The digital health market was rocked by the recent announcement that HR services darling Zenefits has gone from ‘rock star’ to a symbol of Silicon Valley excess in a matter of weeks. The company, which has risen from a startup to being valued at $4.5 billion inside of two years, is clearly trying to get ahead of the issue: Zenefits’ cofounder and CEO stepped down amid “compliance concerns.”
The reality is that the Zenefits story is indicative of many digital health success stories. It should not be a surprise. Here are 4 reasons why:
Most founders build a company to solve a particular issue, and the successful ones have a single-minded focus on achieving that core objective. If they are successful, they are not going to waste time on issues like compliance. Revenue covers many ills, and I have spoken to the founders of many successful digital health companies who don’t feel the need to pay much more than lip service to cybersecurity and risk management - they are being successful without it.
Regulators only care about the big guys
OCR’s recent audit list is made up mainly of covered entities and large business associates. The government has not yet woken up to the impact of mobile and cloud-based digital services companies. With very little up-front outlay, these companies can grow quickly. More importantly, they can have access to, and even host, terabytes of sensitive data. I can guarantee that Zenefits has never even been threatened with a state or federal audit, never mind had to undergo one.
Traditional health organizations have not adjusted to the cloud
Providers and payers are faced with a tough choice. Ignore the innovative digital health companies and be at a competitive disadvantage, or embrace them and potentially increase their risk of a data breach. But working with these new companies means changing how you view vendor risk. Relying on traditional contract indemnification as protection when working with a 50-person startup may not be wise. Although more large healthcare providers have embraced the cloud, they have been slow to update their vendor risk assessment strategy to adequately ensure smaller vendors are acting responsibly.
Investors don’t factor compliance risk into their calculations
I have spoken to a number of VCs and the digital health companies that have received money from them, and I see that due diligence often stops at the founder/CEO completing a self-assessment on compliance. Investors need to realize the significant risk to their investment if the company has a major data breach or falls foul of a regulator.
So while Zenefits CEO Parker Conrad may be the one paying the price today, he is by no means alone. It will be interesting to see whether this revelation leads to better due diligence by all the parties mentioned, or whether we are going to have to see many more examples before sustainable change takes effect.
To discuss best practices when developing and implementing a comprehensive risk management and compliance program, contact us at 1877 668 5658 or visit Ostendio.com.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.