The following is a guest article by Harold Byun, Vice President at Baffle.
In October 2019, the Center for Strategic and International Studies (CSIS) ran three simulated scenarios to map how nations, organizations and economies would respond in the face of a global crisis. The three scenarios were: a nation-state cyberattack and a disinformation campaign against the U.S.; a foreign military implementation of artificial intelligence; and a global pandemic of a highly transmissible coronavirus. The effort was aimed to inform policymakers of methods that could improve prevention and response, and highlight gaps or hindrances that could weaken our ability to respond to such a crisis.
Two of the major insights gathered from the scenario were that early and preventative actions are critical, and communication and cooperation across disparate parties and stakeholders are vital in improving response. While this might seem obvious, especially in hindsight, it highlights a parallel between distinctly different types of crises and the need to accelerate detection and the dissemination of critical information. It also brings to light questions around why information is often not shared and what can be done to make it easier or more secure.
Faster analysis and faster detection are critical to prevention and containment during a pandemic, and the sharing of data is key. This necessary data transfer can be facilitated by making healthcare data available between providers and using remote access while keeping certain best practices in mind to reduce risks related to data privacy.
To create the structure necessary to reduce data transfer friction, it is important to acknowledge privacy concerns related to the free flow of information over disparate systems, identify process inefficiencies that can stall data sharing, and explore solutions that can maximize the power of data in times of crisis.
Perhaps the biggest barrier to quick response is that there is often a reluctance to share intelligence. For example, in the security threat intelligence community, there’s a saying: “Everyone consumes, but nobody participates.” In other words, people want the benefit from shared information provided by others but are often unwilling to share their own data due to fear of attribution or identification. The hesitation to share information, even in times of crises, is understandable, and this is rooted in any or all of the following motivations:
- A need to restrict proprietary information
- A desire to hide attribution and sourcing of the information
- Fear of revealing data covered by regulations such as HIPAA
- A general distrust of other entities who may access such information
The second challenge in information sharing is related to the many well-intended checklists that must be adhered to throughout the process. Such challenges to data sharing can be associated with any of the following factors:
- Regulations governing storage, transmission and residency of data
- Performing legal reviews and establishing agreements between multiple sharing parties
- Security concerns over data access and handling
- Lack of infrastructure to facilitate a common data repository
Balancing Data Utility With Privacy
Creating an environment for more seamless data sharing requires an approach that protects the data as soon as it is created while maintaining its utility. The challenge remains how to communicate and cooperate at a faster speed across multiple stakeholders while maintaining data privacy. Any organization involved in the transport of healthcare data should consider the following suggestions:
- Start with structure. Collecting data in a structured way is a logical first step. Each document should identify important patient metadata such as name, address, birthdate, symptoms and diagnoses.
- Implement clear classification. Data that is deemed sensitive should be clearly classified as such, based on regulatory mandates, which can be tricky. Under the recently implemented California Consumer Privacy Act (CCPA), patient health information (PHI) is exempt, while health information embedded in an employee’s file is covered. Understanding and keeping up with the specifics of compliance regulations is key to knowing what can be shared and what cannot.
- Implement the right technology. We are seeing great strides in solutions that give organizations better control and privacy over data, which facilitates more confident sharing. For example, solutions exist that allow the data owner to protect PHI at field-level granularity. We are also seeing an increase in secure data sharing tools that can process data and allow for anonymous sharing in environments that protect what needs to be protected while offering insight into information that can offer valuable insight during critical situations like COVID-19.
- Restrict access. Only authorized parties should see certain data, so it is critical to ensure restriction tools and policies are implemented to avoid accidental exposure.
Within the context of the COVID-19 crisis, making healthcare data available between providers and using remote access is critical, but it is still important for organizations to keep certain best practices in mind to reduce risks related to data privacy, especially for those experiencing an influx of new patient data as the result of the pandemic.
There is no value that can be placed on data in times of crises, which can sometimes supersede privacy as a top priority. But with the right methods and tools, we can strike a balance between the immediate need to address emergencies and maintaining the privacy each person deserves.