The volume of data sloshing around medical practices grows every day, creating an ever-growing reservoir of information that also expands the surface for potential cyberattacks, says Matthew Bernstein, information governance strategist at consulting firm Bernstein Data.
Information governance is frequently limited to data within the electronic medical records system of a hospital or other healthcare entity.
But electronic medical records aren’t the only place for protected health information regulated under HIPAA.
“We find that PHI is also pervasively in other systems, including file shares, email – in records of all divisions, particularly finance, procurement, and others,” he says. Those responsible for information governance within hospitals often do not realize that PHI has “escaped” the EMR systems, he says in an interview with Information Security Media Group.
In other cases, information governance ownership is “fragmented” at healthcare entities, as well as at organizations in other industries, he says.
“There’s often not a person bringing this all together across the enterprise saying … ‘this is what we need to retain,’” in consideration of privacy issues and applicable laws, he says.
Enterprises often hold onto data merely out of an expectation that one day it might be valuable. “Storage is cheap and no one has a retention schedule that covers the enterprise,” he says.
“No one gets rid of it. So, the legacy data that might get exposed in a cyber incident just grows and grows.”
In the interview, Bernstein also discusses:
- The security risks involving patient PHI and other sensitive information contained in email;
- Steps to better protect and manage various types of legacy data from potential compromises;
- Why many CISOs “by default” often end up responsible for information governance duties at their organizations.
Bernstein, who is founder and information governance strategist at consulting firm Bernstein Data, led information management practices in various global financial services businesses at Deutsche Bank for more than 20 years. Before launching Bernstein Data he was head of group information and records management at Deutsche Bank, with global responsibility for records management, archiving, and eDiscovery operations.