
Building a Data Governance Team with an Eye on Information Security

December 12, 2014
Tips for creating a ‘culture of data awareness’ from a data security expert

At a time when vast amounts of data are improving the quality of care in remarkable ways, the provider organizations that are charged with obtaining, storing and exchanging that data are facing a very high bar when it comes to keeping that data secure. For that to happen, an effective data governance program is crucial.

That was the topic of a webinar, “Information Security Perspectives of Data Governance,” which was presented yesterday by the Institute for Health Technology Transformation. During the informative session (which was sponsored by Netrix), Mary Potter, information security officer at the Roanoke, Va.-based Carilion Clinic, gave her advice to provider organizations on creating what she termed a “culture of data awareness,” and a data governance structure.

Potter noted that information is essential to supporting good patient care, operational effectiveness and cost reduction, but that holding data in itself also creates a level of risk for the organization.

Historically, she said, there has been a perception that data should be available any time, anywhere. There needs to be recognition that provider organizations must maintain control of data, which is essential to the care of the patient, she said.

She noted that provider organizations today have access to vast amounts of data, from personally identifiable information and personal health information to corporate information, intellectual property and research data. Those data come from a variety of internal and external sources: electronic health records, claims data, accounting, human resources, medical devices and cloud computing applications.

Maintaining control of that data is a challenge, but is crucial. Data governance must move from concept to concrete reality, she said. To drive home her point, she noted that in August, Community Health Systems, which operates 207 hospitals in 29 states, announced a data breach involving 4.5 million patient records. Class action lawsuits began to be filed in October, and the health system faces an estimated $150 million in losses.

Part of the move to establishing a data governance mindset is communication. At Carilion, Potter has worked with the CMIO and the Information Security Group to prepare a white paper that was presented to all upper management to inform them about the Community Health Systems incident, the possibility of Carilion facing a breach of that magnitude, and what to do about it, she said.

“The information about the data that we hold and the data that we protect has to be discussed at the highest level,” she said. “We have to be able to frame that to upper management in a way they can understand from a healthcare perspective.”

Potter noted that vast amounts of electronic health information, protected health information in all forms, employee information and corporate and intellectual property information are all part of what makes a healthcare system successful. A new data governance program probably will not be able to handle all of those data successfully at once, she said.

Electronic protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and meaningful use is a good place to start in assessing risk, she said. Those regulations require risk assessments that involve identifying information, where it is and who has access to it. “Start with what you’ve already done and move forward,” she said.

Regardless of the scope of the data governance project, Potter advised being practical, and staying within the limits of the time and resources available. She also advised seeking outside help. She advised being goal-driven and keeping the initial start to a data governance program simple.

One of the biggest pieces of data governance, especially from the point of view of data security, is having the right people deciding what the risks are, what data is going to be collected, where it will be stored, who is going to use it, and how and with whom it will be shared, she said. An informatics group can establish how easy it is to get at the data and the costs associated with reporting, storing and sharing it. The health information management team knows where the information is kept and understands where it is going. Nursing and physician leaders know how data is used, and can help gauge when the risk of sharing the data is less than the risk of not sharing it.

What should be the priorities of a data governance structure? Potter had some suggestions (based on information from the American Health Information Management Association). Each has information security concerns that need to be addressed, she said. Among them:

  • Accountability—who has access to the data, where the data is going and where it has been, and who has the ability to modify the data.
  • Integrity—having good controls and good segregation of duties.
  • Protection of data—part of the risk assessment, but also covering encryption and a secure and known mechanism to send data.
  • Compliance—meeting regulatory requirements of HIPAA, meaningful use and accountable care.
  • Availability—covering stationary assets, mobile assets and assets in the cloud.
  • Retention—how long data has to be maintained for compliance purposes, but also disposing of data safely when it is no longer useful.

One of the first steps in establishing a data governance program is knowing where data exists, Potter said. That’s not always obvious: it could be in the form of spreadsheets, paper records, email, images or videos. An added wrinkle is the cloud, which she said is not always a mature space and not always secure. “Getting players to play by HIPAA rules is not always easy,” she said.