Risk Considerations for Healthtechs Managing PHI Data
In healthcare organizations, leaders need to make decisions carefully to balance acceptable cybersecurity risk management and innovation when using Protected Health Information (PHI). Clampdown too hard on cybersecurity, and you stymy innovation and revenue growth. But if you give innovation free reign, you risk data breaches, cyberattacks, or other expensive mistakes that can damage your brand and your bottom line.
Balancing these competing needs among three major roles within healthcare organizations – the protectors, innovators, and drivers – is key.
Protectors adhere to a risk management strategy
The Protectors’ mission (CSO, cybersecurity and compliance teams) is to guard company technology infrastructure to comply with federal and state patient data regulatory standards around HIPAA, PHI, and Personally-Identifying Information (PII), and defend from cyber threats.
Protectors want zero risk, so they prefer highly constrained product development and data security environments. They often view product teams as working in the “wild west” and riding roughshod over rules. As a result, Protectors may seem over-controlling when they reject new ideas and requests that could lead to new products.
There is a lot on the line for Protectors. A cybersecurity incident involving sensitive data being released can cause an organization to be fined for non-compliance with federal or state regulations. Executives could be the subject of enforcement activities. The health organization’s reputation could suffer. Bad actors might share sensitive patient health information with employers, the public, or others. If data integrity is damaged in a breach, patient safety could be at risk.
Innovators rely on access to data
On the flip side, Innovators (product leaders, data scientists, software developers) are charged with creating new products, making updates that meet novel marketplace and customer needs, and staying ahead of the competition to drive revenue.
Innovators explore coding tools and libraries that are new to the enterprise. They seek to use third-party applications and plug-ins. Often, they need access to PHI data to train machine learning models and to measure the performance of models.
These tasks naturally conflict with the Protectors’ priority to guard PHI data. Innovators are under high pressure to meet product go-to-market deadlines and are often frustrated when Protectors say “no” without offering solutions to achieve these needs.
Drivers lead the go-to-market strategy
Finally, Drivers (business and financial executives, CEO, CRO, sales leaders, CMO) are focused on generating revenue and driving growth goals while supporting Innovators.
Drivers often set highly aggressive goals for Innovators. They may complain about delayed go-to-market deadlines for new products, lost revenue, and missed growth goals. Understandable, since late product update releases impact revenue, customers, and brand reputation. Long product development times have a significant impact on market share and competitive advantage. In response, Innovators point to all the limitations placed on them by Protectors. This conflict may slow down innovation, or even shut it down entirely.
In the end, Drivers must negotiate a careful balance of security, innovation, and revenue generation. Healthtechs that successfully master this balance will achieve faster growth.
4 Risk Considerations to Balance Security and Innovation
Business leaders can and should make decisions that carefully balance innovation, cybersecurity risk management, and the PHI data needed for product development. Let’s break this down into four risk considerations to inform a mitigation strategy.
1. Establish a governance framework for PHI data
Agreeing on how to govern PHI data is a complex process that requires a governance framework. The ideal framework establishes risk limitations, access, staff training, and security and compliance oversight.
A governance framework should include:
- Standards: Define the why and establish what you shall do
- Policies: Outline the what for the standards and detail what you must do to adhere to the policy
- Procedures: Documentation that states how you achieve the policy and provides the step-by-step process. They also include instructions or guidelines for how an individual or team can make a request to the standards or control board to modify or update a policy or procedure.
When creating this framework, tension will likely arise between Protectors and Innovators related to who can access PHI data. It’s difficult to streamline what access is allowed without creating technical or procedural speed bumps. Define procedures too narrowly, and you may inadvertently create hurdles for certain roles or employees who need to regularly access PHI data to do their job.
To avoid this scenario, put in place a data labeling policy that defines and labels data based on sensitivity level, PII, PHI, and PCI data. Establish a decision tree that clearly states which roles and employees are allowed access to the data on an ongoing basis. Once in place, the information security team should closely monitor how those approved roles use the data.
What is PHI data?
Protected health information (PHI) covers a range of demographic information for an individual:
Past, present, or future physical or mental health or condition
Healthcare delivery and treatment
Payments for healthcare treatments
Protected health information includes many common identifiers (e.g. name, address, birth date, social security number). The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.
Source: HHS.gov Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
2. Speed time to market by optimizing data access for key roles
Most companies have a lockdown approach to data and access to information systems. Not only does this make it hard for Innovators to do their jobs, but it also pumps the brakes on time to market. In a competitive environment, those delays can lead to a loss of revenue and market share.
Healthcare organizations can mitigate this by optimizing access to PHI data for key roles that have a true business need: evaluate product development tools, maintain data and training sets, and access new tools or algorithm libraries.
For example, Susan, Head of Data Science, needs wide visibility into PHI data so her team can create training data sets for machine learning models. If Susan was forced to justify why her team needed access to confidential patient data for each case, innovation, efficiency, and productivity would suffer.
Determine whether there is a need for PHI data that contains full PII? If identity-linked PHI is required, consider anonymizing the PII fields. Tokenization can preserve an indirect link to identity within the data set, without having identity information in the data set.
A more tolerant risk procedure would allow Susan to manage data access levels for each member of her team. Working with PHI data can be limited to environments hardened for handling PHI. Access logs would add an extra layer of security by automating reporting on systems that model the data sources and granting access to that data for a specified time.
3. Set up PHI data restrictions so you are in compliance, but not overly restrictive
PHI and PII data are protected by HIPAA, state and federal privacy laws, and laws governing digital transactions. Failure to comply with the rules and guidelines carries great risk, as it can result in criminal and civil liabilities, fines, and damages. Individuals whose data is revealed could potentially lose health insurance or the ability to work – and would have grounds to sue the healthcare organization that revealed their information.
A PHI protection framework is laid out in HIPAA regulations, which specifies what you can and can’t do with raw data. For example, it should be de-identified and stripped of certain data points, like medical diagnosis codes.
Within this regulatory and legal environment, Innovators must carefully access and manipulate real PHI data. If they are creating training data sets for machine learning models and artificial intelligence features, raw or de-identified data samples need to be large enough that individual patients cannot be identified. And best practices dictate that Innovators should update training data sets with infusions of real data to avoid drift and bias over time.
When trying to strike a balance between cybersecurity risk management, compliance, and access, a PHI protection framework can easily become overly restrictive for Innovators’ needs.
Let’s say clinical researchers need to use both de-identified data and source data from a third-party entity to more fully develop a product. As part of the workflow, Protectors can outline confidentiality policies for who is allowed to use PHI data and when. The partition of data needs to be clear, and guidelines for permissions need to be specified so that when Innovators want to access raw data, they provide the proper justifications.
4. Protect product usability by defining acceptable access
For any technology company, data elements are the “features” of product intelligence. Innovators work with a lot of data, and without access to clean, valid, and enough data, product usability is at stake.
Keeping that data safe is of utmost importance for Protectors. If data is tampered with, changed, lost, inappropriately used, released, or accessed by the wrong people, products or services may be compromised, research studies halted, and the healthcare company’s reputation damaged.
For example, a clinical research firm is working on applying behavioral science to opioid addiction to address the reasons patients are using the drugs to begin with. Information may be passed between several partners in the study and monitoring may be shared across organizations. In this case, Protectors define acceptable use of the data and access protocols to keep the raw data safe and the study on track.
7 Questions to Guide Your Cybersecurity Risk Management Strategy
As business leaders begin the complex process of balancing security and innovation, we recommend these key questions to drive decisions that arrive at an acceptable risk tolerance – taking into account security vulnerabilities, eliminating identified risks, and allowing necessary access to PHI data.
- What level of access control is reasonable to prevent a data-access free for all? Who needs access and at what level? Who doesn’t need access?
- What data can only be accessed from a company-owned device (and not from a personal device)?
- Can high-security access be solved with virtual desktops?
- What level of access makes it difficult for data science teams to use traditional analytical tools in these environments?
- What level of access do clinical researchers need? What third-party tools do they need to use?
- What is the best way to continually monitor data access and usage? Can you balance the risk through monitoring? Can monitoring be automated?
- How can inappropriate data use be detected versus prevented? Who needs to be alerted? Will there be an acceptable level of risk if alerted of inappropriate data use?
What to Do When Innovation Has Stalled
When innovation has stalled, we recommend conducting a gap analysis and simplifying your processes and guidelines.
Conduct a gap analysis of current cybersecurity processes
Look at your current cybersecurity measures and processes for accessing data. Then ask, what are your business, revenue generation, and product development needs? Where is the friction and pain? Define and focus on the gaps in data handling and identify where business, product, technology, and information security teams align.
For example, a healthtech’s current process requires that a data scientist ask for permission and provide justification before he can access the data set. It takes 14 people and three weeks for all permissions and justifications to be evaluated and approved. Since the data scientist needs frequent access to this data set, this onerous process is clogging the new product pipeline and stifling new ideas.
After conducting the gap analysis, the healthtech decides to give the Head of Data Science access to this data set and let her approve which data scientists on her team can have access, for which reasons, and when. The access to the data is logged, monitored, and the data science team is held accountable for compliance with the data access controls. This change greatly streamlines the healthtech’s data handling requirements and allows new ideas and products to move forward.
Start with new processes focused on who needs access
Sometimes you need to start fresh with new processes that are laser-focused on who needs access to data. Innovators, such as data scientists and analysts, usually need access to the data at specific, limited times. Then, you can disallow access to information systems by anyone else.
Another tactic for creating new processes is to create detailed guidance for when and for what reasons someone can access the confidential data. Set up role-based permissions in your information security plan. What are their specific needs? Narrow who has access and give them the right level of access. Create a streamlined process for people who need frequent access, such as your data scientist.
Finally, build in continual monitoring of the data. Watch who accesses the data and what they do with it. This process need not be unwieldy, as this type of monitoring can be automated.
How we help healthtechs navigate PHI data compliance
Ten Mile Square’s team has a depth of experience working with dozens of healthcare organizations to accelerate innovation and time to market while navigating PHI data compliance and cybersecurity risk management issues. We’ve worked extensively with PHI data and cybersecurity frameworks to meet security and business needs as well as partner with our clients to streamline processes to balance security requirements, data handling requirements, and product development needs.
Are you struggling with speed to market? Have you missed product release deadlines? Is highly restricted data access slowing down innovation? Security is the greatest friction for healthtech teams. Contact us today to bring your team together to drive innovation and revenue generation.