Last week, we had the opportunity to co-host an engaging roundtable session with Digital Health Insider (DHI) on a crucial yet often overlooked topic: "HealthTech Privacy: Actionable Strategies for Data Protection and Compliance." In an era where digital health technology is rapidly evolving, ensuring the privacy and security of sensitive data is not just a necessity.

Throughout the session, our experts covered a wide range of essential topics, from key security considerations that every startup needs to understand from day one, to steps to building a comprehensive security plan and then how to plan for an effective Disaster Recovery if needed.

This session was moderated by Dael Stewart, Managing Director for North America at Light-it, and we were honored to be joined by a distinguished panel of experts, including Balaji Gopalan, Aaron Maguregui, Gary Pritts, and Jim St. Clair.

• Balaji Gopalan, CEO and Co-Founder of MedStack, has nearly a decade of experience building a privacy-first digital health ecosystem, where he supports creators of digital health products across healthcare sectors, ensuring they can meet data security and privacy compliance standards.
• Aaron Maguregui, Partner at Foley & Lardner LLP, specializes in digital health law, patient engagement, and health data protection. He works with healthcare innovators, from Series A startups to large enterprises, helping them modernize patient experiences through secure digital interfaces.
• Gary Pritts, President and Founder of Eagle Consulting Partners, Inc., a privacy and security firm with over 23 years of experience, focused on the healthcare industry that has worked with over 1,000 organizations on HIPAA compliance.
• Jim St. Clair, CEO of MyLigo, has 20 years of experience in health information security, currently focused on patient identity as part of the Federal Zero Trust Strategy. He has served as an Information Security Officer at the Department of Health and Human Services, worked in IT auditing and supported state agencies.

Why should digital health startups prioritize security from the start?

Startups, especially in the digital health space, often have a lot on their plate—figuring out product-market fit, building revenue streams, marketing, and scaling teams. With so many things demanding attention, companies can easily overlook things that don’t show immediate returns or are not immediately visible—like security. So, why should digital health startups prioritize security from the beginning?

Compliance is a Path to Get Paid

As Maguregui explained during our discussion, compliance is often seen as just another checkbox, but it’s actually a critical factor in getting paid. For example, if you’re a startup offering an AI-powered solution to a healthcare provider, your first client will likely ask about your security practices before they even think about signing a contract. The conversation usually begins with a security audit, based largely on HIPAA requirements, and if you don’t pass, that potential client could walk away. In this sense, compliance is much more than a formality—it’s a way to prove you’re trustworthy and can handle sensitive data, ultimately securing deals.

Beyond HIPAA, startups also need to keep an eye on emerging regulations from the FTC, FCC, and various state laws. But in healthcare, HIPAA remains the primary concern, and being able to demonstrate your compliance gives you a significant advantage when dealing with large clients like health systems and insurers. As Maguregui put it, security is "table stakes" for getting a seat at the table.

Building Trust and Credibility

The first knock on your door won’t come from regulators—it’ll come from your customers. They want to know if their data is safe with you. For digital health startups, data is often the lifeblood of the product, and ensuring that data is secure is essential for building trust with customers.

Potential consequences of overlooking security

In healthcare, the significance of security cannot be overstated. As Gopalan highlighted, overlooking security can have severe consequences that extend far beyond compliance issues. While there are many benefits to developing innovative solutions, the potential risks of neglecting security must be front and center in any product strategy.

Gopalan noted that the typical startup mentality encourages entrepreneurs to double down on differentiation from competitors. While this focus is essential for gaining market entry, it can lead to significant pitfalls if security considerations are delayed. One of the most substantial mistakes a healthcare startup can make is to prioritize innovation over security.

The repercussions of not addressing security adequately can be dire. As Gopalan explained, the worst-case scenario is not just failing to pass a security review but not even considering making one at all. Such an outcome can endanger patients, jeopardize the business, and pose risks to the providers or payers involved.

A quick glance at recent news stories underscores the far-reaching implications of security failures in healthcare. While many industries face security challenges, healthcare leads the pack due to the sensitive nature of its data. Digital health often deals with issues related to chronic conditions and mental health, making the stakes even higher.

Gopalan also emphasized that managing legacy technology and various moving parts in healthcare adds to the difficulty. Healthcare professionals are already facing considerable risks, and introducing additional vulnerabilities is the last thing they need. Unexpected problems can arise from a lack of proper data backup or careless handling of sensitive information. These issues aren’t limited to malicious actors; unintentional mistakes can have significant consequences as well. With healthcare professionals spending a large part of their day logging into various systems, the absence of proper audit logs complicates error resolution.

Moreover, the rise in cyberattacks targeting the healthcare sector highlights the urgency of addressing security concerns. In recent years, healthcare has become a primary target for international malicious actors. Without appropriate encryption and key management, organizations expose themselves to serious risks.

Practical Strategies for HIPAA Compliance and Risk Mitigation

Maguregui shared valuable insights into practical strategies and frameworks that organizations should adopt to ensure compliance and mitigate legal risks.

1. When addressing questions about HIPAA compliance, Maguregui emphasized the importance of conducting a security risk assessment. He explained that this assessment serves as a gap analysis, allowing organizations to evaluate their current state against HIPAA requirements. Understanding where an organization stands is crucial, as it highlights vulnerabilities that need to be addressed. Maguregui, who has guided numerous clients through the HIPAA compliance journey, underscored that risk assessment is the most critical piece of information an organization can possess. It reveals existing gaps and informs the necessary steps to fill them. Not only is this assessment a foundational requirement of HIPAA, but it is also the first step toward developing a robust compliance strategy. If clients inquire about an organization’s HIPAA risk assessment and none exists, it can lead to significant problems.
2. To establish a solid compliance framework, Maguregui recommends starting with recognized standards, such as those provided by NIST (National Institute of Standards and Technology). He is a strong proponent of the NIST framework, which is typically sponsored by the federal government. Understanding compliance requirements is essential, with HIPAA often being the first regulation organizations encounter.
3. Practically speaking, Maguregui likens HIPAA compliance to a marathon without an endpoint. He warned against the use of HIPAA compliance badges on vendor websites. Organizations often believe that displaying these badges will enhance credibility, but Maguregui cautioned that HIPAA does not recognize third-party credentialing services. Many organizations that have used these badges have faced enforcement actions for misrepresentation, highlighting that this practice can lead to significant legal repercussions.
4. Maguregui pointed out the free tool available on the ONC (Office of the National Coordinator for Health Information Technology) website to help organizations understand their compliance status. Additionally, many reputable vendors are available to assist organizations in navigating the security requirements necessary for advancing their compliance journey.

Real-World Examples of Data Breaches and Their Impact on Organizations

Pritts provided compelling real-world examples of breaches, highlighting the significant repercussions for startups and established companies alike.

A crucial requirement of HIPAA regulation is that organizations self-report any data breach to the Department of Health and Human Services (HHS). If the breach affects 500 or more individuals, the details become public, landing on what is often referred to as the "Wall of Shame." In 2023 alone, there were 739 significant breaches reported, averaging about two per day.

Change Healthcare Ransomware Attack

One high-profile case Pritts discussed was that of Change Healthcare, a leading electronic claims clearinghouse in the United States. Change Healthcare experienced a massive ransomware attack that disrupted claims processing for countless healthcare providers, including doctors and hospitals that relied on their services. This breach had far-reaching consequences, resulting in cash flow issues for clients and extensive turmoil across the healthcare industry. Ultimately, the financial fallout from the incident was estimated at approximately $2.4 billion. Although the company is part of UnitedHealthcare and likely has the resources to recover, the impact of such a breach is undeniable.

Breach at a Berkshire Hathaway Division

Pritts also highlighted a less-publicized breach involving a division of Berkshire Hathaway, Warren Buffett's conglomerate. This incident affected around 60,000 patients and was described by the executive overseeing the division as the most stressful experience of his career. The breach required extensive communication with concerned patients, further emphasizing the emotional and operational toll that data breaches can inflict on organizations.

IT Managed Services Company Ransomware Attack

Another example Pritts provided was an IT-managed services company that served the healthcare sector. This company, which had recently acquired three smaller firms, fell victim to a ransomware attack that targeted thousands of servers. The fallout was severe, leading to customer defections and necessitating the dismissal of senior staff, which significantly derailed their business plans.

SQL Injection Vulnerability in Ohio Government Agency

In a different context, Pritts recounted a security assessment conducted for a county government agency in Ohio. During an external penetration test, they discovered a SQL injection vulnerability in a web application provided by a vendor. This vulnerability allowed the team to access the entire database, raising serious concerns about the security of sensitive data. While the agency identified the issue before it escalated, the incident had far-reaching implications, potentially jeopardizing its relationship with its largest client.

These examples illustrate that the impacts of data breaches extend beyond financial losses. They encompass personal stress, reputational damage, customer attrition, and operational disruptions, making it imperative for organizations to prioritize compliance and security measures.

Pritts outlines the need for proactive measures to safeguard sensitive data and to ensure that the right expertise is in place to address potential vulnerabilities.

Hiring Security Expertise: Internal vs. External

In the context of startups and product development, the question often arises. This conversation is crucial for ensuring effective security measures from the onset of a business's journey.

St. Clair emphasizes the importance of integrating security and compliance considerations early in the startup process. Initiating security measures at the MVP stage is far easier than retrofitting them later. For startups, conducting a basic risk assessment and leveraging external consultants on a part-time basis can help establish a solid security foundation.

He also highlights the benefits of utilizing major cloud providers, which often offer startup programs that include tools and resources for security and compliance at little to no cost. This proactive approach allows startups to address potential issues while their operations are still manageable, fostering a security-centric culture from the beginning.

When considering which roles to prioritize in terms of hiring, St. Clair suggests that companies need to consider what is best for their customers and the feasibility of adding security measures later on. Security within software products generally encompasses three key areas:

1. Security in applications and cloud environments.
2. Processes for managing software and personnel.
3. Documentation and response mechanisms for compliance inquiries.

One of the first steps is to appoint someone responsible for orchestrating these security measures. This individual acts as a bridge between different departments, providing guidance and prioritizing security across all operations. St. Clair advocates for hiring a dedicated security and compliance lead, which can significantly alleviate stress for other team members by providing a clear point of contact for security-related inquiries. Having a designated individual for security matters alleviates pressure on other team members and ensures that security gets the attention it deserves.

This security lead role is not to be adversarial but rather to collaborate with other team members, offering feedback on both internal developments and third-party integrations. This collaborative approach can foster a culture of security awareness and compliance within the organization.

Also, St. Clair mentioned that while utilizing tools and frameworks from providers like AWS is beneficial, it's crucial to recognize that compliance is a multifaceted process. Organizations should engage with their customers to understand their specific compliance needs before starting development.

Lastly, St. Clair introduces the Cybersecurity Maturity Model Certification (CMMC) as an example of a structured approach to security. This program, developed by the Department of Defense (DOD), outlines security expectations for businesses ranging from small operations to major contractors and provides a scalable framework for compliance.

Understanding Security Risk Assessments for Digital Health Startups

Securing sensitive patient data is crucial. As Gopalan mentioned during our recent discussion, conducting a comprehensive security risk assessment (SRA) is a vital first step for startups to identify vulnerabilities and implement effective security measures.

What is a Security Risk Assessment?

Pritts explained that a SRA involves several key steps to evaluate an organization's security posture:

1. Asset Inventory: First, you need to catalog all your IT assets and applications, including their configurations. As Pritts pointed out, knowing what you have is essential for effective protection.
2. Threat Analysis: Next, you should assess the external environment to identify potential threats. Pritts emphasized that understanding these threats is critical for the next steps.
3. Control Evaluation: Examining your existing security controls against established frameworks like the HIPAA Security Rule or the NIST Cybersecurity Framework is important. This evaluation helps determine how well these controls mitigate identified threats.
4. Risk Calculation: Pritts highlighted the importance of evaluating the probability of security incidents occurring and their potential impact. Ideally, this assessment should be quantifiable, allowing you to express risks regarding potential financial losses. This is where the FAIR (Factor Analysis of Information Risk) method comes into play. FAIR allows organizations to quantify risk in financial terms by considering the frequency of potential events and their impact on the organization. This structured approach to risk assessment enables startups to express risks in an understandable and actionable way.
5. Corrective Actions: Finally, prioritize necessary actions to reduce risks. As Pritts suggested, determining appropriate insurance coverage for worst-case scenarios is also essential.

Best Practices for Compliance and Data Safety

Once startups complete their security risk assessment, maintaining compliance and ensuring data safety becomes crucial. As Gopalan and Aron pointed out, here are some best practices to follow:

1. Continuous Monitoring: Regularly revisit your risk assessment to address new vulnerabilities and threats. You should conduct assessments periodically or whenever significant changes occur in your organization, always with the same measure.
2. Communication: Creating an open environment regarding security is essential. Ensuring all stakeholders, including executives and staff, understand the importance of data protection is vital.
3. Engagement with Legal Counsel: Collaborating closely with legal advisors ensures that your security measures align with regulatory requirements. Being transparent with legal counsel allows you to receive accurate guidance and support.
4. Investor Relations: Communicating your security practices and compliance measures to potential investors is key. They will want to understand how you safeguard sensitive data and mitigate risks before committing resources.
5. Preparedness Exercises: Engaging in tabletop exercises and penetration testing helps simulate security incidents. These drills familiarize your team with protocols, ensuring readiness in the event of an actual breach.

By proactively identifying risks and implementing robust security measures, as Pritts and Gopalan suggested, startups can instill confidence in their stakeholders and ensure the long-term success of their operations.

Creating an effective Disaster Recovery Plan: What every health tech company should have in place

As Gopalan emphasized, discussing the essential elements of an effective Disaster Recovery (DR) plan is crucial. Throughout the roundtable, important aspects like risk assessments, compliance, and the inherent value of these measures were addressed. Still, we must not overlook the darker side—many organizations face significant challenges without a solid DR Plan. This is often due to a lack of internal commitments regarding recovery procedures, which can lead to dire consequences, especially during security incidents. The staggering statistics on ransomware attacks show that many organizations end up paying the ransom because they lack viable recovery options.

To ensure a robust Disaster Recovery Plan, it’s vital to address several key factors:

• Clear protocols: Golapan explained that organizations must have clear data backup and access management protocols. A structured approach to data management—backups should be frequent and retained for varying periods, and roles and responsibilities must be documented and communicated effectively. This not only prepares the organization for internal recovery but also informs customers about their roles during a disaster recovery simulation.
• Documentation of potential risks: According to St. Clair, while disaster recovery insurance can be beneficial, especially for small businesses facing natural disasters, there’s a dangerous trend of conflating cyber insurance with inadequate cybersecurity practices. Businesses often fail to consider the broader implications of disruptions, such as the impact on patient care in the healthcare sector. Thorough documentation of potential risks is key, and organizations need to think through worst-case scenarios proactively.
• Evolving DR plans: Pritts noted that while companies may initially have rudimentary plans, evolving these as the business grows is essential. Startups might start with basic recovery objectives, but their plans should become more comprehensive and actionable as they mature. An effective Disaster Recovery plan is not merely a checklist but a critical component of a responsible and resilient organization. It requires ongoing commitment, regular updates, and a culture that prioritizes preparation for the unexpected.

Organizations have legal responsibilities toward their users, particularly in healthcare. Transparency regarding data usage is critical, especially as patients become more informed about how their data is handled. Organizations must be aware of their obligations under regulations like HIPAA and understand that breaches can lead to severe reputational damage, far exceeding the immediate financial penalties.

How can companies create a culture of data privacy and security awareness?

As Golapan noted, creating a data privacy and security awareness culture is essential for any organization, particularly for startups. This topic is likely near and dear to many professionals in the field, making it worth exploring.

When building a digital health company, it's crucial to recognize that everyone who joins the team is invested in the impact the organization is making on patients. Emphasizing that without trust, there is no adoption. If trust is lacking, companies cannot fulfill their mission of helping patients, their providers, and their families.

Trust will be the first consideration for stakeholders before committing to a company's solutions. Therefore, organizations must instill a value system prioritizing robust security technology and privacy processes. This foundation strengthens the organization's integrity and paves the way for faster adoption of its services.

Key Takeaways:

While innovation is crucial for growth in the digital health space, it should never come at the expense of security. Without a strong foundation of security and compliance, even the most groundbreaking companies can face serious setbacks. As we’ve discussed, many tools and strategies are available to help startups navigate the path of secure and compliant innovation, ensuring both success and sustainability in the long term.

Security and compliance with regulations such as HIPAA are crucial for unlocking revenue opportunities in healthcare. Many providers require a thorough security audit before establishing a business relationship, and being compliant opens doors that would otherwise remain closed. This can mean the difference between securing or missing out on key contracts for startups.

In addition to revenue potential, establishing robust security protocols early builds trust and credibility. Handling sensitive patient data comes with immense responsibility, and clients are more likely to engage with a startup they view as reliable and secure. A well-implemented security framework positions the business as a responsible partner in a highly regulated industry.

Moreover, neglecting security can lead to serious consequences. Failing security reviews or being excluded from contract negotiations due to non-compliance can hinder growth and jeopardize the company’s long-term success. In healthcare, where patient safety and data protection are paramount, such oversights can be detrimental.

Healthcare is a major target for cyberattacks. The sensitive nature of healthcare data makes it a prime target for cybercriminals. Implementing strong security protocols early minimizes the risk of breaches, safeguarding both the startup and its clients.

Practical Strategies for HIPAA Compliance and Risk Mitigation:

• Start with a Security Risk Assessment (SRA): Conduct a thorough risk assessment using recognized frameworks like NIST to evaluate vulnerabilities and define corrective actions.
• HIPAA Breach Reporting: Organizations must self-report breaches to the Department of Health and Human Services (HHS), and breaches affecting 500+ individuals are made public. In 2023, 739 major breaches were reported, emphasizing the importance of compliance and breach preparedness.
• Develop a Solid Disaster Recovery Plan: This plan should include data backup, access management, and clear communication with customers in case of an incident. It’s essential to ensure that the organization can quickly restore operations and protect sensitive data in the event of a breach.
• Foster a Strong Security Culture: Prioritizing security from day one not only ensures compliance but also cultivates a culture of data privacy and trust. By establishing robust security measures and promoting awareness, digital health startups can protect sensitive data, build lasting client relationships, and ensure long-term business success.

In an era where data privacy and security are more critical than ever, healthcare organizations must be proactive in safeguarding their patients and their businesses. The insights shared during this roundtable underscore the importance of building a solid security foundation from day one, implementing practical strategies for HIPAA compliance, and being prepared for the unexpected. Whether it’s through hiring the right expertise or fostering a culture of security awareness, the future of healthtech depends on our ability to protect sensitive information and build trust. By prioritizing security, we comply with regulations, build trustworthiness, and drive innovation and long-term success.

Subscribe to DHI and stay tuned for the next discussion:

It was a fantastic experience to engage with leading industry experts who shared their diverse perspectives on disaster recovery planning! A huge thank you to all attendees who joined us virtually. We also extend our gratitude to our speakers for providing such valuable insights and collaborating with DHI and Light-it to explore these crucial topics. Stay tuned for our next roundtable discussion with DHI and Light-it!