Health Data Management 2018 New capabilities, new expectations a tonic for good health Do you need to update your approach? 9 November 2018 Gil Carter @gilcarter
Data Breaches Mandatory Reporting This is not the problem 13 November 2018 Slide 2
Detail in the data breach numbers
245 Data Breaches from Jul – Sep 2018
Types: 15 System Faults; 91 Human Errors; 140 Malicious or Criminal Attacks
Overall Top 5 Sectors: 45 Health services; 35 Finance; 34 Legal; 13 Personal; 16 Education; 102 “other”
Breakdown: 25 Human Errors; 19 Malicious; 1 System Fault
[Chart: number of breaches by cause, with categories including no BCC in email, loss or theft of paperwork or data storage device, personal info sent to wrong email / fax / mail / (other) recipient, rogue employee, social engineering, release or publish, verbal, hacking, malware, ransomware, phishing, cyber incident and unauthorised disclosure]
13 November 2018 Slide 3
Specifics in health
[Chart: number of health-sector breaches by cause, with categories including no BCC in email, loss or theft of paperwork or data storage device, personal info sent to wrong email / fax / mail / (other) recipient, rogue employee, social engineering, release or publish, verbal, hacking, malware, ransomware, phishing, cyber incident and unauthorised disclosure]
13 November 2018 Slide 4
How many people affected? 13 November 2018 Slide 5
What was lost? 13 November 2018 Slide 6
This is a real issue 13 November 2018 Slide 7
There are lots of them via https://www.healthcareitnews.com/ 13 November 2018 Slide 8
Common Problems 13 November 2018 Slide 9
Privacy and Consent • Health organisations must adhere to legislative requirements for information privacy • There are three elements to the core management of privacy: privacy policy from organisation; data collection statement; informed consent for data usage • Why do we still have these? 13 November 2018 Slide 10
ICT is the ‘ministry of no’ “Oh f#%k” 13 November 2018 Slide 11 Ref: Simon Wardley https://blog.gardeviance.org/2012/07/adoption-cycles.html
Modern ICT thinking looks like this https://public.digital/2018/10/12/internet-era-ways-of-working/ 13 November 2018 Slide 12
Password Management What does “good” look like? • Easily guessed • He can remember it! • Now known by everyone 13 November 2018 Slide 13
Passwords Common tools • Use a password manager • KeePass • 1Password • Web browser • Buy a single sign-on system 13 November 2018 Slide 14
Email Phishing – still popular! 13 November 2018 Slide 15
Email Phishing fixes • Staff training • Use a mail filtering service • Footers for suspicious content • Geofencing for logins (avoid the Nigerian princes!) • Regular dogfooding: ICT group sends fake messages to staff, with rewards for reporting as spam / phishing 13 November 2018 Slide 16
Using email as a filing system • Very common to keep sensitive information in email: resumes for job applicants; information about providers; referrals for other services • Some problems: email account hacked = data breach; retention of personal information such as resumes; management after person leaves? 13 November 2018 Slide 17
Fax machines! • Information is potentially insecure • Lost pages on receiving end • Data quality: all pages received? Readable? Fax number correct? 13 November 2018 Slide 18
Fax is hard to stop… 13 November 2018 Slide 19
Here is the challenge • Anyone can use one • Simple, reliable, accurate • Secure (providing access to machine limited) • Works from remote sites • Not affected by ISP outages • Life is harder without them 13 November 2018 Slide 20
Fixing the fax (a small soliloquy) 13 November 2018 Slide 21
Fixing the fax (a small soliloquy) [Diagram: Secure Messaging Client, Secure Message Inbox, Secure Message Inbox] • Backward compatible • Forward compatible • Simplistic installation • Low cost • Invisible management of old tech! • Bundle with SMD services 13 November 2018 Slide 22
Shared network drives • Shared drive used as dumping ground • Limited governance of content and structure • Difficult to maintain between staff • Traceability of client data (“is this everything?”) • Timeline of changes (“is this the current version?” “Who changed this?”) • Retention / disposal of data • Too much kept • Nothing deleted • How to align with policy or programme? 13 November 2018 Slide 23
Limited traceability for data “Find everything we hold on a person!” Could we do it? FOI request / privacy request responses Can we see data about information collected? Are there any secondary uses permitted? Can we tell when to seek consent again? 13 November 2018 Slide 24
Handling Information Lifecycle How to connect data assets to the programme used to create them? Can we tell what is owned by which programme? Can we share patient data between systems? When do we have to seek consent? When can we delete? What can we share outside our organisation? 13 November 2018 Slide 25
Staff changes Key staff member leaves Email archive / network drive / sharepoint site Use of direct email rather than job role Update of contact details Are these processes codified in a data management model? 13 November 2018 Slide 26
Supplier challenges Health often relies on external providers to deliver services Interoperability of data? Sharing of data via secure messaging? Use of email or fax? How to reject suppliers who fall short? 13 November 2018 Slide 27
Self Assessment Time… 13 November 2018 Slide 28
Look at systems in your organisation [Diagram: Health Organisation, showing Enabling Business Functions, Clinical Programmes, Information Security, Governance / Risk, Information Management, Applications Environment and Technology Platform, with a vertical slice and a horizontal slice marked] 13 November 2018 Slide 29
Eight key areas in data governance Choose two scenarios of your own to look at: A vertical business application (eg. A mental health support programme) A horizontal business capability (eg. business CRM system, used across multiple programmes) Twenty minutes to work on both. Work singly, in pairs, or as a table. Map out information scorecard on areas for concern 13 November 2018 Slide 30
Eight key areas in data governance • Governance • Acquisition & Storage • Quality • Processing & Analysis • Reporting / Sharing / Publication • Metadata Management • People / Process / Technology • Lifecycle Management 13 November 2018 Slide 31
A range of capability levels Ref: Gartner 13 November 2018 Slide 32
Build a matrix to guide forward path
Columns (Data Management Capability levels): Level 1 Basic; Level 2 Opportunistic; Level 3 Systematic; Level 4 Differentiating; Level 5 Transforming
Rows: Governance (marked “Where we are now” and “Where we need to be”); Acquisition & Storage; Quality; Processing & Analysis; Reporting / Sharing / Publication; Metadata Management; People / Process / Technology; Lifecycle Management
13 November 2018 Slide 33
More detail in data management domains
Governance: Responsibility for policies and procedures; Authority for work in data sets; Approvals within business; Work with external stakeholders; Role of Data Stewards; Monitor implementation of policies; Role of Data Working Group; Role of Data Custodians; Role of Data Users
Acquisition & Storage: Privacy and consent management; Structured data (eg. Databases); Semi-structured data (eg. Spreadsheets); Published data (eg. websites); Non-structured data (eg. Email / docs); Prioritisation of data (local / region / natl); Data connection & source integration; Process documentation; Deletion of unwanted data; Security Policy
Data Quality: Accessibility; Accuracy; Coherence; Interpretability; Relevance; Timeliness; Data Quality Model; Organisational Environment; Data Quality Ownership; Commitment to Improvement
13 November 2018 Slide 34
Data management domains (cont.)
Processing & Analysis: Recording Use of Analysis Methods Metadata Processing Data Recorded
Reporting / Sharing / Publication: Personal data sharing in accordance with privacy policy; Use of data for government reporting; Release of data in public reports; Release of data for public use; Freedom of Information
Metadata Management: Metadata standards (eg ISO 11179); Recording of metadata; Business Metadata; Technical Metadata; Operations Metadata
People / Process / Technology: Data analyst role definitions and support; Data management framework; Data management platform; Data management agreements
Lifecycle Management: Data creation; Data storage; Data use; Data maintenance; Data disposal
13 November 2018 Slide 35
Group Discussion Present key insights by table Common themes noted on whiteboard Ask questions from audience to experts in residence Forward paths discussed Do nothing Do yourself (cheap, risky, analysis bias) External review (cost, lower risk, more critical) 13 November 2018 Slide 36
Thank you Gil Carter – 0433 299 828 gil.carter@voronoi.com.au @gilcarter