Using the cloud data life cycle to protect patient privacy
In an ideal world, technology would maximize individual benefits while also protecting privacy.
But in practice, the pivot to digital-first healthcare has sometimes left personal information vulnerable to attack – as evidenced by the recent spike in targeting of health systems.
One example of this paradigm, says Dr. James Angle, product manager for IT services in information security, at Trinity Health, involves the migration of increased amounts of data to the cloud.
“Before the use of cloud, PHI was stored either in the [health delivery organization’s] data center or a third-party data center,” noted Angle, who will be presenting on the subject at HIMSS21 in August.
“With cloud, data is stored in multiple data centers in multiple jurisdictions,” Angle continued. “The increase [in] data storage locations gives attackers more targets.”
“In addition, having multiple jurisdictions means more, as well as different, requirements. This adds complexity, which is the enemy of privacy and security,” he added.
During his HIMSS21 presentation, Angle will discuss the process of analyzing how an organization collects, uses, shares and maintains personal identifying information, as well as how to best protect that information.
“Ensuring privacy for our patients is a process that starts with privacy engineering and includes conducting privacy risk assessments and understanding the data life cycle,” he said. “If these processes are followed, we will enhance our ability to protect our patients’ information.”
Angle will also explain how HIPAA’s privacy rule functions in the context of security and information sharing.
“The purpose of the privacy rule is to give patients more control over their health information. The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other protected health information,” he said.
“Additionally, the privacy rule defines and limits the circumstances in which an individual’s PHI can be used or disclosed by a covered entity or its business associates,” he continued.
Returning to the matter of the cloud, Angle notes that the data life cycle gives the analyst a structured way to look at privacy.
“There are six phases in the cloud data life cycle: create, store, use, share, archive and destroy. Each phase has different requirements and issues that must be addressed,” he said.
The “create” phase, which involves the generation or acquisition of new data or the modification of existing data, can be a useful example of this.
“When personal data is collected, it is important to remember that the individual whose data is being collected has the right to know what data is being collected, what the data will be used for, and if it will be shared,” Angle said. “The collector must obtain consent, which means asking users for permission to process their data.
“Healthcare delivery organizations must explain their data collection practices in clear and simple language, and then users must explicitly agree to them. Additionally, it defines who can collect PHI/PII data and map the data to access rights for everyone who has access,” he added.
Even as the cloud has enabled innovation, Angle notes that it also adds complexity to an organization’s data protection plan.
“Data must not only be protected inside the HDO’s network but also in transit and in the cloud,” he said. “The HDO needs to know where the data will be stored, who has access to the data, and what controls are in place to protect the data.”
“Using the data life cycle, the analyst can look at the requirements for each phase and ensure the correct controls are in place to protect the patient’s privacy throughout the entire data life cycle,” he continued.
“By using the data life cycle, you are answering who, what, when, why, and how the data is treated in each phase. This will give you a clear picture of the data and, in turn, how to protect the data.
