To fully realize the benefits of personalized medicine while avoiding negative impacts such as breaches, we must minimize the associated privacy and security risks. Personal information, including a patients genetic data, used to support personalized information is considered sensitive information, and is regulated in the US by the Genetic Information Non-Discrimination Act (GINA) and the HIPAA Privacy Rule. This prevents abuse of this information, for example for discrimination based on genetic information for employment or health coverage, or breaches.
A best practice in identifying and mitigating such risks is to follow the sensitive information through its lifecycle, identifying and assessing risks, and implementing safeguards to mitigate at each stage. In previous blogs we discussed the collection, use, retention, and disclosure stages. In this blog I’ll focus on the disposal stage. This last stage is often overlooked in privacy and security risk assessments, and can be the source of security incidents such as breaches. Several examples of breaches resulting from improper disposal of protected health information can be seen on the HSS Breaches Affecting 500 or More Individuals, by searching on “disposal.”
More examples can be found globally, for example in Britain: Buy A Computer On eBay, Find Sensitive Health-Care Records!, where computers containing sensitive patient health information (that as not properly disposed of) were sold on eBay. As we can see from this last reference, impacts of such breaches can easily run into several hundreds of thousands of US dollars. In fact, the impact of such breaches can even run into millions of dollars as reflected by the Ponemon 2013 Cost of a Data Breach Study which found that in the US breaches on average cost US $5.4 million.
In order to minimize these kinds of risks, a best practice is to securely dispose of patient information used for personalized medicine when it is no longer required for the purpose to which the patient has consented, and is outside of any regulatory/legally or policy imposed mandatory retention periods. Disposal could also be explicitly requested by a patient. In this case the healthcare organization should inform the patient of the benefits of retaining their information, for example to ensure the completeness of their longitudenal patient record. However, in the event that the patient record must be securely disposed of, the last thing a healthcare covered entity or data controller wants is to have a breach and then have it further exacerbated by the scope of the breach include patient information they should no longer have.
To accomplish secure disposal, all of the sensitive data for a given patient, throughout the personalized medicine process needs to be securely disposed of. It is helpful to review some of the key data records created in personalized medicine process.
This starts with blood or saliva samples taken from patients, then the raw genetic data produced from sequencing the DNA in these samples. A variance file is then produced from the raw genetic data, in comparison with baseline genetic data, to produce a variance file highlighting specific variations in the patient genetics from the norm. Lastly a risk factors report is produced from the variance file that identifies patient propensities to specific traits such as diseases, and pharmacogenetics or the efficacy or toxicity of specific medicines to the patient based on their genetics. We also need to consider any personal information in backups, archives, or offsite for example to support business continuity/disaster recovery.
Any information shared with third parties, known as Business Associates in the US, or data processors in Europe, should also be securely disposed of. Disposal methods can range from incinerating samples, to shredding paper records, to secure wipe of storage media, physical destruction of hardware devices, encrypting and securely disposing of the key, and so forth. In the case of backups and archives it may not be practical to delete a specific record. However, in such cases if the patient record is disposed of in the online tier 1 storage, eventually within a set time period as backups / archives reach end of life, for example after 6 months, the deletion of the patient record will effectively propagate to those backups/archives as well.
There are several places a patients personal information can hide to make this job even tougher. An example is caches, for example in web applications, proxies, performance caches and so forth. Another example is the patients personal health information exchanged with other healthcare organizations through health information exchanges. Fortunately, once exchanged through such HIE’s the patient information retained by another healthcare organization is subject to their regulatory compliance.
Unfortunately for the patient this may mean that they need to go to the various independent entities holding their information and explicitly request disposal of their information if their goal is deletion of their record more broadly than a single healthcare organization. As healthcare workers are increasingly empowered with more devices, apps, online services, and also wearables and Internet of Things, the risk of sensitive patient personal information being retained or transmitted in places or ways that it should not be, increase considerably. Examples today can be seen in Workarounds in Healthcare, a Risky Trend, driven by healthcare workers use of workarounds. DLP (Data Loss Prevention) can be an effective tool in discovering such personal information at rest or in transit, enabling a healthcare organization to securely dispose of it or move it somewhere more secure as needed.
Lastly, but not least, one should keep a good audit log of such disposal activities, to enable effective audit and compliance and implementation of policy, as well as demonstrate due diligence should you ever need to in the event of a breach.
What kinds of challenges are you seeing with securely disposing of health information used for personalized medicine?