
What Can a Data Classification Program do for Healthcare Companies?


What is Data Classification?

As healthcare companies work toward becoming HIPAA compliant, one obstacle many encounter is how to treat and handle the many types of data used each day. Because healthcare companies, whether a hospital, PPO, physicians group, or processing center, handle a large amount of personally identifiable information, methods that ensure this information is treated properly can substantially reduce your risk exposure. A large majority of corporations report that the primary threat to the security of their information assets comes from internal employees, and much of that threat stems from a lack of procedures around data handling.

One way to reduce this risk exposure is with a data classification program. A data classification program looks at the different types of data an organization handles, classifies each type based on its sensitivity, and establishes procedures to make sure each type is treated properly. The big-picture rationale of a data classification program is to reduce risk and bring enterprise-wide consistency to data handling. It is also important to understand that data classification is a non-technical, common-sense approach to risk management.

How Can Data Classification Help Healthcare Organizations?

Although most healthcare-related companies understand the importance of safeguarding the information they possess, an exact and consistent method for protecting that information across the company is usually non-existent or not widely implemented. During interviews Itillious conducted with various healthcare business professionals, one observation was clear: all participants viewed the data they encounter every day as very sensitive. People in the healthcare community inherently understand the sensitivity of patient information, which makes the industry unique. With that awareness already established, data classification programs are usually easier to implement in healthcare companies than in other industries, such as manufacturing.

The one downside, however, is that this view makes it easy to treat all information within a healthcare company as having the same sensitivity. If all information were considered sensitive, wouldn't everything be handled in a secure manner? Not usually. When all information is considered equally sensitive, handling measures tend to relax: we have found that daily handling of the same types of information forms less secure data handling habits. Precise procedures on what to do with each kind of data are therefore important to ensure the information is properly protected. Data classification programs in healthcare companies separate the different sensitivity levels and tie handling measures to each, which helps keep an aware and cautious sense of data handling across the organization.

To be clear, this is not to say that all information within a healthcare company should be considered very sensitive and protected in the same manner. There are always different levels of sensitivity spread across a healthcare organization, and the less obvious ones are easily overlooked because they are not understood as readily as personal health information. It depends on the organization, but one noteworthy subset of highly sensitive data in healthcare organizations is proprietary company information. Ranging from rate information to certain internal reports, these pieces of data could give competitors valuable insight into how to get the upper hand in the next quarter.

Is Data Classification Just for Electronic Information?

Although most people focus on the IT aspect of information security, data classification extends to every point of data handling. Many healthcare companies are now scanning documents to better handle the growing number of patient records, insurance claims, detailed reports, and rate contracts. However, there are still many issues outside of IT security to consider when safeguarding your data. In a number of situations, Itillious has observed that it would be easier to obtain patient-identifiable or company proprietary information by simply going to the physical location of the data than by trying to access those same records electronically.

What Does a Data Classification Program Include?

There are three basic phases to developing a data classification program.

  • Baseline
  • Classification and guideline development
  • Implementation

A data classification program differs from company to company, but for the most part there are several key deliverables. The first phase produces a report on how your organization currently views data classification and how different internal classifications are currently used. For instance, one department may use the term "Classified" where another department uses the term "Restricted." It is important to discover these existing labels and protection measures so the new program can be implemented smoothly on top of them. The first phase also establishes a baseline of perceived threats and current protection measures.

The second phase of a data classification program provides the majority of the "classification" work. Different pieces of data with varying degrees of sensitivity are placed into a matrix under the appropriate classification. Depending on the sensitivity of the information and the risk associated with it, each piece is assigned to one of three or four classifications. The matrix not only classifies the information, it also lists the handling procedures for each classification. For example, if you have to fax a piece of information classified as "Highly Confidential," you may have to call the recipient first so the document is not left unattended at the receiving fax machine. Procedures like this one, although very simple and easy to perform, fill the gaps where your organization may have weaknesses or inconsistencies in information protection.

The final phase of data classification is the most significant for a successful implementation: training. Many companies have data classification programs with detailed procedures outlining exactly what to do with certain pieces of information. However, because these documents usually sit in hardcopy form that no one wants to read, the program never really gets off the ground, resulting in a good deal of wasted time and effort. Depending on the organization, some methods of training work better than others; some organizations already have a significant training infrastructure, whether web-based or instructor-led. Whatever the method, it is critical to conduct mandatory training courses for all members of the organization.

Conclusion

Overall, a data classification program is a fairly simple way to help healthcare companies become and remain HIPAA compliant and to reduce the risk of sensitive information getting into the wrong hands. Companies, especially in the healthcare industry, have a difficult time looking to simple, non-technical solutions for initiatives such as information protection. However, as you can see, a common-sense approach to handling not only electronic documents but hardcopy documents as well can be implemented in a relatively short period of time, with a rather high rate of return when compared to expensive technical solutions.



©2001-2003 by Itillious, Inc. All Rights Reserved.