Healthcare struggles to protect privacy of PHI
Panelists at SC Congress Toronto 2016 said privacy and risk must be managed when sharing PHI.
As the healthcare industry strives to bring data from different sources together to create longitudinal patient records and that data moves to the cloud, organizations must find ways to accomplish data minimization and de-identification to better protect the privacy of this most sensitive information, panelists told an audience at SC Congress Toronto 2016 Wednesday.
Noting how an “ecosystem within healthcare data” that pulls data together from multiple sources in the process “raises risk,” Pamela Buffone, vice president of product management at Privacy Analytics, urged organizations to evaluate then minimize risk.
Data minimization is one way to reduce the chance of exposure and risk. “Once you use data for its intended purpose, get rid of it,” said Ann Cavoukian, executive director of the Privacy and Big Data Institute at Ryerson University and a former Information and Privacy Commissioner in Canada's Ontario province.
Another way to mitigate is de-identifying data, which many organizations do by uncoupling names from information. But that's only a starting point. “Many data security folks think of mainly [masking names] to de-identify data, but [even information like] price points” or hospital admittance dates, for example, “can be identifying when linked with other data,” said Buffone.
Flagging security, too, can put privacy at risk. “If you don't have a strong base of security, you won't have privacy,” Cavoukian said, though the panelists agreed that security is not enough to shield data.
“Data can be highly secure, not necessary private,” said Buffone.
Nor does compliance, of course, translate into privacy. “Legal compliance is a floor,” said Anita Fineberg, privacy lawyer and consultant at Anita Fineberg & Associates.
Even meeting existing regulatory requirements can be trying in the current environment. “Organizations are challenged to meet multiple different and often inconsistent regulatory regimes that apply to data,” said Fineberg, particularly as lawmakers and enterprises grapple with the requirements that should be made on data that resides or is accessed in different countries.
While with “two minor exceptions there are no privacy laws in Canada that legally prohibit the storage of and access to PHI and other sensitive data outside the country,” Fineberg noted “a move toward data localization” that she finds “ominous.”
To avoid privacy and regulatory issues, many companies are placing restrictions on where their data resides by “writing geolocation clauses into their contracts with cloud providers, to provide [a] whitelist of countries where data can be stored in cloud,” she said.
But Cavoukian contended that the cloud is almost meaningless – the real issue is protecting information no matter where it's stored. “Put data on cloud or another planet, but [you] have to do it responsibly and securely,” she said. “The onus is on you” to protect it.
Cavoukian's Privacy by Design approach, which became an international framework in 2010, aims to improve privacy by knitting it into design specifications of business practices, physical infrastructures and technologies.