements in place. That’s a variance of 20% more than all respondents. This is probably due to the highly intertwined nature of the healthcare industry (EHRs, insurance, etc.).

[Chart: "How many data sharing agreements does your current company have where data is either entering or leaving your organization?" Categories: 50 or more, 10 to less than 50, Less than 10, None.]


Respondents were much more confident in their own ability to respect data sharing agreements than their partners’ ability to reciprocate in kind (there was a 60.91% increase in Very confident and Extremely confident levels in their own compliance efforts vs their partners).

[Chart: "How confident are you that your current company is using data in compliance with the terms of your data sharing agreements?" Categories: Extremely confident, Very confident, Somewhat confident, Not so confident, Not at all confident.]


There’s often a disconnect between what has been agreed to on paper by lawyers and what’s happening with the actual data, because the people who negotiate the contract differ from those shipping the data and/or there are no controls in place.

Also, the way contracts are written is not necessarily the way data is represented. The word "location" might appear in a contract, but the data set contains latitude and longitude values. Therefore, businesses must account for how data elements might be combined to fit the legal terms on their data sharing agreements.

[Chart: "How confident are you that your partners are using the data that you provide to them in compliance with your data sharing agreements?" Categories: Extremely confident, Very confident, Somewhat confident, Not so confident, Not at all confident.]


Data Privacy Management Technical Maturity

Surprisingly, none of the healthcare industry respondents expressed a lack of confidence in their company’s ability to define what is personal information. 32.61% said they were very confident and 34.78% said they were extremely confident.

[Chart: "How confident are you in your current company’s ability to accurately define what constitutes personal information?" Categories: I don't know, Not at all confident, Not so confident, Somewhat confident, Very confident, Extremely confident.]

Are respondents falling victim to overconfidence? Perhaps. Sensitive data has an evolving nature. What's considered a sensitive category or piece of data today may not be considered sensitive tomorrow, and vice versa.

Understanding derivative personal data is important, yet challenging. For example, notes on a patient’s diet can be used to infer religion.

Data flowing in and out of data lakes is also a blind spot for many respondents. Data lakes ingest disparate pieces of customer data from a variety of sources. When combined, this data has the potential to reveal customer identities along with highly sensitive personal information.


87% of the US population can be identified using only their Zip Code, Gender, and Birthdate. *

*Source: https://dataprivacylab.org/projects/identifiability/paper1.pdf


A single healthcare transaction may get replicated across a hundred data repositories. Healthcare companies are constantly consuming and sharing information to build better patient profiles and improve outcomes. In addition, as healthcare companies consolidate through mergers and acquisitions, they acquire unknown datasets and data transfer agreements with new business partners.

[Chart: "How many company data sources does your current company need to access to get a defensible picture of where all sensitive data resides?" Categories: 200 or more, 100 to less than 200, 50 to less than 100, 10 to less than 50, 1 to less than 10.]

In this environment it’s not surprising that over half (52.63%) of respondents said they needed to access 50 or more data sources to get a defensible picture of where their sensitive data resides.


Yet 50% of respondents take inventory of personal data less than once a year or in reaction to an audit.

[Chart: "How often do you update your inventory of personal data and where it resides?" Categories: Other, We don't take an inventory of personal data, If audited or in reaction to an event like GDPR, Once every 2 years, Once a year, Real-time.]


Continuous defensibility to meet compliance requirements boils down to doing two things well:

1. Understanding where sensitive data resides across all data source types.

2. Mapping data back to existing data handling obligations.

Point one was a mixed bag among survey respondents. Traditional data sources like relational databases are included in most (88.37%) data privacy initiatives. Cloud-based applications had good coverage (71.43%), as did unstructured data (66.67%). But data in motion appears to be the laggard at 50.78%.

Analyzed another way, an alarmingly low 17% of respondents were including all five data types in their company’s data privacy initiatives.

[Chart: "Which, if any, of the following data types are included in your current company’s data privacy initiatives?" Series: Accessible Today; Plan in place to access; No plan in place to access. Categories: Data in motion (data flowing into a data lake, out of a Hadoop cluster, etc.); Cloud-based Applications (Salesforce, Workday, etc.); Semistructured data (XML and JSON); Unstructured data (Google Drive, Email, etc.); Structured data (Oracle, SQL, etc.).]


The vendor landscape for discovering and tracking the location of personal information is crowded, diverse, and confusing for healthcare industry buyers. Despite lots of tooling, only 17% of respondents are currently incorporating all five data types in their data privacy initiatives.

With so many DLP and other IT security vendors claiming to solve for regulations like the California Consumer Privacy Act, it’s no wonder that respondents (90.48%) view these tools as helping them discover and track personal information. However, DLP is more about stopping insider threats and stopping end users from leaking out sensitive data (emailing it out).

63.41% of respondents reported using methods such as manually updated spreadsheets and surveys to track and inventory personal information while 62.50% rely on custom-written computer code.

[Chart: "What tools/software do you use to discover and track the location of personal information? Please select all that apply." Series: Currently Using; Planning to use; Not in use nor plan. Categories: Automated data discovery, Metadata management, Data loss prevention or other data security tools, Data governance, Data catalog, Automated survey and workflow, Homegrown scripts, All manual (e.g. surveys or spreadsheets).]


Surveys: Inaccurate and Time Consuming

Challenges

• Point in time

• Doesn’t scale

• Evolving definition of PI

• Streaming data is blind spot

[Diagram labels: Business Obligations (Regulations, Contracts, Internal); Structured Databases (Oracle, MSSQL, MySQL, DB2); Big Data (Hadoop, Snowflake); SaaS (Microsoft O365, Salesforce); Data-in-Motion (Kafka, Amazon Kinesis); Additional Sources (JDBC Connectors, RESTful APIs); Unstructured File Shares (Google Drive, Microsoft OneDrive).]


Data Privacy Management Organizational Maturity

Organizational maturity for data privacy management is higher and more consistent than technical maturity.

91.30% of respondents had a data privacy and awareness program in place.

Does your current company have a data privacy training and awareness program?

• Yes: 91.30%

• No: 8.70%


78.05% had a process in place to evaluate the sensitivity of different datasets.

Does your current company have a process in place to evaluate the sensitivity of different data sets?

• Yes: 78.05%

• No: 21.95%


And 97.62% have a process in place to identify and mitigate privacy risk.

Does your organization have a process in place to identify and mitigate privacy risk?

• Yes: 97.62%

• No: 2.38%


Organizations are also mature when it comes to handling customer consent, and communicating when things go wrong. 85% have policies, procedures, and mechanisms in place to track customer consent across channels.

Does your organization have policies, procedures, and mechanisms in place to track customer consent across channels?

• Yes: 85.00%

• No: 15.00%


Data Privacy Management Organizational Maturity

Yet when technology is reintroduced to the equation, numbers begin to drop. 60% have an automated way to discover whose data was breached. This is not surprising given the lower levels of data privacy technical maturity reviewed in the previous section.

Does your organization have an automated way to discover whose data was breached?

Yes: 60.00%
No: 40.00%


Data Privacy Team Size

An impressive 95.12% of respondents had data privacy teams in place, and over a quarter of respondents (26.83%) had data privacy teams of 25 or more.

How many employees are a part of your data privacy team? Note: Team can include full-time, part-time employees as well as consultants.

50 or more: 17.07%
25 to less than 50: 9.76%
10 to less than 25: 17.07%
5 to less than 10: 21.95%
3 to less than 5: 24.39%
Less than 3: 4.88%
We don't have a data privacy team: 4.88%


Data Privacy Management Organizational Maturity

Team Meeting Cadence

Almost a third of data privacy teams (28.27%) meet at least once a week. 41.46% admitted to meeting once a month or less. Infrequent collaboration could be a leading indicator of data privacy vulnerability, especially given that so many departments/roles have a stake in data privacy management.

[Bar chart: How often do team members meet to discuss data privacy? Response options: It is not fixed; Once a year; Once every 6 months; Once every quarter; Once a month; Once every 2 weeks; Once a week; More than once a week. Bar values shown: 8.80%, 14.63%, 26.83%, 14.63%, 19.51%, 9.76%.]


International Regulatory Preparedness

Healthcare companies were best prepared for GDPR with 35.14% scoring themselves as Fully Prepared. No one scored themselves as unprepared.

Respondents were fully prepared for GDPR at much higher rates than for the Australian (9.09%), Japanese (14.29%), and Chinese (14.29%) privacy laws. Levels of unpreparedness were also much higher for these laws.

How prepared are you for each of the following regulations?

China's Cyber Security Law: Fully Prepared 14.29%, Well Prepared 35.71%, Basic Only 35.71%, Unprepared 14.29%
Japan's Personal…: Fully Prepared 14.29%, Well Prepared 35.71%, Basic Only 28.57%, Unprepared 21.43%
Australia's Privacy Act: Fully Prepared 9.09%, Well Prepared 36.36%, Basic Only 36.36%, Unprepared 18.18%
General Data Protection: Fully Prepared 35.14%, Well Prepared 48.65%, Basic Only 16.22%, Unprepared 0.00%


Domestic Regulatory Preparedness

Respondents appear to be behind when it comes to domestic regulatory preparedness. Only 16% said they were fully prepared for the California Consumer Privacy Act.

How prepared are you for each of the following regulations?

Colorado's Consumer Data: Fully Prepared 10.53%, Well Prepared 47.37%, Basic Only 36.84%, Unprepared 5.26%
California Consumer: Fully Prepared 16.00%, Well Prepared 48.00%, Basic Only 36.00%, Unprepared 0.00%
New York State Department: Fully Prepared 9.52%, Well Prepared 52.38%, Basic Only 28.57%, Unprepared 9.52%


Perspectives

78.26% thought there should be a federal privacy law.

Do you think there should be a federal privacy law in the United States?

Yes: 78.26%
No: 6.52%
Unsure: 15.22%


Perspectives

80.43% of respondents thought businesses risk losing customers due to inadequate data privacy practices.

Do you think that businesses risk losing customers due to inadequate data privacy practices?

Yes: 80.43%
No: 15.22%
Unsure: 4.35%


Perspectives

And well over half (58.70%) thought that employers risk losing employees due to inadequate data privacy practices.

Do you think that employers risk losing employees due to inadequate data privacy practices?

Yes: 58.70%
No: 23.91%
Unsure: 17.39%


About Integris Software

Integris Software, the global leader in data privacy automation, helps enterprises discover and control the use of sensitive data in a way that protects privacy and fuels innovation. Regulations like GDPR and the California Consumer Privacy Act (CCPA) are triggering knee-jerk reactions as companies lock down their data for fear of misuse. Integris empowers security, privacy, and data governance leaders to make fact-based decisions about the use and transfer of customer data.

By working securely, at scale, no matter where data resides, Integris provides customers with an accurate and continuous picture of their data privacy landscape. With Integris, there is finally a way to use your data without fear.

For more information on Integris, visit www.integris.io or follow @Integrisio on Twitter.

1525 4th Avenue | 5th floor Seattle, WA | 98101-1607

+1 (206) 539-2145
