Pratum Blog

Somewhere along the road of technology integration into our daily business process, the role of information owner and data custodian become confused. Data only has value when there is meaning wrapped around it. The combination of data and meaning creates information. A business unit, and therefore business unit leadership, is the rightful owner of almost all, if not all of the information a business generates. The data owner is the person or entity for which the data has value. They are the ones who can open a spreadsheet and make sense of the rows and columns of numerical data. It's informational to them.

In contrast, the data custodian can't make heads or tails of most of the data they are asked to maintain. A spreadsheet of last month's sales numbers isn't any more valuable than next month's customer newsletter. It's just data to them. They are charged with making sure the data is secured and available to the owner when needed.

In many organizations, information owners have abdicated their responsibilities to manage and protect their information investments. They rely on IT to determine backup schedules, off-site rotations, disaster recovery, retention schedules, access controls and other things which impact the confidentiality, integrity and availability (CIA) of their information. In many cases the business unit leadership is markedly absent from any discussions or decision points regarding information CIA. They simply want to pass this on to IT to worry about as a "technical" issue.

By default, most IT organizations accepted this responsibility as they knew at some point data would be compromised and the business unit would look to them to fix it. Unfortunately, instead of pushing the responsibility back to the business unit to get involved in the process, they simply shouldered the burden and did what they thought was best.

If you take in a stray puppy and care for it, you might become attached to that puppy over the years. When the rightful owner comes back to claim it later, there could be some tension in those discussions. The same thing is happing with regards to our business information. IT has been caring for and feeding our data for years while the business units have largely neglected their responsibilities as information owners. IT has been doing the best they could with limited resources and knowledge of the constraints on the information.

Now under the gun due to regulatory environments, data owners are finding themselves on the hook and under scrutiny in regards to information security and privacy. Business unit leadership is suddenly very interested in what's happening with their information. They want to know the who, what, when, where, why and how.

We in IT need to embrace this newfound interest. Don't look at it as challenging your authority over the information. You never had any authority. It was an illusion. Take a deep breath and exhale a sigh of relief. No longer do you have all the responsibility with none of the authority. You can now provide recommendations to the business on appropriate safeguards but ultimately will take direction from them in regards to protecting their data. This is going to feel weird at first. Really weird…almost wrong. But trust me, in the end everyone will be happier and things will run smoothly when information owners and data custodians understand and embrace their roles in collaboration with each other.

To round out my recent postings regarding the impact of the American Recovery and Reinvestment Act of 2009 (ARRA) on healthcare organizations, I wanted to touch on the enhancements to the enforcement rules. I spoke about the mandatory reporting of a breach in one of earlier posts. Now HHS doesn't need to wait for a complaint or audit to find the breaches. Offending organizations have to tattle on themselves, and then get hit with the penalties. I wish this was how it worked at my house. I've got 4 kids and I'd love to institute mandatory self incrimination. Doubt it will work that well in either scenario, but we can always hope.

Some of the caps on willful negligence have also been raised or removed. This is important as it changes the risk model some organizations have been operating under. Knowing the most a penalty for non-compliance could cost them has allowed organizations to factor this into their risk models. If mitigating the risk is close to or more than the potential penalty, the risk may be deemed acceptable and nothing is done to mitigate it. This is great risk management for the company but bad for the patient. Eliminating a cap for willful negligence should help organizations take a harder look at the true risk they are facing, not just the financial risk.

The final interesting tidbit in the enforcement modifications is the delegation of authority to the state attorneys general. Unless there is a pending federal action, the attorney general of a state now has the authority to seek civil damages for violations of HIPAA. The limitations of these damages are lower than the federal level however there is a much greater chance of a zealous state attorney general taking action against an organization on behalf of the residents of that state than any enforcement action being taken by the federal government.

All in all, I believe these changes help strengthen HIPAA and will force some organizations that have looked for any and all loopholes to reconsider their approach to security and privacy. There is no perfect solution and I'm the last person who wants more federal regulation on any industry. However, I like to see regulations that may actually help us move toward an end state we all agree should be reached rather than one that leaves us scratching our heads from the get go.

P.S. I'm not commenting on the need, usefulness, benefits or detractors of ARRA as a whole. Simply the sections I've mentioned in these posts. Please no flaming rants about the role of the federal government, corporate responsibility or other hot topics of the day. Respectful and intelligent comments both in favor of or in contradiction to my posts will be responded to. All others will be ignored…respectfully.

 

Under ARRA, covered entities and their business associates are now compelled to disclose breaches of protected health information (PHI) to the Secretary of Health and Human Services (HHS). If the breach involves 500 or more individuals the notification must be immediate. If less, a log must be kept of all breaches and submitted annually to HHS. HHS will then post on their website a list of all organizations which had a breach, the nature of the breach and the number of people involved.

The organization must also attempt to make individual notifications to those affected. If the breach involves 500 or more individuals or just TEN individuals for whom there is no current contact information, the notifications must also include broadcasts through mass media in the markets where people are affected.

The one get out of jail free card that was granted is for PHI which is rendered unusable, unreadable or indecipherable. In the past many organizations believed they could anonymize data and it would be safe. Typically though in order to truly anonymize data you have to strip out so much relevant information that the remaining data is no longer useful for any sort of analytical purposes. So…unusable is out.

What about unreadable and indecipherable? Encryption seems to be our only real option at this point. HHS will soon be releasing the final guidance on this topic but I don't expect anything shell shocking. There has been lots of press over the past few years regarding the encryption of data both at rest and in motion. I'm a big proponent of both. Should you lose a laptop and the hard drive is fully encrypted, you're covered. No breach. If someone attacks a database server and your database tables are encrypted you're probably covered there too. However, if your web application which accesses the database is breached, you are up that proverbial creek without a paddle.

At some point in every process or application we need data to be readable. Otherwise why would we need it in the first place? By encrypting data in motion or at rest all we are doing is funneling the attacks to one focal point. Our applications. They must be secured. They are the key weakness in this new equation. We can implement SSL for the socket connections and encrypt a hard drive or database table but if our applications are weak, we're toast.

Application security has grown by leaps and bounds over the past several years. The problem is we continue to see the same mistakes in code. Buffer overflows, unvalidated input, unprotected file access and other flaws continue to get written into our applications. Applications must go through a more rigorous security testing process whether they are written by a team of a thousand over the course of years or a team of two over a case of Red Bull. Oh…and we need to be teaching security at our colleges and universities, but that a topic for another day.

If we have any hope of protecting our data we must secure our applications. While encryption and other security technology will prevent data leakage or thefts in some instances, they can't protect against them through approved applications. We can, and should do more.

Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.