In today’s fast-moving, hyper-connected world, legal and compliance teams shield organizations from a constant stream of internal and external threats to sensitive data.
Effectively countering these threats requires more than simply erecting strong controls; it requires navigating the complex, shifting landscape of privacy and data protection laws.
Privacy and cybersecurity laws and regulations change constantly. Laws such as the Health Insurance Portability and Accountability Act (HIPAA) stringently control how organizations manage, store, use, and protect data within their scope. And literally every state has laws that may also bear on privacy, security, or both. Noncompliance can result in reputational harm, financial penalties and damages, or even long-term consent decrees.
Addressing these requirements requires people, process, and technology controls. But as good as process and technology get, humans remain the weakest link. I’ve seen seemingly small mistakes, such as leaving confidential documents on a printer or sending sensitive information to the wrong recipient, escalate into major compliance issues.
For instance, a pharmacy’s training video once inadvertently revealed sensitive health information – a patient’s name, prescription details, and medical diagnosis – leading to multiple federal investigations. While awful for the organization involved, this underscores a broader point: staff in every department must understand their role in protecting sensitive information.
Since legal and compliance teams can’t be everywhere, training is an essential tool. Regular, targeted training helps employees better understand their critical role in data protection and avoid potential lapses. Real-world examples like that pharmacy training video powerfully illustrate the importance of compliance.
Training must accompany and foster a culture of accountability and awareness. Employees should feel comfortable questioning the need for certain data and explaining how and why they follow established procedures when handling sensitive information. Organizations must also engage in cybersecurity tabletop exercises so everyone knows how to respond in an emergency, and hold regular data protection tests to help avoid one.
When incidents occur, a coordinated reactive strategy is as vital as proactive prevention. Legal and compliance teams must work closely with IT and security departments to deploy a swift, effective response, analyze breaches, determine cause and exposure, and identify and enact remediations. Post-incident reviews should focus on root cause analysis, letting organizations learn from mistakes and identify opportunities to improve.
Not every compliance risk or effort is internal. Data may flow between organizations in unseen virtual rivers. Therefore, it’s crucial to ensure that a company understands these data flows and that its vendors who receive information maintain high privacy and security standards for data in transit and at rest. Simple questions and processes can help unearth potential red flags.
For a vendor, such questions might include:
- Tell me about your privacy and cybersecurity teams. How many people are on these teams? What are their credentials and training?
- Can you share your incident response plan? Please provide a real-world example of the plan in action.
- What strategies do you employ to protect data and ensure it is used and disclosed properly?
- Can you share details about your access control measures?
- How do you train your teams?
- How do you test the effectiveness of your data protection measures?
As legal and compliance professionals, we champion privacy and cybersecurity in our organizations, but success requires a team effort. Building resilient, actionable frameworks that not only meet regulatory requirements but also instill trust, confidence, and reliability enables success.
Fortunately, with diligence, thoughtfulness, a culture of compliance, and strategic action, we can navigate this complex terrain, safeguarding our companies, colleagues, leaders, and partners.
This post appears through the MedCity Influencers program.