Security Alert: How Federal Health Agencies Can Protect Health Data

As federal health agencies modernize to improve security and enhance efficiencies and insights, IT leaders cannot overlook the security of health data itself. Data security ensures the privacy, integrity, and availability of this valuable information, forming the bedrock of effective data modernization.

But health data is unique. Not only is it incredibly sensitive and personal, but data is constantly shared among various stakeholders in the federal health system, from doctors to researchers to public health officials, to coordinate care, support public health initiatives, advance research, and more. To ensure successful data modernization, without sacrificing the safety or security of data, federal health IT leaders must establish a framework built on three core principles: strong data governance, effective de-identification, and comprehensive protection throughout the entire data lifecycle. To successfully implement this framework, federal health IT leaders must prioritize clear and transparent communication with both internal stakeholders and the public.

Data Governance: The Foundation of Data Security
Data governance is the cornerstone of a strong data security framework, providing a clear roadmap for how health data should be handled, accessed, and secured. Establishing robust data governance ensures agencies utilize high-quality data that is accurate, complete, and reliable. As agencies modernize, governance also fosters a culture where data security is a top priority, encouraging employees to adopt secure data handling practices and report potential risks.

But what does strong data governance look like in practice? First, it needs a clear structure with well-defined roles and responsibilities. Think of a data governance council and data stewards who are in charge of creating and enforcing data policies, standards, and procedures. This framework should cover data quality management, making sure data is accurate, complete, and reliable through regular checks and improvements.

Beyond this foundation, strong data governance also requires robust measures to protect sensitive information, ensuring everything complies with privacy laws and regulations. It should also promote easy data sharing and exchange across different systems. Finally, to remain effective, data governance practices need to be regularly updated and adapted to handle new challenges and changes in the legal and regulatory landscape.

Take the National Institutes of Health (NIH), for example, which manages sensitive health data. A strong data governance framework would ensure that this data is not only securely stored and protected in compliance with all privacy regulations, but also carefully organized and curated to maximize its usability and findability for researchers.

De-identification: Safeguarding Patient Privacy
Once strong governance is in place, federal agencies can implement other best practices for securing health data, such as de-identification. De-identifying health data is crucial for protecting patient privacy. It involves removing or modifying Personally Identifiable Information (PII) like names, addresses, or social security numbers. This reduces the risk of patients being re-identified, even if the data is breached or accessed without authorization. To further enhance security, agencies can proactively scan for any residual PII that may be present in datasets, even those that have undergone de-identification.

The importance of de-identification is highlighted by the 1980s AIDS epidemic. At the time, a lack of trust in the security of health data had dire consequences. Many people did not seek medical care or disclose a possible HIV diagnosis for fear of social stigma if their health records were revealed. This lack of trust in data security hindered the public health response and fueled the spread of the disease. Modernized health data systems that prioritize de-identification can help agencies establish trust with the public, encouraging individuals to seek care and participate in research without fear of their private information being exposed. This not only promotes individual health and well-being, but also supports a more effective public health system overall.

Protection Throughout the Data Lifecycle
Even with de-identified data, it’s essential that data is protected both while it is at rest and as it moves throughout the value chain. As this data moves between stakeholders, it runs the risk of being modified or accessed inappropriately at every touchpoint, whether by third-party contractors or by more malicious actors like cybercriminals. Inappropriate access or modification of health data can lead to breaches of patient privacy – causing potential reputational or legal damage – hinder public health initiatives like disease monitoring, or undermine the validity of research findings.

To mitigate these risks, agencies can leverage advanced technologies like Zero-Knowledge Proofs (ZKP) and homomorphic encryption. ZKP enables verification of data integrity and authenticity without exposing the underlying sensitive information. Homomorphic encryption, on the other hand, allows for computations on encrypted data, ensuring its security even during processing.

In turn, protecting data throughout the value chain supports more trustworthy data sharing across health departments and agencies, ensuring data integrity and accuracy for research and analysis. To achieve this, federal health leaders should implement robust security measures at each stage of the data lifecycle.

The Importance of Communication
Establishing this data security framework will be ineffective without clearly communicating it both internally and externally. Internally, communication ensures all employees understand the importance of data security in the context of broader modernization initiatives. It helps employees proactively identify potential weaknesses or data threats and builds trust among data owners that others will utilize data safely and effectively.

Externally, communication fosters transparency and accountability, facilitates greater collaboration and partnerships with other healthcare stakeholders, and builds public trust. By prioritizing safety and security in data modernization efforts, federal health IT leaders can unlock the full potential of data-driven insights, leading to breakthroughs in research, improved patient outcomes, and a more efficient and effective healthcare system.

About Ratima Kataria

Ratima Kataria is the Chief Strategy and Growth Leader for Health Analytics, Research and Technology Line of Business at ICF. Ratima Kataria is a seasoned and effective growth leader with 26+ years of success driving business in new and emerging markets, technology transformations, building strategic partnerships, management consulting, CIO/CXO advisory, P&L management, organizational development, and providing outstanding customer service. 

Ratima is a thought leader in federal health IT, served previously both in the public and private sector including as deputy chief information officer for the Department of Health and Human Services’ Operating Division of HRSA and as a senior business development and P&L executive at large and mid-size companies such as CGI Federal and Net ESolutions (now NTT Data). She is a trusted advisor for federal executives in areas of emerging technology, data modernization, C-suite advisory, change management and management consulting. Ratima has achieved much success in disruptive digital and organizational transformations and has won multiple awards for her leadership and contributions.