How to Safely Navigate Beyond Masking

By Sam Wehbe, Marketing Director, Privacy Analytics
Twitter: @privacyanalytic

Healthcare organizations realize the only way to stay ahead of the game is to leverage data for strategic insight. When you operate in the healthcare industry, you run into the challenge of unlocking PHI for secondary use. The insights you need to drive new innovations and improve patient outcomes are typically locked away because of the potential risks associated with their use.

Masking tools provide Safe Harbor compliance, but this comes at a steep cost: data masked to Safe Harbor compliance is rendered useless for analysis. Alternatively, if masking tools remove too little information or the wrong information, your organization is left open to fines for non-compliance or to re-identification attacks. Attacks on healthcare data are becoming a real threat. With the explosion of personal data available, it is easier than ever to link datasets and re-identify individuals.

There’s a common misperception that using a brand-name masking product means your data will always be compliant. When you need to share information for analytics purposes within your organization or with outside recipients, it is very tempting to leave in one or two identifiers or a little more date information to make the data useful. After all, what is the point of sharing data that carries no utility?

As soon as there are demands to share and use sensitive data for analytics purposes, people will try to preserve as much granularity in the data as possible. Herein lies the challenge – and why we need to look beyond masking techniques. Balancing privacy compliance with data utility is an emerging discipline that requires new ways of thinking. It’s a risk management problem.

Current masking tools often apply a one-size-fits-all approach that removes the utility of the data, most notably its date information. By Safe Harbor standards, all date information except year must be removed. When tracking the progression of a disease or the efficacy of treatments, this lack of granularity proves stifling.

Fortunately, it is possible to balance use with privacy and legal requirements. Risk analysis is key to finding this balance. Most masking tools do not provide a view into the risks that threaten patient privacy when data is used for analytics. There are now automated tools that offer a risk-based approach to de-identification, providing the visibility into risk that is required to manage these challenges.

This article was originally published on Privacy Analytics and is republished here with permission.