OIG: VA Workers Hid ‘Big Data’ Project Privacy, Security Risks
Report on Canceled VA Project Offers Governance Lessons for Others
… “For a project of this nature, there needs to be a data governance committee in place that consists of interdepartmental, multidisciplinary membership beyond only IT and privacy,” says Keith Fricke, principal consultant at tw-Security.
A big data initiative may also need to be reviewed by board members or senior executives, he adds.
“Guiding principles need to be established for who can access which types of data in the dataset, for how long, and for which use cases,” he says.
“A project involving this much data needs to have some checks and balances in place to ensure an accurate portrayal of risk is conveyed. CISOs and privacy officers are generally trustworthy. It is unfortunate that this [VA] situation has individuals that provided misleading information.”
Healthcare sector entities and tech vendors need to take steps to ensure security and privacy risks are properly identified and mitigated before launching ambitious big data projects, he says.
“The first step in identifying the security and privacy risks is to define the parameters involved in this type of initiative,” Fricke says.
For example, several important questions need to be answered, such as where the data will reside, whether vendors or others will have remote access to the data and whether vendors need to have a copy of the data, he says.