November/December 2019
Embedding IG to Optimize Cybersecurity
By Elizabeth S. Goar
For The Record
Vol. 31 No. 10 P. 22
Want to keep health information out of the wrong hands? Then it’s best to adopt an information governance strategy for managing data.
In the first half of 2019, health care organizations suffered 216 data breaches impacting nearly 10 million people. That’s according to Optimum Healthcare IT, which classified 127 of those breaches as hacks and 62 as unauthorized access or disclosure incidents. More than one-half (163) occurred at provider organizations.
Data breaches were long ago classified as “if, not when” events. As a result, most health care organizations have deployed at least some cybersecurity protections. According to a recent whitepaper from KLAS and the College of Healthcare Information Management Executives that examined how well provider organizations are aligned with the Health Industry Cybersecurity Practices (HICP) guidelines, most organizations have established at least an initial layer of defense against internal and external threats by deploying e-mail and endpoint protection systems.
HICP identifies 10 overarching cybersecurity practices that health care organizations should focus on, including e-mail and endpoint protection systems; network, vulnerability, and access management; incident response; data protection and loss prevention; medical device security; and cybersecurity policies.
Falling under the “cybersecurity policies” umbrella is what many consider to be the secret sauce to optimized cybersecurity strategies: information governance.
“One thing I’ve learned about information security is that locking things up is easy, but in health care, and frankly in any business today, it isn’t as easy as [just] locking it up,” says David Finn, CISA, CISM, CRISC, executive vice president of strategic innovation for CynergisTek. “Who owns [the information]? Who accesses it? How is it classified? You can’t just let the IT or security people make those decisions, or no one will have it when they need it. That’s why having a governance body and someone in charge is so important.”
Finn adds, “Data governance is important. You have to do security correctly.”
An Information Governance Primer
According to AHIMA, information governance is a strategic approach to maximizing the value of an organization’s data while minimizing the risks associated with their creation, use, and exchange. It is an organizationwide framework for managing information throughout its lifecycle and for supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.
It is also “crucial to any cybersecurity system implementation,” says Dan Rode, MBA, CHPS, FHFMA, FAHIMA, principal at Dan Rode & Associates. “If an organization’s cybersecurity program is to work, it has to be enterprisewide and applied to all data and information flowing in and out of an organization as well as within. These stationary and moving elements have to then be addressed for security risks.”
Rode prefers the term “enterprise information governance,” or EIG, to reflect the fact that information governance impacts more than just clinical data and information. He says an EIG program should identify all data—paper based and electronic—within the organization and all the transaction paths, including data maps in and out of the organization.
“An organization utilizing an EIG program should be building an EIG strategy that governs the acquisition, modification, etc, of incorporating technology as the organization moves forward—again, across the organization. This sets the stage for the organization to incorporate enterprisewide cybersecurity programs, policies, and technology in future years,” he says, adding, “I should note that EIG programs must incorporate privacy and security policies, procedures, and activities within the program.”
Why It’s Important
One of the reasons information governance plays such a crucial role within a cybersecurity strategy is that it allows organizations to know exactly what data assets they hold, and who needs access to them and why. Surprisingly, many organizations don’t have this level of understanding about the types of data they are storing regardless of whether it is administrative or clinical.
“Therefore, they can’t devise a proper protection strategy around their data,” says Joe Ponder, founder and owner of InfoCycle Group. “Many organizations provide a one-size-fits-all approach to information security without giving much thought to where the crown jewels of the organization are located and how security needs to be conducted differently in those areas.”
When the inevitable breach occurs at these organizations, the race is on to figure out what data were compromised. “That’s where the summation of data mapping within data governance comes in,” Ponder says. “A well-rounded IT strategy has to have a solid understanding of where those data assets live so you’re able to answer that question more quickly and prepare for future risks the organization may be faced with.”
A well-defined information governance framework is also beneficial to health care organizations that participate in any initiatives that require the exchange of data. Finn says it can also support the massive increases in data volume health care organizations are faced with when they participate in such initiatives as population health and social determinants of health—data that must be addressed across the full spectrum of care.
He says it’s the increased complexity of the data associated with these types of initiatives that has driven the renewed interest in governance.
“It isn’t just the data created within our own four walls, but also the data created by patients, outside organizations like insurance companies, and referring physicians,” Finn says. “We tend to forget about all of those sources of data, so data governance will become more critical in terms of privacy as we see more regulations rolling out and more breaches. Data governance can address all that.”
In addition to data sources and ownership, strong governance addresses the need to control and monitor data usage, as well as the technical components, including installation of access controls. These elements are particularly useful at stopping unauthorized access, Rode says.
Governance platforms can drill down to the level of what data or information can be released via a specific system, such as e-mail. It also includes processes for auditing data and information uses on a regular basis, which will alert organizations to current or potential threats associated with cybersecurity, how to avoid them, and the process for reporting suspicious activity.
Integrating Governance
Creating an information governance framework and integrating it into a cybersecurity strategy is a complex process, one that requires support from the highest levels and cooperation from every department that owns or accesses data. It also needs to be undertaken at an enterprise level, by people who “understand at a high level who needs what and how they can get it depending on the role they’re playing,” Finn says.
The best place to start is by looking at those who own the data to be governed, including finance, human resources, AP/AR, medical, and clinical research. A little detective work may be necessary. “It’s all about finding those key stakeholders. Maybe they don’t remain on the committee consistently or maybe you have working subgroups,” Finn says.
Rode recommends including HIM, which will bring significant knowledge of clinical and revenue cycle data, HIPAA, and other federal and state regulations related to data and information. Don’t forget to invite IT, which will have the data maps and knowledge of all the systems involved in the various functions surrounding data and information.
Legal, risk management, safety, quality assurance, compliance, privacy, and security personnel should round out the core team.
“Then we need to have a variety of teams to address data and information in each unit of the organization,” Rode says. “As the core team moves to incorporate an EIG program throughout, individuals from the units need to be trained and brought in to address all aspects of the data and information and privacy and security pertaining to that unit. As you can see, this is a significant task.”
Ponder suggests outsourcing at least part of the development process to someone with the expertise to carve out information governance goals and present them in a way that allows the organization to start realizing value more quickly. A consultant can help define and manage the scope while setting the program up for success—something that can be extremely challenging if attempted all at once.
In addition, a consultant can bring an unbiased eye and won’t be hampered by preexisting relationships that can make identifying problem areas uncomfortable when handled internally.
“People are reluctant to point that finger and tell someone they haven’t been managing the data in a way that’s consistent or compliant with policy. The outside view can also give it a fresh perspective,” Ponder says. “This is also a mountain of work to tackle. If you don’t start out with a clean and crisp approach to getting some ROI [return on investment] quickly, it can be a dangerous place because information governance can create a lot of scope creep and quickly become unmanageable.
“I always recommend focusing on areas that are most sensitive or perhaps contribute the most to the risk profile. Start there. Oftentimes, people try to boil the ocean when it comes to information governance, and it’s just not feasible. Claim the small victories and continue moving it forward.”
A Fluid Platform
Just as cyberthreats are continuously evolving, so, too, must a health care organization’s cybersecurity strategy and the information governance framework embedded within it. They are dynamic programs that not only address today’s issues but also are constant and ongoing because data and information are always being formed and used, according to Rode.
While issues and threats are constantly changing, new types of data and how they are used are being discovered. As a result, the need to develop more understanding of information governance is growing.
“Organizations have to take control, or ‘govern,’ all the new data or information that is being created. This means that technology system implementations also must be controlled across the enterprise, because data and information are flowing back and forth across the organization and in and out as well,” Rode says. “Use of new technology, such as smartphones, must be considered. How do we capture all the data or information being created? How do we ensure that crucial or private information is not leaving the organization in a smartphone or a thumb drive? These are the sort of ongoing issues” that information governance must address.
— Elizabeth S. Goar is a freelance writer based in Wisconsin.