Data Flow Mapping: The Good, the Bad, and the Ugly
Kristen Knight, CIPP/US
Senior Director/Senior Privacy Officer, Philips Healthcare & Philips North America
March 7, 2013
12:45PM to 1:45PM
WELCOME!
IN THIS SESSION WE WILL DISCUSS:
Experimenting on people who KISS while peeling onions
(in 3D)…
If you are expecting something different,
you may be in the wrong session.
DISCUSSION OUTLINE
• Brief Intro
• The Journey
• How Data Flow Mapping fits into the Privacy Program
• Key Take-Aways
• Open discussion / questions
PHILIPS HEALTHCARE ORGANIZATION
Acquisitions Expanding care settings
CV/X-Ray
MR
Our foundation Global footprint
Philips Neusoft (2004)
Goldway (2008)
Dixtal Biomedica e Technologia (2008)
VMI-Sistemas Medico (2007)
Alpha (2008)
Meditronics (2008)
Marconi (CT 2002)
ATL (Ultrasound 1998)
Stentor (Radiology IT 2005)
TOMCAT (Cardiac IT 2008)
XIMIS (Radiology IT 2007)
VISICU (Critical Care IT 2007)
ADAC (Nuclear Medicine 2000)
Agilent (Patient Monitoring 2001)
Witt (Cardiac IT 2006)
Intermagnetics (MR 2006)
EMERGIN (Cardiac IT 2007)
Traxtal (2009)
InnerCool Therapies (Emergency Care 2009)
Medel (2008)
Raytel (2007) Lifeline (2006)
Respironics (2008)
Interactive Medical Developments (2008)
Healthwatch (2007)
Allparts Medical (2011)
Sectra AB (Mammography 2011)
$11.85 Billion in sales in 2011
38,000 People employed worldwide in 100 countries
450+ Products and services offered in over 100 countries
SO… WHY DO WE NEED
COMPREHENSIVE OVERVIEW OF DATA FLOWS?
• We have IT System Architecture layouts …
• We have process diagrams, right?
• We have a general idea of where our data is…
That’s why…
TRIPTIK VS. MAPQUEST
A (drill-down) data flow map of a process or system, in isolation, is to an organizational data flow map as …
ANOTHER ANALOGY
WHAT’S IN IT FOR US?
Data Flows can reveal:
• Areas for improved (or new) efficiencies
• Business processes
• IT systems
• IT controls
• Areas for risk mitigation (actively managing business risk)
• Data life-cycle management (gaps, best practices)
• Opportunity for Data Classification/inventory
• Ideas for annual budget planning
• Training opportunities
ESTABLISHING THE APPROACH
STEP-BY-STEP
The Sales Pitch: Ensure (the right) stakeholders understand the need (and recognize the potential benefits).
How do I convince them?
The Troops: Resourcing the Data Flow Mapping Project
Who’s going to do all the work?
The Plan: Developing the Project Plan
Where the heck do we start?
The End Result: Defining the deliverables
What do I do with it, once I know where it is?
THE BUY-IN
• Executive support - Buy-in from the top however you can get it!
• Communication - (a/k/a begging for help)
• Establish credibility - “Hi, we’re from corporate, and we’re here to help.”
• Share the ideas – ask for feedback, promise minimal interference, identify time-commitments upfront, etc.
PICK THE TEAM
• Identify the skills needed to drive the project relative to your organization’s structure / size, and business needs.
• Hire/Appoint/Volun-tell the poor sucker who is willing to take it / ideal resource.
DEVELOP THE PLAN
• Methodology (the how)
• Deliverables (the what)
• Schedule (the when)
• Add’l resources (the who)
• Pilot
GETTING THE INFO
Trust your (privacy professional) gut!
Think about high-risk areas for overall business
(industry, applicable regulation, potential damage)
Identify the roles associated with those areas
(e.g., marketing, customer service, etc.)
Make a list, check it twice
Splitting the onion: where to start
FORM VS. SUBSTANCE
It’s not the format that matters….
It’s the information you have, and how useful it is.
WHAT YOU NEED TO KNOW
The basics:
• Collection
• Minimization
• Classification
• Handling/Storage
• Transmission and transportation
• Manipulation
• Conversion or alteration
• Release
• Back-up
• Retention
• Destruction
Of course… there may be additional elements needed, depending on your business needs and the project objectives.
Keep It Super Simple
K.I.S.S.
AND… HOW TO GET IT
• Workshops and Interviews
• Pre-filled data-flows / maps
• Develop Questionnaires
• Request lists of applications, server location, etc.
• BUT STAY FOCUSED! Keep peeling the onion, no matter how much it makes you cry.
EXAMPLE:
• Do you have access to personal data? (list examples)
• What categories of personal data do you work with? (again, provide examples)
• What is the country of origin (of the individuals whose data you are processing)? (provide lists/check-boxes)
• Please list applications you access or enter personal data into, in the course of your day-to-day tasks...
METHODOLOGY
• One shot. One kill? Not good – too limited
• Two out of three ain’t bad? Better, but not great
• 3-Dimensional? – YES!
Multi-faceted approach gives various layers and levels of perspectives:
Role-based - People
Operational - Processes
Location-based - Places
BUT… REMEMBER
IT’S NOT JUST ABOUT IT!
• Understanding (and mapping) business operations outside of IT is CRITICAL to capturing risks and potential control gaps.
• Human action (malfeasance, nonfeasance, misfeasance) is usually a requisite to data-related security / privacy incidents.
“There are two kinds of spurs, my friend. Those that come in by the door; those that come in by the window.” Tuco: The Good, the Bad and the Ugly
THE RISK MANAGEMENT PROCESS
So… where does this fit into the overall privacy compliance program?
[Diagram: elements of the privacy compliance program]
• Data Processing Registry
• Data Flow Mapping
• Privacy Impact Assessment
• Data Classification
• Process / System
• Third Party Access
• Risk-based Prioritization (Triage)
• Vendor Assessments
• Data Processing Agreements
• Business Associate Agreements
PRO-Active Risk Management!
• Risk-based prioritization (Triage)
• Privacy Impact Assessment Questionnaire
• Evaluation & Mitigation Plan
EXAMPLE TOOLS
PILOT EFFORTS
• What worked: The Good
– Focus on people
– Get front-end buy-in
– Give pre-filled data flow maps
– Hold workshops / interviews
– Maximize resources (brain picking)
– Ask for feedback on approach, process, tools, etc. (and use it)
– Be flexible
THE PILOT
• What didn’t work: The Bad
– Inflexible time-lines
– Assuming priority is shared
– Trying to “stop and fix” along the way
– Open ended questions
– Staying focused on IT
NOW WHAT? THE UGLY
– Our priority doesn’t make it everyone’s priority. Balancing Business objectives and compliance efforts
– Keeping focused is HARD!
– Business cultures (and, appetite for change) differ across parts of the business
– Global cultures vary: in a global market, populations have varying concerns about data protection. Advancing business objectives is the higher good (for us, that is innovation in quality healthcare!) – THERE IS A BALANCE!
KEY TAKE-AWAYS
Keep peeling the onion (stay focused): no matter how much it makes you cry
3-D is the KEY: people, processes, places
Orient around HUMANS, not IT architecture, applications or systems
KISS … more than usual: the more simple, the better!
Test the theory - Include Stakeholders & non-subject matter experts, test drive templates, process & methodology.
IN THIS SESSION WE DISCUSSED:
Experimenting on people who KISS while peeling onions
(in 3D)…
THE LONG AND WINDING ROAD
BACK AT THE OFFICE…
- Have the discussion about whether Data Flow Mapping is right for you. (how could this benefit you?)
- Run the idea by members of your team/outside your functional area. (phone a friend)
- Determine if efforts are underway elsewhere that might benefit from such an effort (and offer to “share” in the fun/cost/pain).
- Start thinking about people, onions, and KISSing.
OPEN FLOOR
• Anything to add?
• Any questions?
• Any experiences to share?