Privacy and Security

Privacy’s and Cybersecurity’s Common Cause

Health information management (HIM) professionals in privacy and cybersecurity functions have some of the most difficult jobs in the healthcare industry. The privacy role is challenged to balance electronic health information (EHI) accessibility with patient protection, made more complex by the information blocking rules.

Those charged with cybersecurity roles work to protect their organizations and the patients they serve against the reality that every new year brings more medical record breaches. There was an approximately 66 percent increase in the number of patient records exposed between 2018 and 2019. There were more records breached in 2019 alone than in the period between 2009 and 2014, according to the HIPAA Journal. These breaches challenge privacy professionals who are also currently dealing with the privacy and security challenges of telemedicine and enabling a remote workforce amidst the COVID-19 pandemic.

In addition to these daunting tasks, there is also a need to balance the cybersecurity concerns regarding unauthorized access to health data with the privacy concerns related to protecting a user’s identity. To manage the overlap of these competing concerns, it is important to understand the answers to five fundamental questions:

  • What’s in the data?
  • Who touched it?
  • Where did it come from?
  • How did it change?
  • Where did it go?

Finding answers to these questions is a common cause for cybersecurity and privacy professionals. For cybersecurity purposes, those answers are needed to ensure that proper controls are in place to protect the organization. For privacy needs, that knowledge can provide context for nuanced understanding of the data given that user identity has different considerations for access based upon purpose.

Understanding Data Foundationally

Due to that shared interest and the fact that privacy functions often rely upon cybersecurity teams to help execute their duties, how can they best work together to deliver for their companies and patients? To do so, they must do two things:

  • Gain visibility into their data in a scalable and sustainable way
  • Understand that data’s lineage

Gaining visibility to answer the first question is a well-known part of information governance that can be challenging to implement. When undertaking this task, cybersecurity must understand that privacy may require more detailed understanding of data to operationalize what and when specific information can be accessed.

That need for specificity should be kept in mind when the two groups collaborate on how best to define sensitive information to be identified and develop a categorization framework to aggregate similar data that can be used by both groups.

A best practice to gain that level of insight and make the process reliable and repeatable is for companies to leverage dynamic technologies that can customize and automate identification and categorization of sensitive information to the particulars of that company. If done correctly, the ability to tailor identification allows cybersecurity and privacy teams to find and classify information at the data element level. That knowledge can then serve effectively as building blocks for the different solutions both groups need.

Data Lineage Differentiator

While sensitive data identification and categorization is the key to answering the first question, data lineage is the key to the remaining four. Unfortunately, most companies do not know how data flows through their business: who’s touched it, how it has changed over time, and where it’s come from and gone both physically and logically. Without that knowledge, cybersecurity and privacy groups are making decisions about access and technical controls without understanding how data is being used. Having actual insight on data lineage helps cybersecurity teams understand the operational reality of the company and implement controls that prevent the type of activities that create risk. Understanding data lineage for privacy purposes assists with that important question of context—under what circumstances is access to certain data elements acceptable? That also helps to tune security controls to allow the type of flexibility that patients desire while delivering the type of patient protections that HIPAA demands.

Blockchain Data Lineage

Data lineage can be an incredibly powerful amplifier to the effectiveness of HIM privacy and cybersecurity programs and can tighten the connection between the two functions. The challenge is determining a way to understand data lineage that is efficient and cost-effective. Although the concept of data lineage has existed for some time, it has largely been addressed via interviews and surveys. Those methods often capture data flows at a point in time and are subject to the judgment and recollections of those questioned. More recently, technologies have attempted to transcend those challenges by leveraging machine learning and artificial intelligence to create a more informed view of data flows on certain data sets. While that can be a better solution, it is still limited to a date range and can be expensive. Most recently, some technologies are using blockchain principles to provide high-fidelity data lineages that track the history of changes and access to provide a complete view of a data element’s lifecycle.

By doing so, those lineages can provide immutable data flows that HIM professionals can use to support both security and privacy needs at a reasonable cost for most companies.
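As an added illustration (not code from this article or from any product it mentions), the sketch below assumes that "blockchain principles" means an append-only log in which each record carries the hash of the record before it. The field names, actors, and system names are hypothetical and the events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first record

def digest(body):
    # Canonical JSON so identical records always produce the same hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(chain, element, actor, action, source, destination, value):
    """Append one lineage event, linked to the hash of the record before it."""
    body = {
        "seq": len(chain),
        "element": element,          # which classified data element this is
        "actor": actor,              # who touched it
        "source": source,            # where it came from
        "action": action,            # how it changed
        "destination": destination,  # where it went
        "value_sha256": hashlib.sha256(value.encode()).hexdigest(),  # no raw EHI stored
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append({**body, "hash": digest(body)})
    return chain[-1]["hash"]

def verify(chain, expected_head=None):
    """Index of the first inconsistent record, len(chain) if the records are
    self-consistent but the head differs from expected_head, else None."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None

def lineage(chain, element):
    """Ordered (actor, source, action, destination) history of one element."""
    return [(r["actor"], r["source"], r["action"], r["destination"])
            for r in chain if r["element"] == element]

def sample_chain():
    # Constructed events for illustration only.
    chain = []
    append_event(chain, "diagnosis_code", "dr_lee", "create", "clinic_ehr", "clinic_ehr", "J45.909")
    append_event(chain, "diagnosis_code", "coder_kim", "update", "clinic_ehr", "clinic_ehr", "J45.901")
    head = append_event(chain, "diagnosis_code", "billing_svc", "export", "clinic_ehr", "claims_gateway", "J45.901")
    return chain, head
```

Chaining alone only detects edits that leave later records untouched; the log is tamper-evident against a full rewrite only if the latest head hash is also kept somewhere the log's writer cannot change, which is what `expected_head` checks.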

Future-Proof Against Change

The complexity of laws, rules, regulations, and operating environments will continue to increase for the healthcare industry. By architecting solutions that harness agile sensitive information identification, categorization, and data lineage to answer the five questions, HIM professionals can future-proof their organizations for change. Doing so will go a long way to provide complete visibility into cybersecurity and privacy’s threat landscape so they can rise to meet those challenges together.

 

Greg Sheaffer (greg.sheaffer@clairvoyatech.com) is a founder of Clairvoya, a data management software platform.