The Facebook and Cambridge Analytica debacle created much furore in the data community, and the threat of user data being exposed to companies without users' knowledge became a cause for concern. With the rise of social media and other interactive channels, the volume of user data is certainly growing, and it is of utmost importance to ensure its privacy, or at the very least to have policies in place that ensure the rightful use of that data.
This May, Analytics India Magazine is going to bring out the privacy concerns haunting data: how companies tackle them, the policies they are adopting, the need for regulations, and more, drawing on professionals across sectors such as healthcare, digital payments and analytics.
We spoke to Baskaran Gopalan, senior vice president, IT and TMO at Omega Healthcare Management Services Pvt Ltd. Omega is a noted offshore provider of healthcare outsourcing services specialising in billing, coding, accounts receivable management, and other healthcare related services. They deal with a lot of clinical and patient data, and Gopalan shares with us the security measures they adopt to maintain data privacy.
Analytics India Magazine: What are the security measures that you adopt to ensure confidential data stays safe at Omega Healthcare?
Baskaran Gopalan: Omega does not store any Protected Health Information (PHI) or Personally Identifiable Information (PII) within its environment. However, we have implemented safeguards, such as data encryption, to protect data at rest and in motion. In addition, we provide limited access to PHI or PII data only to a particular set of users, based on access control policies. We also ensure data is not transmitted out of the Omega network to third-party networks, and we ensure all IT infrastructure is HIPAA and HITRUST compliant.
AIM: Given the large data sets that the healthcare industry deals with, what are the measures that hospitals should take? What are the specific measures taken by Omega Healthcare?
BG: There are six ways in which hospitals can provide superior security and privacy solutions for securing Electronic Health Records:
- Enhance administrative controls
- Monitor physical and system access
- Identify workstation usage
- Audit and monitor system users
- Employ device and media controls
- Apply data encryption
Apart from these, Omega also follows standards and regulatory requirements such as ISO 27001, HIPAA and HITECH.
AIM: What is your take on the recent news regarding data breaches, or apprehensions in making Aadhar Card? How can data privacy be ensured so that users don’t feel deceived by it?
BG: On the current Facebook or Aadhar card attacks related to privacy breaches: users post their personal information about location, religion, sex and age, but analytics companies profile them and sell this information to third parties for marketing purposes. These companies should be held responsible for allowing third-party companies access to their metadata even though they have committed to users to safeguard their data. Considering the interconnected world we live in, there is a lack of user awareness, and users should be cautious about the highly personal information they provide in the virtual domain.
As far as hospitals and the healthcare industry are concerned, they should adopt a strong privacy framework, always take user consent for storing PII data, and limit the exposure of such data both internally and externally. Omega strictly follows the guidelines for 'Use and Disclosure of Patient's information' as mandated in HIPAA 45 CFR 164.512, Uses and disclosures of PHI.
AIM: How do you train your staff on data security?
BG: On the first day of joining, a new employee undergoes compliance training covering information security and privacy. They are taught the do's and don'ts during their employment and how to safeguard customer data in their day-to-day work. We also conduct bi-annual compliance training for all our employees on data privacy of clients' and Omega's information. We have our own Learning Management System, where we track individual participation, and the passing criterion is set as high as 80 percent.
AIM: How would you mitigate emergencies in case of a data breach? Please highlight some of the measures that you are equipped with.
BG: We have not faced any data breach since inception. Breaches can happen because of external attacks and insider attacks too. Nowadays companies have the best IT security controls in terms of preventive technologies, but they need to also focus on detection, response and recovery mechanisms. We have in place a 24×7 cyber security operations centre and have tied up with a leading IT services company to further strengthen our security.
AIM: How do you scrutinise data security methods?
BG: Omega Healthcare deploys the best data security measures so the business is technology-enabled with no compromises on data security. We also ensure all data security methods meet or exceed industry best practices, and we have rigorous evaluation and selection criteria for adopting any new data security processes or systems in our organisation.
AIM: As technology is changing rapidly, how do you cope with the changes, as they might compromise your methods, software and tools?
BG: Today the primary challenges faced by IT departments are mostly related to scalability. Converged technologies are being considered by most organisations as the way forward to address these challenges. Omega Healthcare has also adopted virtualisation and deployed hyper-converged solutions in its environment. We also develop applications in-house, embracing trending technologies such as AI, big data and ML.
AIM: Do you hire employees based on data security knowledge? What are the various positions in this role and the skill sets that you look for?
BG: We have a dedicated information security department in our organisation. Some of the positions include information security and compliance roles. The basic skill sets we look for are knowledge of the information security domain, a minimum of three years' experience, and industry certifications such as CISA, CISM, CRISC and ISO lead auditor.