The 5 biggest risk and compliance issues healthcare organizations need to address today

September 01, 2023

From a recent global pandemic to the many new expectations of patients and stakeholders, the healthcare market is experiencing unparalleled disruption. This has been exacerbated by several pertinent regulatory developments, which have combined with the uncertainty in the healthcare ecosystem to drastically increase the complexity of providing healthcare nationwide.

With all this in mind, what can healthcare organizations expect to see from a risk and compliance perspective today and in the months to come, and which of these will turn out to be challenges that need to be urgently addressed? Here are the five biggest risk and compliance issues that health organizations need to focus on today:

1. Increased scrutiny from regulators
HIPAA-covered entities are a renewed focus for regulators pressing for stronger security and privacy compliance. In the wake of events such as misappropriated COVID-19 relief funds and multiple data breaches across the industry, regulators are increasing pressure on organizations receiving federal funds through Medicare to prevent fraud, abuse and waste. Having the infrastructure to demonstrate materiality and to produce supporting documentation will be a key component of withstanding this increased scrutiny.

Healthcare cybersecurity solutions such as our HIPAA Security Risk Assessment Consulting ensure that organizations can protect patient privacy and remain compliant with fast-changing regulations.

2. Scrutiny over using private data in healthcare advertising
It is no secret that targeted advertising has exploded over the past decade, but the Federal Trade Commission (FTC) has signaled its intent to invoke the Health Breach Notification Rule to rein in health tech companies that share sensitive personally identifiable information (PII) with advertisers.

For example, the FTC has indicated that it will increase its oversight of how sensitive health information is handled, using the Health Breach Notification Rule (2009). This is in response to safeguarded patient information being used for targeted advertising. In December 2022, a bulletin from the HHS announced that the use of ad tech by HIPAA-covered entities, including cookies, web beacons or tracking pixels, may violate HIPAA rules.

Non-HIPAA entities will be held accountable for breaches that disclose sensitive health data. The punishments could be severe, including millions of dollars in fines. In February of 2023, for example, the FTC settled an enforcement action against a digital healthcare platform for violating the FTC’s Health Breach Notification Rule.

3. New compliance rules in 2023
The current HIPAA rules were implemented more than a decade ago but are expected to see a major change in 2023. Substance use disorder (SUD) records have been covered under their own confidentiality policy, but healthcare professionals seek to change this to give health professionals a full view of their patient, especially when there is a risk that a patient may be prescribed opioids while in recovery.

The CARES Act, passed in 2020 to fight the COVID-19 pandemic, expanded the ability of providers to share the records of individuals with SUD but tightened the requirements in the event of a breach of confidentiality. An in-depth list of changes can be found here. In short, the requirements have become tighter while the punishments have gotten more severe.

4. Healthcare cybersecurity and compliance issues
In the age of digitization, ransomware and other system intrusions and breaches by malicious external actors continue to be at the forefront of healthcare data security, clinical operability, patient care and regulatory compliance.

Ransomware attacks targeting healthcare delivery organizations have doubled over the past five years. This rise in malicious attacks has left organizations facing an increased downtime of about 20 days, which can result in serious impact to clinical operability and patient care. According to IBM Security, the average cost of a healthcare ransomware attack in 2021 was $4.82 million.

Technology issues in telehealth and telemedicine platforms continue to provide more opportunities for bad actors to access PII and other critical information. Attacks targeting telehealth platforms have skyrocketed, especially those exploiting commonly targeted vulnerabilities in patient-facing websites, desktops and endpoints, and file transfers between a client and a network server.

5. Third Party Risk Management (TPRM)
The issue of third-party risk is exacerbated by the increased reliance on third parties who have privileged access or run core business processes, including patient care. An average hospital relies on more than 1,300 vendors, with 72% of third parties having advanced permissions. Hackers are increasingly targeting third parties and are expanding their attacks to include cloud ransomware as well.

Regulatory scrutiny of third-party security and compliance is growing, and unfortunately, too many healthcare providers lack the digital infrastructure for tracking and monitoring their third-party vendors and service providers. Other common issues with third-party risk management are insufficient budgets and resources, heavy reliance on manual processes and a lack of automation, sampling strategies in risk assessments and a general check-the-box attitude.

Even negative assessment findings rarely lead to remedial action or disqualification of the vendor. Less than 30% of organizations take actions such as collaborating with a third party on remediation, risk transfer using insurance or termination of the third party.

Healthcare providers find it difficult to verify the performance and effectiveness of their third-party controls in mitigating risks. In short, organizations are failing to find value from their current third-party risk management programs.

Healthcare-focused solutions to manage risk and compliance

Nobody wants to pay additional money for risk management. However, it’s absolutely required today. Would you rather become compliant and monitor/protect your clients, vendors and business, or chance it and pay an insurmountable fee after ruining your reputation?

The NTT DATA Risk & Compliance Consulting team provides expert guidance and tools to help leaders across IT, risk, audit and compliance departments more effectively manage the complex risk and regulatory landscape. Contact us now to find out how our end-to-end experience in regulatory compliance audits and cybersecurity enables us to lead and deliver current state security and privacy assessments, identify gaps and assist organizations through the remediation process to ensure a strong cybersecurity posture and regulatory compliance.


Eli Grossman

Eli Grossman is a consultant in the Financial Services & Insurance practice at NTT DATA. Currently, Eli is combining his knowledge and skillset in both the wealth and risk management space. Internally, Eli is developing Third Party Risk Management solutions, specifically in the healthcare and insurance space. In his free time Eli enjoys reading and exploring all that Charlotte has to offer.

Nutan Pandit

Nutan leads the Insurance Risk and Compliance practice at NTT DATA Services. She has extensive experience helping insurance organizations create their future-state risk and compliance function, implement risk technology, core business digital transformation, and create next-generation information security programs.
