Customer data privacy management is essential in all business sectors, not only from a legal perspective, but as part of the customer experience. Customers trust organizations and service providers with their information and personal data.
Any organization that fails to provide reasonable and adequate safeguards for personal information is in breach of what both customers and legislation expect.
In 2019, Equifax agreed to a settlement of up to $700 million to resolve a nationwide class-action lawsuit and regulatory claims over its failure to protect customer data. The same year, Facebook, now Meta, was hit with a $5 billion penalty from the FTC, plus another $100 million from the SEC.
In Europe too, Facebook and other companies are paying massive fines for failing to adhere to GDPR, the EU's privacy law, which allows penalties of up to 4% of global annual turnover or 20 million euros, whichever is higher. Worldwide, governments, data protection and consumer watchdogs, and consumers themselves have no patience with companies that can't safeguard personal data.
Why Customer Data Privacy Management and Protection is Essential
Over the last 10 years, consumer data protections have become stronger. Governments and regulators have caught up with the Internet's fast-paced advances.
Every year, hackers and cyber criminals steal data from thousands of companies of every size, taking customer data and sensitive information belonging to hundreds of millions of people. Governments are targets too, often of hostile foreign states.
Healthcare organizations are equally attractive targets for cyber criminals, especially because so many depend on multiple layers of software vendors: every vendor relationship adds systems, credentials, and integrations that widen the attack surface beyond what the organization controls directly.
Healthcare organizations have a legal responsibility to adhere to multiple data protection laws. In the US, healthcare providers must comply with HIPAA (Health Insurance Portability and Accountability Act) and, where they handle California residents' personal information that falls outside HIPAA's scope, with the California Consumer Privacy Act (CCPA). Further federal legislation may follow: the Data Care Act has been reintroduced in the US Senate and could pass in a future session.
However, it's a good idea to use HIPAA security levels for any business. Download our whitepaper discussing why HIPAA compliance should be applied to other industries.
In Europe and the UK, healthcare providers need to comply with the General Data Protection Regulation (GDPR) and its UK equivalent. GDPR applies to anyone processing the personal data of people in the EU, so even an organization based elsewhere must comply if it holds or processes such data.
Failure to comply with this legislation — especially if you suffer a data breach — could result in fines, reputational damage, and losing the trust of customers, patients, shareholders, and stakeholders.
Protecting customer data is essential, and here are seven ways healthcare providers and other sectors can ensure their chosen software safeguards customer data.
7 Data Privacy Solutions Towards Ensuring Your Software Safeguards Customer Data
Test for Security Vulnerabilities
According to surveys by TRUSTe and the National Cyber Security Alliance, 89% of customers "avoid companies they believe do not properly protect their privacy."
Do you want to lose customers and patients to other providers?
One cyber attack could seriously undermine your organization's reputation, reduce revenue, and leave you open to class-action lawsuits and regulatory fines. Cyber security is something every organization needs to take seriously.
One way to reduce the risk of a cyber attack is to test for security vulnerabilities before an attacker finds them. In other words, don't sit and wait for a cyber attack. Work with IT and cyber security specialists to test your IT and software systems for vulnerabilities.
IT security specialists can perform penetration tests: authorized testers look for weaknesses and try to get into your systems. If they can, how far do they get, and can they reach customer and other sensitive data?
Once you know how weak or strong your IT security is, IT teams and software vendors can fix the findings, put preventative safeguards in place, and retest to confirm the fixes hold. Below are more actions that IT, data security teams, and software vendors can implement to safeguard customer data and your organization.
Get HIPAA and other Certifications, and Make Sure to Tell Customers
HIPAA (Health Insurance Portability and Accountability Act) compliance is something every healthcare organization and vendor must be able to demonstrate. Note that there is no government-issued HIPAA certification: what vendors describe as certification is an independent third-party assessment against the HIPAA Privacy and Security Rules, so ask what was assessed, by whom, and when. Any organization, healthcare or not, can keep ahead of the competition and build the trust of its customers by applying the same guidelines to keep its data and customer information safe and confidential.
For example, Giva's cloud-based SaaS software is compliant with the following data protection legislation:
- HIPAA (Health Insurance Portability and Accountability Act)
- HITECH (Health Information Technology for Economic and Clinical Health Act of 2009)
- GDPR (General Data Protection Regulation)
- EU-U.S. Privacy Shield Framework (aligning with the U.S. Department of Commerce and European Commission; note that the Court of Justice of the EU invalidated Privacy Shield as a transfer mechanism in July 2020, and it has since been succeeded by the EU-U.S. Data Privacy Framework, so check which mechanism a vendor currently relies on)
- SSAE 18 SOC 2 Type 2 report (an independent auditor's attestation that the SOC 2 controls operated effectively over the review period, not just that they were designed)
- Payment Card Industry Data Security Standards (PCI-DSS), for payments
- Data security at the same level as FedRAMP and StateRAMP compliance
- Plus 24/7 physical security for data centers, annual third-party penetration tests, use of secure VPNs, and numerous other security measures
We feel these safeguards are the minimum that customers of any software vendor should expect, especially healthcare providers having patient data to protect. Always review any certifications a software company has before working with them.
At the same time, review your own certifications and aim to plug any gaps. Your customers will appreciate the extra effort taken, and your bottom line will be safeguarded when customer data is more secure.
Limit Customer Data Intake
Do you know what data you actually need to collect?
It is worth taking time to review the data you've been collecting and assess whether each data point is necessary. You might find you don't need everything you ask for. Limiting the data coming in makes it easier to protect what you keep, especially payment and insurance information.
Classify what remains, and give the most sensitive data stronger controls: field-level encryption with separately managed keys, tighter access rights, and more thorough logging. Then, if the systems of you or your vendor are breached, an attacker who gets at the bulk of the data still has less chance of reaching the most sensitive records.
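As an added example (not Giva's code or part of the original article), the Go program below puts the two ideas above into working code: an intake allowlist that discards fields the form does not need, and field-level AES-256-GCM encryption for the fields classified as sensitive, with the field name bound in as associated data so a ciphertext copied from one column cannot be decrypted as another. The field names, their classifications and the key handling are assumptions for illustration; in production the key would come from a KMS or HSM rather than being generated in-process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Class says how an allowed intake field is treated once it arrives.
type Class int

const (
	Plain     Class = iota // stored as submitted
	Sensitive              // stored only under field-level encryption
)

// IntakeSchema is the allowlist. Field names and classes are illustrative
// assumptions; anything a form submits that is not listed here is dropped.
var IntakeSchema = map[string]Class{
	"email":            Plain,
	"card_last4":       Plain,
	"card_number":      Sensitive,
	"insurance_policy": Sensitive,
}

// FieldVault encrypts single values with AES-256-GCM. The field name is
// passed as associated data, so a ciphertext lifted from one column
// cannot be decrypted as if it belonged to another.
type FieldVault struct{ aead cipher.AEAD }

func NewFieldVault(key []byte) (*FieldVault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldVault{aead: aead}, nil
}

// Seal returns base64(nonce || ciphertext || tag) for one field value.
func (v *FieldVault) Seal(field, value string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it fails if the field name or ciphertext was altered.
func (v *FieldVault) Open(field, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(ct) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, ct[:n], ct[n:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Intake applies the allowlist, encrypts Sensitive fields and reports which
// submitted fields were discarded so the form itself can be trimmed.
func Intake(v *FieldVault, submitted map[string]string) (stored map[string]string, dropped []string, err error) {
	stored = map[string]string{}
	for name, val := range submitted {
		class, ok := IntakeSchema[name]
		if !ok {
			dropped = append(dropped, name)
			continue
		}
		if class == Sensitive {
			if val, err = v.Seal(name, val); err != nil {
				return nil, nil, err
			}
		}
		stored[name] = val
	}
	return stored, dropped, nil
}

func main() {
	key := make([]byte, 32) // constructed test key only; use a KMS/HSM in production
	rand.Read(key)
	v, _ := NewFieldVault(key)
	// Constructed sample submission that asks for more than the form needs.
	form := map[string]string{
		"email": "pat@example.com", "insurance_policy": "POL-123456",
		"mothers_maiden_name": "Smith", "card_number": "4111111111111111", "card_last4": "1111",
	}
	stored, dropped, _ := Intake(v, form)
	fmt.Println("dropped at intake:", dropped)
	fmt.Println("stored:", stored)
	_, err := v.Open("card_number", stored["insurance_policy"]) // wrong field name
	fmt.Println("cross-field decrypt rejected:", err != nil)
}
```

Keeping the full card number encrypted while storing only the last four digits in the clear is the kind of tiering the paragraph describes: most of the application can work from the plaintext fields, and a dump of the database yields nothing usable from the sensitive columns without the key.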
Limit the Time You Hold Customer Data - Privacy Automation
Data protection legislation limits how long you may keep personal data. GDPR's storage limitation principle requires that data be held no longer than necessary for the purpose it was collected for, and some rules set explicit periods: HIPAA, for example, requires compliance documentation to be retained for six years. Make sure you know what you need to collect, how long you should retain it, and what happens when someone is no longer a customer. Move such data into a separate store with an automatic erasure schedule, and let customers or next of kin know that this will happen.
Under modern data protection legislation, customers also have a right of access to the data a company holds about them, with statutory response deadlines (one month under GDPR, 45 days under CCPA). Make it easy to produce a complete, accurate export when a customer asks to see their records.
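As an added example (not from the original article or Giva's product), the Go program below sketches the privacy automation described above: a retention sweep that decides per record whether its period has run out, an advance-notice list for records about to be erased, and a subject export for access requests. The categories, retention periods and sample records are constructed assumptions; the real schedule comes from your legal and compliance review. Records in a category with no policy are deliberately flagged rather than silently kept or deleted, so a policy gap gets noticed.

```go
package main

import (
	"fmt"
	"time"
)

// Retention periods per record category (illustrative assumptions).
var RetentionPolicy = map[string]time.Duration{
	"support_ticket": 2 * 365 * 24 * time.Hour,
	"billing":        6 * 365 * 24 * time.Hour,
	"marketing":      90 * 24 * time.Hour,
}

// Record is one stored item about one data subject (customer or patient).
type Record struct {
	ID           string
	SubjectID    string
	Category     string
	LastActivity time.Time
}

// Action is the audit-log entry the sweep produces for each decision.
type Action struct {
	RecordID string
	Outcome  string // "delete" or "quarantine"
	Reason   string
}

// Sweep separates records to keep from records whose retention period has
// run out. A record with no matching policy is kept but quarantined.
func Sweep(now time.Time, records []Record) (keep []Record, actions []Action) {
	for _, r := range records {
		period, ok := RetentionPolicy[r.Category]
		switch {
		case !ok:
			keep = append(keep, r)
			actions = append(actions, Action{r.ID, "quarantine", "no retention policy for category " + r.Category})
		case now.After(r.LastActivity.Add(period)):
			overdue := now.Sub(r.LastActivity.Add(period)).Round(24 * time.Hour)
			actions = append(actions, Action{r.ID, "delete", fmt.Sprintf("%s retention exceeded by %s", r.Category, overdue)})
		default:
			keep = append(keep, r)
		}
	}
	return keep, actions
}

// NoticeDue lists kept records that will expire within warn, so the customer
// (or next of kin) can be told before erasure happens.
func NoticeDue(now time.Time, records []Record, warn time.Duration) []Record {
	var due []Record
	for _, r := range records {
		period, ok := RetentionPolicy[r.Category]
		if !ok {
			continue
		}
		left := r.LastActivity.Add(period).Sub(now)
		if left > 0 && left <= warn {
			due = append(due, r)
		}
	}
	return due
}

// ExportSubject answers an access request with every record about one subject.
func ExportSubject(records []Record, subjectID string) []Record {
	var out []Record
	for _, r := range records {
		if r.SubjectID == subjectID {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample data set.
	records := []Record{
		{"t1", "s1", "support_ticket", now.AddDate(-3, 0, 0)},
		{"t2", "s1", "support_ticket", now.AddDate(0, -1, 0)},
		{"b1", "s1", "billing", now.AddDate(-5, 0, 0)},
		{"m1", "s2", "marketing", now.AddDate(0, -4, 0)},
		{"m2", "s2", "marketing", now.AddDate(0, 0, -70)},
		{"x1", "s2", "legacy_notes", now},
	}
	keep, actions := Sweep(now, records)
	for _, a := range actions {
		fmt.Printf("%-3s %-10s %s\n", a.RecordID, a.Outcome, a.Reason)
	}
	fmt.Println("notice due within 30 days:", len(NoticeDue(now, keep, 30*24*time.Hour)), "record(s)")
	fmt.Println("access request for s1:", ExportSubject(keep, "s1"))
}
```

In a real deployment the sweep runs on a schedule, the delete actions are written to an append-only audit log before the rows are erased, and the export is the same code path the access-request desk uses, so what the customer receives matches what the system actually holds.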
Put Someone in Charge of Data and IT Security
It's crucial that you appoint someone with overall responsibility for data protection compliance and IT security. Depending on budgets, this could be a senior leader with a small team, or several departmental heads or C-level executives.
Remember, IT security and data compliance is not solely the job of IT teams and leaders. IT plays a central role in data security and in implementing data privacy tools, but the job is much bigger than that and shouldn't simply be pushed onto IT. The following are needed to properly take responsibility for cyber security and customer data:
- An experienced professional
- Support team
- Separate budget
- Senior leader
- Cross-organizational support
Assess Software Vendor Security
Do you know how secure software vendors actually are?
Many might claim "high-levels of security and encryption", but what does this mean in practice?
For example, many newer Software as a Service (SaaS) companies rely on the security provisions of cloud providers such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, and numerous smaller vendors.
Most of the time this works without a problem, but not always: the cloud provider secures the underlying infrastructure, while the SaaS vendor remains responsible for how it configures storage, access controls, and encryption, and for the security of its own application code. It's essential to assess a software vendor's security certifications and policies, otherwise you put your entire organization at risk. One weakness is all cyber criminals need to access your systems and steal customer data.
Use a Strong Authentication Process
Finally, another data privacy management tool for the toolbelt: make sure a strong authentication process is in place, both internally and wherever customers access your systems or their data.
Federal Trade Commission investigations have found that cyber attack victims often have weak security and passwords.
Passwords such as "Password" are not strong enough in this day and age. As a healthcare or other organization, you need internal data security controls: passwords should be long, checked against lists of known-breached passwords, and backed by two-factor authentication (2FA) or stronger multi-factor methods, including biometrics or hardware security keys where possible.
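As an added example (not from the original article or Giva's product), the Go program below shows two of these controls in working code: a password check in the NIST SP 800-63B style (a minimum length plus a blocklist of known-breached passwords, rather than composition rules), and a second factor implemented as RFC 6238 TOTP, the algorithm behind common authenticator apps, verified with a one-step clock-skew window, a constant-time comparison, and replay protection. The blocklist excerpt is constructed; the TOTP secret and expected code are the RFC 6238 test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

// Constructed excerpt of a breached-password blocklist. In practice this is
// a large list, or a k-anonymity lookup against a breach corpus.
var breachedPasswords = map[string]bool{
	"password": true, "password1": true, "123456": true, "qwerty": true, "letmein": true,
}

// PasswordAcceptable follows the NIST SP 800-63B approach: a minimum length
// and a blocklist check instead of character-class composition rules.
func PasswordAcceptable(pw string) error {
	if len([]rune(pw)) < 12 {
		return fmt.Errorf("password shorter than 12 characters")
	}
	if breachedPasswords[strings.ToLower(strings.TrimSpace(pw))] {
		return fmt.Errorf("password appears in breach blocklist")
	}
	return nil
}

// totpAt computes an RFC 6238 code (HMAC-SHA1, 30 s steps, 6 digits) for
// the given Unix time.
func totpAt(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTPVerifier accepts the current 30 s step plus one step either side for
// clock skew, compares in constant time, and remembers the last accepted
// step so a captured code cannot be replayed.
type TOTPVerifier struct {
	secret      []byte
	lastCounter int64
}

func NewTOTPVerifier(secret []byte) *TOTPVerifier {
	return &TOTPVerifier{secret: secret, lastCounter: -1}
}

func (v *TOTPVerifier) Verify(submitted string, now int64) bool {
	for _, skew := range []int64{0, -30, 30} {
		t := now + skew
		if t < 0 || t/30 <= v.lastCounter {
			continue // step already used (or before the epoch)
		}
		if subtle.ConstantTimeCompare([]byte(totpAt(v.secret, t)), []byte(submitted)) == 1 {
			v.lastCounter = t / 30
			return true
		}
	}
	return false
}

func main() {
	for _, pw := range []string{"Password", "correct horse battery staple"} {
		fmt.Printf("%q acceptable: %v\n", pw, PasswordAcceptable(pw) == nil)
	}
	// RFC 6238 Appendix B secret; at T=59 the SHA-1 code is 94287082, i.e. 287082 at 6 digits.
	v := NewTOTPVerifier([]byte("12345678901234567890"))
	fmt.Println("code at T=59:", totpAt(v.secret, 59))
	fmt.Println("first use accepted:", v.Verify("287082", 59))
	fmt.Println("replay accepted:", v.Verify("287082", 59))
}
```

In a real system the last accepted counter is stored per user alongside the secret, failed attempts are rate-limited, and the check is layered on top of a properly hashed password rather than replacing it.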
Key Takeaways: 7 Ways to Protect Customer Data
- Test For Security Vulnerabilities
- Get HIPAA and other Certifications, and Make Sure to Tell Customers
- Limit Customer Data Intake
- Limit the Time You Hold Customer Data
- Put Someone in Charge of Data and IT Security
- Assess Software Vendor Security
- Use a Strong Authentication Process