Privacy is not security, this is what Jerry Smith, senior information security and privacy analyst at the University of Utah Health Sciences in Salt Lake City, Utah, wants people to know.
“A lot of people … get lost in the idea that the two can be used in the same conversation and that the tools are the same, when in actuality they really are not,” said Smith, speaking at the 26th annual National HIPAA Summit in Washington, D.C. on Thursday.
Often, those securing information are indifferent to privacy, despite the fact that in healthcare the two are inextricably linked, according to Smith.
“The information security side doesn’t really think about privacy. It doesn’t even really enter into their realm of consciousness. They think about information security, and privacy just floats out the window,” said Smith.
What Does Privacy Mean for Healthcare Data?
Smith lays out information privacy as the proper use of data, ensuring for patients:
- Transparency for the consumer patient
- Individual participation • Purpose specification — “We want to make sure the patient understands just what their information is being used for.”
- Data minimization, or only using the necessary amount of data
- Use limitation — “Don’t surprise the patient, they really don’t like that.”
- Data quality and integrity
- Accountability and auditing
- Risk analysis
- Breach outcome
“Make sure that people understand that privacy can wrap around your data. It is an investment in controlling and returning investment to the organization,” said Smith.
How Can Privacy and Security Meet in the Middle?
So how can healthcare organization CTOs begin to incorporate privacy into the information security conversation?
“You’ve got to get them to start thinking about privacy. You’ve got to get them to start thinking about the aspects of privacy … There are things they have to think about when they are using the privacy compliance pieces that they need to understand. And they need to understand the nuance of privacy,” Smith offers.
Most importantly, both parts of the organization need to be on the same page when developing or tweaking a security strategy.
“Get your information security team and privacy team to think together. Get them synchronized. Try to get them to think in the same terms and think in the same ideas,” said Smith.
And this unity starts at the top, according to Smith.
“If you can get out there with a unified approach with your leadership in the C-Suite, it makes a lot better approach when you go for budget,” he said.
This unanimity should pull through several elements of the security strategy, including constant and quick education and training for physicians and healthcare staff, proper destruction of equipment, the creation of an accurate and enforceable information security policy, and above all, encryption.
“If you’re not doing encryption at rest [and] on the wire, do it,” said Smith.
Moreover, a united front can be particularly important as healthcare organizations begin to migrate records to the cloud to increase interoperability and save costs.
“When people are talking about cloud service providers, try to get privacy into that conversation, it’s really important. Ensure that privacy is involved in the service-level agreements with the cloud service providers and the [business association agreement] BAA. Be sure that you’re all part of that discussion because it’s really important how that all dovetails into the [service-level agreement] SLA,” said Smith, adding that organizations should ensure they have ownership of the data once it enters the cloud.
The key to making this sort of teamwork possible, however, could be to remind employees exactly what a security strategy is meant to achieve for patients.
“You have to get a hold of people’s hearts and their minds to get people to understand what the data is about and what they’re trying to protect,” said Smith. “Get them to recognize that in those bits and pieces of data, there’s a person there, that’s someone’s life.”