The BC Health data breach: How can healthcare organizations avoid risk, but still use patient data to improve care?
It’s amazing that just 15 days into 2013 we are already seeing another potentially massive data breach! This time it’s in Canada, with healthcare-related data at BC Health. Maybe 5 million records are involved. This could be huge.
You can read about it here.
There are many unanswered questions springing up as this story emerges. However, I have to ask the obvious: Why is a major government department entrusted with oversight over millions of sensitive records unable to protect them from compromise and misuse when the tools to easily and quickly protect data are readily available? I suspect the 38,000 people about to get the first round notification letters offering basic credit protection will be asking exactly the same question.
Clearly a new approach to data privacy is needed in organizations like BC Health to avoid these kinds of huge and impactful data breaches. Data breaches undermine citizens’ trust, lead to potential identity fraud, and involve complicated, costly remediation. It’s one thing for attackers to steal data with sophisticated malware, but to simply share vast quantities of private data inappropriately is inexcusable – and it’s also easily avoidable.
Data sharing and analysis is an essential business process, especially in healthcare. It’s invaluable to be able to extract trends in health data or pharmaceutical studies. It’s essential to be able to evaluate seasonal changes across a region or the nation for planning and distribution of medical supplies. Data analysis may enable pro-active measures for patient treatment to improve quality of care or to manage emerging health risks. The net is that healthcare data analysis has a direct value in potentially saving millions of dollars in health costs, but more importantly it can save lives.
However, when this kind of data is shared and processed in this way, it’s also essential to securely de-identify the live data to ensure that the personal details and sensitive fields of patients and citizens aren’t exposed in low-trust systems. These might include Big Data platforms like Hadoop, researchers’ computer systems including spreadsheets, or even USB sticks. Of course, there's also the ever-present privacy compliance mandates to meet too: the data protection regulations that exist to force organizations to manage the high-impact risks to data this breach illustrates. These apply wherever the data goes – including the research and analysis side.
So how do we fix this problem? How do we easily meet or even avoid compliance mandates and costs, and see a return from the data analysis without risk?
The good news is that the tools are already here to make this a snap. Many large scale organizations are already seeing the benefits, especially in healthcare but across all verticals. Today, leading organizations have taken the simple but powerful steps to protect their sensitive data everywhere it goes: in applications, in databases, to outsourcers, to the cloud, in Big Data, in and out of the enterprise – in a consistent, secure and scalable way.
Through powerful breakthroughs in data-centric security, it’s now possible to extract the maximum value from even the most sensitive data without exposing the “live” data to low trust environments – even in the very latest Big Data analytic platforms. The technique is called Format Preserving Encryption (FPE) – NIST FFX mode AES. The solution using this powerful technology is Voltage SecureData Enterprise. FPE is simple to use. It's secure and proven. It preserves the value in the data, but removes the risk. It scales tremendously, and it can be distributed and consumed on any platform anywhere from mainframe to the cloud with minimal impact. It can work with existing investments in data management including ETL systems and data lifecycle management tools. And it works.
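To make the format-preserving idea concrete, here is an added example (not from the original post, not Voltage SecureData code, and not NIST FF1/FFX itself): a small alternating Feistel cipher over decimal strings in which HMAC-SHA256 stands in for the AES-based round function. The field names, the sample records and the `MIN_LEN` floor are assumptions of this sketch.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves return to their original lengths
MIN_LEN = 6  # this example's own floor: short inputs are trivially enumerable

def _prf(key, tweak, rnd, half, n):
    # Round function. HMAC-SHA256 stands in for the AES-based PRF of FFX.
    msg = b"|".join([str(n).encode(), str(rnd).encode(), half.encode(), tweak])
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def _halves(digits):
    if not (digits.isascii() and digits.isdigit()) or len(digits) < MIN_LEN:
        raise ValueError(f"expected at least {MIN_LEN} ASCII digits")
    u = len(digits) // 2
    return u, len(digits) - u

def fpe_encrypt(key, tweak, digits):
    u, v = _halves(digits)
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v
        c = (int(a) + _prf(key, tweak, i, b, u + v)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b

def fpe_decrypt(key, tweak, digits):
    u, v = _halves(digits)
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, u + v)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b

def deidentify(record, key):
    # Protect only the identifier; analytic fields pass through unchanged.
    out = dict(record)
    out["health_number"] = fpe_encrypt(key, b"health_number", record["health_number"])
    return out

# Constructed sample records, not real data; field names are hypothetical.
SAMPLE = [
    {"health_number": "9123456780", "region": "V6B", "rx": "RX-A"},
    {"health_number": "9123456780", "region": "V6B", "rx": "RX-B"},
    {"health_number": "9876543210", "region": "V8W", "rx": "RX-A"},
]
```

Because the mapping is deterministic under one key and tweak, the two records for the same patient still share an identifier after de-identification, so per-patient analysis works on the protected copy while only the key holder can recover the original number.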
Leaders across the public and private sector including major healthcare providers and insurance companies and even US Government military agencies dealing with healthcare informatics use data-centric approaches today. They protect live data in production, de-identify data for use in development and QA, and enable sharing of sensitive multi-terabyte datasets with third party research hospitals back-and-forth for analysis without risk, all without compromising the integrity of the data or the research. Quicker analysis from more data means better results, faster decision making, more value from data, and improved healthcare. Data-centric security is the enabler.
Data-centric security can be achieved easily and quickly at any scale – especially in healthcare to release the full value in the data without increased risk. So why didn’t BC Health take that extra step to safeguard its data on the millions of citizens it serves instead of just writing handling rules that clearly weren't followed? Maybe we will never know, but why would anyone wait when data-centric security is that easy and so powerful?