Improve Security Through Information Governance
By Elizabeth S. Goar
For The Record
Vol. 29 No. 6 P. 20
Smart organizations will take these discrete concepts and connect them to form a synergistic relationship.
Breaking free of the "analytics and integrity" box in which it was once pigeonholed, information governance (IG) has emerged as a powerful weapon in the quest for heightened data security. In fact, some HIM experts consider IG to be the "next evolution of security for health care" as organizations seek to protect critical clinical claims and patient data against a steady influx of new access points.
"Organizations are dealing with an increasingly complex web of legislation, external threats, and complex data uses. Privacy and security are overlapping disciplines that need to address information challenges through expansion of their compliance programs to an enterprisewide initiative," says Kathy Downing, MA, RHIA, CHP, PMP, director of HIM practice excellence at AHIMA. "IG is a framework that includes key concepts from privacy, security, compliance, risk management, data governance, and life cycle management. Expanding security efforts through IG includes a broader view of information from the HIPAA-required electronic protected health information [ePHI] to all of the organization's information."
Stephanie Crabb, cofounder and principal of Immersive, which provides health data lifecycle management solutions, says IG "calls us to think about the data/information lifecycle differently, which impacts the way we think about information security. A tenet of IG, enterprise information management, specifically its information lifecycle management aspects, gets us thinking about the protections across time and across all of the repositories where information lives and where it flows.
"In a mature and high-performing IG program, data and information have a clear value. That value may change over time," she adds. "As that value changes, so do the levels of security protection that we put around the information and often depending on where it is stored—onsite vs long-term digital preservation vs easy-access cloud."
A Synergistic Relationship
Crabb says security exists solely to protect an organization's primary assets: the structured and unstructured data that are the building blocks for information and the technologies that enable the creation, transmission, utilization, and retention of those data. Too often, ePHI consumes the entirety of an organization's focus. And while ePHI is "hugely important," that singular focus comes at the expense of other intellectual property that, if lost, stolen, or compromised, would cripple the organization—which is where IG comes into play.
"IG elevates our consciousness, strategically and tactically, to consider all our information assets. Therefore, it elevates our thinking around information security beyond just our ePHI," Crabb says. "When we marry ePHI with [intellectual property] with company-sensitive and company-proprietary [information], we get a very different call to action for security. We start to think about security from a true business point of view well beyond compliance. We think about aligning security with the value and lifecycle of these information assets. When we start to appreciate how much our information is really worth, monetarily and strategically, then we will see the kinds of investments in information security that should have been happening all along. Greater investment in people, process, and technology always gives security a boost."
Downing notes that, because it is an enterprisewide initiative, IG is uniquely positioned to shore up an organization's data security efforts. The concept brings the collective intellectual capital of a multidisciplinary team to the process of identifying, documenting, and mitigating risks, which enables a more comprehensive risk assessment that extends beyond EHR and clinical information systems.
For example, securing mobile devices is best managed through a multidisciplinary approach—both for identifying risks and for determining how far an organization can go with the restrictions it places on end users. Records retention also benefits from inclusion in IG, in part because it taps the expertise of security officers, in addition to IT, for information on needs and risks—information that is crucial to any long-term digital preservation strategy.
"This is especially important in today's world, where cyber threats are so common. Cyber threats are often not directed at the EHR but instead less secure, external-facing systems such as e-mail, portals, and mobile devices," Downing says, adding that "an IG program will begin to dig into the lifecycle of information, and there are not only cost savings from implementing an enterprise record retention program but also reduced security risk. The more data you have, the more data you need to back up, secure, have disaster [and] business continuity plans for, and train the workforce on."
Noting that security is all about protecting and maximizing the value of critical assets and intellectual property, Susan Biddle, Fortinet senior director of health care, says effective IG requires collaboration between departments to ensure every component is considered. While one group is identifying and managing data and setting policies governing their use, another can be looking at the secure input, access, and update of those data.
"IT and security have the responsibility to distribute, back up, and protect that data. And the C-level team and board have to determine things like resources available for security and compliance, or to set lifecycle policies that can determine when and how data that are old or no longer useful can be purged," she says.
The Greatest Impact
When it comes to IG's impact on security, Biddle identifies the following five specific points of influence:
• accountability, which includes processes to help inventory data and access;
• integrity, which focuses on ensuring that critical data are not tampered with, including immediately flagging changes to information on drug allergies or blood types in a medical record;
• protection, including a comprehensive data loss prevention strategy to defend data against breaches and leaks;
• compliance, or the organization's ability to conform to various regulatory requirements; and
• availability, to ensure data are accessible when and by whom they are needed.
"If data aren't available to medical staff, administrators, or even patients, it can have a devastating effect on the entire health care system," Biddle says. "DDoS attacks and ransomware can bring down servers or lock down critical data, and organizations need a plan to deal with these challenges."
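Biddle's integrity point above (immediately flagging changes to drug allergies or blood type) is a technical control, so here is an added illustration of one way to implement it. This is example code written for this page, not code from the article, from Fortinet, or from any other vendor named in it. It keeps a tamper-evident change log: each entry's HMAC covers the previous entry's hash, so editing or deleting an earlier entry breaks the chain, and changes to fields designated critical raise an alert. The record identifiers, field names, actors, and the log key are constructed sample data; in a real deployment the key would live in an HSM or KMS, never in source.

```python
"""Tamper-evident change log for sensitive record fields (added example, not from the article)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fields whose modification is flagged immediately (the article's own examples).
CRITICAL_FIELDS = {"blood_type", "drug_allergies"}

# Hypothetical key for this example only; a real deployment keeps it in an HSM/KMS.
LOG_KEY = b"example-only-log-key"

GENESIS_HASH = "0" * 64


def _canonical(obj) -> bytes:
    # Stable serialization so the MAC does not depend on dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: Dict) -> str:
    # HMAC rather than a plain hash: someone who can edit the log but lacks the
    # key cannot recompute a consistent chain after altering an entry.
    return hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()


@dataclass
class ChangeLog:
    entries: List[Dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def record_change(self, record_id: str, field_name: str, old, new, actor: str) -> Dict:
        """Append one field change, chained to the previous entry; alert on critical fields."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),
            "record_id": record_id,
            "field": field_name,
            "old": old,
            "new": new,
            "actor": actor,
            "prev_hash": prev_hash,
        }
        body["hash"] = _mac(body)
        self.entries.append(body)
        if field_name in CRITICAL_FIELDS:
            self.alerts.append(
                f"CRITICAL {record_id}.{field_name}: {old!r} -> {new!r} by {actor}"
            )
        return body

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails verification, or None if intact.

        Detects edited entries (MAC mismatch), deleted entries (sequence gap) and
        reordered or spliced entries (prev_hash mismatch).
        """
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
                return i
            if not hmac.compare_digest(_mac(body), entry["hash"]):
                return i
            prev_hash = entry["hash"]
        return None


def demo():
    """Constructed scenario: three changes, then after-the-fact tampering with the log."""
    log = ChangeLog()
    log.record_change("MRN-0001", "phone", "555-0100", "555-0199", "clerk.jane")
    log.record_change("MRN-0001", "blood_type", "O+", "AB-", "dr.smith")
    log.record_change("MRN-0001", "drug_allergies", ["penicillin"], [], "unknown.svc")
    intact = log.verify()  # None: chain is consistent
    # Someone with write access to the log tries to hide the allergy removal.
    log.entries[2]["new"] = ["penicillin"]
    tampered_at = log.verify()  # 2: the altered entry no longer matches its MAC
    return intact, tampered_at, list(log.alerts)


if __name__ == "__main__":
    print(demo())
```

The alerts list is what a monitoring pipeline would forward for immediate review; the verify step is what an auditor runs periodically, and it is only meaningful if the key is held outside the system that writes the log.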
Crabb points to AHIMA's Information Governance Framework and Adoption Model to identify where IG can have the most significant impact on security. Four of the model's 10 competencies stand out in particular: strategic alignment, data governance, enterprise information management, and awareness and adherence.
"With the amount of new information being created in health care today, and the speed at which we expect to have critical information at our fingertips to support decision making, health care needs to rethink the way we manage information," Crabb says. "IG provides that framework and AHIMA has created the model and toolkit to make IG accessible to all of health care."
Strategic alignment, which values information as a strategic asset, supports an information-driven decision-making culture and ensures that all members of a workforce have access to the information they need to make good decisions in real time. By putting forth a structured approach to ensure that data are fit for required business purposes, IG establishes an operational environment and cultural commitment to a high-quality data environment.
Enterprise information management is the process by which all information is classified and managed across an organization throughout its lifecycle. It also establishes enterprise practices for information sharing, release and exchange, chain of custody, and digital preservation.
"These information-sharing, release, exchange, and chain-of-custody considerations have a very strong connection to the information security program and demand high-performing, auditable security processes and safeguards," Crabb says. "As the demand for information sharing grows, security safeguards like identity and access management, transmission protocols, third-party risk management, etc., must grow in sophistication."
Finally, the awareness and adherence competency seeks to ensure that a workforce learns, understands, and complies with information management principles, policies, practices, processes, and procedures. This is crucial because human factors, whether inadvertent error or deliberate misuse, are a leading cause of data breaches.
"IG strongly emphasizes and encourages deliberate and purposeful guidance and training on information creation, use, handling, access, sharing, storage, retention, and disposition," Crabb says. "This goes well beyond the content and structure that we see in most information security workforce education programs today. Commitment to IG means a commitment to wholly redesigned and far more purpose-driven workforce education and training. If we increase the 'information IQ' of our workforce, we create more security around our information."
Making It Work
The key to establishing IG initiatives that elevate security efforts, or retrofitting existing ones to do so, is purposeful planning. It requires examining the overall governance framework, from policies and procedures, inventory, and issues management to due diligence and termination policies, to determine where IG can best mitigate risk by closing security gaps.
"It is very much a planning process. There's a rigor and an entire structure that must be put together that is all about managing vulnerabilities and risk," says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission. "When we talk about stratification [or] the inherent risk methodology, it means looking at all aspects of organizations, then evaluating each of those areas against the stratification matrix to determine how each area fits into it. How are we going to respond to each of those in the event any one area is compromised? That's the rigor and structure that organizations need to have" when designing security-boosting IG initiatives.
Barrett notes that the push to address security within the framework of IG should come from the highest levels, ideally from someone who not only can provide the C-suite stamp of approval but also has the ear of the board and audit committee, if appropriate. This ensures a degree of independence while preserving accountability for any exposure.
"As we look at the infrastructure and how it's organized, it's really about three specific lines of defense, the first of which is at the business unit level and how sponsors and risk managers are managing third parties and subcontractors. That's major," Barrett says. "The second is looking at [security] from the standpoint of governance, compliance, and oversight—how sourcing is handled and how the various relationships with business partners are being handled. … And the third is internal auditing [that] independently tests internal controls."
The best way to mitigate risk is to contractually mandate that vendor partners undergo third-party accreditation or certification to "set the bar in relation to the level of review they are going through as far as HIPAA compliance, protocols, and standards," Barrett says. "It's not going to eliminate risk or breaches, but it will mitigate or minimize it overall. … You also need some quantifiable metrics. You can't just take their word for it."
Biddle says IG programs must be flexible to stay current with networks that are in a constant state of flux and with shifting user demands. As such, IG must include a dynamic security posture. This makes retrofitting an existing IG program difficult: a retrofit typically yields no more than a static, short-term policy.
"That is only a patchwork solution," Biddle says. "At some point, every organization will need to strategically build or rebuild security from the ground up to meet the demands of their evolving networks, devices, and users. For example, while IoT [Internet of Things] devices and traffic can be secured using solutions from Fortinet or other security vendors, a more permanent solution will be to build security right into the IoT devices themselves. That will require a combination of effective security planning and design on the part of security and IT teams, and holding IoT device manufacturers accountable for improving the security of the devices they sell."
Staying IG Aware
Crabb doesn't believe retrofitting an existing IG program should be necessary as long as it was implemented correctly in the first place. Security, she says, figures prominently in program design. That said, Crabb notes that security drivers and use cases may be prioritized to allow the IG program to be more security oriented for a certain amount of time.
"If anything, we encourage organizations to look at their security programs and find opportunities to make them more IG aware, to better align security with IG principles and key performance indicators," she says. "This process is often very illuminating for an organization in that it is both educational and tactical, particularly for organizations that have not initiated IG programs. Looking at security through an IG lens, which by design is very business driven, is far different from the typical compliance lens through which security is viewed, perceived, and/or evaluated."
— Elizabeth S. Goar is a Tampa, Florida-based freelance writer specializing in health care and HIT.
STAY IN-HOUSE OR OUTSOURCE?
Health care organizations considering the implementation of an information governance (IG) program don't have to go it alone. Should they eschew an in-house effort, there are independent third parties ready to fill the void. As with any outsourcing decision, there are pros and cons that must be carefully weighed.
"Many organizations have extremely talented subject matter experts who, as they look to evaluate and conduct their own internal reporting and controls, will do a good job. However, in many cases they're looking at it through their own lens. A third-party assessor can take an objective look," says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission. "They will [typically] validate some of what you've been doing, but the bigger opportunity is to identify major gaps to remediate and reduce vulnerabilities."
Enlisting the help of an independent third party "is like an insurance policy," he says. "It won't eliminate the risk you'll have in the case of a breach or cyberattack, but as part of a mitigation strategy and preparedness plan, it's prudent to have a third party coming in to do that level of review and make recommendations."
Susan Biddle, senior director of health care at Fortinet, concurs, noting that health care organizations are not in the security business. As such, few IT or security teams can bring to the table all the expertise required for comprehensive IG. Furthermore, many companies, including large enterprises with deep staff resources, still use managed security service providers to oversee the development and implementation of their security posture.
"When it comes to security, a second pair of experienced eyes is always valuable as they can often see things or propose solutions that the primary team might miss. Third-party specialists can assist with strategy, tactical implementation, and threat response," Biddle says.
Stephanie Crabb, cofounder and principal of Immersive, says there are resources available to help those that prefer to do their own self-assessment, such as AHIMA's IG HealthRate, which offers a standardized, structured approach to evaluate IG capabilities and adoption. The tool also can be used to set a baseline to measure any future progress.
However, Crabb says a lack of industry experience in IG and security may be reason enough to outsource. "The health care industry, generally, has very little experience with information governance. It is a very new discipline in health care. We have not built up our IG wisdom or IG operational experience that make us good strategists or practitioners just yet," she says. "For these reasons, an organization might benefit greatly from the support of an expert third party to perform a review of any of its governance policies, charter, working documents—anything that can shed light on its efforts to date.
"Organizations that are very committed to IG may want to go a step further and have a third-party environmental/current capabilities assessment performed to help identify practices that provide evidence that IG is in action, albeit in a siloed or limited way, and determine how to best move forward to advance a formal IG program," she continues. "We encourage organizations to carefully vet any prospective third party for demonstrable qualifications in IG for health care. As I shared, there are not many of us that do this work specifically for health care."