By David Hoover, Chief Information Security Officer, and Elana Bertram, Senior Director, Legal & Compliance
Personal data has become a valuable commodity in the age of digitalization. Every day, millions of people around the world share their personal information online, often without fully realizing potential risks. Data breaches have become a common occurrence, and they can have serious consequences — particularly when that data contains protected health information (PHI).
Recent high-profile data breaches underline the importance of proper data privacy strategies.
Online therapy provider Cerebral shared the private health data of 3.1 million consumers with advertisers and social media platforms. Data was shared with sites like Facebook and TikTok before Cerebral self-disclosed the data breach to the U.S. Department of Health and Human Services. Shared information included names, phone numbers, IP addresses, and mental health assessment results — the second-largest breach of health data when it was first reported.
Mental health platform BetterHelp was ordered by the FTC to pay $7.8 million to patients after revealing their sensitive data to third parties. Though they denied selling patient data to third-party advertisers, they did admit to using “limited, encrypted information to optimize the effectiveness” of internal advertising campaigns.
In February, the FTC fined online pharmacy GoodRx $1.5 million for failing to notify customers of PHI disclosures.
The sale of deeply private information — often containing clinical appointment dates and treatment details — represents a significant threat. At Validic, we implement data privacy and security protocols to ensure all private information remains private.
Data privacy: Personal information should remain personal
Data privacy advocates operate on a simple principle: private information should remain private. In the healthcare industry, data privacy is particularly important because of the sensitive nature of any stored information. This information is highly personal and can be easily used to identify an individual. Once PHI is compromised, it can be used to commit medical identity theft and fraud. The same data breach can also damage a person’s reputation, cause discrimination, and create high levels of stress.
At Validic, data privacy starts at the collection stage. Our solution gathers the least amount of data necessary to inform accurate care. Programs are highly customized to collect only the information a health system needs. For example, a provider collecting information from a patient’s glucose monitor will not also receive data from their blood pressure cuff. This prevents the storage of excess data and keeps clinicians responsible only for the data they actively interpret.
Keeping data limited and de-identified
Validic also limits information sourced from each data point. For example, our solution will identify only a patient’s area (country) when identifying their location for time zone purposes. This additional layer of protection keeps patients’ exact locations private.
Patient de-identification (removing personal identifiers from healthcare data to protect patients’ privacy) is an absolute must for health technology organizations that deal with patient data. At Validic, we make sure that the keys to re-identify that data are not in our hands. We receive client-generated user IDs – IDs that keep patient data separate during the exchange from patient to provider. We help facilitate that exchange, without ever seeing the patient behind the process.
This extra step isn’t standard across the health technology industry, but it’s an important one. It helps Validic accommodate HIPAA’s Safe Harbor standards and uphold the highest possible standards for data privacy during all stages of the data collection and analysis process.
Data security: Vigilance in protecting patient confidentiality
Health organizations, providers, and individual patients trust Validic to keep their data secure. In the face of cyber threats, ransomware, and other challenges to data security, transparency remains a large priority. Patients deserve to know when their data is collected and how it’s used. Providers deserve insight into the way Validic keeps patient data safe from external vulnerabilities.
As a best practice, data security should be an initiative — not a reaction. Validic adopts a “defense-in-depth” approach to data security. This is an information security strategy that creates multiple protective barriers around our solution and the data that passes through it.
Defense-in-depth typically involves the following layers:
- Multi-factor authentication (MFA) — Users must provide multiple forms of authentication before they can access the Validic system. MFA can combine a password, biometric identifier, particular device, or other forms of verification.
- Role-based access control (RBAC) — Data access is limited only to the person or persons who require it.
- Industry-grade encryption — Algorithms and other secure management practices that protect sensitive data, in transit and at rest, from unauthorized or unexpected access.
Each of these protective layers represent portions of an optimal security strategy, and help to further secure patient information, even before providers analyze it.
Vigilance is key in safeguarding digital patient data. As an illustrative example, the Privacy Shield once helped to regulate data transfers between Europe and the United States. This statute helped to limit the collection of personal data, uphold transparency standards in data usage, and create accountability for all parties responsible for analyzing that data.
Once the Privacy Shield was dissolved in July 2020, organizations like Validic had to find new ways to protect personal data during the data exchange process. Like many organizations, Validic engineered additional security standards to address new vulnerabilities the Privacy Shield could no longer protect against.
Proactive vulnerability response
Security vulnerabilities are ever-changing. They take new forms and represent new challenges to organizations like Validic, working hard to keep patient data safe.
To appropriately respond to emerging data security threats, Validic implements a proactive vulnerability response process:
- Notification — News channels or internal industry sources indicate the emergence of a new vulnerability.
- Research — Validic engineers explore the specifics of the vulnerability to assess its specifics and identify a potential path forward.
- Vulnerability assessment — A comprehensive audit helps to identify the threat level that a particular vulnerability might pose.
- Resolution — Patches are implemented that neutralize the vulnerability and prevent any re-emergence.
Validic has learned to adopt a timeline-less approach to vulnerability response. Where many members of the industry might create a roadmap to patch a vulnerability, our solutions team operates with an “ASAP mentality.” This means that patches are implemented as quickly as possible, without compromising the current solution. All patches are tested in a development environment before they are rolled out. Validic solutions engineers always test patches with “dummy” data; no actual patient data is ever used to test a vulnerability patch.
Organizations like Validic should lead with data security. We work hard to make patients and providers comfortable with the solutions we provide — from data collection to improved patient outcomes.
Stay updated with Validic in 2023 by following us on Twitter and LinkedIn.
View More >