Today, the main topic on the radio happens to be the news regarding gathering the private data of citizens. There has been some talk about what is and isn’t secret. In some ways, we liken our data security to the ability to keep a secret. There’s sometimes a lot of discussion about how to keep secrets. Some people will ask questions such as, “Who do we tell? How do we distribute it?”
Here’s the first tip on keeping a secret – if you want to keep a secret, you don’t tell anybody. Once you tell someone, it’s no longer a secret. Secrets can’t be distributed; once they are, they’re no longer secrets.
Not Telling Anybody
If we were to keep all our data secret – if we didn’t tell it to anybody, at all, then it would be useless to gather. If the data can’t be used within the concept of “knowledge management” in order to create strategic business information, then it’s not of any value. Data that can’t be shared for analysis is just that – it’s just data. That “stuff” that we gather is just data – it’s not information. It doesn’t turn into information until we “do” something to it or with it. Until it becomes information, it’s about as useful as any other random thing we might collect and never use.
Customers I’ve worked with who seem to keep their data secure don’t do it with secrecy – they do it with process and methodology. They train people to share the right information with the right people at the right time. They make it clear what they mean by “right.” In the spirit of “it’s not a threat – it’s a promise!,” they make it clear that those people who ignore the rules will be fired/prosecuted/thrown into the deepest, darkest pit. For those who make a genuine mistake, it becomes a training issue – if a person didn’t understand, they weren’t properly trained, which means there is a possibility the training wasn’t sufficient to begin with.
Most of this works only for data and information that can be justified. When companies cheat, lie or steal, those actions are difficult to justify – that information might be kept under wraps for a while by creating an environment of fear, but it usually emerges eventually in one form or another. Illegal actions and improper conduct are not the type of data that I’m addressing here.
Here, I’m writing about proprietary testing data on products or business knowledge gained through that testing. However, if the data shows the product to be dangerous and that danger is not disclosed to its users, please re-read the last paragraph for my opinion on that.
One Thought to “Securing Data Isn’t The Same as Keeping a Secret”
HIPAA is a good example of data that must be secure but is far from secret. HIPAA is all about sharing PHI (Personal Health Information) data with entities who need to know, use or administer the data such as the insurance company, doctor, nurse, Physician Office admin, the lab, the LIS vendor who supports the lab, the EHR company that supports the physician… the list goes on and on. Many of these entities don’t need to know about the data but they must access the data as part of ongoing support and maintenance and administration of systems. These outside entities, BAs (Business Associates), must have a BAA (Business Associates Agreement) in place with the CE (Covered Entity).
The CE and the BA and all the employees and contractors who have access to the data must enter into a standard BAA and they must follow a long checklist of items that they must all adhere to in order to secure data. Further, each and every person involved must have training and proof that the training actually took place, when it took place, and the test results.
Bottom line is that other industries outside of Healthcare can learn much from Healthcare on securing data.