Rethinking the need to store Protected Data

As part of B2H, we are currently working on a way to store restricted data. If you are wondering what restricted data is, it generally means health information or other specific private information. If you've signed a HIPAA release form at your doctor's lately, then you have been in contact with restricted data.
What makes our current work particularly interesting is that the state of California has some very strict rules as to how that data can be stored, viewed, retrieved, and shared when stored digitally. For us, there is no workaround. If B2H is going to collect protected data, we must meet the standards and pass different audits.
Let's be honest, figuring out the right way to meet the rules is a cross between head-banging, dead-language deciphering, and circular reasoning. More so, dealing with this question in light of the rise of social networking and instant communication makes me wonder both about the need for some of these rules and, directly related, the need to collect such data.

Let me explain.

From a hardware and software standpoint, the security layers are numerous and costly. The standards are high and difficult to reach, and they go way beyond just making sure that in case of a breach an intruder would not be able to match the restricted data to a given person. Oddly enough, of all the burdens, this may be the simpler one! Like the proverbial onion (or in this case, Dante's circles!) the requirements have many layers, and chances are you will start crying as you peel them one by one!
So much so that once all the costs are factored in, an organization would do well to review the projected ROI. It's a very black and white proposition: if you are going to collect this data, your system must be able to pass an audit (here is a hint: don't trust the vendor, they will not be the ones paying your legal fees if you get sued).
Is the cost worth it, and can you afford to pass it on to your customers (or have it eat your margins)? Do you have an alternative? Do you even need this data? (Hint number two: if the only reason for collecting data is that you've always been collecting it, you probably don't need it.)

This is where things get complex, because there is a tremendous gap between the legislation and common sense (I know... what a shock!). The gap grows even greater when looking at people's perception of security/privacy ("My data is mine") vs. what they do online ("view the video of my kid on pain killers").

Here are some examples to highlight the problem:

"I really need to know that you are allergic to bees." Do you really? If I am allergic to bees and get stung, I bet I will swell up a lot faster than you'll have time to look at my medical history, even on a printout.
And let's take this example to the extreme: I am stung by Maya and need to be taken to the ER. No ER doctor is going to fully trust a printout of medical conditions for an individual. They are going to treat the emergency.

"Maybe a bee was extreme, but I need to know about your kid's peanut allergy to plan for the meals"... Let's think about this one from a few angles.

Whether it is FERPA data or HIPAA data, we must make sure that this info is secured so that a potential hacker cannot learn that it is my kid who has the food allergy. Yet everyone from the camp counselor to the cook to the chaperones to the other kids will know about the allergy by lunch time, as I seriously doubt that the counselor would have kids come behind a screen to pick their meals and then have them eat separately to keep the information private.
This is where the legislation falls short: why restrict it so much in digital form, yet be lenient in the physical world? Also, if this data can be used to protect an individual, why make it so hard to access and share it?
The dilemma is similar for adults. If I come to your class and a meal is involved, you are probably more interested in knowing my food preference than in storing my allergy data. This is what the airlines do when you fly internationally: they ask you for your meal preference (diabetic), not whether you are diabetic. A meal preference is not restricted data, and you will be able to plan just as well, without the protected data headache.

"I don't want other people to know about my medical conditions, so it should be secured"... I agree, I definitely would not want Pfizer to know about my medical history, but in this case we are no longer dealing with securing the data (I highly doubt that large medical labs try to hack databases to gain market share, by the way!!!) but with information sharing, and this is an entirely different topic. In B2H, we don't share this data. End of story. But do me a favor: if you are so private about your medical information, don't go to a triathlon forum posting your blood results and asking if you are anemic... consistency is good!

So what to do with restricted data?
The first step for any organization is to really ponder whether there is a need to collect that data. For most businesses there should not be any need. Truthfully, other than someone working in a medical field, I cannot see who would need to collect this data.
From a legal standpoint, I also hope that the legislature takes another look at the reach of the regulation. If protecting one's data is the prime concern (which I am quite comfortable with), then shouldn't there be much stronger restrictions on how that information can be transmitted in the physical world and how it should be audited?