Data Risk Management Best Practices for Healthcare
Adam Winston, WatchGuard field CTO, says policies that govern the use of AI applications need to be implemented internally within organizations.
“General-purpose tools employed by end users should not be used to process or upload protected health information or intellectual property; instead, look for purpose-built products that adhere to the HIPAA rules or are targeted for automating some of these tasks,” he says.
Jackson says organizations should start by classifying and mapping their data: “If you don’t know what you have or where it resides, you’re operating blind.”
“From there, embed privacy and security — such as endpoint protection and extended detection and response — into your systems from the start, not as an afterthought,” he says.
Regular risk assessments, strong access controls, encryption and continuous staff awareness training (not once a year) should be standard practice.
“These aren’t optional; they should be considered mandatory for protecting sensitive health data and are key elements of security management,” Jackson says.
Aligning Risk Management With Innovation and Compliance
From Murphy’s perspective, the benefits of AI ingenuity and adoption in the healthcare industry appear to outweigh the risks.
“I’m extremely encouraged by the innovation happening within my healthcare client segment, including research hospitals and university-affiliated hospitals,” she says. “These institutions are not being cavalier about their adoption, but they are being incredibly aggressive.”
Operationally, and from a cybersecurity standpoint, full-lifecycle data security posture management drives two positive outcomes: reduced breach potential and smoother AI experiences.
“Risk management is a proactive strategy, and proactivity maintains an ability to stay on the bleeding edge,” Murphy says. “It’s a philosophical strategy that can extend to your security and compliance practice from your innovation practice.”
In this way, she says, security is a massive enabler of innovation, allowing organizations to move quickly and safely, with less technical debt.
Jackson adds that when risk frameworks are integrated early in the design and development phases, they support faster, more secure innovation.
“Compliance becomes a natural outcome, not a last-minute scramble, which reduces longer-term headaches and challenges,” he says. “The goal should always be security, risk management and compliance all working together seamlessly, not as separate operations.”
