Health IT administrators have had to balance conflicting priorities in recent months as internal stakeholders push for greater innovation and industry regulators issue new data compliance mandates. Although there is no one-size-fits-all approach for equitably allocating resources toward these two objectives, stronger enforcement of Health Insurance Portability and Accountability Act (HIPAA) rules has inspired a renewed emphasis on identifying and mitigating data security risks.
Protecting sensitive data has always been a leading priority among health IT professionals, but sometimes organizations need a little extra incentive to make room for risk management investments within strained budgets.
"Selling security is hard because it is not directly apparent to the business why it's valuable as opposed to something like an MRI machine," security consultant Ed Moyle noted in a recent interview with CRN. "It's all about spending priorities, but there needs to be a recognition that part of patient care is respecting the privacy of patient health data."
For better or worse, the millions of dollars in regulatory fines racked up by healthcare providers during the past six months have served as powerful reminders of where priorities should lie. Acknowledging the need for data compliance progress and forging it are two different things, however, and the latter demands a clear and nuanced plan of action.
Engineering strong data protection frameworks
It takes an intelligent pairing of policy and technology to address data compliance mandates and protect sensitive patient information in today's increasingly complex healthcare operating environments. To make this process a bit easier, IT staff can begin by identifying regulatory mandates and aligning internal expectations.
Employee education will be instrumental in this pursuit, according to Becker's Hospital Review, and should be extended all the way up into the boardroom. Without proper end user training, secure data exchange technologies are of limited value. And without executive buy-in, chances are internal governance will suffer.
Meeting internal and external data security demands requires continuous diligence as well, as simply "setting and forgetting" tools and policy will only postpone problems.
"[Healthcare providers should] conduct small but focused risk assessments rotating control review on a monthly basis to continually understand and measure risk," information security executive Chad Boeckman told Becker's. "Most importantly, have a plan to address the risk, through remediation, mitigation or risk transfer activities."
Finally, health IT staff must ensure best practices are extended to third-party partners in today's increasingly collaborative operating environments. Liability ultimately lies with original data owners, so diligently vetting contractors and effectively securing all communications is essential.