Case Study: Strategy for Improved Data Governance

Doculabs helps a healthcare insurance provider improve the security of its sensitive, high-risk data by developing an Enterprise Data Retention Governance and Archiving Program to be implemented across the organization.

Information governance is now top of mind for all organizations, but it’s especially critical to organizations in the healthcare sector. Consider that providers and payers are custodians of their customers’ confidential health information, and it’s clear: Any breach of security which compromises protected health information (PHI) and/or personally identifiable information (PII) has serious consequences—for both customers and the company entrusted with protecting that information.

Yet many healthcare organizations have been rather slow to commit to improving how they manage this information. Whether because of a lack of executive support, or the absence of a policy-driven approach, or a less-than-optimal relationship between IT and the business, the sector as a whole has been lagging in this area. (See our post on this topic, “Information Governance in the Healthcare Industry.”)

A breach is a catalyst for improved information governance.

It’s an unfortunate fact of life, but sometimes it takes an actual data breach to get the attention of executive management—and to commit the funding required to develop, and implement, an effective information governance program. That was the case with one Doculabs client.

This healthcare insurance provider was serving more than 1.5 million insured customers. Following a serious data breach, the company had a mandate to improve its practices and technology for data governance. But neither the business nor IT was at all sure where to start on what was certain to be a major undertaking, one that would span people, process, and technology. Ultimately, the company hired Doculabs for our expertise in information governance as it applies to all three of these areas. Here’s how we helped develop the strategy for improved data governance.

Analysis laid the foundation for strategy and remediation.

Stage 1. First, we gathered information to get the “lay of the land”—i.e. to understand how information was currently being stored and secured, and where the gaps were in the company’s existing practices:

  • We reviewed the structure the company already had in place for managing structured and unstructured data, including its existing records management policy and any existing taxonomies for classifying content.
  • Then we conducted a content scan to assess the data stored in the company’s repositories. We assisted IT in configuring and operating content analytics software to identify redundant, outdated, and trivial (ROT) data, and in determining how to scan for PHI and PII. The findings from the scan allowed us to identify gaps in the company’s approach to data governance. The scan showed that over half of the company’s documents were junk or of low value, and that over half of its files had not been accessed in over three years.
  • Finally, we conducted an inventory of the business-critical documents in the company’s repositories, capturing format, associated business process, and ownership by functional area. This helped us define requirements for how various types of data should be stored—both for appropriate security and records management and to optimize search.

Stage 2. The basic information-gathering now complete, Doculabs then applied its expertise to recommending what the company should do to improve its information governance going forward:

  • We developed a strategy for Data Retention Governance, with recommendations to address the gaps in records management policies and taxonomy, data access, data repository formats, and archived data storage.
  • We also developed a strategy for Data Deletion and Archiving, recommending which data to retain, which to archive or purge, how and where to maintain the data, and how users would access archived content. In total, over 30 TB of data was recommended for either deletion or archived storage.
  • Next, we defined the tactical and strategic projects required to implement the two strategies above and created an Implementation Roadmap for rolling out the projects. The roadmap was a graphic representation, showing all initiatives, both tactical and strategic, along with timelines, staging, and estimated durations, as well as cross-project dependencies. This roadmap would prove to be a valuable tool in communicating progress against the strategies.

Stage 3. The last stage of Doculabs’ consulting engagement was designed to assist in planning for the implementation of the project recommendations:

  • We developed a high-level Business Case Analysis for implementing the projects and initiatives on the Implementation Roadmap, using both the company’s cost data and industry benchmark data to calculate estimates of the costs and the benefits, to help the company justify its investment in the information governance improvements.
  • We then worked with the company to define a workable structure for a program to provide ongoing support for data retention governance and archiving, with defined frameworks and roles and responsibilities for operationalizing key data management processes.
  • Finally, using the Implementation Roadmap as a starting point, we built a detailed project work plan for Year 1 of the company’s implementation, including task-level project plans and resource and staffing plans.

Project results included capacity building, funding, and support for an internal information management team.

The project was a major undertaking for this organization—but one that stakeholders clearly recognized as mission-critical. We used our methodology to take the company, step by step, to an understanding of the gaps in its existing information governance capabilities and practices, and then to an actionable plan for how to remedy the situation.

Our work enabled the client to get the funding needed to build out their team so they could become more self-sufficient in information management. They also developed a cross-functional executive oversight group that enables the information management team to have the authority to make changes in the organization.

Our approach involved key stakeholders from both IT and the business at every juncture, helping to ensure understanding and buy-in at all levels. Most important, it allowed the company to leverage Doculabs’ subject matter expertise in all aspects of information management, including our specific experience with the protection and management of PHI and PII data, to ensure future protection of the company’s data.

Rich Medina
Doculabs consultants offer in-depth expertise in information management and information security across a number of industries, including financial services, insurance, energy, manufacturing, and life sciences. Our recommendations are based on our experience and empirical data from hundreds of consulting engagements over more than 25 years. As trusted advisors, we provide our clients recommendations that are completely objective.