WHITE PAPER. Balancing Access to Information While Preserving Privacy, Security and Governance in the Era of Big Data.

Transcription

1 WHITE PAPER Balancing Access to Information While Preserving Privacy, Security and Governance in the Era of Big Data. EXECUTIVE SUMMARY This white paper explores the critical role that privacy, security and governance play in ensuring appropriate access to information in the age of Big Data. Table of Contents Executive Summary 1 Big Data is a technology that has been used extensively for about 10 to 15 years by Google, Netflix and major social media applications. With the ability to economically scale to handle vast datasets, Big Data lets companies easily aggregate varied and diverse data sources quickly, providing them with the ability to innovate and rapidly respond to changing business requirements. However, until now, Big Data has suffered from weak privacy, security and governance controls, essentially preventing certain organizations - namely those in healthcare, the public sector and large corporate enterprises - from realizing the other competitive benefits that come from Big Data. There are now innovative technology providers who are addressing the very real challenges of privacy, security and governance in such a way that organizations can effectively mine and analyse their data for insight, while still protecting an individual s privacy rights. Privacy deals with who is authorized to access certain information. Security provides the technical methods to safeguard private information from unauthorized persons, while governance covers the stewardship and enforcement of roles, and the checks and balances to support the business needs. It is critical to adopt a new technology architecture that strikes the balance between privacy, security and governance while still ensuring appropriate and necessary access to information. With the new architecture in place, organizations will be able to roll out innovative services ranging from population health management to business intelligence to Open Data information sharing. Introduction The Role of Big Data 2 Unlocking Data to Drive Innovation and Competitiveness Integrating Big Data in your Privacy, Security and Governance Strategy Privacy 3 Privacy by Design Sophisticated Access Controls that Scale Identity Management De-Identification and Redaction On-Demand Security Security at Rest Security in Flight Governance Audit logs Data Immutability Version Control Rollback Data Verification Retention Policy Data Validation Data Veracity Separation of Roles About PHEMI About PHEMI Central About PHEMI Dictionary of Terms References 10 1

2 INTRODUCTION The average cost of a healthcare data breach is estimated to exceed $3.5 million, cumulating in a potential cost to the healthcare industry alone of as much as $5.6 billion dollars annually. The impact to corporate reputation, fines, lost business and senior executive careers has been felt across industries. The average cost to a company for a data breach was $3.5 million in US dollars and 15 percent more than what it cost last year. 1 It is well understood that a majority of breaches can be traced back to improper employee handling of data, highlighting the importance of proper data governance and privacy controls that go beyond traditional perimeterbased firewall and security infrastructure. Privacy, security and governance each play an integral role in ensuring appropriate access to information. Too much control can dramatically limit business competitiveness and profits as information protection stifles efficiency and adds unnecessary cost. It can also mean that patients die with their privacy intact largely because doctors can t access the right information at the right time. Too little control means that personal and other private information can be compromised, costing businesses millions of dollars in fines, damaging personal and corporate reputations, with a subsequent loss of business and trust. A new approach is required - one that embeds privacy, governance and security - into the core of the data warehouse technology. The approach must allow the data to be mined for knowledge and insight, while simultaneously ensuring the data is used only for permitted purposes - guaranteeing that an individual s privacy remains intact. THE ROLE OF BIG DATA Invented over 10 years ago by Google and Yahoo, Big Data has quickly evolved to become a cornerstone technology for internet companies. Today, Big Data is commonly used by hundreds of millions of consumers daily whenever they visit Google, Netflix, Amazon, ebay or a social media website. The business case for adopting Big Data tools is well established and compelling. 60% potential increase in retailer s operating margins possible with Big Data 2 $300 billion potential annual value to US healthcare 2 Manufacturing industries - up to a 50% decrease in product development and assembly costs 2 Big Data and successful analytics credited as a key differentiator in the US 2012 presidential election campaign 3 Unlocking Data to Drive Innovation and Competitiveness Big Data 4 is widely credited for three core attributes that distinguish it from the traditional relational database approach: 1. Big Data is proven to economically scale from Terabytes to hundreds of Petabytes at a third the cost of a relational enterprise data warehouse. 2. Big Data is able to quickly aggregate a variety of information from relational databases to unstructured documents such as Microsoft Word, 2

3 PDF, text, images, or telemetry - all without requiring complex schema changes. 3. Big Data gives organizations the agility to quickly innovate, develop new applications to mine the data, and rapidly respond to changing business requirements. However, with its roots in the internet and social media sector, Big Data has long-suffered from weak privacy, security and governance capabilities. Consequently, public sector, healhcare and large enterprises have been relegated to observers, experimenting with and piloting this promising new technology. Integrating Big Data in your Privacy, Security and Governance Strategy The evolution of computing services has been driven by an ever increasing volume of information that is now available in the digital economy. Government and the private sector are focusing on harvesting this data to provide better, quicker and more valuable services to citizens and customers. Within the datadriven economy, challenges arise with respect to potential security and privacy breaches because of the volume and variety of data types. Conversely, the value held within the data cannot be realized without access. Privacy, security and governance used to be the purview of applications to stand guard and protect the data. However, initiatives like Privacy by Design (explored in more detail later) are actively engaging Big Data and policy management in the uniform enforcement of privacy, security and governance across an organization. PRIVACY Privacy deals with the rights of an individual to control when, how and to what degree personal and private information is visible for use. Managing what constitutes appropriate use of information at a fine-grained level, across a large data warehouse, can be an enormous challenge fraught with serious consequences if not structured and administered properly from the outset. This problem is particularly evident when considering Personally Identifiable Information (PII) or other information classified as private or sensitive within documents or databases - information that may span multiple data sources, data owners or data sharing agreements. Although Privacy Impact Assessments may document policies, procedures and risks, a technical solution must play a role in managing and enforcing policy adherence. Privacy by Design To address these challenges, a Privacy by Design 5 framework has been defined and recognized as the global privacy standard in a landmark resolution by the International Conference of Data Protection and Privacy Commissioners in Jerusalem. Since then, the 7 Foundational Principles of PbD have been translated in over 30 official languages. Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must become an organization s default mode of operation. 3

4 Privacy by Design at PHEMI Whereas many systems view privacy and security as an afterthought, PHEMI Central was designed from the ground up to incorporate the 7 Foundational Principles of Privacy by Design: 1. PROACTIVE NOT REACTIVE; PREVENTATIVE NOT REMEDIAL PHEMI Central contains a sophisticated Governance Policy Manager that data stewards use to define what data may be stored, how it may be manipulated, and who is allowed to read the data. Permitted personal information can only be collected in the PHEMI system if enabled by the Governance Policy Manager. The data steward creates all policies for user access to the system and datasets. A policy enforcement layer in the PHEMI architecture enforces strict policy rules. 2. PRIVACY AS THE DEFAULT SETTING Data can only be stored in PHEMI Central once the data steward establishes a privacy policy. Furthermore, the system default prevents anyone, other than the data owner, to access the data. The data steward can relax these defaults to allow specific users and roles to access virtual databases within the Big Data Warehouse. The PHEMI solution was designed on the foundation that privacy policies determine what data can be accessed through the de-identification/anonymization processes defined by the Governance Policy Manager. Policies include fine-grained write-only, read-only and read/write permissions. 3. PRIVACY EMBEDDED INTO DESIGN As PHEMI Central ingests data, it converts it into a digital asset comprised of the data itself plus metadata a wrapper that embeds privacy/governance rules, policies and semantics for the digital asset being gathered and stored. A policy enforcement engine ensures that all users have the appropriate access privileges throughout the Big Data Warehouse. Users can only view digital assets if they have been granted access in a policy established by the data steward using the Governance Policy Manager. Fine-grained policies enforce deidentification of information. 4. FULL FUNCTIONALITY POSITIVE SUM, NOT ZERO SUM PHEMI believes an individual s privacy rights can co-exist with an organization s legitimate interests and objectives based on an individual s consent. PHEMI s ground-up approach to privacy works symbiotically with clinician needs for complex data analysis. PHEMI s treatment of data as digital assets means that healthcare data can be enriched and analyzed for meaningful statistics and patterns, with privacy enforcement underpinning the process. No complicated overhead or tradeoff is needed for policy enforcement because users only interact with approved data that has passed through the Governance Policy Manager. 5. END-TO-END SECURITY FULL LIFECYCLE PROTECTION PHEMI brings lifecycle privacy to Big Data. All digital assets are immutable and only accessible through the PHEMI Governance Policy Manager. Our metadata tagging enables automatic data retention enforcement, access controls and compliance management. For example, if a digital asset has metadata indicating that the asset must be held for ten years, then the data will be automatically deleted on the tenth anniversary. Furthermore, all assets are version controlled so the data steward can review and recover any changes. Additionally, the audit and logging system in PHEMI Central uses the same digital asset approach to store and manage log files, ensuring that logs are also immutable and only accessible to specific administrative roles. 6. VISIBILITY AND TRANSPARENCY KEEP IT OPEN PHEMI s privacy policy implementation is transparent and accessible to data stewards. De-identification and anonymization process rules can also be easily provided to individuals and organizations. PHEMI produces detailed audit logs to verify privacy policy enforcement. 7. RESPECT FOR USER PRIVACY KEEP IT USER-CENTRIC PHEMI recognizes an individual s paramount right to privacy and our technology core reflects this. With default privacy settings and a sophisticated governance and policy management approach, we ensure an individual s privacy remains intact. Yet our unique implementation also enables clinicians and researchers access to a rich dataset of healthcare information for pioneer medical innovation and research based on patient consent. 4

5 Sophisticated Access Controls that Scale The traditional role-based access control model, consisting of users/roles/ privileges, has been the mainstay of access control for decades. However, as the number of users and datasets grow, the variety of privacy policies governing the appropriate use of information can quickly become overwhelming and the risk of a data breach increases. A Big Data warehouse needs to seamlessly migrate from simple role-based access to a more scalable and versatile attribute-based access control. A scalable access control system should be able to leverage metadata to describe the attributes of a user and the attributes of the content. These access control rules also need to cover data processing functions and MapReduce jobs. Modern access control capabilities can then simply enforce arbitrarily simple or elaborate access control rules, marrying user and content metadata attributes. As an example, the Affordable Care Act and Accountable Care Organizations stretch across the continuum of care and are quickly pushing the limits of rolebased access controls. For example, cardiologists who practice in the General Hospital Electrophysiology clinic are allowed to view a person s preliminary and final ECG while they are on the hospital network. Other physicians are not allowed to see the preliminary reports - only the final interpretation. Researchers, however, are only allowed to see a de-identified/redacted version of the patient s interpreted ECG. And no-one is permitted to see the ECG outside of the General Hospital network. This complexity can only be managed through attribute-based access controls. Standards such as XACML provide a flexible and dynamic access control policy framework. Identity Management Traditional identity management and security technologies create a protective wall around data sources and applications. Security zones, firewalls and identity and access management (IDAM) systems govern coarse grain-access to resources and services, including authenticating users to ensure (with a certain level of assurance) that the user is who they purport to be. These security and IDAM systems have focused on service level access management, which enforces policies at this coarse grain level to the service but not the fine-grained content itself. There is an implied trust between the access management service and the data objects and without some form of entitlements management solution, that trust becomes a key point of fragility within the system. In transactional systems, this works because it is often a push to a system consuming the transaction and that system has the ability to accept or reject the request/message based on their own policies. Although there still needs to be security and access management services, the risk factor is different than that of data/information based systems where data mining and the extraction of data has different privacy implications. In the event that a transactional system is being used for querying or updates of personal identifiable information (PII), all the same rules are true and it would mean that the system providing the data would need to provide fine grain access control as well. This would imply that user identity information is embedded within the transactional messages. Traditional IDAM service level access control creates a number of issues in an environment with sensitive data: Does not provide the full solution that is often required to meet regulatory and legal compliance. IDAM and security systems are a add-on that are outside of the core system thus they do not meet PdB requirements 5

6 Programers often embed code to enable fine-grain access control, providing less scalability IDAM provides the front gate authorization but does not provide entitlement management to the actual digital assets within the system Often a network based trust model is set up between systems with all queries going through a single user within the data source system Auditing for compliance is much more difficult without the ability to track access controls at the digital asset level. PHEMI Central is a Big Data platform that enables a PbD framework and unlocks the potential for fine-grained access control and policy management for individual digital assets. Through the governance management capability, a data steward can impose policies on digital assets that are then enforced through the PHEMI Policy Enforcement engine. Access control can be provided to the element level within the meta data or derived data extracted right from the digital assets themselves. The ability to anonymize or mask some data elements elements and expose those that the user or system is entitled to provides a very high degree of assurance that the right information is being delivered to the right person, at the right time for the right reason. With PHEMI Central, the power to manage risk is given to the data steward directly and is not being passed on to programmers or trusted system interfaces that are susceptible to privacy breaches. A much richer set of data is available, along with a much more powerful policy management system that is compliant with Privacy by Design principles. De-Identification and Redaction On-Demand An important part of any privacy strategy is the ability to de-identify personal information. This includes the ability to disallow the sharing of personally identifiable information by masking the information, or redacting an image or using more sophisticated data dependency algorithms to reduce the risk of re-identification. Based on specific policy rules, the de-identification process should be able to be enforced on-demand when the data is read, to reduce data sprawl and the risk of data consistency errors. SECURITY Whereas privacy rules describe who is allowed to see what, when and how, security describes the technical methods by which privacy and access are safeguarded. Relational database installations, like first-generation Big Data solutions, rely on a trusted relationship between the data repository and the application. As more and more personally identifiable information is aggregated, the consequences of a data breach increase, driving the need for a more robust security strategy. A Big Data Warehouse should embrace multiple layers of security. Security at Rest A Big Data warehouse should be able to encrypt data at rest within the data repository. For performance reasons, it is usually unnecessary to encrypt all data. Instead, encryption of only personally identifiable information is advised. 6

7 Security in Flight All communications between data sources, data consumers and the Big Data warehouse should be encrypted using either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol with 256 bit encryption. GOVERNANCE According to the American Health Information Management Association (AHIMA), only 11% of healthcare organizations consider their information governance program as mature. 6 An effective IT governance strategy defines and enforces user roles with appropriate checks and balances to ensure appropriate behavior throughout the data lifecycle (creation, storage, use, archiving and retiring of information). An effective IT governance strategy should include the following key capabilities. Audit logs A Big Data Warehouse must maintain complete audit logs of system and user operations including account creation/modification/deletion; policy creation/ modification/deletion; dataset creation/modification/deletion, etc. These log files must be completely tamper-proof for all users. However, approved users should be able to filter log files and export the information for downstream analysis. Data Immutability Unlike typical relational database systems that only protect certain columns (keys), an effective Big Data Warehouse should store all data in a write-only data system that is never modified and data can only be deleted at a pre-specified end-of-life date. This approach provides assurance of data integrity for audit and compliance requirements. Version Control A typical enterprise data warehouse is unable to recover data that has been accidentally modified or deleted, making corrections a time consuming process of searching through system backups to find old data to restore. A Big Data Warehouse should be able to keep a simple history of old revisions and allow administrators to trace changes over time, including the ability to audit who made the change and when. This approach provides a complete record of data history for audit and compliance requirements. Rollback A system administrator should be able to trace changes to data and rollback changes as appropriate, while honoring Data Immutability, Audit Log and Version Control requirements. Data Verification All data collected and derived in the Big Data Warehouse should include a checksum held in metadata. This approach allows the system to quickly detect if data has been corrupted or tampered with. Retention Policy A Big Data Warehouse should be able to prevent users from deleting data during a configured retention period and should also automatically de-identify, delete or otherwise process information when the retention period expires. 7

8 Data Validation Unlike typical relational database systems where external Extract, Transform, Load (ETL) tools cleanse and validate data, an effective Big Data governance strategy should perform the cleansing and validation process within the system and log all transformation operations to properly track data provenance. Where information is incomplete or out of valid range, an alert should notify the data steward. Data Veracity Data Verification is an anti-corruption feature of PHEMI Central that checks for changes in your data as it gets imported. Our alert system flags you when your data gets corrupted, assuring the integrity of your entire dataset. A traditional data warehouse has no alert system to protect you from your data getting corrupted. As it gets imported, your data can get altered during the transmission process. A traditional data warehouse does not identify errors in your dataset as they arise. Separation of Roles An effective governance strategy must maintain a clear separation of roles such that a single user cannot create accounts, read/write data and modify log files. ABOUT PHEMI About PHEMI Central PHEMI Central is a Big Data Warehouse with capabilities far beyond traditional approaches. The system uses proven Big Data technology to unlock information trapped in non-relational and unstructured data, scaling to petabytes at a fraction of the cost of traditional solutions. Moreover, PHEMI Central incorporates innovative new privacy, security, and governance capabilities to handle the increasing complexity of modern data warehouse implementations. PHEMI Central supports the collection, curation and analysis of rich datasets, enabling organizations to roll out innovative services ranging from population health management to business intelligence to Open Data information sharing. PHEMI Central lets organizations turn their focus from the task of collecting and storing data to the more strategic role of curating data, deriving insights and offering services. PHEMI Central is available as software or as an appliance for deployment in the enterprise data center. Specifically designed to provide the agility necessary to meet the increasing volume, variety and velocity of today s enterprise, PHEMI Central incorporates an innovative Privacy by Design architecture to bring the power of Big Data to healthcare, the public sector and large enterprises with complex data requirements. Break down the information silos and automatically collect and report high quality, real time and comprehensive data. Mine the Big Data warehouse by rapidly adopting new and innovative applications from best-of-breed vendors or developing custom solutions inhouse. Offer applications like Population Health, Business Intelligence, Open Data Information Sharing, Readmission Risk Analysis, Personalized Medicine, Post-Market Surveillance and Research Registries. Improve productivity and data quality by reducing data entry tasks - automatically converting unstructured documents to structured data, and auto-populating known information where possible. Protect information privacy, security and governance without compromising legitimate right to use. Scale to petabytes and beyond at a fraction of the cost of traditional enterprise data warehouse alternatives. 8

9 About PHEMI PHEMI is a process automation and Big Data platform company that unlocks patient data to improve clinic productivity, patient outcomes, and medical research. The PHEMI team architected PHEMI Clinical and PHEMI Central from the ground up specifically for healthcare, life sciences and the public sector, fully incorporating the 7 foundational principles of Privacy by Design as applied to Big Data. PHEMI is based in Vancouver, BC, Canada. For more information, please visit DICTIONARY OF TERMS Privacy Security Governance Controls who is authorized to access certain information. Provides the technical methods to safeguard private information from unauthorized persons. Covers the stewardship and enforcement of roles, checks and balances to support the business needs. Digital Asset A digital asset is comprised of two key components: The data itself whether structured, semi-structured or unstructured Metadata a wrapper that embeds meaningful context around the information being gathered, stored and ultimately mined. Metadata embeds rules, policies and context around that data. Big Data High volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimization. (Gartner, 2012) Privacy by Design Personally Identifiable Information (PII) The global privacy standard, as defined in a landmark resolution by the International Conference of Data Protection and Privacy Commissioners in Jerusalem. It advances the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must become an organization s default mode of operation. Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Hadoop Open-source software framework that supports data-intensive distributed applications licensed under the Apache v2 license. It supports running applications on large clusters of commodity hardware. Role-based Access Control Attribute-based Access Control A framework for managing access to resources (e.g. data, services, etc.) by defining roles which possess certain access privileges. Subjects (i.e. users) are then assigned certain roles to limit and grant access to resources. This approach is efficient to manage when the number of roles are not too large and remains relatively static. A framework for managing access to resources (e.g. data, services, etc.) for subjects (i.e. users) by specifying logical rules based on attributes of resources, subjects, and environmental context (e.g. network address, time of day, etc.). This approach is advantageous when access scenarios evolve and change as new types of resources and subjects are created. Data lifecycle The backup, custody, access, and management characteristics for a datum from creation to deletion. 9

10 REFERENCES 1. Cost of Data Breach Study: Global Analysis, Ponemon, Big Data: The Next Frontier for Innovation Competition and Productivity, McKinsey Global Institute, The real story of how big data analytics helped Obama win, InfoWorld, Andrew Lampett, This whitepaper focuses on Hadoop-based implementations American Health Information Management Association ehealth Summit, May Great Northern Way Vancouver BC, V5T 4T