Close

New Workspace Modernization Research from CDW

See how IT leaders are tackling workspace modernization opportunities and challenges.

Click Here to Read the Report
Dec 10 2025
Security

Data Clean Rooms Support Healthcare Security and Innovation

Secure environments for using and sharing data make sense for healthcare organizations looking to augment cybersecurity as well as research — provided they’re set up properly.
Brian Eastwood
by

Brian Eastwood is a freelance writer with more than 15 years of experience covering healthcare IT, healthcare delivery, enterprise IT, consumer technology, IT leadership and higher education.

A data clean room is a secure environment for partners to collectively use data without exposing underlying data elements. As the Federal Trade Commission points out, a data clean room differs from a traditional data transfer due to the constraints partners set to determine how data is shared, analyzed and subsequently exported.

The data clean room’s value proposition for innovation is clear. Multiple entities can collaborate on research or technology initiatives without compromising governance controls, says Lee Kim, HIMSS senior principal for cybersecurity and privacy.

“It preserves each party’s data ownership and operates in accordance with applicable privacy, security and data protection requirements,” she says. Instead of viewing raw data, entities “can see aggregated outputs, statistical results, the results of approved queries or privacy-preserving derivative information.”

The ability to address modern privacy and security challenges has put the data clean room in the spotlight for healthcare organizations for another important reason: more effective — and less disruptive — recovery from cyber incidents.

Click the banner below to discover the building blocks for a secure and efficient infrastructure.

ht-foundationsofcare-q225-animated-desktop ht-foundationsofcare-q225-animated-mobile

 

How Data Clean Rooms Are Used in Healthcare Cyber Recovery

In late 2024, the Office for Civil Rights within the Department of Health and Human Services proposed changes to the HIPAA Security Rule that would, among other things, “strengthen requirements for planning for contingencies and responding to security incidents.”

The motivation is strong. A recent survey from EY and KLAS Research found 60% of healthcare organizations experienced operational disruptions following a cybersecurity incident. Another 59% faced “clinical consequences” such as delayed treatments or an erosion of patient trust in the organization.

Were the proposed rule to become official regulation, organizations subject to HIPAA regulations would need written procedures for restoring systems and their data within 72 hours of an incident. The data clean room, as a controlled environment, would be well positioned to meet this requirement. “It can help validate the integrity of restored data, support forensics and maintain essential operations, research and analytics until the primary systems are back online,” Kim says.

READ MORE: Healthcare organizations need a cyber resilience strategy that supports success.

Data Clean Rooms and HIPAA Compliance

That said, Kim notes that a new HIPAA Security Rule on its own isn’t driving data clean room adoption. After all, the proposed rule isn’t yet official, nor does it explicitly specify that organizations must adopt a data clean room. What’s more, the proposed rule would require many security steps that forward-thinking organizations have already taken, including documented incident response plans, multifactor authentication, network segmentation, and encryption of data at rest and in transit.

More broadly, says Brandon Reilly, partner and leader of the Privacy and Data Security Group at Manatt, Phelps & Phillips, the data clean room may assist with meeting HIPAA requirements to prohibit information blocking.

“As new and proposed HIPAA rule changes work to enhance patient access to protected health information and patient ability to request that PHI records be more freely transferred between parties and applications, data clean rooms may be the ideal mechanism to facilitate regulated data sharing and transfers,” Reilly says.

Lee Kim
“It can help validate the integrity of restored data, support forensics and maintain essential operations, research and analytics until the primary systems are back online.”

Lee Kim Senior Principal for Cybersecurity and Privacy, HIMSS

Additional Benefits and Use Cases for a Data Clean Room in Healthcare

While the data clean room is an increasingly important component of modern data center security and recovery strategy, healthcare organizations can benefit from the setup in a few other ways.

Privacy-Enhanced Collaboration Across Institutions

The nature of the data clean room makes it valuable for collaboration among multiple organizations, as they contribute copies or views of data in accordance with their own data governance principles, Kim notes.

“As a matter of principle, no party can see another party’s raw data set, identifiers or proprietary data,” she says. This positions organizations to work together on medical research and population health analytics, as well as clinical and operational improvement initiatives, while preserving the privacy of patient data.

Accelerated Development of Drugs and Other Treatments

Kim describes the data clean room as a “force multiplier” for life science organizations, as they’re able to bring together rich yet sensitive data sets from clinical records and real-world evidence to genomic sequences. Reilly agrees, saying that data clean rooms are “both more efficient and more privacy protective” than traditional data-sharing methods.

Without this environment in place, organizations would be subject to long, complex approval processes for data transfer requests to sufficiently ensure identifiable, proprietary or sensitive information isn’t exposed. “The innovation pathway to new discoveries and clinical insights is now shorter and much more efficient with the use of data clean rooms,” Kim says.

RELATED: Healthcare organizations must prioritize clinical care resiliency.

Considerations for Deploying a Data Clean Room

According to the FTC, when “constraints are appropriately designed, implemented, and monitored,” a data clean room “can limit the use and disclosures of the data of the people represented in the datasets.” Such constraints aren’t automatic, the agency adds, and must be intentionally configured and deployed to preserve privacy.

With that in mind, Kim notes, any organization implementing a data clean room must consider:

  • How data will be used, disclosed and processed
  • How use broadly aligns with clinical, research and/or operational workflows
  • How access controls will be configured
  • Who has permission to run queries
  • How audit logs track activity within the data clean room

The FTC notes that granting more entities access to a data clean room can have the unintended consequence of expanding the perimeter that requires defense. As a result, organizations hosting a data clean room environment must be aware of their partners’ overall security practices, data governance policies, and storage and permission configurations. The agency notes that one partner with lax policies, such as not requiring multifactor authentication to grant access, could be enough to expose the data clean room to an attack that compromises privacy and puts organizations at risk.

“Data clean rooms do not magically make your data collaboration fully compliant,” Reilly says. “Clean rooms are capable of making a data collaboration fully compliant if deployed properly, but this will depend heavily on many factors — the specific use case, the data involved, the privacy protections applied and the contract terms that are negotiated.”

Kobus Louw/Getty Images

More On

Related Articles