Keep up with the latest on information governance as this key strategy emerges for addressing a myriad of information management challenges in healthcare. This blog will highlight the trends and opportunities IG presents for ensuring information is treated as an organizational asset.
By Joshua Aguiar, RHIA
Data classification is a fundamental component of any information security (IS) program and should be considered a top priority for any organization processing or using sensitive data that they are required to safeguard to meet compliance and contractual requirements.
Why Is Data Classification So Important?
Classifying data is a fundamental step in ensuring adequate controls are in place to protect the confidentiality, integrity, and availability of data. Today more than ever, with advances in technology, organizations are processing and storing more and more data by different means and by using different technologies. An organization needs to classify its data in order to assess the appropriate controls needed to safeguard the data. Security of data must remain a main concern for any organization wishing to remain in business in today’s market, as organizations are seeing more and more compliance and regulatory laws being passed governing the protection of data, and as we continue to experience a dramatic increase in the number of cyberattacks.
Healthcare organizations should make data classification a top priority because civil and monetary penalties for unauthorized disclosures or breaches of protected health information (PHI) are increasing and the value of personal health data on the black market makes it a target for hackers.
Definition of Data Classification
Data classification involves separating data into specific categories (e.g., public, confidential, highly confidential, etc.). It is important to note that this classification is separate from classifying data by its specific traits (e.g., gender, sex, geographical region, etc.). Classifying data for the purposes of data security is a useful tactic for assessing and assigning baseline and tailored security controls that can be applied to all data classified into a specific category.
Sounds Easy, Right?
Not necessarily. Data classification for data security should be comparable with the risk of the data were it to be exploited or misused, and the likelihood of the risk coming to realization based on several factors:
- Environment in which the organization operates
- Custodians/owners of data
- Who has access to the data
- Where the data is stored/located
- Compliance/regulatory requirements
- Type of data being assessed (name, SSN, birthdate, college/university attended, email, etc.)
Consider the harm to the organization, harm to the person whose data is being collected or processed if it were to be used maliciously, and the value of that data to hackers when assigning a data classification category. Contemplate the following example:
A healthcare organization has classified data and information within the electronic health record (EHR), which can be used to identify an individual, as highly confidential. The same healthcare organization has classified data and information contained within their service feedback portal as confidential. An organization may have the following security controls classified for this example.
|Safeguard/Control||Confidential Information||Highly Confidential Information|
|Printing/faxing/copying||1. Scan/print/fax copies only of necessary information
2. If faxing, a cover sheet must be included with the appropriate confidentiality statement and instructions for deleting/returning information if the information was sent to an authorized individual
3. Equipment should be configured so that information is not saved
|1. Strictly prohibit the scan/print/fax of information unless absolutely required
2. If required to fax a cover sheet, it must be restricted to specific roles and must be done so in the designated printing areas as outlined in the Information Security Policy
3. Equipment must be immediately disposed of when no longer required
There should be a minimum level of security controls applied to all data, which are often referred to as baseline security controls. However, as data is assigned a higher data classification level, additional controls should be applied to ensure adequate protection.
The National Institute of Standards and Technology (NIST) offers many resources and guidance on data classification and security controls. Specific publications to review include:
- NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
- NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
- FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
Information governance (IG) provides the framework and standardized approaches for viewing IS more holistically. By identifying and categorizing all information assets (e.g., systems, domains, record types, etc.) into one centralized inventory, organizations will have a more accurate view of the IS landscape. This view will allow organizations to classify data and information as is appropriate and ensure that vulnerabilities or “cracks” in the system are addressed immediately before a breach or attack occurs. IG enables healthcare organizations to more proactively classify and protect data and information so they can focus on the day-to-day clinical and business operations knowing that the information is secured.
Joshua Aguiar is a compliance specialist at Huron Consulting Group, LLC.