Click to learn more about author Julie Furt.
Protecting your organization’s data is complex. Data privacy laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) come with stiff penalties for mishandling protected information. In 2018, Anthem paid a record $16 million to settle HIPAA violations that exposed data of nearly 79 million people. An individual mishandling HIPAA data may face criminal penalties of up to 10 years in prison for each incident. High-profile violations make big headlines, like the 2017 Equifax hack that led to the exposure of data of almost 148 million consumers. Such breaches, in addition to fines, result in loss of consumer trust and weakened brand image.
Given the risks, it isn’t surprising that security and IT strategy are increasingly linked. According to IDG, 54 percent of CIOs say that security strategy is an integral part of overall IT strategy and roadmaps, while 82 percent of CIOs expect their IT and security strategy to be more tightly integrated in the next three years. Insider threats, external threats, and regulatory obligations all pressure organizations to lock up data and throw away the key. So, how can you balance these demands but still leverage the full value of data?
1. Seek to secure all data but know it is an ongoing process
All data of value should be stored securely. This is a large undertaking that requires continual analysis and enforcement as new data is generated and new stakeholders are identified. Too often, leaders are overwhelmed by their data estate and step back from actively managing its security. Develop a strategy for the continual assessment of where your organization is in data security and management. Securing data shouldn’t be an afterthought. It should be a key component of any data estate strategy and design.
2. Track and audit data
Data lineage, or where data comes from and where it moves through the data lifecycle, is extremely important. Equally important is data auditability: who had access to what and when? How did the data change over time? Data lineage and audit tracking are the baseline information required to develop data security plans. Understanding data lineage increases the value of the data, as the data is more likely to be properly leveraged and trusted for the right uses.
3. Keep security as close to data as possible
The best way to secure data is to manage it in a secure database. Other approaches, including shared drives, fall short because they fail to provide access controls at the granular level required to protect the most sensitive elements or records within the data. In other words, securing data at the network or disk level creates an all or nothing paradigm for data access. Employ network-level security and encryption at rest at the disk level as additional security measures, but don’t stop there.
4. Enforce a uniform security model across data
Introduce, manage, and maintain a centralized data security model. Maintaining siloed security models across different applications introduces risk that data access privileges will be handled inconsistently through policy or user error. Enterprise identity management tools play a key role in centralizing the security model.
5. Manage access based on user roles and data attributes
User roles and data attributes are key elements for an effective data security strategy. It is insufficient to assume that a user’s role can be the sole factor determining whether they get access to data. For example, it may be appropriate for a direct supervisor to have access to an employee’s HR record. But what happens if that employee files a complaint against their supervisor? Any information related to the complaint must be kept from the supervisor. The organization may restrict access to the employee’s file while the complaint is being adjudicated. In this case, you need a database that supports role-based access control and attribute-based security down to the individual field or element level.
6. Minimize access to what is required for business need
The best way to prevent misuse of information is to restrict access to it except for when access is needed. Consider what roles have a real business need for each piece of sensitive information. Ensure that you implement separation of duties to protect against insider threats – those who manage the data versus those who access the data. For example, database administrators need to query databases to do their jobs. They do not need to see everything. System administrators need access to encrypted data on file systems but not to encryption keys. Nor do they need to query data. To protect against insider threats, ensure that data is managed in a secured database that is encrypted at rest on disk.
7. Remove sensitive data when possible
Access to a record should not be all or nothing. Data security strategies need technologies that support field or element-level security. For example, not every HR specialist needs access to employee social security numbers (SSN). There will be specific scenarios and roles where social security number access is required or restricted. This is also true when sharing information between organizations and systems. Consider what fields should be included in the data exchanged and limit sharing to partial records that include only required fields.
8. Consider system-based data access or system-to-system transfer
Creating and transmitting system extracts, or exports, is a high-risk way of sharing information. This is especially true when exports are created manually, as in export to Excel, and then transmitted manually, often via email. There is plenty of opportunity for the export to be sent to the wrong person or for the extract to contain information that wasn’t intended to be there. Limit access to data by making individuals log into systems to access sensitive data. If you must transfer it, do so in an automated, secure, highly tested, system-to-system transfer.
9. Mask data when fields are required but actual values are not
Depending on how data is used, the real value of sensitive fields may not be needed. Can your system-to-system transfer of data include a repeatable data masking step? For example, there may be a need to uniquely label individual health patients over time to identify new vs. ongoing disease cases. But the scenario may not require revealing the patient’s name or social security number. In that case, mask data using a repeatable process where the value is replaced masked with the same anonymized information each time.
Avoiding Data Sharing Paralysis
Data is only as valuable as your ability to leverage it effectively. Often, that means being able to share data. In today’s hyper-connected world, in which partners, suppliers, and even customers will likely want controlled access to your company’s network, securing data from the inside is just as important as securing data from the outside (perimeter security). Encryption across the network, plus security of data at rest, is a critical requirement for secure data sharing. Don’t wait for the perfect time-tested plan before starting your data security and sharing plan. Develop an internal strategy for mitigating risk around data sharing, implement it, then monitor and adjust as needs change.