Protecting Health Care Data through Shared Responsibility for Data Security
Tetra Tech’s Nolan Morrison, who supported the implementation of the Data Guardian program for the U.S. Department of Health and Human Services (HHS), discusses the importance of collaboration and shared responsibility for protecting personal health information.
We all entrust personal data and information about our health to health care providers and public health organizations. This data is sensitive, private, and protected by statute. However, it is highly coveted by malicious actors and cyber criminals. Health information technology (IT) organizations are challenged to vigorously defend this data against persistent threats while making it available to those who need it. This can include medical personnel at the point of care, researchers, administrators, policy makers, and others.
Collaboration to understand individual responsibility
Tetra Tech helped HHS to address this challenge by establishing the Data Guardian program. Data Guardian and similar programs succeed by making the human factor a foundation for both privacy and security. The program concentrates on effort and attention across a wide range of stakeholder roles towards the protection of data and systems.
The traditional approach to data protection engages each stakeholder without their consideration of other roles within the organization. The Data Guardian program brings together leaders and practitioners across organizational functions on a regular basis to establish and maintain a common understanding of the following:
- Type of protected information in the organization’s control
- Logical and physical location of the data
- Threats to the data
- High-level security measures that must be taken to protect the data
From here, other initiatives, such as role-based security training, help each stakeholder understand their role in the broader landscape of the data protection strategy.
Embracing shared responsibility for data security
Data Guardian established a culture of shared responsibility for data. This applies to consumers, custodians, and processors of data; IT personnel who maintain and operate systems; and organizational leaders who drive the mission forward. Everyone in the organization is a Data Guardian. Representatives from all stakeholder groups collaborate proactively to develop, implement, and adjust the data protection strategy. Everyone shares what they see, hear, and perceive, enabling the data protection strategy to consider a wide set of perspectives from throughout the organization rather than being driven from by a top-down approach. The benefit is not only more effective management of cyber risk, but also a balanced approach to managing risk in a manner that enables the mission. The Data Guardian program also collates the perspectives from the stakeholder community, information from security-relevant events, and developments in the evolving threat landscape to enhance ongoing security training and awareness campaigns.
At HHS, the program has resulted in greater awareness of threats following meetings at which varied perspectives were centralized and discussed. The Data Guardian program also informed enhancements to the Authority to Operate process through facilitated discussions between the privacy and cybersecurity functions at the agency. These achievements have a direct positive impact on the protection of data within the department’s care and custody.