
Lack of records management maturity puts PHI, PII at risk

Records management is more vital than ever to business success, but not enough organizations care about it, according to Rick Tucker.

To prove it, Tucker, vice president of sales and marketing at Doculabs, presented a question to the audience attending the “Trends in Data Lifecycle Management and Information Governance” session at the recent SIM Boston Technology Leadership Summit in Newton, Mass.

“Does everybody have a records management program in their organization?” Tucker asked.

“Yes,” the audience answered in unison.

“Does everybody follow their records management program on a regular basis?”

“No,” most of the audience replied.

This could pose a problem for organizations as business and customer data is increasingly digitized, Tucker said, and especially for companies that handle personally identifiable information (PII) or protected health information (PHI). These businesses need to use records management programs to gain better control over their data, either by moving it into more rigorous document management systems and repositories or by disposing of content that is no longer required, Tucker added.

A lack of foresight could prove costly: The recent Cost of Data Breach Study by the Ponemon Institute showed that the average cost incurred for each lost or stolen record containing sensitive information continues to increase.

“Organizations see that and still go, ‘It’s not going to be me. I’m not going to be hit like that and not going to have that problem,’ until they do,” Tucker said.

Doculabs — a document management consulting company — partnered with Executive Functions Management and conducted two surveys to find out how well InfoSec manages PII and PHI. One surveyed information security leaders and the other surveyed IT leaders.

Fifty-two percent of the InfoSec professionals said they had no automated capability to prevent PHI and PII from leaving the company. InfoSec professionals reported that they were aware of the risks that can result from unmanaged PII and PHI data, but “reported a lack of maturity in high-risk areas such as network drives.”

“That means when information is created that has PHI or PII, it is not automatically detected or put into the right repository,” Tucker said. “The fundamental problem in information management is that the tools have not matured yet to a point where automation is automatically applied to all the systems.”

Two-thirds of the 550 IT leaders surveyed reported that their organizations are not purging data regularly, which signifies that they are not complying with recordkeeping practices, Tucker said. Half the organizations surveyed said they had no idea where information like trade secrets, HR data and client data lives in their organization, and 65% said that their data was not aligned with their InfoSec policies.

Rick Tucker during his session at the SIM Boston Technology Leadership Summit in Newton, Mass.

Not purging data regularly also increases storage costs and makes it a huge challenge to find data in an organization, Tucker said.

“The most important thing that records management has done in the past 20 years is identifying that information has an end of life, that it should be disposed of at a certain point in time,” he added.

The lack of these records management best practices dramatically increases information risk: 34% of the 144 InfoSec professionals surveyed said that within the last 12 months an audit had discovered a breach of PHI/PII data, Tucker said.

“Having a good correlation between data hygiene and governance, developing an orphaned data policy, decommissioning legacy applications, and assessing and remediating access rights can help InfoSec reduce PHI and PII risks,” he said.