This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners and the latest on effective security awareness."
Download it now to read this article plus other related content.
I confess I used to run away from all professional discussions about privacy. I found them murky and contentious: a bit like religion or politics but peopled with lawyers, legislators, and lobbyists! Still, from my comfort zone of managing security controls I wrestled with the notion of privacy, which seemed to be something inside of confidentiality that kept squeezing out through the cracks to be much, much more. Worlds collide when a researcher says, "Well, it's my data about these patients, so I can give you access."
My turning point was purchasing an out-of-print copy of Alan Westin's 1967 book Privacy and Freedom. This prescient, insightful work provided a context for these difficult conversations and prompted me to adopt the following definition: "Privacy is the right of the individual to control information about him or herself." When feeling devilish, I'll throw in "perceived right" just to dangle the red cape and begin a lively discussion among colleagues from different countries.
Beyond giving me a chance to reflect on one of the big questions behind security, that definition essentially provided the driving force for my security work. In my world of health care, the need for security and privacy arose more than 2,500 years ago in the Hippocratic dictum, "All that may come to my knowledge in the exercise of my profession …ought not to be spread abroad, I will keep secret and will never reveal." The more we value privacy, the more we search for
Five years after jumping off the security cliff into the problematic world of privacy, I feel more comfortable tackling the difficult discussions around both of them. They are meaningful discussions but seldom are they easy. That's because they test the limits of what people will tolerate as they meet head-on the life-changing aspects of technology in the 21st century. Many of us are not ready to give up our location every minute or share our innermost thoughts with strangers, but some of us are. How can we help companies and health care organizations navigate this diverse new world? Our seemingly miraculous IT-based devices and services have made the delivery of care much more effective but, unfortunately, very complex. We must reduce the complexity to give people choices and, when we don't know their choices, act conservatively and both secure and keep confidential their personal information.
I have learned that there are many security risk management practices that are transferrable into the world of privacy. As has been noted in these pages over and over again, it's not just a matter of marking off a checklist a set of features, settings or practices. It's about balancing the risks of security or privacy breach consequences with the cost of maintaining security and privacy. The underlying theme is risk management -- really thinking about how risk accrues if we fail to comply with law, regulation, policy, contract, ethical behavior or the choices of the individual. Working under the risk management umbrella led Philips Healthcare and I to manage two global interrelated programs -- one for product and services security and the other for privacy compliance.
Less than five years ago, Brian Fitzgerald of the U.S. Food and Drug Administration called together a diverse mix of health care folks to talk about the harm that was being done from poor networking of medical devices in hospitals. His agency had reports of injury and death as a result of improperly connected networked devices. In that first brainstorming meeting of December 2005, there were biomedical engineers, IT professionals, regulatory specialists, medical device risk management specialists, security professionals, and medical device engineering staff. Brian urged us to organize and do something to help the world avoid this harm. To avoid international mismatches and "not invented here" issues in government regulatory authorities, he suggested this be pursued as a global standard. Five years later, we are very close to the final vote on the first international standard to address the Application of Risk Management to IT-networks Incorporating Medical Devices (IEC-80001-1).
This standard lifts security and privacy risk out of the afterthought category into the mainstream of health care delivery. It does this by building around the principle that decisions in any new device integration project in health care need to be built around some simple concepts. In the parlance of IEC-80001-1, medical IT-network risk management proceeds with a careful examination and understanding of three key properties: (1) safety, (2) effectiveness and (3) data and systems security. By considering all three, we can first "do no harm" while effectively delivering on the organization's health care mission. This is done with careful and explicit treatment of the appropriate level of confidentiality, integrity, and availability.
Of course, today's IT staff and biomedical engineers are skillful at keeping the highest levels of safety and effectiveness. However, with IEC-80001's explicit inclusion of data and systems security breach into its definition of harm, we have paved the way for an open and honest discussion of the C-I-A impacts of an interconnection project or a network change. It allows a consideration of the harm brought to individuals when confidentiality is threatened and, for the first time, consideration of the harm of privacy compromise is an essential part of the IT, biomedical engineer, caregiver, and compliance discussions.
This is an exciting time. I believe that this new risk-based framework for bringing together caregivers, biomedical/clinical engineers, security professionals, and privacy professionals will improve the quality of care. Although not without effort or difficult choices (and some free falling), we now have a framework to discuss and decide on the best way to provide the highest levels of safety, effectiveness, and security.
|SECURITY 7 AWARDS|
Title: Senior director of product security and privacy
Company: Philips Healthcare
Credentials: Ph.D., Biological Science, Certified Information Privacy Professional
INFORMATION SECURITY MAGAZINE'S 6TH ANNUAL SECURITY 7 AWARDS
Consumerization of IT and enterprise evolution: Consumer devices in the workplace and the shift to cloud services require new security standards.
An effective information security program requires ongoing monitoring: A successful information security program uses ongoing oversight and monitoring to manage risks.
Online banking security is a balancing act: Online banking security requires providing users with choices in order to minimize risk without becoming intrusive.
Government transformation through technological innovation: The economic crisis gives government entities the opportunity to change for the better.
Maintaining health care privacy and security: In the world of health care, the more we value privacy, the harder we work to protect it.
Implementing an information security strategy in a decentralized environment: Implementing data security in a decentralized organization requires a collaborative approach.
Fighting online fraud requires delicate balance: Countermeasures for thwarting Internet fraudsters must be balanced with customer service.
This was first published in October 2010