Achieving Better Privacy and Cybersecurity Through Data Classification and Rights Management

Post on 21-May-2020

Page 1: Achieving Better Privacy and Cybersecurity …...CONTENT LIFECYCLE MANAGEMENT Shifts the focus from network and systems to the data/info content assets themselves. Enables and reinforces

Achieving Better Privacy and Cybersecurity Through Data Classification and Rights Management

Page 2

Presenters

STEPHANIE CRABB, Principal, Immersive
RICHARD WYCKOFF, MS, CISSP, Regional Information Security Officer, University of Vermont Health Network
ALEX NISENBAUM, JD, CIPP, Associate, Pepper Hamilton LLP

Page 3

Today’s Agenda

• THE HEALTHCARE DATA LANDSCAPE
• PRIVACY AND SECURITY IN THE NEW HEALTHCARE DATA ECONOMY
• CALL TO ACTION: DATA CLASSIFICATION
• CALL TO ACTION: RIGHTS MANAGEMENT
• THE BUSINESS CASE
• GETTING STARTED
• LESSONS LEARNED
• KEEP IN TOUCH

Page 4

Breaking the Ice
Setting Context

BASELINE: Current state of adoption and implementation
INTENT: Where are you headed?
WHAT KEEPS YOU UP: Frustrations, Barriers
EXPERIENCE: Positive? Negative? Lessons Learned

Page 5

The Healthcare Data Landscape

An emerging economy unto itself

Page 6

Healthcare’s Data Ecosystem
A New Economy

VALUE: Value through insights we learn and value in the data/information assets themselves
VARIETY: Diversity of data
VELOCITY: Speed of data
VOLUME: Scale of data
VERACITY: Trustworthiness/Certainty of data

Page 7

Data are Challenging
Why are healthcare data so difficult to manage?

STRUCTURE: structured vs unstructured - despite best efforts to leverage the EMR as a platform for consistent data capture
COMPLEXITY: claims data, clinical data, myriad variables related to an amalgam of systems, shifting business rules and conflicting definitions
FORMAT: text, numeric, paper, digital, images, multimedia, video…and the same data can exist in different systems in different formats
DEFINITIONS: inconsistent, variable and subjective definitions based on the source, and new knowledge keeps this target moving
LOCATIONS: healthcare data tend to be created and reside in multiple places
REGULATORY COMPLIANCE: despite the shift to reduce reporting burdens, the rise of data and analytics will likely translate into different regulatory requirements

Page 8

What the Surveys Say

• Data are no longer viewed as “nice to have” but critical to competitive advantage
• The competitive landscape in healthcare is being shaped, in part, by a new data and digital economy

2018 Global Data Management Benchmark Report - Experian

Page 9

What the Surveys Say

• Healthcare views its data-enabled opportunities similarly to those of other industries
• Real-time processing is critical to timely decision-making, patient safety, etc.
• DaaS is more than just offloading data to the cloud – it is about data quality and data access – both paramount as healthcare moves increasingly to self-service analytics
• IoT/Connected Devices are healthcare’s primary path to patient engagement/experience and personalization

2018 Global Data Management Benchmark Report - Experian

Page 10

What is Driving Growth in Healthcare’s Data Ecosystem?

Lofty ambitions. Tactical urgency.

Serious challenge to most privacy and security program constructs.

Page 11

Privacy and Security
In the New Healthcare Data Economy

Page 12

Challenges to Privacy and Security
In the New Healthcare Data Economy

01 THREATS/ATTACK SURFACE: Incessant threats, more devices, channels, and interconnectedness
02 DATED TECHNOLOGY: Legacy systems, and outdated info/cyber security technology
03 NON-HIPAA HEALTH DATA: Health data not subject to HIPAA (largely direct to consumer) being gathered, accessed and analyzed
04 DATA DEMOCRATIZATION: Insatiable demand for data coming from every part of the organization and the expectation of access
05 HUMAN FACTORS: Cyber talent shortage, user unintentional error and/or adherence to policy
06 REGULATORY CHANGE: Regulatory “moving target” – not only privacy, but information blocking, interoperability, etc.

Page 13

Identities and Endpoints are the New Perimeter

• First, it was the firewall that shielded the perimeter of our networks from outside intrusion
• As more data access has come from beyond the internal network, the perimeter shifted to endpoints
• The intersection of people, devices and applications created because of digital transformation now requires security that is based on identity

Page 14

Getting Control of the Data

• We need a better understanding of our organizational data footprint – particularly what we create and what we acquire
• We need to better understand the needs of our users, our organizations and our partners in care
• We need to better understand the nature of data sharing relationships – internally and externally
• We need to know what we’re trying to protect and why

Page 15

DESTINATION: DATA-CENTRIC SECURITY

A data-centric strategy uses classification and encryption to protect data wherever it moves. Where it resides becomes less important. Critical to data-centric security is that content is analyzed at the point of creation to determine its sensitivity. Then it must be restricted appropriately so that only those individuals with the proper business need can use it. This mindset marks a significant maturity in the approach to information security. We must pay more attention to identifying sensitive data so that it remains secure no matter where it goes.

Page 16

Call to Action

Data Classification and Rights Management

Page 17

Data Classification & Rights Management
Defined

DATA CLASSIFICATION: The organization of data into categories based on similar characteristics or criteria so that they may be used, shared, managed, and protected effectively. Most effective when technologically-enabled.

RIGHTS MANAGEMENT: Information rights management (IRM) is a discipline that involves managing, controlling and securing content from unwanted access. Based on/extension of access control. Most effective when technologically-enabled.

Page 18

Why Classify?
Data protection drivers

DATA CLASSIFICATION

• MANAGE DATA/INFO COMPLEXITY
• UNDERSTAND ORGANIZATIONAL DATA FOOTPRINT
• PROMOTE INTEROPERABILITY/ENABLE DATA USE
• RESPOND TO/COMPLY WITH REGULATIONS AND LAWS
• IMPLEMENT EFFECTIVE DATA/INFO LIFECYCLE MANAGEMENT

Page 19

Barriers to Data Classification Implementation

Tone from the Top
Walk the Talk
Sponsorship
CISO/CPO/CCO Enablement
Authority
Adoption Failure
Complex Scheme
Enabling Tech and User Training
Cost

Perfection is the enemy of the good. A scheme that is perfect in theory, but is too complex for the workforce to implement is destined to fail. KISS.

Enabling technology is an accelerator, particularly to classifying legacy data. It also automates the enforcement of the target scheme. Even still, we need to train the workforce as human factors are in play.

As with any program, sponsorship and follow through are critical.

The right team of tactical leaders have to be given the proper authorities to execute.

Page 20

Why Rights Management?
Data protection drivers

BEYOND ACCESS CONTROL: Access control specifies who can read, modify or delete a document but does nothing to inform, guide or prevent authorized users from disclosing information contained in documents.

DATA-SHARING CONFIDENCE: IRM offers greater control over who can view data/information and where information can go.

CONTENT LIFECYCLE MANAGEMENT: Shifts the focus from network and systems to the data/info content assets themselves. Enables and reinforces the data-centric approach. Complementary to data classification.

Page 21

Barriers to Rights Management Implementation

Tone from the Top
Walk the Talk
Empowerment
Sponsorship/Authority
Asking the Hard Questions
Changing Mindset
What to Protect
Enabling Tech and User Training
Cost
Analysis Paralysis

Protecting all the content is not the same as protecting the right content.

Enabling technology is an accelerator, particularly to classifying legacy data. It also automates the enforcement of the target scheme. Even still, we need to train the workforce as human factors are in play.

As with any program, sponsorship and follow through are critical.

The right team of tactical leaders have to be given the proper authorities to execute.

The conversations are more detailed and may take longer to resolve. Who can use information and for what purpose? When and where can they use that information? Data governance can help.

Page 22

Benefits to the CISO, CPO, CCO and the organization

Page 23

The Academic Environment
Unique Challenges

MINIMUM NECESSARY: How do institutions ensure researchers are provided with “just enough” data for research and address potential points of failure in the request process or data delivery processes

REGULATORY DIFFERENCES: Each side of the institution may think about data through a different regulatory lens

AUTHORIZED USES: Siloed research and acute care functions can result in losing track of restrictions that are tied to particular data sets

DE-IDENTIFICATION: Consistent execution across the enterprise, conformance to technical standards and general compliance challenges

Page 24

Getting Started

Implementing data classification and rights management

Page 25

Data Classification
Implementation Considerations

01 SECURE SPONSORSHIP/DESIGNATED AUTHORITIES AND IDENTIFY STAKEHOLDERS: Fundamental to success.
02 DESIGN SCHEME: The simpler the better.
03 DOCUMENT POLICY: Put it in writing.
04 DETERMINE “HOW”/REVIEW AND DEVISE STRATEGY TO MEET INSTITUTIONAL AND TECHNICAL CHALLENGES: From now forward (new data)? Retro to legacy data? One department at a time? Enabling tech?
05 CREATE/COMMUNICATE PLAN AND TRAIN: Plan the work. Engage corporate communications. Train the workforce.
06 IMPLEMENT, SUSTAIN AND MEASURE: Work the plan. Measure and report progress and impact.

Page 26

Success in the Scheme
Commonly Adopted Scheme #1

RESTRICTED/SENSITIVE: Must be guarded due to proprietary, ethical, privacy or business process considerations
PUBLIC: May or must be freely available to the public
CONFIDENTIAL: Protected by law, government regulation, statutes, industry regulations, contractual obligations, or specific institutional policies

The complex scheme that is “perfect” in theory is almost always impossible to implement successfully. Resist complexity. Apply lessons learned from access management experiences.

Most Valued Dimensions: Sensitivity, Value and Criticality

Page 27

Success in the Scheme
Commonly Adopted Scheme #2

PUBLIC: Data that may be disclosed to any person and do not require any level of protection from disclosure
CONFIDENTIAL: Data that, if made available to unauthorized parties, may adversely affect individuals or the organization
INTERNAL USE: Data that are potentially sensitive and not intended to be shared with the public
RESTRICTED USE: Any data that the organization has a contractual, legal or regulatory obligation to safeguard in the most stringent manner

Page 28

Rights Management
Implementation Considerations

• INTEGRATIONS
• PERSISTENT CONTROL POLICIES
• AUTHENTICATION
• USEABILITY
• SECURE SPONSORSHIP/DESIGNATED AUTHORITIES

Page 29

Lessons Learned

• START SIMPLE AND SCALE
• CLEARLY DEFINE ROLES AND AUTHORITIES
• SENIOR LEADERSHIP/STAKEHOLDER BUY-IN
• CULTURE AND EDUCATION
• STRICTLY DEFINE SCOPE
• HEALTHCARE/LAW ALREADY CLASSIFIES AND WILL EVOLVE

Page 30

Discussion
Sharing and Problem-Solving

ENABLING TECHNOLOGY: Enabling technologies are proven accelerators. Should tech investment be pre-requisite?

GETTING STARTED: Consensus that these initiatives “make sense” but cannot seem to get them off the ground.

BUY-IN/ENGAGEMENT: How deep do support and engagement need to be seeded? Is data governance/stewardship a pre-requisite?

Page 31

KEEP IN TOUCH
HOW TO FIND US

ALEX NISENBAUM: [email protected], 213.928.9800
RICH WYCKOFF: [email protected], 518.314.3889
STEPHANIE CRABB: [email protected], 850.387.5766