Industry leaders come together to discuss privacy’s hottest topics.
Recently, Kuma had the privilege of attending and supporting panel discussions at the IAPP Privacy. Security. Risk. 2018 Conference. If you didn’t have a chance to participate, here’s a snapshot of what we learned from two different, yet equally essential discussions about privacy engineering and healthcare interoperability.
PANEL 1 – Walking the Talk: Privacy Engineering in Practice
Ron De Jesus, Program Lead – Tinder
Jenn Behrens, Partner, EVP, Privacy – Kuma
Mark DiFraia, Senior Director, Credentials and Ecosystems – Idemia
Subhash Sankuratripati, Head of Privacy Engineering – Snap
Ford Winslow, CEO – Ice Security
Leading privacy-engineer practitioners and experts provided insights, shared lessons learned, and detailed the ups and downs of enabling privacy engineering practices within their organizations. Here are key takeaways:
Privacy engineering and security are better together.
Privacy engineering works in harmony with security by identifying potential harms within your technology stack and striking a balance between security and privacy controls. Implementing one without the other means you can be sure neither that you are protecting the rights of individuals nor that your business mission can be carried out smoothly.
Privacy Engineering is smart.
More than ever, steps must be taken to protect the privacy of technology users. Citing the vast growth in web-based services and mobile application use, consumer concern about data protection, and data breaches that have drawn intervention from the top levels of the federal government, Mark DiFraia of Idemia asserted that businesses need the right controls in place: controls that maintain user flexibility while ensuring the business can compete without compromising data.
Organizations must allocate resources to privacy engineering.
More organizations are seeing why it’s essential, allocating resources and budget to build and mature a privacy program. Ron De Jesus with Tinder said it well – if you’re trying to implement a program, have persistence with your organization and drive advocacy for funding the effort. Change takes time, but the benefits will be realized, and eventually, practices will be adopted throughout the organization.
A Real-Life Example of Applying the Practice of Privacy Engineering
Ask for the artifacts from the architects, developers, engineers, and programmers, and always review them from the end-user’s perspective. For example, Jenn recently reviewed a set of wireframes for a web-to-mobile use case. While the sequence diagram looked clean, the wireframes revealed both a lack of proper consent handling and PII being displayed multiple times. Walking through the documents while the solution was still being developed ensured that timely and proper consent was captured, and reduced the risk of privacy harm from disclosing PII when it was not necessary.
PANEL 2 – Managing Risk While Increasing Interoperability in Healthcare
Jenn Behrens, Partner, EVP, Privacy – Kuma
Nora Belcher, Executive Director, Texas eHealthAlliance
Dan Chavez, Executive Director, San Diego Health Connect
Anne Kimbol, CIPP/US, Assistant General Counsel, CPO, HITRUST Alliance
“Excellent panel session with colleagues from Texas. I really enjoyed and learned a lot. It was tremendously satisfying to discuss common views of problem definition, as well as potential solutions formulation. A common security and privacy framework must include conscious convening and conflict management process.” – Dan Chavez
Exchanging patient identity and information between organizations necessarily implicates privacy and security risk for patients, systems, and communities. This panel tackled ways to manage this risk to support interoperability without creating barriers. Here are key takeaways:
Interoperability and governance structure may reduce risk.
Healthcare organizations and information exchange networks allow multiple organizations to access and share health information, and that exchange carries the privacy and security risk described above. Managing this risk requires specific interoperability goals, clearly defined data governance, and compliance with an array of legislative regulations.
HITRUST can reduce the network effect of risks throughout healthcare communities.
HITRUST provides rigor through a harmonized set of privacy and security standards, incorporating requirements from NIST, ISO, SOC, and many others. This robust framework may be utilized across industries and sectors, which may foster interoperability and the assurance of safely integrating patient health information with non-health data such as social determinants of health. It allows every organization sharing data, whether a healthcare or non-healthcare organization, to adhere to the same privacy and security levels, giving you confidence that everyone is on the same page.
The role of Trusted Exchange Framework and Common Agreement (TEFCA) in managing risk.
The goal of TEFCA is to define standards for interoperability. Its draft specifications released in January of this year took an expansive look at improving data exchange and the vehicles for exchange. Health Information Exchange (HIE) organizations are cautiously optimistic that this framework can help to put a structure in place to guide exchange within pre-defined safe zones and act as a way to remove barriers to effective interoperability and improve data flow while protecting patient privacy rights.
The Kuma Difference
Kuma brings thought leadership to the industry through discussions and the work we do each day with clients. Kuma has solutions to help you achieve your privacy, security, and risk goals. We ensure you have access to senior-level resources and confidence through our forward-thinking approach.
Learn more about our privacy engineering methodology.
Download our data sheet for HIEs and healthcare organizations.
Request a consultation with a Kuma team member today.