Healthcare technology companies face unique challenges as they prepare to bring new products to market, not least the maelstrom of complexity surrounding security and compliance. Speed to market is a top priority for new releases, but a do-it-yourself approach to security and compliance can create major roadblocks that turn a clear path into a congested one. Here are the top security and compliance obstacles DIYers may face.
The Data Blob
Data has run amok! It has become increasingly difficult for the DIYer to manage the overwhelming, ever-proliferating volume and variety of data that healthcare technology companies produce daily. Ironically, as the growing number of operating systems, data warehouses, personally owned devices, and enterprise and mobile applications lets data spread ever more freely, knowledge of where that data actually lives shrinks. The tragic truth is that if you don't know where your data is, you can't protect it, and that blind spot may invite the hacker horde to your door, imperiling your speed to market.
Small Budget—Big Responsibility
A compliance staff can be costly. Wrestling with squeezed margins in healthcare, managers must stretch existing resources to keep pace with unrelenting regulatory change, new regulatory expectations and increasing liability. Will a high-priority need, like speed-to-market momentum, get the attention it deserves when the IT staff must spend a disproportionate amount of their time assuring compliance?
What We Do in the Shadow IT
Employees are adopting more and more technologies without telling their IT teams. The good news about this unauthorized, shadow IT is that most users adopt these devices and services to improve their productivity, which can be a boon to speed to market. The downside: because IT does not know about them, they sit outside patching, monitoring and data-handling controls, which leaves them more exposed to data loss, data breaches, inefficiencies and cybersecurity risks, all of which can impact speed to market.
Where the Shared Responsibility Buck Stops
If you have recently migrated your workflows to a public cloud, storing that data compliantly is not automatically the vendor's responsibility; how much the vendor covers depends heavily on the individual cloud service you are using.
Making sure cloud vendors meet current standards must be part of your due diligence process.
You have not fully delegated compliance concerns to your vendor, and in many ways you are still going it alone. Legally, your company remains responsible for the security of your data in the cloud. Public cloud services can offer compliance and security features, but it is still your data and your duty. A Business Associate Agreement (BAA) makes the provider legally accountable for the parts of the service it controls; it does not transfer your obligations for how you configure and use that service.
Misconfiguration: Much Worry, Little Action
Concern about misconfiguration runs high, but few organizations continuously monitor misconfiguration alerts.
Leaving a storage bucket open to the public or leaving a default password in place are the everyday configuration mistakes that expose healthcare technology companies to data security risks. The downstream effect of this kind of human error is, once again, increased vulnerability. Misconfiguration means data exposure, and that will clog any product pipeline.
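The two everyday mistakes above, an exposed bucket and a default password, are exactly the kind of thing a continuous check should catch rather than a quarterly audit. The following is an added example written for this page, not code from the original post or from any vendor: it inspects a bucket policy document in the AWS S3 policy format and flags statements that let any caller read objects, and it refuses a credential pair that appears on a default-password list. The bucket name phi-exports, the account ID, the IP range and the short default-credential list are all constructed for illustration.

```python
"""Misconfiguration checks: public-read bucket policies and default credentials.

Added example, not code from the original post. The policies, bucket name,
account ID and credential list below are constructed for illustration.
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed stand-in for a real default-credential corpus: (username, password).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("postgres", "postgres"),
}

# Actions that let a caller fetch objects or enumerate them (lower-cased for matching).
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """Both "*" and {"AWS": "*"} mean any caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_read(actions) -> bool:
    """Action names are case-insensitive and may carry wildcards ("s3:Get*", "*")."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatchcase(read, pat) for read in READ_ACTIONS for pat in patterns)


def public_read_statements(policy_json: str) -> Dict[str, List[str]]:
    """Return statement Sids (or positions) that let anyone read the bucket.

    "public": Effect Allow, wildcard principal, a read action and no Condition.
    "conditioned": the same but with a Condition narrowing callers; it still
    needs a human look, because conditions such as aws:SourceIp are easy to get wrong.
    """
    policy = json.loads(policy_json)
    result: Dict[str, List[str]] = {"public": [], "conditioned": []}
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        result["conditioned" if stmt.get("Condition") else "public"].append(sid)
    return result


def uses_default_credentials(username: str, password: str) -> bool:
    """True when the pair is on the default list (username compared case-insensitively)."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


# Constructed sample policies for a hypothetical bucket named "phi-exports".
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::phi-exports/*",
    }],
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-app"},
        "Action": "s3:Get*",
        "Resource": "arn:aws:s3:::phi-exports/*",
    }],
})

OFFICE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::phi-exports/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("locked", LOCKED_POLICY), ("office-only", OFFICE_ONLY_POLICY)]:
        print(name, public_read_statements(policy))
    print("default creds:", uses_default_credentials("Admin", "admin"))
```

Run this against every bucket policy on a schedule, not once at launch: the open policy is reported as public, the role-scoped one is silent, and the IP-conditioned one is reported separately so a person decides whether that range really is the office. The credential check belongs in the provisioning path, so that a default pair is rejected before it ever reaches a login form.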
Forget hackers for a moment. What about collective self-sabotage? If a healthcare technology company is tethered to antiquated legacy systems, capital expenses and the time sink of maintaining infrastructure, it isn't sowing the seeds for accelerated growth. It's pouring speed bumps at best, or blowing up the upcoming bridge, at worst. Compliance is about scaling as well: controls that scale with the business keep security intact as it grows, and that helps protect companies from monetary damage, whether from the ransom demands of the criminal underworld or the steep fines of regulators. Either way, having the agility to scale your business quickly and easily can help speed your time to market.
Iffy Identity Management
Identity management is often put on the back burner as rapidly advancing companies race to market. The rules governing user access are often maligned as impediments to day-to-day processes. Actually, the opposite can be true.
Sloppy identity management, most often around offboarding employees and contractors, can leave critical data exposed and heighten the risk of unauthorized access.
If this compromises the security of the networks and information systems, speed-to-market, along with everything else, may grind to a halt. Now that’s an impediment.
Employees' roles change over time, and in tech start-ups responsibilities can shift as often as the company's objectives. Management often gives short shrift to changing job responsibilities and exit management, and to the access removal that must accompany both. Like careless identity management generally, this can lead to a compromise of security and interference with the company's larger goals.
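The failure modes in the two passages above, accounts that outlive their owner's employment and accounts that keep the groups of a previous role, are both found by the same periodic reconciliation: compare the identity store against the HR roster and a role-to-group policy. The following is an added example written for this page, not code from the original post or from any identity product. The roster, the accounts, the role-to-group mapping and the dates are all constructed for illustration.

```python
"""Access review: reconcile an identity store against the HR roster.

Added example, not code from the original post. The roster, accounts,
role-to-group mapping and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed policy: the only groups each job role is allowed to hold.
ROLE_GROUPS: Dict[str, FrozenSet[str]] = {
    "engineer": frozenset({"dev", "vpn"}),
    "clinical-analyst": frozenset({"phi-readonly", "vpn"}),
    "finance": frozenset({"billing", "vpn"}),
}


@dataclass(frozen=True)
class Person:
    """One HR roster entry."""
    employee_id: str
    role: str
    active: bool
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    """One account in the identity store; employee_id is None when no owner is recorded."""
    username: str
    employee_id: Optional[str]
    groups: FrozenSet[str]
    last_login: Optional[date]


Finding = Tuple[str, str, str]  # (username, category, recommended action)


def review_access(people: List[Person], accounts: List[Account], today: date,
                  dormant_days: int = 90) -> List[Finding]:
    """Flag accounts whose access no longer matches an active role.

    Categories: orphaned (no roster owner), terminated (owner has left),
    excess-groups (groups beyond the owner's role), dormant (no recent login).
    A terminated or orphaned owner is reported once and the account is not
    examined further, since the whole account should be disabled.
    """
    roster = {p.employee_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        owner = roster.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings.append((acct.username, "orphaned", "no roster owner; disable and assign an owner"))
            continue
        if not owner.active or (owner.end_date is not None and owner.end_date <= today):
            findings.append((acct.username, "terminated", "owner is no longer active; disable now"))
            continue
        extra = acct.groups - ROLE_GROUPS.get(owner.role, frozenset())
        if extra:
            findings.append((acct.username, "excess-groups", "remove " + ", ".join(sorted(extra))))
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append((acct.username, "dormant", f"no login in {dormant_days} days; disable pending review"))
    return findings


# Constructed sample data. Carol moved from engineering to finance but kept "dev";
# Bob left on 30 April but his account still works; svc-etl has no recorded owner.
TODAY = date(2024, 6, 1)
PEOPLE = [
    Person("E100", "engineer", True),
    Person("E200", "clinical-analyst", False, date(2024, 4, 30)),
    Person("E300", "finance", True),
    Person("E400", "engineer", True),
]
ACCOUNTS = [
    Account("alice", "E100", frozenset({"dev", "vpn"}), date(2024, 5, 30)),
    Account("bob", "E200", frozenset({"phi-readonly", "vpn"}), date(2024, 5, 28)),
    Account("carol", "E300", frozenset({"dev", "billing", "vpn"}), date(2024, 5, 31)),
    Account("svc-etl", None, frozenset({"phi-readonly"}), date(2024, 1, 2)),
    Account("erin", "E400", frozenset({"vpn"}), date(2024, 1, 15)),
]


def run_sample() -> List[Finding]:
    """Run the review over the constructed data."""
    return review_access(PEOPLE, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, category, action in run_sample():
        print(f"{username:8} {category:14} {action}")
```

The point of the example is the order of checks: ownership and employment status come first, because an account with no active owner should be disabled whatever groups it holds, and only accounts with a live owner are then compared against the role policy and the dormancy window. Note that Bob logged in after his end date; a review that only looks at activity would have missed him.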
Regulation’s Pace Race
While increased data protection legislation for consumers is beneficial, its introduction has expanded the workload for healthcare technology companies and the enormous universe of data they constantly collect. And it's not slowing down. Europe's General Data Protection Regulation (GDPR) has set off a snowball of similar laws across the Asia/Pacific region. And who gets planted in the face with that snowball? Internal IT departments, which are increasingly overwhelmed as they try to keep up on their own. The result is a heightened risk of fines, legal action and damage to your company's reputation, all of which distract from growth and innovation goals.
Extracting Value from What You Download
A big challenge for an internal staff is making optimal use of big data while keeping that data adequately protected and compliant. Effective PHI security and compliance is essential, but it is an ancillary goal. Compliance builds the launchpad that lets data rocket toward its primary goal: providing actionable insights that propel the enterprise forward.
An Emersonian sense of self-reliance is an admirable trait, but when it comes to the intricate and ever-shifting realm of risk and compliance, healthcare technology companies should consider a different path. The effects of non-compliance can be grave and arrive without warning. Companies that treat security and compliance as an afterthought, or worse, as a hindrance to innovation and convenience, will be surprised at how that underestimation creates problems of a higher order of magnitude, problems that can jeopardize the company's future.
What competitiveness-crushing effects could an adverse event create? The abyss is the limit. Infrastructure held hostage. Work stoppages. Service disruptions. Production delays due to lengthy investigations. Regulatory moratoriums. The attrition of key staff. Adverse media attention. The erosion of consumer loyalty.
Or you could make security and compliance a priority by working with a healthcare-dedicated cloud provider to streamline and monitor these concerns. With the right partnership, you can avoid the repercussions of a mishap while discovering your pipeline to the marketplace can flow faster than you ever expected.