Essays and Case Studies in Information Governance

The IG Problem in Healthcare

By Mansur Hasib

Healthcare now exists within a modern world of hyper-connected networks, as does the rest of the business world. In this world, digital strategy should be a key driver for modern healthcare organizations.

This imperative is evident with the increased adoption of newer digital technologies like electronic health records (EHR), telemedicine, health information exchanges (HIE), health insurance exchanges, the Internet of Things (IoT), artificial intelligence (AI), and an array of digital patient services. So clearly, healthcare executives must implement organizational strategies in step with today’s digital advancements to deliver improved patient outcomes, to guard patient data, and also to deliver financial results.

Yet healthcare executives are surprisingly still making outdated decisions—usually with drastic and expensive consequences, which include massive breaches of data, threats to patient health and safety, ransomware attacks, loss of intellectual capital, and other existential threats to the organization.

This author conducted a national study of cyber-security in healthcare in the United States (Hasib, 2013), and was very surprised to find that top executives in half of U.S. healthcare organizations were developing digital strategies with knowledge rooted in the 1980s.

Their anachronistic thinking harked back to a time when programmers and technology professionals worked in finance, accounting, and human resources departments in order to support the automation of accounting, finance, and payroll.

In these organizations senior IT positions were often not represented, or were under-represented. Some had employees with the CIO title, but they reported to the chief financial officer (CFO) or other comparable executive. Therefore, quite frequently, CIOs were not empowered to make the right decisions related to Information Governance (IG) and cyber-security. They served under an organizational structure which viewed IT as a cost center instead of an investment and business driver, or perhaps even a profit center (as is suggested in the book, Infonomics, by Doug Laney [Taylor & Francis, 2017]).

Lack of Information Security Roles

In the same study, it was also found that one-third of U.S. healthcare organizations did not have a chief information security officer (CISO) or equivalent, and about one-fifth had no intention of hiring one anytime soon. This is unsustainable in today’s business environment with the myriad of digital threats that organizations face.

Later, upon closer examination of some major breaches in healthcare, clear lapses in IG were found.

Finance-Driven Decisions

It was also clear that finance executives were in charge of the digital strategy—essentially a strategy driven by short-term cost reduction instead of greater considerations: protection of patient records, protection of patient trust and brand equity, protection of intellectual capital, and long-term profitability.

These situations of improper IG in healthcare organizations are extremely dangerous—both for the organization and for the CIO for the following key reasons:

■ The CFO and other executives run cyber-security and IG strategy through budget and veto authority.

■ The CIO’s pay is reduced—at least a full grade level lower than it should be. Had the CIO role been on par with other executives such as the CFO, higher-quality, true digital strategists could be recruited. Most experienced CIOs would not agree to report to a CFO.

■ Since CIOs are often not considered members of the executive team, they cannot participate meaningfully in organizational strategy meetings.

■ Since the CIO pay is at least a rank lower, the pay for the rest of the information workers, including the chief information security officer (CISO), if such an executive exists, is also lowered. Thus acquiring and retaining top talent is extremely challenging.

■ IG and cyber-security principles are rarely baked in from the beginning; rather they are overlaid in a patchwork way later, if at all, resulting in a wide range of problems.

■ The CIO or CISO becomes the ideal whipping post for any failure; other executives are shielded, even though they make the final decisions.

■ IT is generally not viewed as mission-critical and is typically outsourced because finance executives feel unqualified to lead it and look only at expenses. This results in reduced innovation, reduced support and training of users, and depletion of internal technical talent. (Outsourcers provide exactly what is written into the contract. Innovation is not typically written into an outsourcing contract. Innovation is typically an upsell opportunity for the service providers.)

■ Instead of due diligence and proper mitigation, information risks are usually transferred to third parties through insurance or other financial vehicles—usually with inadequate coverage. The inadequate coverage is typically discovered after the damage is done.

The organization chart of a healthcare organization can itself become its biggest cyber-security threat, because it produces a lack of proper staffing and training. This IG-related challenge must be tackled first. Healthcare auditors should also review and address these issues in their findings. Only then can healthcare organizations begin to embark on a successful IG strategy.

Are Health Information Exchanges Properly Safeguarding ePHI? A Case Study

By Baird W. Brueseke

A regional health information exchange (HIE) contracted with information security experts to perform a security assessment of the HIE’s physical office, network infrastructure, operational processes and cloud portal. This case study describes the methods used and tasks performed during the security assessment, presents lessons learned and then makes recommendations for Best Practices which should apply to all regional HIE security assessments.

Background

The governance of protected health information (PHI) was originally addressed by the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996 during the Clinton Administration. In today’s interconnected world, almost all PHI is electronic (ePHI).

The task of properly managing ePHI was made more complex by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act is part of the American Recovery and Reinvestment Act (ARRA), a federal program which includes incentives for healthcare service providers to accelerate the adoption of electronic health record (EHR) systems.

Beginning in 2009, the HITECH Act authorized incentives totaling $36 billion in meaningful use funds for healthcare service providers and community grants for the formation of regional centers that foster the exchange of electronic health information. The ultimate goal of this effort is a nationwide health information network, which the lawmakers believed would improve patient care and reduce healthcare costs.

At the time these regulations were codified into law, the threat of cyber exploits was not well understood. As a result, the HIPAA Privacy and Security Rules and the related guidance from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) are technology-neutral: they require covered entities to implement “reasonable and appropriate” safeguards rather than naming specific cyber-security controls for the ePHI, which in the case of HIEs is contained in individuals’ electronic health records (EHR). The protection of ePHI in the new information-sharing environment mandated by the HITECH Act and other federal legislation is therefore an imperative that comes essentially without a rule book.

Various organizations such as the Electronic Healthcare Network Accreditation Commission (EHNAC, www.EHNAC.org) and the California Association of Health Information Exchanges (www.ca-hie.org) have developed accreditation programs (HIEAP) and state-specific standards (CalDURSA) to provide guidance for the HIE’s handling, transmission and exchange of electronic medical records. However, to date no national standard has emerged to provide a checklist audit to ensure that an HIE’s software application and technology infrastructure are secure. This lack of specificity leaves many wondering if their electronic health records are “safe” in cloud-based portals managed by underfunded organizations which were chartered as a result of incentive-based programs—and are no longer receiving ongoing government funding.

Health Information Exchange Architecture

The HITECH Act established the HIE concept as a first step toward a national health information system. The concept was that regional healthcare organizations would work together on a local basis to establish methods for doctors, nurses and other healthcare providers to access and securely share a patient’s vital medical information with an overall goal to improve the speed, quality and safety of patient care.

There are three types of health information exchange:

Directed exchange – provides the ability to send and receive secure information electronically between providers to support coordinated care;

Query-based exchange – gives providers the ability to find and/or request information on a patient from other providers. This method is often used for unplanned care such as automobile accidents and other emergency situations;

Consumer-mediated exchange – provides patients with the ability to aggregate and control the use of their health information among providers.

The regional HIE in this case study is a public exchange using the query-based exchange architecture. Each night, participant providers upload the key index fields from the health records of patients who have authorized their participation in the program (via the HIPAA disclosure form) to a repository maintained by an external, third-party vendor, using specialized software that is compatible with the major EHR systems. The index fields are transmitted as HL7 messages over an encrypted channel; HL7 itself is a message format and provides no encryption, so it is the transport (for example TLS or a VPN tunnel) that keeps the data from “leaking” in transit. It is important to note that the repository only contains index fields, which facilitate the record search, and not the entire health record.

In this architecture, the responsibilities for the Information Governance (IG) of the EHRs remain firmly with the organization which provided the medical service(s).

When a participant healthcare provider (doctor, nurse, ambulance driver) needs access to the patient’s medical records, they use the HIE’s web portal to input demographic search criteria and query the repository. The repository software then queries the healthcare provider’s database, packages a data stream in the HL7 format and sends it to the HIE’s web server, which in turn decrypts the information and displays the health record information in a web browser for use by the requesting medical team. As a result of this process, the HIE facilitates the exchange, requesting and delivering the ePHI in encrypted form, but never storing the ePHI as data at rest. That holds only as long as the web server, its logs and any caches are configured not to retain the rendered records; the ePHI does pass through the HIE’s server memory and the requesting browser in clear text, which is where an assessment should look.
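The following is an added example, not code from the case study or from the HIE’s vendor. It models the query-based exchange just described: a provider’s nightly upload arrives as an HL7 v2 message, only the demographic index fields from the PID segment are kept in the shared repository, and a query returns where the full record lives rather than the record itself. The sample message, the choice of PID fields to index, the `hl7://` record-locator scheme and the class names are all assumptions made for this illustration.

```python
"""Toy model of a query-based HIE: index-only repository built from HL7 v2 uploads.
Added example; the message, indexed fields and locator scheme are assumptions."""

from dataclasses import dataclass

# HL7 v2 encoding: segments end with a carriage return, fields are separated by '|'
# and field components by '^'.
SEGMENT_SEP = "\r"
FIELD_SEP = "|"
COMPONENT_SEP = "^"

# Constructed sample upload from a fictional provider "CLINIC_A". The PID segment
# carries the demographics; the OBX segment carries clinical content that must
# never be copied into the shared index.
SAMPLE_UPLOAD = SEGMENT_SEP.join([
    "MSH|^~\\&|EHR|CLINIC_A|HIE|REGION|20240101120000||ADT^A04|MSG0001|P|2.5",
    "PID|1||MRN12345^^^CLINIC_A^MR||DOE^JANE||19800101|F",
    "OBX|1|TX|NOTE||Patient reports chest pain||||||F",
])


def parse_segments(message: str) -> dict[str, list[str]]:
    """Return {segment_id: fields} with fields[n] being field n of the segment
    (fields[0] is the segment id). In MSH the separator character itself is MSH-1,
    so the list is rebuilt to keep that numbering. Repeated segments of one type
    are not needed here, so the last one wins."""
    segments: dict[str, list[str]] = {}
    for raw in message.split(SEGMENT_SEP):
        if not raw:
            continue
        fields = raw.split(FIELD_SEP)
        if fields[0] == "MSH":
            fields = ["MSH", FIELD_SEP] + fields[1:]
        segments[fields[0]] = fields
    return segments


@dataclass(frozen=True)
class IndexEntry:
    """What the shared repository holds: demographics plus a pointer to the
    system of record. No clinical content."""
    mrn: str
    family_name: str
    given_name: str
    dob: str
    sex: str
    provider: str        # sending facility (MSH-4): the organization that keeps the record
    record_locator: str  # assumed scheme for fetching the record on demand


def extract_index_entry(message: str) -> IndexEntry:
    """Pull the index fields (PID-3 identifier, PID-5 name, PID-7 DOB, PID-8 sex)
    out of an upload and point back at the sending facility."""
    seg = parse_segments(message)
    msh, pid = seg["MSH"], seg["PID"]
    provider = msh[4]
    patient_id = pid[3].split(COMPONENT_SEP)   # ID ^ check ^ type ^ assigning authority ^ code
    name = pid[5].split(COMPONENT_SEP)         # family ^ given
    return IndexEntry(
        mrn=patient_id[0],
        family_name=name[0].upper(),
        given_name=(name[1] if len(name) > 1 else "").upper(),
        dob=pid[7],
        sex=pid[8],
        provider=provider,
        record_locator=f"hl7://{provider}/patients/{patient_id[0]}",
    )


class RecordLocatorIndex:
    """The vendor-hosted repository: index entries only, never the health record."""

    def __init__(self) -> None:
        self._entries: list[IndexEntry] = []

    def ingest(self, message: str) -> None:
        self._entries.append(extract_index_entry(message))

    def query(self, family_name: str, dob: str) -> list[IndexEntry]:
        """Demographic search as entered in the HIE portal. Returns locators;
        the portal then fetches the record from each provider on demand."""
        fam = family_name.upper()
        return [e for e in self._entries if e.family_name == fam and e.dob == dob]

    def holds_clinical_content(self, message: str) -> bool:
        """Design check: the OBX observation text from an upload must not appear
        anywhere in the index."""
        obx = parse_segments(message).get("OBX")
        if obx is None:
            return False
        note = obx[5]
        return any(note in vars(e).values() for e in self._entries)


if __name__ == "__main__":
    index = RecordLocatorIndex()
    index.ingest(SAMPLE_UPLOAD)
    for hit in index.query("doe", "19800101"):
        print(hit.provider, hit.record_locator)
    print("clinical content in index:", index.holds_clinical_content(SAMPLE_UPLOAD))
```

Note that the index entries are still personal data (name, date of birth, medical record number), so the repository is not free of ePHI; the design only keeps the clinical record itself out of the shared component, and the index still needs access control and an audit trail.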

NIST Cyber-security Framework

IG programs include many elements of operational business activities. One very important task is keeping data safe. Today, “safe” must be evaluated in the context of potential cyber-security threats. The charter to facilitate the exchange of ePHI in a secure environment brings with it the daunting responsibility to keep pace with bad actors who seek to compromise individual privacy for personal gain.

Executive Order #13636, Improving Critical Infrastructure Cybersecurity, was issued in 2013. This order directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework based on existing standards, guidelines and practices for reducing cyber risks to critical infrastructure.

The NIST Cyber-security Framework outlines voluntary guidelines for enhancing corporate security posture. Although the Framework is not mandated by regulation, the insurance industry is envisioned as the government’s de facto enforcement arm, using the market tools of risk ratings and policy rates to drive U.S. companies into compliance with its guidelines. In addition, large accounting firms are starting to require both public and private businesses to engage third parties to perform vulnerability assessments of IT assets and corporate security posture. Soon, these assessments (mandated by auditors and suggested by insurance companies) will be expanded to include full compliance audits against the NIST Framework.

The security assessment performed for the HIE was aligned with the NIST Cyber-security Framework. The five elements of the NIST Framework are Identify, Protect, Detect, Respond and Recover, as depicted in the graphic below:

Utilizing the principles of the NIST Framework, the security team was able to assess the HIE’s compliance with Framework guidelines and correspondingly its resilience to cyber-security threats. This approach is comprehensive and easy to understand:

Identify by categorizing crown jewels and identifying risk areas

Protect by safeguarding crown jewels and assets from data loss events

Detect by spotting threats and non-compliance before they manifest as critical risks

Respond by acting on incidents and activating plans to eradicate the threat and recover

Recover by restoring critical capabilities based on pre-established plans and actions

HIE Security Assessment Project

HIPAA requires a covered entity, or a business associate that subcontracts work, to enter into a business associate agreement (BAA) with any contractor that will create, receive, maintain or transmit ePHI on its behalf. The BAA identifies the healthcare service provider as the “covered entity” and the sub-contractor as the “business associate.” The contractual wording in the BAA ensures that the regulatory obligations set forth in the Code of Federal Regulations (45 CFR Parts 160 and 164) are clear and that provisions for potential data breaches and security incidents are established. The BAA also details the business associate’s possible liabilities and the associated cyber-security insurance requirements.

In addition to the BAA, the security team worked with the HIE’s staff to establish and authorize the Rules of Engagement (ROE), which detailed the systems that were in scope and the times during which the phishing campaigns, vulnerability scans and penetration tests could be performed. The ROE also specified the tools used on the project, which included: Router Analysis Tool (RAT), Nmap, Nessus, AppDetective, AppScan, Critical Watch FusionVM, Rapid7’s Nexpose and Metasploit, Wireshark, the Social-Engineer Toolkit (SET), Burp Scanner and OWASP ZAP (as shipped with Kali Linux).

The security assessment consisted of the following tasks:

■ Internet footprint and attack surface

■ Detailed website assessment (OWASP)

■ Incident response testing and analysis

■ Information security risk assessment

■ Information technology risk assessment

■ Social engineering

■ Vulnerability assessment

■ Penetration test

■ HIPAA compliance audit

The Security Team utilized a standard approach to vulnerability assessments and penetration tests that is based on industry Best Practices. The Team used the methods defined by the Institute for Security and Open Methodologies (ISECOM). Their publication, the Open Source Security Testing Methodology Manual (OSSTMM, created by Pete Herzog, http://www.osstmm.org/), documents in great detail the components of a vendor-neutral approach to a wide range of assessment methods and techniques. The security team’s approach to a security assessment and penetration testing includes the following elements:

Initiation: The project kick-off meeting introduced the teams, reviewed the project schedule and identified the actions necessary to formulate an agreement on the rules of engagement (ROE).

Discovery: Once the ROE was finalized and signed off, the first active step in the security assessment was to perform a discovery and footprint analysis of the network infrastructure. It is important to gain an understanding of what types of systems and services are present, as well as researching general information (such as contact names and DNS registration) available on the HIE and its websites from publicly available sources.

Initial assessment: The initial assessment included automated vulnerability and application scans of the HIE’s systems. This information allowed the security team to have an understanding of operating system, application and service weaknesses that exist in the applications and infrastructure. The output from the automated scanning tools allowed the security team to quickly enumerate the potential issues.

Vulnerability analysis: The security team used the available information to identify vulnerabilities resulting from compound weaknesses across multiple systems. This included checking for default passwords, checking for insecure database configurations, enumerating data exposed to external networks (such as through FTP and Windows File Share services), and other active probing techniques.

Exploitation: The security team exploited the network infrastructure within the limits set by the ROE. External black-box penetration testing simulated a real outside cyber threat. A gray-box penetration test was then performed from inside the network to simulate a real insider threat.

Reporting: The deliverables included both an executive summary of issues for management and detailed technical information for remediation tasks.
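The following is an added example, not code from the case study or from any of the tools listed in the ROE. It turns the Discovery and Initial assessment steps into a repeatable check: it reads the XML that `nmap -oX` writes (the scan itself is not run here; the XML below is a constructed sample using TEST-NET addresses and a fictional hostname) and reports every open, externally reachable service that should not sit on an HIE’s perimeter, so the FTP and Windows File Share enumeration mentioned above becomes code rather than a manual read of the scan output. The service-to-severity table is this example’s own assumption, not a published standard.

```python
"""Attack-surface findings from nmap XML output. Added example; the sample scan
and the severity table are assumptions, not data from the case study."""

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in nmap's XML output format (abridged to the elements used).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/28">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="portal.hie.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services that should not be reachable from the Internet on an HIE perimeter.
# Severity labels are this example's assumption, not an industry standard.
EXPOSED_SERVICE_SEVERITY = {
    "ftp": "high",             # clear-text credentials, directory listing
    "telnet": "high",          # clear-text administrative access
    "microsoft-ds": "high",    # SMB / Windows file sharing
    "netbios-ssn": "high",
    "ms-sql-s": "high",
    "mysql": "high",
    "ms-wbt-server": "medium", # RDP
    "snmp": "medium",
    "http": "low",             # unencrypted web; should redirect to https
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    hostname: str
    port: int
    service: str
    severity: str


def parse_open_services(nmap_xml: str):
    """Yield (addr, hostname, port, service) for every port nmap reports as open.
    Filtered and closed ports are skipped: they are not reachable attack surface."""
    root = ET.fromstring(nmap_xml.strip())
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        hn_el = host.find("hostnames/hostname")
        hostname = hn_el.get("name") if hn_el is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            yield addr, hostname, int(port.get("portid")), name


def attack_surface_findings(nmap_xml: str) -> list[Finding]:
    """Open services that match the exposure table, most severe first."""
    findings = [
        Finding(addr, hostname, port, svc, EXPOSED_SERVICE_SEVERITY[svc])
        for addr, hostname, port, svc in parse_open_services(nmap_xml)
        if svc in EXPOSED_SERVICE_SEVERITY
    ]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))


if __name__ == "__main__":
    for f in attack_surface_findings(SAMPLE_NMAP_XML):
        print(f"{f.severity:6} {f.host}:{f.port} {f.service} {f.hostname}")
```

Run against a real export (`nmap -sV -oX scan.xml <in-scope ranges>`) the same function gives the team a list to carry into the Vulnerability analysis step, and rerunning it on next year’s scan shows exactly which exposures were opened or closed since the last assessment.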

Lessons Learned

■ The performance of an annual security assessment helps reduce risk to critical business assets by providing the HIE with a regular checkpoint to evaluate changes to systems and network infrastructure.

■ The heat map risk chart provided the executive team with a visual representation of their cyber-security posture that was clear and easily understood. This allowed the vice president of operations to immediately prioritize remediation activities.

■ The Internet footprint and attack surface analysis provided the CISO with graphical insights into operational issues which were subsequently remediated.

■ The incident response testing identified response times which were outside the parameters of a vendor’s service level agreement (SLA). As a result, the CISO was able to hold the vendor accountable and force them to meet the terms of the SLA.

■ The information security risk assessment identified policies that were out of date and unavailable for employee review. In addition, there were controls that were not being audited for compliance on a regular basis.

■ The information technology risk assessment identified threats that were previously unknown.

■ The HIPAA compliance audit generated significant internal discussion, resulting in changes to internal procedures.

Security Assessment Findings

Overall, the HIE used best efforts to build usable systems and implement perimeter defenses to protect the core network from external attack. Some security gaps and software vulnerabilities were identified on internal systems. A remediation plan was presented that prioritized recommendations by severity and threat level.

The distributed architecture of the query-based exchange system provides an intrinsic level of cyber-security for the HIE: because the HIE holds only index fields and passes the records through, the possibility that the HIE itself will expose ePHI during normal data transmissions is minimized or even negated.

The IG responsibilities associated with the medical records remain with the organization that creates the medical record.

The medical professionals requesting the ePHI via the electronic exchange process have obligations under HIPAA and business associate agreements to safeguard the information during the time it is displayed on their computer systems. However, since the PHI is transitory and not stored locally, this risk is relatively small, provided that browser caching of the portal pages is disabled and workstations are locked when unattended.

The human factor remains the weakest link in the HIE process. Compromised credentials and misuse by emergency personnel are human factors which represent significant risk, not only for the HIE in this case study, but all regional HIEs in general.

Security Assessment Best Practice Recommendations

Typically, cyber-security assessments are narrowly focused on the technical aspects of computer patching, network infrastructure and website programming. In this case, the security team’s statement of work also included tasking to conduct an information security (IS) risk assessment and an information technology (IT) risk assessment. The IS assessment audited the HIE’s posture relative to standard security controls. In addition, it also evaluated the HIE’s compliance with its own set of policies and procedures. The IT assessment inventoried the HIE’s computing infrastructure and then used a numerical system to model potential threats and score the associated risks.

The inclusion of the IS and IT risk assessments in the overall security assessment project scope delivered significant value to the HIE, bringing to light opportunities for improvement in the HIE’s cyber-security posture that were not identified in the previous annual security assessment.

The security team’s recommended best practice is that all regional HIEs include an information security risk assessment (controls audit) and an information technology risk assessment (threat modeling) in their annual security assessment projects.

Where Do You Keep Your Crown Jewels? Identifying, Classifying and Managing Your Information Assets

By Dennis Kessler

However we define it, the concept of “information management” has been around for many years, steadily growing as an industry and gaining in strategic importance for organizations, seemingly without much debate or controversy.

By contrast, information governance (IG), a relatively new upstart, can appear daunting.

The reason is that there is no single recipe for success. IG is not like an IT project, with a clear beginning, middle and end. Instead, it is more like a collection of complementary ongoing activities, all designed to improve the way we manage and secure information, and all supported by some form of governance activity that checks whether we are moving in an agreed direction in terms of standards, guidelines and metrics.

Defining IG Isn’t Hard

“Information governance” actually involves two distinct elements—instead of “governance over information,” IG is really about “governance over our information management activities.” It is about taking prudent care of information assets, minimizing their risks and costs while maximizing their value.

The National Archives of the U.K. government defines an information asset as “a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively,” adding that, “Information assets have recognizable and manageable value, risk, content and lifecycles.”

The basic concept underpinning all information management and governance activities is the idea that information has value—and so needs to be managed and safeguarded accordingly based on its value.

Organizations manage their financial assets through a combination of policies, standards, systems and governance measures. These measures aim to achieve agreed levels of oversight, scrutiny and legal and regulatory compliance, while continuously improving.

In my experience, three key elements need to be in place for IG to flourish and deliver lasting benefits:

1. Information principles: These principles express the value of information and start to establish an information-focused culture in your organization.

The principles might vary somewhat depending on the organization and industry. But they should include the following:

Information is a strategic asset of the organization: All users recognize that information is essential for the organization to achieve its mission, objectives and activities.

Information belongs to the organization: Even if an information asset has an accountable owner, it still exists to benefit the organization. The “owner” is more of a steward, managing the information to ensure its quality and availability to those who need it.

Information is controlled and managed: Every information asset should be managed so that we know what information is stored where, how it is used, how important it is, etc.

Information is safeguarded according to a risk assessment of its value: The more critical the information, the more stringent (and costly) the measures applied to protect it should be.

Information should be shared: People must be able to find the information they need, when they need it.

Information has integrity: Information owners and managers follow standards and measures to ensure that the information they’re responsible for is trustworthy and accurate.

Information handling carries risks and responsibilities for securing and properly utilizing information.

2. Information standards, policies and guidelines: For information management, which together describe specific behaviors, activities and outcomes needed to implement the principles and achieve the corresponding goals.

3. Governance framework: The structure of steering committees, roles and responsibilities and review processes which collectively asks, “How well are we meeting the principles?”

Measuring the Value of Information

In most organizations, requested spending on projects or operations requires a business case and projected “return on investment.”

Although information is an asset, it is largely an intangible one, which means it is hard to put a firm dollar price on a piece or collection of information, at least in the way accountants are trained to value assets.

Instead, think about the cost to operations, business process efficiency, customer trust and even reputation if the right information was not available to the right teams or systems at the right time.

This is exactly what information security is all about—and a good place to lay the solid foundations for effective information management and governance—even if we are unable to fund and launch a formal explicit IG program.

Although recognition of the value of IG is slowly growing, information security and, specifically, “cyber-security” are now firmly on the table as agenda items for executive boards around the world. Indeed, given the widespread recent publicity resulting from industrial-scale data breaches at Anthem, 21st Century Oncology, Sony, Target and even the U.S. Office of Personnel Management, information security is now seen as an existential threat to some organizations and even to economic growth (according to the World Economic Forum).

Locating the “Crown Jewels”—and Protecting Them

Once we have located an information asset, we need to analyze and classify it to build a simple profile. We then store and maintain the profiles in an information asset register.

The term “information security” is based on the idea that information represents an asset which has a value.

To determine the criticality of an asset, we consider the impact of loss of the asset’s:

Confidentiality: Has the information been accessed or disclosed without authorization?

Integrity: Can we trust the information to be accurate and complete? Has the information been tampered with or corrupted?

Availability: Is the information available to those people, processes or systems who need it, when they need it?

Based on its resulting criticality value, each information asset needs a corresponding level of protection—specifically, to safeguard and maintain its availability, confidentiality and integrity.


Benefits of Tracking Your Information Assets

As well as greater confidence that you are protecting your information assets appropriately, this asset-based approach to managing information helps to reveal:

■ Which people or teams are responsible and accountable for maintaining the confidentiality, integrity and availability of information

■ Which people/teams and systems can access information, and for what purposes—whether to create, update or consume information

■ How information flows and is used throughout the organization—which business processes and which decision-making points depend on which information

■ Regulatory, compliance and other obligations

General Data Protection Regulation (GDPR) Considerations

U.S. healthcare organizations are already familiar with the need to comply with the Health Insurance Portability and Accountability Act (HIPAA), the U.S. law requiring protection of confidential and sensitive patient data.

The regulatory burden can be significant. As well as complying with HIPAA, from May 2018 healthcare companies established in Europe, or processing the personal data of individuals in the EU, also have to meet the conditions of the EU General Data Protection Regulation (GDPR). The GDPR is perhaps the strictest privacy regulation to date. Its effects are being felt around the globe, and it will most likely influence a tightening of U.S. privacy laws.

To stay on the right side of GDPR, it is essential to discover and document what personal data you hold (irrespective of whether it is for patients, staff or suppliers), where it came from, how you use it and why, and who you share it with. And the only way to get a reliable picture of the situation is to carry out an information audit.

Other activities which organizations must carry out to comply with these regulations include ensuring:

■ privacy notices and policies are aligned with the regulations, such as the specific purpose(s) for which data is stored and processed

■ individuals’ rights, including procedures to support requests for data retrieval and deletion

■ data is stored securely and appropriately given its sensitivity

Achieving all of these and other related points depends on understanding what data you’re storing, where you’re storing it and what it represents.

As is generally true for all customer data, the mining and analysis of patient data can be the key to innovation and big profits for healthcare companies. However, managing this precious patient and customer data means balancing the potential rewards with privacy responsibilities and costs. Customers and patients are increasingly aware, empowered and concerned with privacy.

Sample Information Asset Survey Questions

1. Information Asset Description

a. Name: A descriptive and meaningful label for the asset

b. Description: What the information asset is and what it is used for

2. Ownership: This section covers the “stewardship” of the information asset, including the key roles and responsibilities of the owner and manager, together with any other stakeholders likely to be affected by the quality and availability of the asset

a. Owner: Has overall accountability for access, use and management of the asset

b. Manager: Hands-on manager responsible for day-to-day operations and administration. Expected to be familiar with the details of the asset content, structure and usage, and so likely to be quick to detect evidence of breach, tampering/corruption etc.

c. Creator: Source of the information; a person, application system or external source

d. Stakeholders/customers: Other stakeholders affected by the use, management, integrity or availability of the asset

3. Dates

a. Creation date: Date on which the asset was created (if involving a fixed lifecycle)

b. Last review date: Date on which the asset was last reviewed for completeness and accuracy

c. Date closed: Date on which the asset was closed/completed/removed from production use

4. Confidentiality

a. Confidentiality: Indicates the confidentiality classification of the information based on the BIS Confidentiality of Information policy (SN 1045) (NB this is distinct from the Risk/Impact Criticality rating in section 7 below.)

b. Data Privacy & Protection: Indicates whether the asset contains or relates to Personally Identifiable Information (PII) and its potential relevance to Data Protection or Data Privacy regulations and legal risk, especially the EU General Data Protection Regulation (GDPR).

5. Retention

a. Retention period: Retention category (if useful, but avoid duplication and inconsistency)

b. System of Record: Name of the record system used to store the asset (or a subset of related business records)

6. Access and Use

a. Applications & Interfaces: List of applications and interfaces authorized to access the information asset, together with the corresponding access rights

b. User groups: List of user groups authorized to access the asset, together with the corresponding access rights

c. Metadata: List of any metadata needed to access or describe the context of the asset

7. Risk/Impact of Problems/Issues

a. Confidentiality: Impact if the asset is accessed or disclosed without authorization

b. Integrity: Impact if the information is corrupted, tampered with or otherwise suffers a loss of integrity

c. Availability: Impact if the information is lost or unavailable

d. Criticality: The overall criticality rating is the product of the confidentiality, integrity and availability impact scores above.

25 Exciting Things to Do with an Information Asset Register

By Reynold Leming

Many organizations have undertaken information audits to gain an insight to this highly valuable corporate asset. This is particularly the case for those who will be governed by the EU General Data Protection Regulation, where there are increased obligations to maintain documentary evidence of processing activities. However, there are of course many drivers for understanding the information assets maintained and used, their characteristics and the value and risks associated with them.

Whether in a spreadsheet form or (ideally) a database, an information asset register (IAR) is used to record the inventory. This chapter explores (in no particular order of importance) 25 potentially beneficial outcomes from populating, maintaining and interrogating an IAR:

1. Understanding relationships: A related series of records sharing the same purpose (an “asset collection” if you will) might have a variety of constituent entities (“assets”) in different formats – e.g. physical records, digital content, system data. Identifying these within an IAR, with a suitable narrative recorded, will enable an understanding of their relationships and purpose over time. This could include for example the “story” of document handling paper originals and resulting images within a document scanning process or the retirement and introduction of systems.

        Allied to this is tagging assets to a business classification scheme of the functions and activities of your organization. This allows the assets to be categorized to a vocabulary of business activity that is neutral to and more stable than organizational structures (which can change more often than what an organization actually does), provides a collated corporate view of assets maintained based upon their purpose (for example many departments will hold invoice, staff, policy and contract records) and supports cross-cutting processes involving different teams. It also allows the consistent inheritance and application of business rules, such as retention policies.

2. Security classification: Assets can be classified within the IAR to an approved security classification/protective marking scheme, with current protective measures recorded, in order to identify any risks relating to the handling of confidential personal or commercially sensitive information. You can assess whether assets are handled, stored, transferred and disposed of in an appropriate manner.

3. Personal data: Specifically, you can identify confidential personal information to ensure that data protection and privacy obligations are met.

        The GDPR contains many obligations that require a thorough understanding of what personal data you process and how and why you do so. Many requirements for keeping records as a Data Controller for GDPR Article 30 can be supported by the information asset inventory. For example, the asset attributes can describe the purposes of the processing, the categories of data subjects and personal data, categories of recipients, envisaged time limits for erasure of the different categories of data and a general description of the technical and organizational security measures.

        It will also help data processors keep a record of the categories of processing, transfers of personal data to a third country or an international organization and a general description of the technical and organizational security measures.

        Much of the information about personal data required for Article 30 compliance is also useful to meet obligations under Article 13 and Article 14 on information to be provided, for example via privacy notices or consent forms.

        Under Chapter 3 of the GDPR, data subjects have a number of rights. Understanding things such as the location, format, use of and lawful basis of processing for different categories of personal data will enable the organization to support responses to rights requests.

        Under Article 25 of the GDPR there are requirements for Data Protection by design and by default. Additionally, under Article 35 there are requirements relating to Data Protection impact assessments. The inventory can provide insight to which processes and systems need to be assessed based upon for example the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

        As aforementioned, it is important to identify who personal data is shared with. The inventory can support this as well as specifically enable monitoring of the existence or status of suitable agreements. For example, under Article 28 of the GDPR processing by a processor shall be governed by a contract or other legal act under Union or Member State law.

        Article 32 of the GDPR covers security of processing, with requirements to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Then using the inventory you can assess the security measures in place for assets against their level of confidentiality. It also can help with identifying the data sets where, if anything unfortunate were to happen, there are considerations regarding Article 33 Notification of a personal data breach to the supervisory authority and Article 34 Communication of a personal data breach to the data subject.

4. Ownership: The ability to know who owns what. This includes understanding ownership both in terms of corporate accountability and ownership of the actual information itself. You could also record who administers an asset on a day-to-day basis if this is different.

5. Business continuity: An organization will have vital/business-critical records that are necessary for it to continue to operate in the event of a disaster. They include those records which are required to recreate the organization’s legal and financial status, to preserve its rights, and to ensure that it can continue to fulfill its obligations to its stakeholders. Assets can be classified within the IAR to an approved criticality classification scheme, with current protective measures recorded, in order to assess whether they are stored and protected in a suitable manner and to identify any risks relating to business-critical ("vital record") information. You can also identify the recovery point objective (RPO) and recovery time objective (RTO) for assets to support a disaster recovery or data protection plan.

6. Originality: You can identify whether an asset is original or a copy, ascertaining its relative importance and supporting decisions on removing duplication and the optimization of business processes.

7. Heritage: You can identify records of historical importance that can be transferred at some stage to the custody of a corporate or third-party archive.

8. Formats: The ability to understand the formats used for information, supporting decisions on digital preservation or migration.

9. Space planning: In order to support office moves and changes, data can be gathered for physical assets relating to their volume, footprint, rate of accumulation, use, filing methods etc.

10. Subject matter: If assets are tagged to a business classification scheme of functions and activities, as well as potentially to a keyword list, the organization can understand the “spread” of record types (e.g. who holds personnel, financial, contractual records) and/or “discover” resources for knowledge management or eDiscovery purposes.

11. Archive management: The ability to understand what physical records (paper, backup tapes, etc.) are archived, where and when; this might for example identify risks in specific locations or issues with the regularity of archiving processes. The organization can also understand its utilization of third-party archive storage vendors—potentially supporting decisions on contract management/consolidation—and maintain its own future-proof inventory of archive holdings. Archive transactions can be recorded if there is no system to otherwise do so.

12. Location: The “location” of an asset can of course be virtual or physical. This (together with other questions relating to for example security measures) is important to ensure that information assets are suitably protected. It also helps in the planning of IT systems and physical filing/archiving services. The benefits for archive management are explored above and for maintaining a system catalogue below. Other examples might be to identify records to gather when doing an office sweep following vacation of a floor or building, or what assets are held in the cloud, or asset types within a given jurisdiction. It would also support the “discovery” of resources for knowledge management or eDiscovery purposes.

13. Retention: An IAR can be used both to link assets with approved records retention policies and to understand the policies and methods currently applied within the organization, therefore identifying queries, risks and issues. The IAR can also be used to maintain the actual policies (across jurisdictions if applicable) and their citations; if a law changes or is enacted, relevant assets can be identified for any process changes to be made.

14. Disposal: An IAR can be used both to link assets with approved destruction or transfer policies and to understand the processes and methods currently applied within the organization, therefore identifying queries, risks and issues, particularly for confidential information. Disposal transactions can be recorded if there is no system to otherwise do so.

15. Source: The source of assets can be identified to understand where information is derived from and better manage the information supply chain. Under Article 14 of the GDPR, part of the information the controller shall provide to the data subject to ensure fair and transparent processing includes from which source the personal data originated, and if applicable, whether it came from publicly accessible sources.

16. Rights: The rights held in and over assets can be identified, such as copyright and intellectual property, in order to protect IPR and to avoid infringement of the rights of others.

17. Applications catalogue: The application systems in use (e.g. content management, front and back office) can be identified and linked to locations, people, activities and of course assets. Licensing and upgrade criteria could also be managed. It would also be possible for example to identify system duplication or the use of homegrown databases.

18. Condition: Both physical and digital assets can degrade; this can be identified for assets with conservation/preservation actions taken accordingly.

19. Age: The age of assets can be established, with decisions made on their further retention/disposal, the need for archiving (historic or business) and potentially whether they need to be superseded with newer resources.

20. Organization and Referencing: An understanding can be gained of whether structured systems and approaches are in place to describe, reference and organize physical and digital assets, identifying whether there are likely to be any issues with finding information.

21. Utilization: An understanding can be gained of whether assets are proposed, active, inactive, discontinued/superseded, therefore enabling decisions on their format, storage, disposal, etc.

22. Sharing: An IAR can be used to identify how information is shared within and without the organization, helping ensure that it is available as required, and that suitable security measures and, where applicable, information sharing agreements are in place. This supports compliance with Article 30 of the GDPR as part of the records of processing activities.

23. Provenance: Fundamentally an IAR can provide an accountable audit trail of asset existence and activity, including any changes in ownership and custody of the resource since its creation that are significant for its authenticity, integrity and interpretation.

24. Publications: Information produced for wider publication to an internal or external resource can be identified, including for example the audience for whom the resource is intended or useful, the channels used for distribution and the language(s) of the content, thus facilitating editorial, production and dissemination planning and management.

25. Quality: Observations can be recorded on the quality of assets (e.g. accuracy, completeness, reliability, relevance, consistency across data sources, accessibility), with risks and issues identified and managed.
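As an added illustration (not code from either chapter or any product), the following Python models the survey fields above as a small register and runs the checks the list describes: the section 7 criticality product, recipients of personal data with no Article 28 agreement recorded (items 3 and 22), assets whose retention rests on a citation that has changed (item 13), and overdue reviews (section 3b). The 1 to 5 scoring scale, the field names and every sample asset, citation and recipient are constructed assumptions.

```python
"""Minimal information asset register (IAR) built on the survey fields above.

Added illustration only, not the chapter's or any vendor's code. The 1-5 scoring
scale, the field names and every sample asset below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class InformationAsset:
    name: str                     # section 1a
    owner: str                    # section 2a: accountable for access, use and management
    manager: str                  # section 2b: day-to-day administration
    system_of_record: str         # section 5b
    contains_pii: bool            # section 4b
    confidentiality: int          # section 7a: impact if disclosed, 1 (low) to 5 (high)
    integrity: int                # section 7b: impact if corrupted or tampered with
    availability: int             # section 7c: impact if lost or unavailable
    retention_citations: Tuple[str, ...] = ()   # section 5a: policies/laws the period rests on
    recipients: Tuple[str, ...] = ()            # item 22: parties the asset is shared with
    processor_agreements: Tuple[str, ...] = ()  # recipients covered by an Article 28 contract
    last_review: Optional[date] = None          # section 3b

    def criticality(self) -> int:
        """Section 7d: the overall rating is the product of the C, I and A scores."""
        for score in (self.confidentiality, self.integrity, self.availability):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: impact scores must be 1..5, got {score}")
        return self.confidentiality * self.integrity * self.availability


def unagreed_recipients(asset: InformationAsset) -> List[str]:
    """Items 3 and 22 / Article 28: recipients of personal data with no recorded agreement."""
    if not asset.contains_pii:
        return []
    return [r for r in asset.recipients if r not in asset.processor_agreements]


def assets_citing(register: List[InformationAsset], citation: str) -> List[str]:
    """Item 13: when a cited law or policy changes, find the assets whose retention rests on it."""
    return [a.name for a in register if citation in a.retention_citations]


def overdue_reviews(register: List[InformationAsset], today: date, max_age_days: int = 365) -> List[str]:
    """Section 3b: assets never reviewed, or last reviewed more than max_age_days ago."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.name for a in register if a.last_review is None or a.last_review < cutoff]


def ranked_by_criticality(register: List[InformationAsset]) -> List[Tuple[str, int]]:
    """Item 5 style view: highest-impact assets first, to prioritise protective measures."""
    return sorted(((a.name, a.criticality()) for a in register), key=lambda t: (-t[1], t[0]))


# Constructed sample register; names, citations and recipients are illustrative only.
SAMPLE_REGISTER = [
    InformationAsset("Patient clinical records", owner="Medical Director", manager="Health Records Manager",
                     system_of_record="EHR", contains_pii=True,
                     confidentiality=5, integrity=5, availability=5,
                     retention_citations=("Example retention schedule v3",),
                     recipients=("Outsourced transcription service",),
                     processor_agreements=("Outsourced transcription service",),
                     last_review=date(2018, 3, 1)),
    InformationAsset("Staff HR files", owner="Director of HR", manager="HR Systems Lead",
                     system_of_record="HR system", contains_pii=True,
                     confidentiality=4, integrity=3, availability=2,
                     retention_citations=("Example retention schedule v3", "Example employment rule"),
                     recipients=("Example payroll bureau",),
                     processor_agreements=(),
                     last_review=None),
    InformationAsset("Supplier invoices", owner="Finance Director", manager="Accounts Payable Lead",
                     system_of_record="Finance ledger", contains_pii=False,
                     confidentiality=2, integrity=4, availability=3,
                     retention_citations=("Example finance retention rule",),
                     recipients=("External auditor",),
                     last_review=date(2018, 1, 15)),
]


if __name__ == "__main__":
    today = date(2018, 6, 1)  # constructed reporting date
    for name, score in ranked_by_criticality(SAMPLE_REGISTER):
        print(f"{score:>4}  {name}")
    for a in SAMPLE_REGISTER:
        for r in unagreed_recipients(a):
            print(f"No Article 28 agreement recorded: {a.name} -> {r}")
    print("Affected by schedule change:", assets_citing(SAMPLE_REGISTER, "Example retention schedule v3"))
    print("Overdue review:", overdue_reviews(SAMPLE_REGISTER, today))
```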

Privacy and Data Protection Officers: Implementing the EU General Data Protection Regulation

By Andrew Harvey and Barry Moult

Introduction

At time of writing the European Union General Data Protection Regulation (GDPR) is being subsumed into British domestic legislation, and will become the basis for a new Data Protection Act, replacing the old 1998 Act, itself based on a 1995 EU Directive. For this reason, until the new Act receives Royal Assent, this piece continues to refer to the GDPR. The pending legislation is, overall, causing much generalized debate regarding its implications and where Data Protection practice in the U.K. is destined.

There has been substantial specific debate and concern about who should be appointed as the Data Protection Officer (DPO) under the GDPR within healthcare organisations. In this section we attempt to inject some order into the confusion. Our analysis has concentrated on the GDPR itself, along with guidance from the Article 29 Working Group (WP29) and the U.K. Information Commissioner’s Office (ICO), and on significant discussion between the authors, both in person and online, with Information Governance (IG) and Data Protection professionals.

The perspective here is mostly applicable to Acute trusts within the National Health Service (NHS), although its message is likely to be applicable more broadly across the U.K. healthcare sector.

Is a DPO Required?

GDPR Article 37 states that a DPO is needed in any case where:

■ The processing is carried out by a public authority or body, except for courts, or

■ The core activities of the Data Controller or the Data Processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or

■ The core activities of the Data Controller or the Data Processor consist of processing large volumes of Special Categories of Data or information about criminal convictions and offences. 1

Whereas it is common understanding that the NHS is a public body, the term “public authority or body” is, rather unhelpfully, not defined in the GDPR. For the sake of clarity, however, it is apparent by extrapolation from the definition in Schedule 1 of the Freedom of Information Act 2000 that the NHS is indeed included.

Who Should Be the DPO?

It is perfectly acceptable for public bodies to appoint a single DPO to be shared between authorities. 2 It may be beneficial, therefore, that the DPO is shared between healthcare organizations working in close partnership with each other, or perhaps across several organizations within a localized Sustainability and Transformation Partnership, Accountable Care Organization/Partnership or other similar forms of partnership working.

GDPR Article 38 is clear about the position of the DPO, in that the Data Controller and Data Processor shall:

■ Ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

■ Support the DPO in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge.

■ Ensure that the DPO does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the Data Controller or the Data Processor for performing his tasks. The DPO shall report to the highest management level. 3

Furthermore:

■ Data Subjects may contact the DPO with regard to all issues related to processing of their personal data and to the exercise of their rights under the GDPR.

■ The DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.

■ The DPO may fulfill other tasks and duties. The Data Controller or Data Processor shall ensure that any such tasks and duties do not result in a conflict of interests. 4

With regard to the last point, WP29 clarifies that:

As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues. 5

DPOs do not have to be lawyers but need expert knowledge of Data Protection law and practices. From a practical perspective, they must also have an excellent understanding of the organization’s governance structure and be familiar with its IT infrastructure and technology.

The DPO role may be employed (“internal DPO”), or there may be circumstances where they act under a service contract (“external DPO”). In both cases, they must be given the necessary resources to fulfill the relevant job functions and be granted a certain level of independence, to be able to act in the necessary ‘independent manner’. This independence is supported by a degree of protection against dismissal or other sanctions on grounds that relate to their performance of their DPO tasks.

The DPO does not have to be a standalone role, and may have other tasks within the organization, so long as they do not interfere with the DPO role. WP29 has made it clear that the DPO ‘cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data’. 6 For example, it is the responsibility of the Data Controller or Data Processor to maintain a record of processing operations under its responsibility or maintain a record of all categories of processing activities carried out on behalf of a Data Controller. In reality, however, it may be the DPO that creates the inventories and holds the register of processing operations even though it is not a specific requirement of the role.

Many healthcare organizations already have staff in place who oversee most issues relating to Data Protection. These roles generally have titles such as Head of IG, IG Lead, IG Manager or Privacy Officer. It is anticipated that these roles will be the most appropriate to undertake the DPO role within healthcare organizations with mature IG models, as it is these personnel who have the necessary IG and Data Protection knowledge and experience to undertake the role.

To make this appropriate, the addition of the DPO post to such roles will require both an amendment to the post holder’s Job Description, including an appropriately senior salary band/grading, along with a clear reporting responsibility (a dotted line in some circumstances) to a Director, Executive Director and/or Board member, depending on the structure, size and maturity of the organization.

What Are the Qualifications to Be a DPO?

GDPR Article 37 does not absolutely define the credentials for a DPO beyond ‘expert knowledge of data protection law and practices’. 7 The GDPR’s Recitals add that this should be ‘determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor’. 8

Realistically this is a member of staff with detailed expert knowledge and experience of applying IG and Data Protection principles within a healthcare environment, potentially along with a qualification to demonstrate the ability to act at this level.

The WP29 guidance clarifies this further:

Although Article 37(5) does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.

Knowledge of the business sector and of the organization of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller.

In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization. 9

What Are the Tasks of the DPO?

The DPO’s tasks are very clearly delineated in the GDPR Article 39, to:

■ Inform and advise the Data Controller or Data Processor and the employees who carry out processing of their Data Protection obligations.

■ Monitor Data Protection compliance.

■ Assign responsibilities, awareness-raising and training of staff involved in processing operations.

■ Undertake internal audits of Data Protection.

■ Provide advice on the need and completion of Data Protection Impact Assessments.

■ Cooperate with the ICO and act as the contact point for any issues relating to processing.

■ Undertake or advise on the potential risk of processing activities.

Under the GDPR, DPOs have many rights in addition to their responsibilities; they:

■ May insist upon resources to fulfill their job functions and for their own ongoing training.

■ Must have access to the company’s Data Processing personnel and operations.

■ Have significant independence in the performance of their roles.

■ Have a reporting line ‘to the highest management level’ of the organization.

What Are the Organization’s Responsibilities?

The most essential requirement is that the DPO must be allowed to perform their tasks in an independent manner. They need to report to the highest management level in the organization and cannot be dismissed or penalized for doing their job (i.e. giving advice). This will require a robust governance reporting structure for the DPO to function and evidence that advice has been accepted or rejected.

GDPR Article 38 requires the organization to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The WP29 Guidance adds that, depending on the nature of the processing operations and the activities and size of the organization, the following resources should be provided to the DPO:

Active support of the DPO’s function by senior management (such as at board level).

Sufficient time for DPOs to fulfil their duties. This is particularly important where the DPO is appointed on a part-time basis or where the employee carries out data protection in addition to other duties. Otherwise, conflicting priorities could result in the DPO’s duties being neglected. Having sufficient time to devote to DPO tasks is paramount. It is a good practice to establish a percentage of time for the DPO function where it is not performed on a full-time basis. It is also good practice to determine the time needed to carry out the function, the appropriate level of priority for DPO duties, and for the DPO (or the organization) to draw up a work plan.

Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate.

Official communication of the designation of the DPO to all staff to ensure that their existence and function is known within the organization.

Necessary access to other services, such as Human Resources, legal, IT, security, etc., so that DPOs can receive essential support, input and information from those other services.

Continuous training. DPOs should be given the opportunity to stay up to date with regard to developments within data protection. The aim should be to constantly increase the level of expertise of DPOs and they should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.

Given the size and structure of the organization, it may be necessary to set up a DPO team (a DPO and his/her staff). In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly drawn up. Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client. 10

Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as the equivalent of €10m (almost £9m at time of writing) or 2% of the organization’s turnover, whichever is higher.

The appointment of a DPO may look unnecessary at first (“we already have an IG Manager”). However, not only is it a legal requirement, it must also be seen as an efficient way to ensure Data Protection compliance, something that is especially true when it comes to sophisticated Data Processing activities and cross-border data flows.

What Could a DPO Job Description Look Like?

By nature of being different organizations, operating in their own way, these will likely vary widely across healthcare. Some organizations may opt for an addition to the Job Description of the member of staff completing the role that is as simple as ‘To act as the Trust’s responsible Data Protection Officer, as defined in the General Data Protection Regulation’ (as is the case with one of the authors). Others may desire something more detailed. A possible example is as follows:

Job Description

DATA PROTECTION OFFICER

1. Role Purpose

The Purpose of the Data Protection Officer (DPO) is to provide the organization independent risk-based advice to support its decision-making in the appropriateness of processing Personal and Special Categories of Data within the Principles and Data Subject Rights laid down in the General Data Protection Regulation (GDPR).

2. Tasks

Within the GDPR, the DPO’s tasks are summarized as:

■ Leading from the front in promoting an appropriate Data Protection culture within the organization.

■ Setting organizational trigger-points for mandatory input from the DPO.

■ Close liaison with senior clinical and nonclinical colleagues to enable and support both operational and strategic decision-making.

■ Management of a governance structure to record Data Protection decisions made by the organization.

■ Provision of advice on complex Data Protection issues, such as Subject Access Requests, procurement decisions, Information/Cyber Security and Information Sharing.

■ Sign-off of regulatory requirements, e.g. Information Governance Toolkit submissions.

■ Maintaining ongoing personal development and knowledge of Data Protection law, issues and developments.

■ Informing and advising the organization and its staff about their obligations to comply with the GDPR and other Data Protection laws.

■ Monitoring compliance with the GDPR and other Data Protection laws, including:

■ Managing internal Data Protection activities.

■ Advising on Data Protection Impact Assessments.

■ Training staff.

■ Conducting internal audits.

■ Being the first point of contact for the Information Commissioner’s Office and/or Data Subjects.

3. Person Specification

■ Demonstrable expert knowledge of Data Protection law and practices, gained by formal qualification and/or experience.

■ In-depth knowledge and practical experience of the NHS.

■ Confidence, although employed by the organization, to act “as if” independent, especially when liaising with senior colleagues.

■ The equivalent seniority of Band 8a or above. 11

Long-Term Digital Preservation in IG Programs: Advice from the Pharmaceutical and Biotechnology World

By Patricia Morris and Lori J. Ashley

Introduction

Pharmaceutical and biotechnology companies have numerous compelling use cases for long-term digital archiving and preservation capabilities for their information and records. Research, development, and manufacturing processes that bring products to market are complex, decades in duration, and subject to health authority regulatory and industry standards. With only minor exceptions, information and records generated during drug development are now managed exclusively in digitally encoded formats. Additionally, with its close alliance to healthcare organizations during the clinical phase of drug development, there are common directives between these industries for the compliant management of protected health information (PHI), personally identifiable information (PII), and confidential or sensitive information.

A significant percentage of information assets created and used in the pharmaceutical and biotechnology industries require long-term retention and access in excess of 10 years. The information must be able to survive successive generations of technology and custodians with all the necessary controls in place to assure it is protected. It is imperative that Information Technology (IT) professionals have strategies and capabilities to address this demand to ensure that these mission-critical organizational and customer information assets are managed appropriately with integrity and security maintained and availability assured for their lifespans.

The Challenges of Long-Term Digital Preservation in Information Governance

First of all, what does “long-term” mean?

■ Long enough to be concerned with the impacts of changing technologies, including support for new media and data formats, or with a changing user community. Long term may extend indefinitely, but may begin at as little as 10 years.

Digital information with retention periods of 10 years or more must remain protected, usable, retrievable, and authentic over successive generations. Hence, digital preservation is defined as:

■ The long-term, secure, and error-free storage of digital information, with means for retrieval and interpretation, for the entire lifespan the information is required to be retained.

This is a challenge because digital content is fragile and dependent on ever-changing hardware and software to be readable and usable. Risks to maintaining the integrity and authenticity of digital information over time include:

■ Limited budgets

■ Lack of specialized expertise

■ Insufficient or outdated technical infrastructure

■ Mismanagement or loss of materials while in the hands of the creators

■ Lack of descriptive information or sufficient metadata

■ Bit rot or other forms of media corruption

■ Unreadable file formats

■ Human error

■ Lack of specialized technical expertise

■ Unintended information security breaches

Building a long-term digital preservation solution, or electronic archive (eArchive), requires investment by the organization in this new process and technology. Justifying the costs and building the right business case for the eArchive is an essential part of an overall IG strategy. Different stakeholders in the organization will have views on the drivers for such an investment. Their views are likely derived from what they are accountable for in their role and how their budgets are defined and justified. Their drivers may come from expected compliance with external laws and regulations, from directives regarding cost savings and efficiency, or both. In the following case study, the principals in the project were primarily driven by their need to show compliance with regulations stipulated by health authorities in numerous national jurisdictions.

Case Study

This is a description of the process used by a pharmaceutical company to establish a digital archive for electronic study records and data generated during the Pre-Clinical Research phase of drug development.

The digital information identified for preservation and storage in the Pharma eArchive is subject to regulations issued by health authorities, as well as relevant laws pertaining to electronic recordkeeping. Strict compliance with these laws and regulations is essential to company operations and is routinely audited for assurance. In this instance, compliance with a specific set of regulations from the United States Food and Drug Administration (U.S. FDA) Code of Federal Regulations (CFR) that define archiving practices for records created according to Good Laboratory Practice (GLP) was the primary driver for the development of the eArchive. These essential business records have significant value to the Company in terms of scientific innovation and evidence, and are commonly retained in excess of 50 years.

Project Approach

The scope of the eArchive project was to determine a technology solution to support long-term preservation and management of electronic Pre-Clinical GLP records and data sets. This effort was undertaken with the understanding that business processes, roles and responsibilities, workflows and technology must work in concert to cover the entire spectrum of required capabilities and lifespan controls defined by the future users of the solution. To that end, a cross-functional team was convened which included Pre-Clinical scientists, Quality Managers, and Information Technologists. External consultants, who were experts in delivering long-term digital preservation and pharmaceutical electronic archiving solutions, supported the team. This collaboration resulted in the development of a formal set of user requirements and technical specifications for the eArchive.

Initially, there was an emphasis on finding a solution for the long-term preservation of structured and proprietary data sets. Demonstrations of six solutions were conducted to stimulate project team discussion and ensure that user requirements for the GLP eArchive would meet future operational and compliance demands. The solutions reviewed ranged from full-blown enterprise records and content management solutions to database archiving to long-term digital preservation systems. As a result of the demonstrations and an additional review of the full requirements, it was determined that more than one technology solution may ultimately be required to address the full spectrum of content types (structured, semi-structured, and unstructured information).

The external consultants developed an initial eArchive Operating Model so the project team could envision how records would be appraised, ingested, and archived. The basis of this model was the approach defined in ISO 14721:2012 (Space data and information transfer systems – Open archival information system (OAIS) – Reference model), with customizations based on internal process demands. The model showed the records moving from production systems, through appraisal and preparation for ingest, to long-term management and storage in the eArchive (including file format transformations when necessary), subsequent search and retrieval, and potential disposition. At this point, the project team produced the final set of user requirements for the solution.
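The operating model above (appraisal, ingest, long-term management, retrieval) and the bit-rot and unreadable-format risks listed earlier, as an added Python illustration that is not the Company's repository or the selected vendor's product: the AIP directory layout, the manifest fields, the signature table, the study id, and the sample records are all assumptions constructed for this example.

```python
"""OAIS-style ingest and fixity audit for a GLP eArchive (added example).

Assumed layout, not the Company's system: one Archival Information Package
(AIP) per study at <archive>/<study_id>/data/*, plus manifest.json holding
PREMIS-like preservation metadata (checksum, size, format, provenance).
"""
import hashlib
import json
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path
from typing import Optional

# Constructed signature table ("magic bytes"). A real archive would consult a
# format registry such as PRONOM; this stub only flags what it cannot name.
KNOWN_SIGNATURES = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"PK\x03\x04": "application/zip",  # also OOXML containers (.docx, .xlsx)
}

def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so multi-gigabyte data sets need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def identify_format(head: bytes) -> Optional[str]:
    """Return a MIME type for the leading bytes, or None if unrecognised."""
    for signature, mime in KNOWN_SIGNATURES.items():
        if head.startswith(signature):
            return mime
    return None

def ingest(sip_dir: Path, archive: Path, study_id: str, submitter: str,
           retention_years: int = 50) -> dict:
    """Turn a Submission Information Package into an AIP with fixity metadata.

    Unidentified formats are recorded at ingest so they can be queued for
    migration instead of being found unreadable decades later.
    """
    data = archive / study_id / "data"
    data.mkdir(parents=True)
    today = date.today()
    manifest = {
        "aip_id": study_id,
        "submitter": submitter,
        "ingested": today.isoformat(),
        # 365-day years are a good-enough approximation for a retention flag
        "retention_until": (today + timedelta(days=365 * retention_years)).isoformat(),
        "files": [],
        "unidentified_formats": [],
    }
    for src in sorted(p for p in sip_dir.iterdir() if p.is_file()):
        dst = data / src.name
        shutil.copy2(src, dst)
        mime = identify_format(dst.read_bytes()[:16])
        manifest["files"].append({"name": src.name, "size": dst.stat().st_size,
                                  "sha256": sha256_file(dst), "format": mime})
        if mime is None:
            manifest["unidentified_formats"].append(src.name)
    (data.parent / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def fixity_audit(archive: Path) -> dict:
    """Recompute every checksum against its manifest: finds bit rot and loss."""
    report = {"checked": 0, "corrupt": [], "missing": []}
    for manifest_path in archive.glob("*/manifest.json"):
        manifest = json.loads(manifest_path.read_text())
        for entry in manifest["files"]:
            target = manifest_path.parent / "data" / entry["name"]
            key = f'{manifest["aip_id"]}/{entry["name"]}'
            if not target.exists():
                report["missing"].append(key)
                continue
            report["checked"] += 1
            if sha256_file(target) != entry["sha256"]:
                report["corrupt"].append(key)
    return report

def demo() -> dict:
    """Ingest two constructed records, then corrupt one byte and audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        sip, archive = Path(tmp) / "sip", Path(tmp) / "archive"
        sip.mkdir()
        (sip / "final_report.pdf").write_bytes(b"%PDF-1.4 constructed report\n")
        (sip / "raw_assay.dat").write_bytes(b"\x00\x01\x02 proprietary dump")
        manifest = ingest(sip, archive, "GLP-0001", "tox-lab")
        clean = fixity_audit(archive)
        target = archive / "GLP-0001" / "data" / "final_report.pdf"
        blob = bytearray(target.read_bytes())
        blob[5] ^= 0xFF  # simulate bit rot in the stored copy
        target.write_bytes(bytes(blob))
        after = fixity_audit(archive)
    return {"manifest": manifest, "clean": clean, "after": after}
```

Scheduled runs of fixity_audit over the whole archive, with the report fed to the Quality Managers, are what turn the manifest into evidence of integrity over successive generations of storage.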

As a result of this newly confirmed focus and adjustment to the project scope and user requirements, a formal request for proposal (RFP) was issued to the two long-term digital preservation system vendors who had demonstrated the highest degree of capability for the ingest and lifespan management functions required of the eArchive.

The outcome of the RFP process was that a preferred vendor was selected to fulfill project requirements. A three-month Proof of Concept (POC) project using a cloud-based version was completed and the results confirmed the suitability of the solution.

Project Results

Following the POC and based on new technical and legal requirements, the Company made a software selection for their final solution. The software is a modular on-premise preservation platform that will be configured and customized to meet Company needs. The Company’s central IT will manage the repository and the archival content storage will be based on the Company’s Amazon S3 account. The logical architecture is a standard three-tier web-application architecture. The presentation tier (access interface) is primarily a web interface serving a combination of static and dynamic HTML pages. The application tier is a series of Java-based applications, using J2EE standards. The relational database will be based on MS SQL and hosted internally.

The categories of records to be ingested were expanded after the POC to include other research and development (R&D) groups. The Company launched the next phase of the project with the understanding that, in order to maintain compliance with applicable external regulations, the solution would need to be fully validated against the approved user requirements and technical specifications (as well as internal Information Technology Validation standards). Effort was therefore put toward finalizing those documents. Work was undertaken in parallel to revise and update records transfer and archiving processes and the associated roles and responsibilities within the record-creating units. The end result delivers their new way of preserving essential electronic drug development records for the long term, with the expectation that compliance requirements will be met.

Case Study Summary

It is well established that a vast amount of digital information is generated in the healthcare industry and that some of it must be retained and remain viable for a very long time, often in complex or proprietary file formats and outside of the systems in which it was generated. It is essential that companies and institutions in the healthcare arena devise and implement a long-term digital preservation strategy and solution as part of their overall IG program. It will ensure that digital information with long-term preservation requirements remains protected, usable, retrievable, and authentic over successive generations. Implementing a true eArchive solution, with appropriate controls and systems in place for digital preservation, will provide the secure and error‐free storage environment, with the means for retrieval and interpretation, for the entire lifespan the information is required to be retained.

Building the Business Case for Digital Preservation

Compliance: The case study summarizes a project whose justification was based on the need for compliance with laws and regulations related to the use of electronic information systems for creating and managing information that has long-term retention and reuse requirements. The demand and funding for the project were raised by those in the company who were accountable for assuring that compliance through their Quality Management Framework and corporate Code of Conduct.

Cost savings: Another driver for justifying the investment in an eArchive solution can be derived through the decommissioning of information systems that are no longer actively used but remain online to retain their content due to retention obligations. The proper eArchive solution will assure the integrity and availability of the information, independent of the originating system, for the lifespan of the content. This will allow for the decommissioning of applications and can provide a cost saving equivalent to or greater than the cost to build and maintain the eArchive itself. Those within IT know that while storage may be inexpensive, the overall application infrastructure and human resources required to manage it are not.

Value Protection: A mature IG program will also uncover a likely significant quantity of information that is being retained well past its usefulness or obligation (as defined in the organization’s records management policy and retention schedule). While searching for the “gems” that require long-term digital preservation within the enterprise to be ingested into an eArchive, a lot of redundant, outdated, and trivial (ROT) information will be identified that can be disposed of to free up existing storage, assure compliance to internal policies, and potentially reduce future eDiscovery costs. A business case that calculates all of these factors and projects the future escalation of costs and risks without action will justify the investment in an eArchive that will assure long-term digital preservation.

IG Education Is Key to Success

By Robert F. Smallwood

Usually, securing budget for any project or program is the primary obstacle to moving forward. That is not the case with information governance (IG) programs, according to IG practitioners.

The leading barriers to success in IG programs are education, program communications, and executive sponsorship.

Lack of understanding and awareness of the value of IG is often cited by practitioners. This can be remedied at a modest cost with IG training courses, webinars, podcasts, books, and articles. (Go to www.IGTraining.com for options.)

Other major barriers to IG progress are rather “soft” skills, that is, lack of collaboration across functional groups, change management, and planning. These challenges can also be overcome mostly with focused directives and an investment of time, prior to undertaking the IG program effort in earnest.

IG is a complex undertaking that requires cross-functional collaboration. And for IG programs to launch, a wide net must be cast. IG programs must have support from core IG-related functions, including legal, IT, information security, and health information management (HIM). But a particular IG program can span across many more functional groups, including data privacy, compliance, human resources, analytics, audit, finance, and business units, according to an article published by Baron and Marcos in the October/November 2015 issue of Practical Law. We would add risk management and possibly knowledge management to this list. Bear in mind that IG programs must be customized to meet the business objectives of specific organizations.

With significant roles from such varied functions required for IG program success, it stands to reason that they must have a common understanding of IG, a common language—its key terms, its benefits, and how the IG program will contribute to the accomplishment of the healthcare enterprise’s business objectives. This means your IG team or steering committee must have baseline IG training to give the program a chance at succeeding.

It also means that close attention must be paid to communication and change management factors, which should be intertwined with IG training efforts to reinforce and support program objectives.

IG Insight: The Soft Stuff Is the Hard Stuff

By Robert F. Smallwood

When organizations seek out answers for the keys to success in IG programs, they often get the typical answer from consultants and vendors: it depends.

Sure, it depends on the focus of the initial effort in an IG program. The business driver for some organizations may be cost-cutting measures that focus on reducing redundant, outdated, and trivial (ROT) files to cut the cost of storage, or at least abate it.

Hard dollar savings can be made by reducing storage costs of central servers while additional savings can be gained through improved content organization (through improved taxonomy design and leveraging metadata) which lowers e-discovery collection and document review costs. That’s “hard” stuff that yields hard dollar cost savings, but it is relatively straightforward. Further, search capabilities on unstructured files such as voice notes, radiologic images, scanned document images, Word, Excel, and PowerPoint are improved.

Some organizations focus their IG efforts on securing confidential information by identifying PII and protected health information (PHI) and applying security software and techniques. Using file analysis, classification, and remediation (FACR) software, finding all instances of ePII and ePHI is easy, due to the unique characteristics of the data. Then various encryption tactics are applied.

Other healthcare organizations are focused on reducing runaway litigation discovery costs, and concentrate their efforts on e-discovery, by not only cutting ROT and organizing e-documents, which cuts costs and improves search capabilities, but also by leveraging newer technologies such as predictive coding to automate and drastically reduce document review and costs.

And yet other healthcare organizations focus on data governance as a strong component of their IG program. Improved data governance can improve data quality, data integrity, patient care, and outcomes. Data governance can also yield cost savings by data scrubbing, data cleansing, de-duplicating, and implementing master data management (MDM) to eliminate corrupted and duplicated data. In addition, new business insights can be gained on this cleaned data by using data analytics, business intelligence (BI), trend analysis, and other tools. These new insights can lead to increased revenue from upselling and cross-selling existing patients and customers, and finding new ones or creating new products or services.

The point is, there are multiple entry points for IG programs, and the focus of the effort depends on where the organization decides to invest resources. The focus of an IG program is often born out of the greatest pain points of risk and cost that boil up to the executive suite and demand attention. After its major breach, it can be taken for granted that Anthem Health is now investing resources in identifying and securing ePHI and other confidential and sensitive information.

But what do all IG programs have in common as their most critical factor to succeed? What absolutely must be done before the program has a chance to succeed?

It is not running FACR software to identify PHI, duplicates, and out-of-date documents, to begin broad classification of files, and to insert basic metadata tags. No; that all sounds complicated, but these are very straightforward processes. Simple software execution.

And it isn’t implementing an enterprise content management (ECM) system or enterprise file sync and share (EFSS) aimed at reducing or eliminating shared drives and implementing a holistic approach to content management. That is what the software was designed to do. It manages content. Sure, many ECM efforts have failed, but not because the software itself lacked capability; rather, poor implementation planning, training, and communications efforts have been the primary cause.

And it is not even implementing an electronic health record (EHR) system or other patient-centered digital technologies.

What all IG programs must do well to succeed, the most critical elements of all, begins with strong executive sponsorship. Without a long-term commitment to the IG program, it will fail. But what is often overlooked is what is usually referred to as “soft stuff.” Soft stuff includes such activities and tasks as leadership, executive communications, team selection and building, group dynamics, change management, program communications, and training. All are critical program management functions. These are the crucial elements that any IG program must include—and do well—to succeed.

Now consider that IG programs must be ongoing, so thought must be given to how to keep team members motivated and performing over a span of years. How will they maintain their focus for three, four, five years or more? And how will commitment to the IG program be instilled in any team replacements or additions? These are challenging tasks. They are not easy to do, which is why many IG programs will fail, leaving careers in their wake.

As a starting point, let us examine some of the considerations for determining the best executive sponsor to drive an IG program.

What is needed is to get all the varying agendas and business objectives out on the table and to assess and prioritize them according to the organization’s overall business objectives. That means nominating the most senior of the potential executive sponsors to be the executive sponsor for the IG program, with a “deputy sponsor” or “supporting sponsor” as backup.

So if there is a scenario where the General Counsel, CIO, SVP of Operations, and CFO are all on board to help drive the program, perhaps the best choice is an executive whom they all report up through. It could be the Administrator, or, say, the EVP of Risk Management. After all, risk is a key impact area for IG programs: reduce the risk that PHI is breached, reduce the risk that confidential documents or IP are breached, reduce the risk that litigation costs soar out of control and threaten the brand and viability of the organization.

Key players on the IG steering committee will have differing agendas and objectives. It is essential to harmonize and prioritize the objectives of the IG program to best serve the organization.

Anticipating Conflicts in Your IG Program

By Robert F. Smallwood

There is a lot of theory in IG. The profession has been seen as “mushy” or “amorphous” but has started to firm up as case studies flow in and principles and Best Practices evolve. There have been many failures, although IG program efforts are, in fact, getting off the ground, expanding, and showing benefits in the healthcare sector.

However, few executives and managers really grasp the level of planning and effort that is required to anticipate and overcome the inherent conflicts that will arise in all IG programs.

These conflicts are inevitable due to the cross-functional nature that is essential to IG program efforts. Think about it: the typical hierarchical organization is structured by business functions, and those at the top of the ladder in C-level positions can set objectives and drive results through their direct reports. These executives are tough people who fought their way up the ladder.

However, IG programs require that these steely C-level executives from key functional areas (including legal, IT, privacy, security, risk management, and HIM, and perhaps more depending on the organization) work together and collaborate.

Stop and think about that for a minute.

Consider the politics and competition that are a part of every organization. The CIO and CFO and General Counsel and others at that level are all competing to get that next promotion to executive VP, COO, or even CEO.

Competition at that level is fierce. IG can be a full contact sport!

So here we have the rub, the crux of the matter, the reason why many IG programs lose steam and fail.

They are sabotaged for political purposes, often slowly and covertly, by those not leading the effort, or those who have the least to gain by its success. Since there are so many moving parts to an IG program, simple dragging of feet or missing a few meetings can start to kill the effort.

Smart and successful IG practitioners will be aware of the inherent conflicts in political agendas, business objectives, and careers, and build in conflict resolution and change management tactics to their IG program strategies.

Information Governance and Brand Management: A Critical Link

By Robert F. Smallwood

Brand management is a critical impact area of IG programs. Protecting the value of an organization’s brand is of paramount importance to stockholders and stakeholders. Most healthcare organizations in the U.S. are for-profit so their brand and image matters.

During the Chipotle Mexican Grill food poisoning outbreaks of late 2015, the stock dropped over 40% in just three months. That's around $5 billion in value. That is real money. $5 billion that vanished due to the reputational damage wrought on the Chipotle brand. Damage that was caused by poor recordkeeping and a lack of good information for management to analyze: essentially a failure of IG. And the stock price never completely recovered.

So executives and marketing departments also have a stake in IG, particularly in large public companies.

Information Governance by Design: “Baking” IG into Everyday Processes

By Robert F. Smallwood

The goal of IG programs is to continuously strive to change the organizational culture and underlying business processes so that IG considerations including information security, privacy, legality, records and health information management (HIM), e-discovery readiness, and information quality are an everyday, routine part of managing information.

Leading IG practitioners call this process of infusing IG into business processes the “routinizing” of IG. Once these IG considerations become a routine part of operations—“baked in” to them, you might say—the organization will have achieved, in a sense, IG by Design.

IG by Design means that critical privacy and security considerations and requirements become a part of everyday, routine business processes, as do regulatory and legal considerations, information quality assurance, HIM requirements, and IT efficiency considerations, all focused on maximizing information value while minimizing information risks and costs. This redesign requires deep knowledge of the organization’s IG goals and strategies, and business process analysis (BPA) to redesign and streamline processes while baking in IG considerations. Then IG-enabling information technologies should be evaluated and deployed when justified and in alignment with IT strategy and business objectives. These technologies will help to monitor and enforce IG policies.

The result of IG by Design is reduced risks: lessened information risk, privacy risk, legal risk, and compliance risks while improving information value, which leads to greater profitability and viability for the business.

But it takes vision and leadership to pull off. Most organizations are far away from the IG by Design ideal. For those just starting down the path, it is best to form business objectives, recruit an executive sponsor, and draft an IG steering committee. Then draw up the overall program and select target areas where some early wins can show real results.

If large regulatory fines have been levied due to a HIPAA audit, then business processes must be re-evaluated and more employee training should be done with the business objective of reducing and eventually eliminating these fines. This process must start from the beginning with a thorough yet expedient inventorying of information assets, and, better yet, creating an Information Asset Register (IAR) to track and monitor information assets.

IG by Design as a term may be a little misleading since it implies that once the design is set, the organization has “achieved” IG. However, IG is an ongoing, “evergreen” program that evolves and expands and pushes to continuously improve.

Striving for IG by Design should be a paramount goal of any IG program. From there, with leadership, training, communications, reinforcement, solid metrics, and a prudent audit process, adjustments and improvements can continue to be made.

Veteran Advice on Getting Your IG Program Launched

By Richard P. Kessler

When first developing an IG program, corporate executives should take care to keep its initial scope narrow, carefully select the right people as its initial contributors, and create a framework that supports growth and future success.

Early “wins” are key to an IG program’s long-term survival. The first IG project must be selected with care so it can be accomplished relatively quickly while also delivering demonstrable value. For example, a proposed project that requires new technology to be rapidly developed, evaluated, approved, and implemented to realize a time-sensitive, significant, revenue-generating opportunity can provide an excellent opportunity to demonstrate the value of the IG approach. In such cases, IG can be used to facilitate a coordinated, collaborative, and parallel review by SMEs within legal, litigation, compliance, operational risk, IT, HR, regulatory, and information security, and other functions that may normally work serially, separately, or worse, at cross-purposes. An IG program can be used to create a governance structure that coordinates these different roles. This can be a great place to start if you do not have a specific, significant, and recent incident to leverage.

If you have recently had an event that challenged your organization and perhaps resulted in damaging press or a significant drop in stock price, it often can be leveraged to start an IG program. A data security breach, regulatory fine, lawsuit, or other significant loss can jumpstart an IG program. It will bring together an initial set of SMEs, and serve as an opportunity for the right leader to step in and coordinate and address the incident or resulting challenge.

An experienced executive will already know how vital a dedicated, empowered, and funded senior executive sponsor is to any program. However, a fledgling program—especially an IG program—also requires a strong, intelligent, patient, and well-spoken leader. This person should be a subject matter expert in several IG disciplines, such as records management, eDiscovery, security, and IT, and have a working knowledge of related subject areas to enable issue spotting as challenges arise. They will need to rapidly understand and resolve conflicts and differences of opinion among both contributors and governance-body members alike.

The leader must also create an environment of mutual respect, understanding, collaboration, and open communication, so that minority and dissenting opinions are welcomed and no one is afraid to speak when they see an issue for their particular discipline. Foster an environment of discussion and “give and take,” even if it means getting a bit off track from a meeting’s purpose—this will facilitate a sense of contribution and ownership that will increase the group’s effectiveness better than a rigid adherence to pre-set agendas. This same individual will then need to lead the group to a defensible and actionable decision, and create consensus for the best possible way forward. This is not easy to do, and early experiences with smaller groups will be vital so that the leader can learn from their mistakes. The process to figure out, actually “feel” out, how to manage the governance structure appropriately is an iterative one and will require patience and a willingness to adjust your approach as you go. For example, getting to a “perfect” way forward often will not be possible. A good leader will help the IG team understand that the perfect can be the enemy of the good, and that a risk-value-cost balance will often be the best achievable result.

Even with a strong leader, it is critical that the IG steering committee be composed of strong SMEs who also have the right level of authority and responsibility within the firm. In IG, it is often all about the details, and the members of the team must understand the nuances of their field. Thus, early iterations of an IG program should include a relatively small group of stakeholders who are patient with each other, have some knowledge outside their own discipline, and can communicate well. Ideally, these people should include challengers and contributors. Diversity of opinion and perspective and the resulting challenges will help the team identify the best way forward, and contributors will help map out the path to get there.

As the scope of the IG program expands and repeatable success becomes a reality, principles and strategic objectives of the program should be developed to serve as the constraints and guideposts for the IG team. Creation of IG guidelines, standards, and exception procedures is vital to resolve the conflicts that will inevitably arise. There will be times when not everyone will agree and consensus will seem unattainable; having standards and principles in place will help get and keep everyone on track.

In summary, by leveraging the right initial project or program, carefully selecting leaders and SMEs with the right mix of attributes, strong executive sponsorship, and a principled framework supporting further growth and expansion, your nascent IG program will not only get off the ground but will be poised for success and integration into every facet of your organization’s change efforts.
