On Tuesday, Aug. 10 at the HIMSS21 conference in Las Vegas, James Angle, product manager IT services-security for the Livonia, Mich.-based Trinity Health, presented an educational session titled “Protecting the Privacy of Healthcare Data in the Cloud.”
Angle began the session by saying that “Security and privacy can, and should, be treated as distinct concerns. Privacy is about selecting how various rights should be implemented and security is about implementing those choices.”
He explained that the value associated with healthcare technology is connected to the collection of personal health information—including protected health information (PHI), personal identifying information (PII), and payment card industry (PCI)—and much of that data resides in the cloud and must be protected.
“In healthcare, all of our IT health systems collect information from patients or personnel, and it is PII,” Angle said. “PCI and PHI and the value of our health systems are directly linked to the data we pull.”
According to Angle, organizations in 2018 had 33 zettabytes of data stored in the cloud. By 2025 it is estimated that number will increase to 175 zettabytes. Thirty-five percent of healthcare organizations surveyed held more than 50 percent of data or infrastructure in the cloud. “We have to protect this information,” he said. “Most organizations run one-third on the cloud, the ease makes it easier to lose the data.”
Next, Angle spoke about privacy engineering. He said that “The privacy engineer identifies privacy requirements and implements privacy by design (PbD). PbD is an approach to systems engineering that seeks to ensure protection by integrating considerations of privacy issues from the very beginning of the development of products. It was developed back in the 90s to address the ever-growing and systemic effects of information and communication technologies.”
He then laid out seven principles of privacy by design:
- Proactive not reactive; preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality—positive-sum, not zero-sum
- Full lifecycle protection
- Visibility and transparency
- Respect for user privacy—keep it user-centric
Angle then brought up LINDDUN Threat Modeling. LINDDUN is a privacy threat modeling methodology that supports analysts in systematically eliciting and mitigating privacy threats in software architectures. LINDDUN is a mnemonic for the privacy threat categories it supports: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.
Angle then continued to lay out several different tactics, models, assessments, and frameworks that can all be used to protect the privacy of healthcare data in the cloud—threat modeling with STRIDE (another mnemonic standing for Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege), privacy risk assessments and processes, NIST Privacy Framework, and more.
Although all the information given in this session can be considered invaluable to organizations using the cloud, perhaps the most vital part was the list of questions to ask your cloud service provider (CSP). Angle succinctly ran off the questions: “Does the CSP describe the purposes for which PHI is collected, used, maintained, and shared in its privacy notices? Does the CSP have, disseminate, and implement operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PHI? Has the CSP conducted a privacy impact assessment and are they willing to share it? Has the CSP conducted a data protection impact assessment for data stored, processed, or transmitted in the EU or on EU data subjects? Does the health delivery organization have privacy roles, responsibilities, and access requirements for contractors and service providers?” There were two more slides of questions in the presentation as well, as Angle insisted you should have all your bases covered and all your questions answered by your CSP to ensure your organization’s data is being truly protected in the cloud.
After the questions to ask your CSP, Angle brought up some additional measures to protect privacy. “Passwords themselves should be lengthy and complex. Organizations should also practice secure storage, meaning material containing personal private information must be stored in a secure manner and digital data must be encrypted. Organizations should also ensure mobile devices are secured as well as ensuring that they have a secure transmission of data. Additionally, secure disposal of data, including removable data that contains private data,” he said.
Angle concluded the session with a quote from Edward Snowden, which summed up his feelings on how we all need to care about privacy: “Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”