TRANSCRIPT
1
Achieving Better Privacy and Cybersecurity Through Data Classification and Rights Management
2
Presenters
STEPHANIE CRABB, PRINCIPAL, IMMERSIVE
RICHARD WYCKOFF, MS, CISSP, REGIONAL INFORMATION SECURITY OFFICER, UNIVERSITY OF VERMONT HEALTH NETWORK
ALEX NISENBAUM, JD, CIPP, ASSOCIATE, PEPPER HAMILTON LLP
3
Today’s Agenda
THE HEALTHCARE DATA LANDSCAPE
PRIVACY AND SECURITY IN THE NEW HEALTHCARE DATA ECONOMY
CALL TO ACTION: DATA CLASSIFICATION
CALL TO ACTION: RIGHTS MANAGEMENT
THE BUSINESS CASE
GETTING STARTED
LESSONS LEARNED
KEEP IN TOUCH
4
Breaking the Ice: Setting Context
BASELINE: Current state of adoption and implementation
INTENT: Where are you headed?
WHAT KEEPS YOU UP: Frustrations, Barriers
EXPERIENCE: Positive? Negative? Lessons Learned
5
The Healthcare Data Landscape
An emerging economy unto itself
6
Healthcare’s Data Ecosystem: A New Economy
VALUE: Value through insights we learn and value in the data/information assets themselves
VARIETY: Diversity of data
VELOCITY: Speed of data
VOLUME: Scale of data
VERACITY: Trustworthiness/Certainty of data
7
Data are Challenging: Why are healthcare data so difficult to manage?
STRUCTURE: structured vs unstructured - despite best efforts to leverage the EMR as a platform for consistent data capture
COMPLEXITY: claims data, clinical data, myriad variables related to an amalgam of systems, shifting business rules and conflicting definitions
FORMAT: text, numeric, paper, digital, images, multimedia, video…and the same data can exist in different systems in different formats
DEFINITIONS: inconsistent, variable and subjective definitions based on the source, and new knowledge keeps this target moving
LOCATIONS: healthcare data tend to be created and reside in multiple places
REGULATORY COMPLIANCE: despite the shift to reduce reporting burdens, the rise of data and analytics will likely translate into different regulatory requirements
8
What the Surveys Say
• Data are no longer viewed as “nice to have” but critical to competitive advantage
• The competitive landscape in
healthcare is being shaped, in
part, by a new data and digital
economy
2018 Global Data Management Benchmark Report
- Experian
9
What the Surveys Say
• Healthcare views its data-enabled
opportunities similarly to those of other
industries
• Real-time processing is critical to
timely decision-making, patient safety,
etc.
• DaaS is more than just offloading data
to the cloud – it is about data quality
and data access – both paramount as
healthcare moves increasingly to self-
service analytics
• IoT/Connected Devices are
healthcare’s primary path to patient
engagement/experience and
personalization
2018 Global Data Management Benchmark Report
- Experian
10
What is Driving Growth in Healthcare’s Data Ecosystem?
Lofty ambitions. Tactical urgency.
Serious challenge to most privacy and security program constructs.
11
Privacy and Security
In the New Healthcare Data Economy
12
Challenges to Privacy and Security in the New Healthcare Data Economy
01 THREATS/ATTACK SURFACE: Incessant threats, more devices, channels, and interconnectedness
02 DATED TECHNOLOGY: Legacy systems, and outdated info/cyber security technology
03 NON-HIPAA HEALTH DATA: Health data not subject to HIPAA (largely direct to consumer) being gathered, accessed and analyzed
04 DATA DEMOCRATIZATION: Insatiable demand for data coming from every part of the organization and the expectation of access
05 HUMAN FACTORS: Cyber talent shortage, user unintentional error and/or adherence to policy
06 REGULATORY CHANGE: Regulatory “moving target” – not only privacy, but information blocking, interoperability, etc.
13
Identities and Endpoints are the New Perimeter
• First, it was the firewall that shielded the perimeter of our networks from outside intrusion
• As more data access has come from beyond the internal network, the perimeter shifted to endpoints
• The intersection of people, devices and applications created because of digital transformation now requires security that is based on identity
14
Getting Control of the Data
• We need a better understanding of our organizational data footprint – particularly what we create and what we acquire
• We need to better understand the needs of our users, our organizations and our partners in care
• We need to better understand the nature of data sharing relationships – internally and externally
• We need to know what we’re trying to protect and why
15
DESTINATION: DATA-CENTRIC SECURITY
A data-centric strategy uses classification and encryption to protect data wherever it moves. Where it resides becomes less important. Critical to data-centric security is that content is analyzed at the point of creation to determine its sensitivity. Then it must be restricted appropriately so that only those individuals with the proper business need can use it. This mindset marks a significant maturity in the approach to information security. We must pay more attention to identifying sensitive data so that it remains secure no matter where it goes.
16
Call to Action
Data Classification and
Rights Management
17
Data Classification & Rights Management Defined
DATA CLASSIFICATION: The organization of data into categories based on similar characteristics or criteria so that they may be used, shared, managed, and protected effectively. Most effective when technologically-enabled.
RIGHTS MANAGEMENT: Information rights management (IRM) is a discipline that involves managing, controlling and securing content from unwanted access. Based on/extension of access control. Most effective when technologically-enabled.
18
Why Classify? Data protection drivers
DATA CLASSIFICATION
• MANAGE DATA/INFO COMPLEXITY
• UNDERSTAND ORGANIZATIONAL DATA FOOTPRINT
• PROMOTE INTEROPERABILITY/ENABLE DATA USE
• RESPOND TO/COMPLY WITH REGULATIONS AND LAWS
• IMPLEMENT EFFECTIVE DATA/INFO LIFECYCLE MANAGEMENT
19
Barriers to Data Classification Implementation
Tone from the Top
Walk the Talk
Sponsorship
CISO/CPO/CCO Enablement
Authority
Adoption Failure
Complex Scheme
Enabling Tech and User Training
Cost
Perfection is the enemy of the good. A scheme that is perfect in theory, but is too complex for the workforce to implement is destined to fail. KISS.
Enabling technology is an accelerator, particularly to classifying legacy data. It also automates the enforcement of the target scheme. Even still, we need to train the workforce as human factors are in play.
As with any program, sponsorship and follow through are critical.
The right team of tactical leaders have to be given the proper authorities to execute.
20
Why Rights Management? Data protection drivers
BEYOND ACCESS CONTROL: Access control specifies who can read, modify or delete a document but does nothing to inform, guide or prevent authorized users from disclosing information contained in documents.
DATA-SHARING CONFIDENCE: IRM offers greater control over who can view data/information and where information can go.
CONTENT LIFECYCLE MANAGEMENT: Shifts the focus from network and systems to the data/info content assets themselves. Enables and reinforces the data-centric approach. Complementary to data classification.
21
Barriers to Rights Management Implementation
Tone from the Top
Walk the Talk
Empowerment
Sponsorship/Authority
Asking the Hard Questions
Changing Mindset
What to Protect
Enabling Tech and User Training
Cost
Protecting all the content is not the same as protecting the right content.
Enabling technology is an accelerator, particularly to classifying legacy data. It also automates the enforcement of the target scheme. Even still, we need to train the workforce as human factors are in play.
As with any program, sponsorship and follow through are critical.
The right team of tactical leaders have to be given the proper authorities to execute.
The conversations are more detailed and may take longer to resolve. Who can use information and for what purpose? When and where can they use that information? Data governance can help.
Analysis Paralysis
22
Benefits to the CISO, CPO,
CCO and the organization
23
The Academic Environment: Unique Challenges
MINIMUM NECESSARY: How do institutions ensure researchers are provided with “just enough” data for research and address potential points of failure in the request process or data delivery processes?
REGULATORY DIFFERENCES: Each side of the institution may think about data through a different regulatory lens
AUTHORIZED USES: Siloed research and acute care functions can result in losing track of restrictions that are tied to particular data sets
DE-IDENTIFICATION: Consistent execution across the enterprise, conformance to technical standards and general compliance challenges
24
Getting Started
Implementing data classification and rights management
25
Data Classification Implementation Considerations
01 SECURE SPONSORSHIP/DESIGNATED AUTHORITIES AND IDENTIFY STAKEHOLDERS: Fundamental to success.
02 DESIGN SCHEME: The simpler the better.
03 DOCUMENT POLICY: Put it in writing.
04 DETERMINE “HOW”/REVIEW AND DEVISE STRATEGY TO MEET INSTITUTIONAL AND TECHNICAL CHALLENGES: From now forward (new data)? Retro to legacy data? One department at a time? Enabling tech?
05 CREATE/COMMUNICATE PLAN AND TRAIN: Plan the work. Engage corporate communications. Train the workforce.
06 IMPLEMENT, SUSTAIN AND MEASURE: Work the plan. Measure and report progress and impact.
26
Success in the Scheme: Commonly Adopted Scheme #1
RESTRICTED/SENSITIVE: Must be guarded due to proprietary, ethical, privacy or business process considerations
PUBLIC: May or must be freely available to the public
CONFIDENTIAL: Protected by law, government regulation, statutes, industry regulations, contractual obligations, or specific institutional policies
The complex scheme that is “perfect” in theory is almost always impossible to implement successfully.
Resist complexity. Apply lessons learned from access management experiences.
Most Valued Dimensions: Sensitivity, Value and Criticality
27
Success in the Scheme: Commonly Adopted Scheme #2
1 RESTRICTED USE: Any data that the organization has a contractual, legal or regulatory obligation to safeguard in most stringent manner
2 CONFIDENTIAL: Data that, if made available to unauthorized parties, may adversely affect individuals or the organization
3 INTERNAL USE: Data that are potentially sensitive and not intended to be shared with the public
4 PUBLIC: Data that may be disclosed to any person and do not require any level of protection from disclosure
28
Rights Management Implementation Considerations
INTEGRATIONS
PERSISTENT CONTROL POLICIES
AUTHENTICATION
USEABILITY
SECURE SPONSORSHIP/DESIGNATED AUTHORITIES
29
Lessons Learned
START SIMPLE AND SCALE
CLEARLY DEFINE ROLES AND AUTHORITIES
SENIOR LEADERSHIP/STAKEHOLDER BUY-IN
CULTURE AND EDUCATION
STRICTLY DEFINE SCOPE
HEALTHCARE/LAW ALREADY CLASSIFIES AND WILL EVOLVE
30
Discussion: Sharing and Problem-Solving
ENABLING TECHNOLOGY: Enabling technologies are proven accelerators. Should tech investment be pre-requisite?
GETTING STARTED: Consensus that these initiatives “make sense” but cannot seem to get them off the ground.
BUY-IN/ENGAGEMENT: How deep do support and engagement need to be seeded? Is data governance/stewardship a pre-requisite?
31
KEEP IN TOUCH
HOW TO FIND US
213.928.9800
ALEX NISENBAUM
518.314.3889
RICH WYCKOFF
850.387.5766
STEPHANIE CRABB