Do you know the difference between data privacy and data security, and how different requirements affect the collection and storage of healthcare data? It’s a complex and interesting topic, and one that’s becoming more important as healthcare organizations become more globally oriented. To help navigate the complexities of this field, we called Sheila FitzPatrick, a data governance expert and NetApp’s Chief Privacy Officer, to talk through some of the most important issues that healthcare CIOs are facing. Below, Sheila shares her insights on one of the most important subfields of healthcare IT.
GovDataDownload (GDD): Sheila, thank you for sitting down with us today. Can you tell us about your role at NetApp?
Sheila FitzPatrick (SF): I’m NetApp’s Chief Privacy Officer and in this role I ensure that the solutions we create for our customers and the way in which they are deployed comply with data privacy regulations, not just in the United States, but in all the countries in which NetApp does business. I started out in this field about 35 years ago as an international employment attorney. Much of the work I was doing in this capacity intersected with issues of data privacy and security and I found myself drawn to the intricacies and nuances of the field. For me data privacy isn’t work; it’s my vocation.
GDD: Data privacy is an issue that’s garnered a lot of attention in recent years, especially in healthcare. Why is this? Can you share with us how data privacy differs from data security?
SF: From the nature of the data that is stored, to the volume of data that is collected, to the ways in which healthcare data are used, to the evolution of our IT systems, there are good reasons that data privacy garners a lot of attention.
Frustratingly, many organizations approach data privacy as a subset of data security; however, they are distinct issues. An organization can have the most secure data management and storage environment and yet still not be in compliance with data privacy regulations. And, equally, an organization can be in compliance with data regulations but be lacking fundamental information security, which exposes the organization to different, but equally serious, forms of risk. I think about data privacy as the compliance wheel that encompasses the full lifecycle of personal data from collection through destruction. The wheel has different spokes – and data security is one of the spokes on that wheel. You can’t move the wheel if you don’t have all the spokes. Even if I’ve got industry-leading data security in place, but have data in my systems that shouldn’t have been collected or stored in the first place, I may be violating privacy regulations, and I am at risk.
Steps have been taken to provide more protections for data with regulations like HIPAA. And, while there’s still much that can be done to bolster data privacy and educate consumers, there’s at least some obligation on the part of healthcare providers to protect the privacy of your information and some awareness of your rights as a consumer. This regulatory environment has done a great deal to bring data privacy in healthcare to the fore.
However, scope creep is too often the downfall of healthcare organizations when it comes to data privacy. The basic rules of data privacy require that there is structure around what information is collected, an understanding of why that information is being collected, with whom the information is being shared and why, and how the information will be used. This issue is becoming particularly salient in the era of big data and analytics – not only for patient care groups, but also biometric and pharmaceutical companies. There is a strong temptation for organizations to collect and retain the greatest amount of data possible. However, in expanding the scope of data to be collected or keeping it for just a little bit longer, organizations can quickly find themselves out of compliance and facing fines.
GDD: As healthcare providers become more globally oriented, what are some of the challenges that they will face?
SF: Healthcare is the next frontier of globalization. Not only are more patients traveling to other countries for treatment, but there’s a great deal of merger and acquisition activity across national borders at all levels of healthcare – from hospitals to insurers.
From a patient care perspective, because PHI belongs to the patient, the hospital providing treatment needs to ensure that the data privacy standard for the patient’s country of origin governs their medical records. When you’re an internationally recognized medical center, like the University of San Francisco or the Cleveland Clinic, providing care to a global patient base, this could result in a confusing morass of privacy regulations that affect everything from what data can be collected, to what data can be stored – and for how long – and how data destruction is handled.
So, the most practical way to approach this problem is for healthcare providers to be cognizant of the strictest data privacy laws, which at present are those in Germany, Hong Kong, and New Zealand, and use those as the guidance for all patient data. We use this guidance at NetApp as part of data privacy governance best practices that we apply to ourselves, but also share with our customers.
GDD: How can healthcare organizations build a culture of governance around protected health information?
SF: Building a culture of governance requires the adoption of a questioning mindset first and foremost. For CIOs and Chief Privacy Officers (CPOs), it’s creating a culture where everyone within the organization thinks about the data that they’re collecting and questions why it’s being collected, from both an ethical and a legal standpoint. Obviously, education about regulations is very important, but as we discussed earlier, with more patients coming from outside the U.S. it’s not enough just to be aware of HIPAA and HITECH; teams must also be educated on global regulations, and requirements must be integrated into all parts of the data lifecycle, from collection, to processing, storage, and destruction, as well as into agreements with third parties for data sharing.
One of the most complicated areas of building a culture of governance within a healthcare environment is in leveraging new storage technologies and embedding tools at an IT level that can help companies manage their compliance obligations. Being able to assess new storage environments and how they can support data privacy regulations when building new systems, through actions and policy choices such as tiering data, can help an organization create a culture of governance. The problem here is that most technology companies now incorporate security into solution design, but have yet to make a similar investment in privacy by design. At NetApp, we’ve invested heavily in building a culture of governance within our organization and in ensuring it flows into the solutions we build, so we can support our customers not only as they build their data management environments, but also as they create their own culture of governance.
Interested in learning more about how data management technologies can help your organization’s compliance with data privacy regulations and help bolster data security against ransomware attacks? You can listen to a recent webinar featuring Sheila FitzPatrick here or download a ten step guide here.