New Guidance, Processes for De-Identifying Healthcare Data

HITRUST, a healthcare industry stakeholder coalition to improve cybersecurity, has created a De-Identification Framework, offering guidance, standards and controls to better understand the processes of de-identifying data.

This includes clarifying what qualifies as de-identified data and promoting consistency in how such data is created and used. The De-Identification Framework maps to HITRUST’s existing Common Security Framework, a set of best practices used to assess an organization’s cybersecurity preparedness. The new framework includes:

*Defined levels of anonymization, with recommended use cases for each level, such as end-to-end testing of automated workflows and data mining for clinical research;

*Defined criteria for evaluating de-identification methodologies, estimating re-identification likelihood, and certifying expertise in those methodologies;

*Mappings of de-identified data to the Common Security Framework, so that a de-identification process can be analyzed for compliance with existing risk controls and regulations; and

*Technical control standards for mitigating the risk associated with the use, storage and maintenance of de-identified data. “These controls will create a baseline security framework for de-identified data and will include controls to mitigate re-identification risks,” according to HITRUST.

Data can be partially or fully de-identified, and the HIPAA standard for de-identification of data is a low risk of re-identification, says Kirk Nahra, a partner and privacy/information security specialist at the Wiley Rein law firm in Washington, D.C. Following the De-Identification Framework aids in analyzing which data elements are removed, who has access to the data and how it is being used, as part of an overall look at the risk to the data and whether it is subject to the appropriate privacy and security regulations.

In short, there has been confusion about how legal rules apply to the use of de-identified data, adds Nahra, who provided advisory services during development of the new framework. “This is an effort to get everyone on the same page; to put rules in terms people understand and to get people to think of the issues in the same way.”

HITRUST will host a web seminar on the framework on March 24, at which time the framework will be available for download.

Other services from the organization include free monthly cyber threat briefings in partnership with the Department of Health and Human Services; benevolent hacking, in which real but harmless attacks are launched against a participating organization to assess how well it recognizes and responds to them; Cyber Threat XChange, an automated service to collect, analyze and share threat data; and CyberVision software, which helps assess threats in an organization’s particular environment to find the one or two percent that are most dangerous.