Handling Sensitive Data

Video Activity

Course
Time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
>> Hello again and welcome to the HCISPP Certification Course with Cybrary, Handling Sensitive Data. I'm Schlaine Hutchins, your instructor today. In this video, we will cover data classification and disparate data, personal and health information protected by law, sensitivity mitigation, and categories of sensitive data.

The primary purpose of data classification is to indicate the level of confidentiality, integrity, and availability that is required for each type of information. It involves recognizing what information is critical to a healthcare organization and assigning value to it. The goal of classifying data is to organize it according to its sensitivity to loss or disclosure. Each sensitive classification should have separate handling requirements and procedures pertaining to how data is accessed, used, and destroyed. To properly implement data classification, the healthcare organization must first decide upon the sensitivity scheme they're going to use.

Healthcare organizations generate an increasing amount of disparate data from heterogeneous sources provided on different platforms by different vendors. For example, e-prescribing, electronic medical records, digital imaging scans, pharmacy data, lab data, insurance claims data, and regional health information exchanges are all examples of disparate data. Disparate data can be categorized by three major problems. First, the data exists in silos, meaning there's no single source of truth or single inventory for all of the data. Second, the data is highly redundant throughout the organization, meaning the same data exists in several systems and files that are not linked. Third, the data is variable in format and content. When information isn't standardized, the organization cannot combine datasets or compare them either internally or externally.

As previously discussed in regulatory requirements, the HIPAA Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information, or PHI. PHI relates to the individual's past, present, or future physical or mental health or condition; the provision of healthcare to the individual; and the past, present, or future payment for the provision of healthcare to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Protected health information includes many common identifiers, as previously discussed in the regulatory module: the name, address, birth date, social security number, etc., when they can be associated with the health information just mentioned.

HIPAA addresses privacy concerns of health information systems by enforcing data exchange standards, as well as a guideline to analyze risk. The overall objective of a HIPAA risk analysis is to document the potential risks and vulnerabilities related to confidentiality, integrity, and availability of electronic PHI and to determine the appropriate mitigation safeguards to bring the level of risk to an acceptable and manageable level.

Two methods for preventing unintentional disclosure of PHI are de-identification and anonymization. There are two methods for de-identifying data: expert determination and safe harbor. Expert determination is used to identify the level of risk that the information can be used alone or in combination with other information to identify an individual, using various statistical methodologies. Please note that on the issue of who is an expert, the OCR advises that there is no specific or required professional degree or certification for a person to be an expert at determining whether PHI is de-identified. Experts may come from statistical, mathematical, or other scientific fields, and expertise may be gained through various means of education and experience. The OCR will consider the relevant professional experience and academic training of the expert using the methodologies.

Safe harbor is the removal of certain identifiers of the individual or relatives, employees, or household members of the individual, where the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify the individual who is the subject of the information. The OCR guidance states that the disclosure of parts or derivatives of the list of identifiers, such as a dataset containing the patient's initials or the last four digits of a social security number, is not consistent with the safe harbor method. Additionally, dates that include the day, month, and any other form more specific than the year of an event are not permitted under safe harbor.

Data anonymization is the process of destroying tracks, or the electronic trail, on the data that could lead an eavesdropper to its origins. An electronic trail is the information that is left behind when someone sends data over a network. Forensic experts can follow the data to figure out who sent it. This is often done in criminal cases, but sometimes companies use similar techniques in order to track user data. This may be a concern to people who value their privacy and makes a good case for using data anonymization techniques. One aspect of anonymization that may worry individuals who value their privacy is that the process can be reversed. Many current techniques associated with anonymization can be bypassed, as there are many ways to reveal stripped PHI from datasets. One way this information can be rebuilt is by cross-referencing any sets of records still available. This is called de-anonymizing. There are limitations to anonymization approaches: data aggregation, data mining, and predictive analysis all have their limitations for data anonymization.

HIPAA has extended the medical information category to include mental health information from past, present, or future mental or physical health, including oral, written, and electronic records. It even extends to payment for services rendered. Federal law and regulations protect the confidentiality of alcohol and drug abuse patient records maintained by a program. Under HIPAA, health insurers cannot consider pregnancy a preexisting condition. Health insurers cannot deny coverage when a pregnant woman goes from one job to another and switches health claims. Before the Affordable Care Act, or Obamacare, women in this situation could be denied health care.

The Ryan White Comprehensive AIDS Resources Emergency Act (CARE) grantees are funded in significant part by formula-based grants that use disease data from the CDC to determine how the funds will be allocated. The personal health information held by many Ryan White grantees has long been covered by a diversity of state confidentiality laws and in many cases is now covered by the privacy protections of HIPAA. HIPAA covers a wide array of services in support of healthcare, including information such as legal, actuarial, accounting, consulting, and financial. In short, everything can be tied to the business relationship of the healthcare delivered.

For DNA, the most famous DNA database is CODIS. A significant problem is that not all states and countries have issued privacy legislation to protect DNA records. On July 1st, 2020, Florida became the first state to enact a DNA privacy law, prohibiting insurers from using genetic data. The real concern is that individuals can be denied insurance or be charged increased premiums and other costs based on DNA obtained or shared by popular companies like 23andMe or Ancestry DNA.

Let's do a knowledge check. What are the two methods for de-identifying data? [MUSIC] Safe harbor and expert determination. Great job. What is the process of destroying tracks or electronic trails that could lead to the origin of the data? [MUSIC] You guessed it, anonymization. Last question, true or false: PHI refers to an individual's past, present, or future physical or mental health or condition? [MUSIC] That answer is true.

Good job. We talked about a lot today. We talked about data classification and disparate data, personal and health information protected by the law, sensitivity mitigation, and categories of sensitive data. Remember to review the supplemental materials and flashcards for further study. Next step is module six, enterprise risk management. See you soon.