Healthcare and Life Sciences: how to 'shift left' in privacy
Life Sciences and healthcare organisations are neglecting their own privacy check-ups
Wendy Spires, Privacy Lead, European Privacy Solutions at Trace, a Datavant company, takes a look at new research diagnosing a critical weakness in the data privacy practices of life sciences and healthcare organisations.
Lifesciences and healthcare organisations (should) need no reminder that they are dealing with what is inarguably the most precious personal data of all. Health data is as valuable to bad actors as it is intimate to the individual. As upsetting and inconvenient as a breach of other sensitive data, like your payment card details, might be, this is not remotely comparable to finding out that information like your medical history, test results or - heaven forbid – your genomic data is ‘out there’ and being used for who knows what.
It is concerning then that, as a whole, life sciences and healthcare organisations appear to be trailing other sectors in proactive privacy governance, according to the IAPP’s 2024 global report on the topic (see the IAPP Privacy Governance Report 2024 landing page here). Although overall 42% of respondents are now carrying out enterprise- or business unit-wide privacy compliance assessments at least annually, only 34% of life sciences and healthcare organisations could say the same. The banking, telecoms, and even the retail services and goods sectors were far ahead of those dealing with precious health data, at 53%, 46% and 44% respectively.
Top-down risk management
As the IAPP rightly notes, regular enterprise- or business unit-wide privacy compliance assessments are invaluable in supporting an organisation’s ability to identify, assess and manage privacy risks in a top-down manner. Despite this, a full 20% of life sciences and healthcare organisations are only carrying out such exercises on an ad hoc basis, in response to a data breach, an unfavourable audit finding or a significant regulatory change.
As a team dedicated to proactive privacy risk management for high-value data, we would submit that this approach is entirely the wrong way around. The value of broad-based privacy compliance assessments is to be forewarned – and forearmed. Coupled with other strands of proactive privacy governance, such as horizon-scanning for regulatory change, stress-testing of information security and checks to ensure that data protection practice really is aligned with policy, life sciences and healthcare organisations can get ahead of risks, rather than just react to them. Being at the cutting edge of science but even slightly on the back foot when it comes to your legal and ethical obligations is going to feel uncomfortable and should not be countenanced by any reputable data controller or processor in this space.
Given the stakes, risk mitigation is (or very much should be) a top concern for organisations dealing with health data, since compliance violations incur top-tier fines, not to mention the hugely negative reputational impacts that arise from breaches of such sensitive data. Trust is foundational to the sector, and once it is gone, it really is gone; who would participate in a clinical trial, choose a healthcare provider or link up to a system which provably can’t keep their most private information safe?
The opportunity within growing threats
And the threat posed by cyberattacks and poor data practices just keeps growing. Since the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) started publishing summaries of healthcare data breaches in 2009, figures have become increasingly scary year on year: in 2023, 720 data breaches of 500 or more records were reported to the OCR, representing 133 million health data records that were exposed or disclosed in improper ways. Headline-grabbing, hugely embarrassing health data breaches happen with similarly disturbing frequency all around the world.
Against this backdrop, there is a massive opportunity for life sciences and healthcare organisations to differentiate themselves on the basis of leading privacy practices, transparency and the vital trust around data use this creates. The broad sector is becoming an increasingly crowded field, fuelled by the growth of challengers to the life sciences powerhouses, and the emergence of entirely new healthtechs focused on telemedicine, wearables, connected healthcare devices, medical apps and digital health systems (as we recently wrote about here). Individuals are going to be ever more empowered by having real choice over which organisations they elect to entrust their health data to, and correspondingly ever more impatient with those which don’t show them the respect they deserve. Scientific success alone is not enough; a conspicuous commitment to always doing the right thing when it comes to individuals’ health data is the only way to build and sustain a strong brand in today’s world.
Looking ahead, the value of having – and maintaining - a clean bill of data privacy health is difficult to overestimate. The laggards in life sciences and healthcare should be implementing broad-based compliance check-ups at least annually without delay. The prognosis is truly poor for those which don’t.
The consultancy offering from Datavant’s European Privacy Solutions team flexes to suit your needs, from privacy governance ‘sprints’ for start-ups/scale-ups to project-specific and ongoing support. Read our case studies to find out more about our NHS-linked clients, or message me directly via LinkedIn to discover how you can unlock the maximise the potential of health data in a compliant and ethical way.
This article was authored by Wendy Spires, CIPP/E. This article should not be taken as legal advice
Trace footer
Our consultancy offers flexes to suit your needs, from privacy governance ‘sprints’ for start-ups/scale-ups to project-specific and ongoing support. Read our case studies to find out more about our NHS-linked clients, or get in touch to discover how you can unlock the maximise the potential of health data in a compliant and ethical way.
This article was authored by Wendy Spires, CIPP/E. This article should not be taken as legal advice. Trace is now a Datavant company.