Facing privacy and security challenges
Two headlines this week highlight the challenges surrounding the privacy and security of personal health data, especially as healthcare debates the interoperability of that very data and the systems in which it is stored.
A report on the HITRUST Cyber Threat XChange (CTX) found that only 5 percent of organizations contributed indicators of compromise (IOCs), while 85 percent consumed them. Additionally, of the IOCs contributed to the HITRUST CTX in the sampling period, only 50 percent were considered “actionable,” defined as being useful in allowing preventative or defensive action to be taken without a significant risk of a false positive.
The findings also show that many organizations are not effectively identifying cyberthreat indicators internally and, therefore, are unable to contribute them to the HITRUST CTX. When indicators contributed by participants using current cyber discovery methods were compared with what breach detection systems detected during the reporting period, the breach detection systems identified 286 times more IOCs. Also, 24 percent of those identified IOCs were new and had not previously been submitted by any source to the HITRUST CTX.
Meanwhile, the National Institute of Standards and Technology (NIST) released the final draft of its report on de-identification of personal information.
NIST reviewed various de-identification techniques for removing personal information from computerized documents. De-identification techniques are widely used, but existing techniques are insufficient to protect personal privacy because certain remaining information can make it possible to re-identify individuals, according to privacy experts.
“Privacy protection improves as more aggressive de-identification techniques are employed, but less utility remains in the resulting dataset,” according to the report.
The report concludes that although not perfect, de-identification is “a significant technical control that may protect the privacy of data subjects.” Also, there's a need for “standards and assessment techniques that can measurably address the breadth of data and risks” of de-identification.
These are just some of the myriad issues facing healthcare's ongoing effort to protect patient data. Here's hoping the stakeholders make progress and soon.
Beth Walsh
Clinical Innovation + Technology editor