Health Management Technology asked nearly a dozen IT executives for tips on how to improve data security to ensure accurate analytics.
What are some key best-practice strategies IT execs should employ for Big Data security?
- Make data security a top executive priority by employing a Chief Security Officer who is responsible for infrastructure, data security and implementing the best industry practices on data control and safety. Give him/her the proper resources, continuing education and staff necessary to do this. Security is everyone’s shared responsibility.
- Make it company policy to minimize access to PHI data and the production environment whenever possible. Be vigilant about controlling and auditing access to physical and digital data assets.
- Protect and monitor your data network in real time so your staff is able to detect and quickly address any security issues as soon as they arise.
- Update your security software continuously. Implement new practices when they make sense for your organization. Ensure selection of security software that can keep up with the massive data traffic.
- Work with business partners who value and share your practices around data security.
– Ahmad Kasmieh, Chief Technology Officer, Alere Analytics
Big Data footprints give bad guys a potentially large target, but in reality, Big Data is simply little data aggregated by some software and hardware mechanism. All the little data needs to have all the aforementioned security policies applied.
The aggregation mechanism, e.g., a data warehouse or analytics engine, is the new wrinkle. This is usually a user-friendly application that needs to be managed as any other application.
- Authorized and audited logins for users.
- Limit how data can be extracted; defining and enforcing the methods by which data can get out helps you audit when it happens and who did it.
- To the extent possible, centralize the data in a central data location. This gives you the benefit of all the data-center-enforced security practices.
– Steve Matheson, Vice President, Product Management, BridgeHead Software
- Review the governance model.
- Review vendor acquisition (and business acquisition) models and practices.
- Make sure risk is evaluated.
- Review business associate agreements as they relate to organizational security requirements.
- Review HIE relationships.
- Create security/privacy/compliance KPIs and link them to organizational business requirements.
– Frank Negro, Practice Leader, Global Healthcare Consulting, Dell Services
- Take on the thorniest Big Data challenges that, when solved, have the most business value. This gets more of the data out into the open, so it can be better evaluated and understood. It’s easier to protect what you can see.
- Closely study the Big Data feeder systems, your data supply chain, and look for opportunities for application and data-silo consolidation.
- Acknowledge and engage the biggest analyzers of data across the organization. This is where spreadsheets become “spreadmarts.” Give them structured and unstructured data on tap for analysis so they don’t build pockets and silos of data.
- Implement tools for information rights management. This forces organizations to better understand who the stewards are of their data. This allows them to develop and manage policies needed to implement “border patrols” on the flow of Big Data to prevent episodic breaches of personally identifiable information and PHI.
- Take the demands for the liquidity of data as a given. It’s either happening today or will in the very near future. Use this movement to build a strategy for data governance while starting to evaluate your governance, risk and compliance tools. When the business experiences the value of Big Data, they should be right there with funding for keeping it on tap and funding things like emerging capabilities, including GRC.
– David Dimond, Chief Technology Officer, EMC Global Healthcare Business
- Ensure that Big Data vendors are performing regular audits of their security prior to data exchange.
- IT execs should also perform regular and comprehensive security audits of their systems that will ensure compliance with HIPAA and other regulations.
- Mandate that all mobile devices that contain protected health information when using Big Data solutions are password/PIN protected and are encrypted. Start with the devices posing the greatest risk, and maintain careful records of the process.
- Use role-based access control to ensure that individual users have access only to Big Data that is needed for their role.
- Educate key organizational stakeholders that cloud-based solutions are no less safe from a privacy and risk perspective than premises-based solutions.
– Anil Jain, M.D., FACP, Chief Medical Officer, Explorys Inc.
- There is no single solution. You need a layered approach to security.
- Limit access.
- Be concerned about external threats, but be doubly concerned about internal threats.
- Do not publish raw data. Use properly de-identified, aggregated data to limit exposure.
- Find a trusted partner who can handle as much of this as possible.
– Jason Williams, Vice President, Business Analytics, McKesson
- Define the data.
- Businesses should comply with legal requirements in the collection and use of data.
- Businesses should assess, beyond legal requirements, whether their use of data will be within customers’ expectations.
- Businesses should use data and analytics in a responsible manner, then review their practices to ensure they are delivering benefits to consumers, not just the business.
- Data security should be assessed on the basis of the kinds of information collected and used, and the relative risks associated with that.
– Donald Spinelli, Information Security Officer, SCIO Health Analytics
- IT executives should hire outside consultants, separate from the company, who provide the monitoring software and solutions. These consultants should have experience in healthcare IT, specifically with regard to SOC and HIPAA best practices.
- Audits of network traffic should be performed for peaks in usage, abnormal traffic flows and other non-pattern activity.
- Hospital-wide password policies should be implemented so no departments are exempted.
- Annual network exploit testing should be contracted with a company focused on that task.
- IT executives should encourage the industry to provide this data in an anonymized format for free. If the data is available, the exploits will have less value and be attempted less frequently.
– Steve Deaton, Vice President, Sales, Viztek
There are a number of security controls established by organizations specializing in security that can help guide healthcare executives on where to invest time and energy. At ZirMed, we have implemented the SANS 20 Critical Security Controls because they are based on the forensic analysis of real-world breaches. Every healthcare organization needs to find and deploy a security guidance policy that is appropriate to the organization and do an internal risk assessment to see if it has the controls in place to mitigate risk and protect data.
– Chris Schremser, Chief Technology Officer, ZirMed