Data Flow Mapping - International Association of Privacy ...

Data Flow Mapping The Good, the Bad, and the Ugly Kristen Knight, CIPP/US Senior Director/Senior Privacy Officer Philips Healthcare & Philips North America March 7, 2013 12:45PM to 1:45PM


Page 1

Data Flow Mapping The Good, the Bad, and the Ugly

Kristen Knight, CIPP/US

Senior Director/Senior Privacy Officer Philips Healthcare &

Philips North America

March 7, 2013

12:45PM to 1:45PM

Page 2

WELCOME!

IN THIS SESSION WE WILL DISCUSS:

Experimenting on people who KISS while peeling onions

(in 3D)…

If you are expecting something different,

you may be in the wrong session.

Page 3

DISCUSSION OUTLINE

• Brief Intro

• The Journey

• How Data Flow Mapping fits into the Privacy Program

• Key Take-Aways

• Open discussion / questions

Page 4

PHILIPS HEALTHCARE ORGANIZATION

Acquisitions Expanding care settings

CV/X-Ray

MR

Our foundation Global footprint

Philips Neusoft (2004)

Goldway (2008)

Dixtal Biomedica e Technologia (2008)

VMI-Sistemas Medico (2007)

Alpha (2008)

Meditronics (2008)


Marconi (CT 2002)

ATL (Ultrasound 1998)

Stentor (Radiology IT 2005)

TOMCAT (Cardiac IT 2008)

XIMIS (Radiology IT 2007)

VISICU (Critical Care IT 2007)

ADAC (Nuclear Medicine 2000)

Agilent (Patient Monitoring 2001)


Witt (Cardiac IT 2006)

Intermagnetics (MR 2006)

EMERGIN (Cardiac IT 2007)

Traxtal (2009)

InnerCool Therapies (Emergency Care 2009)

Medel (2008)

Raytel (2007)

Lifeline (2006)

Respironics (2008)

Interactive Medical Developments (2008)

Healthwatch (2007)

Allparts Medical (2011)

Sectra AB (Mammography 2011)

$11.85 Billion in sales in 2011

38,000 People employed worldwide in 100 countries

450+ Products and services offered in over 100 countries

Page 5

SO… WHY DO WE NEED

COMPREHENSIVE OVERVIEW OF DATA FLOWS?

• We have IT System Architecture layouts …

• We have process diagrams, right?

• We have a general idea of where our data is…

That’s why…

Page 6

TRIPTIK VS. MAPQUEST

A (drill-down) data flow map of a process or system, in isolation, is to an organizational data flow map as …

Page 7

ANOTHER ANALOGY

Page 8

WHAT’S IN IT FOR US?

Data Flows can reveal:

• Areas for improved (or new) efficiencies

• Business processes

• IT systems

• IT controls

• Areas for risk mitigation (actively managing business risk)

• Data life-cycle management (gaps, best practices)

• Opportunity for Data Classification/inventory

• Ideas for annual budget planning

• Training opportunities

Page 9

ESTABLISHING THE APPROACH

STEP-BY-STEP

The Sales Pitch: Ensure (the right) stakeholders understand the need (and recognize the potential benefits).

How do I convince them?

The Troops: Resourcing the Data Flow Mapping Project

Who’s going to do all the work?

The Plan: Developing the Project Plan

Where the heck do we start?

The End Result: Defining the deliverables

What do I do with it, once I know where it is?

Page 10

THE BUY-IN

• Executive support - Buy-in from the top however you can get it!

• Communication - (a/k/a begging for help)

• Establish credibility - “Hi, we’re from corporate, and we’re here to help.”

• Share the ideas – ask for feedback, promise minimal interference, identify time-commitments upfront, etc.

Page 11

PICK THE TEAM

• Identify the skills needed to drive the project relative to your organization’s structure / size, and business needs.

• Hire/Appoint/Volun-tell the poor sucker who is willing to take it ideal resource.

Page 12

DEVELOP THE PLAN

• Methodology (the how)

• Deliverables (the what)

• Schedule (the when)

• Add’l resources (the who)

• Pilot

Page 13

GETTING THE INFO

Trust your (privacy professional) gut!

Think about high-risk areas for overall business

(industry, applicable regulation, potential damage)

Identify the roles associated with those areas

(e.g., marketing, customer service, etc.)

Make a list, check it twice

Splitting the onion: where to start

Page 14

FORM VS. SUBSTANCE

It’s not the format that matters….

It’s the information you have, and how useful it is.

Page 15

WHAT YOU NEED TO KNOW

The basics:

Collection

Minimization

Classification

Handling/Storage

Transmission and transportation

Manipulation

Conversion or alteration

Release

Back-up

Retention

Destruction

Of course… there may be additional elements needed, depending on your business needs and the project objectives.

Keep It Super Simple

K.I.S.S.

Page 16

AND… HOW TO GET IT

• Workshops and Interviews

• Pre-filled data-flows / maps

• Develop Questionnaires

• Request lists of applications, server location, etc.

• BUT STAY FOCUSED! Keep peeling the onion, no matter how much it makes you cry.

EXAMPLE:

• Do you have access to personal data? (list examples)

• What categories of personal data do you work with? (again, provide examples)

• What is the country of origin (of the individuals whose data you are processing)? (provide lists/check-boxes)

• Please list applications you access or enter personal data into, in the course of your day-to-day tasks...

Page 17

METHODOLOGY

• One shot. One kill? Not good – too limited

• Two out of three ain’t bad? Better, but not great

• 3-Dimensional? – YES!

Multi-faceted approach gives various layers and levels of perspectives:

Role-based - People

Operational - Processes

Location-based - Places

Page 18

BUT… REMEMBER

IT’S NOT JUST ABOUT IT!

• Understanding (and mapping) business operations outside of IT is CRITICAL to capturing risks and potential control gaps.

• Human action (malfeasance, nonfeasance, misfeasance) is usually a requisite to data-related security / privacy incidents.

“There are two kinds of spurs, my friend. Those that come in by the door; those that come in by the window.” Tuco: The Good, the Bad and the Ugly

Page 19

THE RISK MANAGEMENT PROCESS

So… where does this fit into the overall privacy compliance program?

Data Processing Registry

Data Flow Mapping

Privacy Impact Assessment

Data Classification

Process / System Third Party Access

Risk-based Prioritization (Triage)

Vendor Assessments

Data Processing Agreements

Business Associate Agreements

. . .

PRO-Active Risk Management!

Page 20

Risk-based prioritization Triage

Privacy Impact Assessment Questionnaire

Evaluation & Mitigation Plan

EXAMPLE TOOLS

Page 21

PILOT EFFORTS

• What worked: The Good

– Focus on people

– Get front-end buy-in

– Give pre-filled data flow maps

– Hold workshops / interviews

– Maximize resources (brain picking)

– Ask for feedback on approach, process, tools, etc. (and use it)

– Be flexible

Page 22

THE PILOT

• What didn’t work: The Bad

– Inflexible time-lines

– Assuming priority is shared

– Trying to “stop and fix” along the way

– Open ended questions

– Staying focused on IT

Page 23

NOW WHAT? THE UGLY

– Our priority doesn’t make it everyone’s priority. Balancing Business objectives and compliance efforts

– Keeping focused is HARD!

– Business cultures (and, appetite for change) differ across parts of the business

– Global cultures vary. In a global market, populations have varying concerns about data protection. Advancing business objectives is the higher good (for us, that is innovation in quality healthcare!) – THERE IS A BALANCE!

Page 24

KEY TAKE-AWAYS

Keep peeling the onion (stay focused): No matter how much it makes you cry

3-D is the KEY: People, processes, places

Orient around HUMANS, not IT architecture, applications or systems

KISS … more than usual: The more simple, the better!

Test the theory - Include Stakeholders & non-subject matter experts, test drive templates, process & methodology.

Page 25

IN THIS SESSION WE DISCUSSED:

Experimenting on people who KISS while peeling onions

(in 3D)…

Page 26

THE LONG AND WINDING ROAD

Page 27

BACK AT THE OFFICE…

- Have the discussion about whether Data Flow Mapping is right for you. (how could this benefit you?)

- Run the idea by members of your team/outside your functional area. (phone a friend)

- Determine if efforts are underway elsewhere that might benefit from such an effort (and offer to “share” in the fun/cost/pain).

- Start thinking about people, onions, and KISSing.

Page 28

OPEN FLOOR

• Anything to add?

• Any questions?

• Any experiences to share?