By David Thomas / Special to Healthcare Facilities Today

It seems innocent enough. Collect email addresses and birthdays so you can reach out to your most loyal patients on their special day. But where is this data stored? Who has access to it? How is it protected?

In the digital economy, customer experience is paramount. Data lets us deliver a personalized experience in real time. But making the patient record richer and more valuable to your organization also makes it more valuable to others.

Data is the new oil. It’s the fuel powering growth and innovation, and bad actors can’t wait to get their hands on it. Even a seemingly innocuous piece of information such as an email address or birthdate can be used in identity theft. Today, all personal data is sensitive and there’s more of it all the time.

If you’re in the healthcare industry, you handle sensitive personal data about customers, employees, and partners, and you’re about to handle much more of it. As digital transformation expands across new areas of our lives, increasingly sensitive types of data will need to be shared and accessed by more entities, more frequently. We may not mind our ride-sharing service knowing our favorite destinations, but we care who sees our medical, legal, and financial records.

The days when organizations could be casual about personal data are officially over. It’s time to assess the situation and put technologies and practices in place to ensure your patients can trust you with their personal data. Building that trust will reinforce a positive view of your brand, and protect you against the damaging effects a high-profile breach can have on your organization’s reputation.

It’s also a matter of regulatory compliance. All over the world, regulations are evolving to address growing concerns about protecting personal data. Complying can be complicated and consequences for missteps serious. Europe’s new GDPR (General Data Protection Regulation) for 2018 includes fines of up to four percent of global annual revenue. A fine of $10 million on $250 million in earnings is a significant incentive. Technologies and regulations will continue to change, requiring companies to be vigilant and proactive about protecting personal data.

Find your data

The first step to improving security is discovery. You’ll need to ask a series of questions to determine the extent of the personal data you collect and hold. What types of personal data do you ask for? Where is this data held? What systems and processes handle it? Who has access to it? What security measures are in place to protect it? Which partners need access to this data, and how do they ensure its handled securely? How might personal data assets expand in the future?

Craft your data security strategy

For many organizations, data is fragmented and spread across multiple divisions and partners, with varying degrees of security in place to protect it. To prepare for the rapid expansion of data and access that digital transformation is bringing about, you need to craft and implement a strategic plan for governing and protecting personal data. Every partner contract, for example, should spell out requirements for data security standards and practices.

Consult with IT

As marketing becomes more involved with data-driven analytics and personalization, it’s important to look to the IT organization for guidance, expertise, and best practices. The right data protection policies, processes, and training need to be prioritized and fully ingrained in organization functions. At a minimum, baseline security technologies and capabilities such as encryption need to be selected, deployed and routinely tested.

Choose your partners wisely

Given the complex and dynamic nature of protecting personal data, it makes sense to minimize what you hold. For most organizations, the right course will be to partner with a technology provider focused on streamlining the handling of personal data. Some new API-based services can help deliver the information you need without saddling you with keeping and protecting sensitive data. The right solution should ensure that data is dispersed, not held centrally. It should pull information from authoritative sources. It should depend on permission from the individual for access. And it should be continuously refreshed with the latest updates.

We need these solutions in order to support the expansion of digital business. Last year's Equifax breach exposed 145 million Americans to identity theft. That was followed by, Yahoo's three billion customer accounts being compromised. Still, significant progress is possible. Equifax not withstanding, the financial services industry has long pioneered leading-edge data security strategies and technologies, making online banking and credit card transactions reliable and secure. And, now healthcare is in the personal data hot seat as they transition to digital. So, get ready.

New and more serious threats, rising patient expectations, the expansion of our digital lives, and new technologies such as artificial intelligence and the Internet of Things mean that protecting personally identifiable data will be an ongoing challenge in the healthcare industry. Now is the time to find ways to protect your organization and your patients from data breaches, and to build relationships with the technology partners who can help you implement effective security strategies now and in the future. Giving your patients the confidence to share the details of their lives with you may already be a competitive differentiator.

David Thomas is CEO of Evident, a data security company.