Value of business information incorrectly estimated by IT security departments

New research indicates that healthcare IT security departments are incorrectly estimating the value of business information, leading to insufficient investments to ensure availability of provider data.

The research from Ponemon Institute and data management vendor DocAuthority included a survey of 2,827 professionals in the United States and United Kingdom.

What they found is that IT security departments undervalue research and developmental reports, as well as financial reports, while excessively prioritizing less sensitive personally identifiable information (PII).

The focus on prioritizing PII increases the chance of a major data breach, mishandling access for employees, and application of incorrect levels of security to low-value documents, according to Larry Ponemon, founder of Ponemon Institute, and Ariel Peled, chief technology officer at DocAuthority.

Among missteps on the value of data, IT security departments estimated the value of research and development documents at less than 50 percent of what the business would estimate their worth, with security professionals predicting it would cost more than $300,000 to reconstruct an R&D document—compared to a $700,000 estimate by the R&D department itself.

To a large degree, IT also underestimates the impact of a financial report being leaked, compared to the impact that the financial department would incur. In contrast, surveyed IT departments considerably over-value monthly salary lists compared to those values from human resources departments.

“Typically, the security and protection of business data is considered to be the responsibility of the IT security department,” Ponemon says. “Yet it is clear from this research that IT security does not have the vitally important context required to understand the true nature of the data and in turn create an effective strategy for defending it.”

Rather than being relegated to the IT department, the protection of data should concern not only management but the business as a whole, he adds.

Because only 5 percent of retained data is crucial to running the organization, healthcare and other organizations need to get away from a “one size fits all” level of security for data assets, advises Steve Abbott, CEO at DocAuthority.

“Obscurity around data could have far-reaching ramifications,” Abbott adds. “Despite company data being a hugely valuable business asset, organizations rarely have a clear view of what they own and what it is worth. As a result, within the context of a sale, for example, data assets are likely to be overlooked as part of a business’s valuation.”

The complete report, including a framework of six criteria to more accurately assess the value of healthcare and other corporate data, is available here.