Data Flow Mapping
The Good, the Bad, and the Ugly
Kristen Knight, CIPP/US
Senior Director/Senior Privacy Officer, Philips Healthcare & Philips North America
March 7, 2013
WELCOME!
IN THIS SESSION WE WILL DISCUSS:
Experimenting on people who KISS while peeling onions (in 3D)…
If you are expecting something different,
you may be in the wrong session.
DISCUSSION OUTLINE
• Brief Intro
• The Journey
• How Data Flow Mapping fits into
the Privacy Program
• Key Take-Aways
PHILIPS HEALTHCARE
ORGANIZATION
Acquisitions Expanding care settings
CV/X-Ray
MR
Our foundation Global footprint
Philips Neusoft (2004)
Goldway (2008)
Dixtal Biomedica e Technologia (2008)
VMI-Sistemas Medico (2007)
Alpha (2008)
Meditronics (2008)
Marconi (CT 2002)
ATL (Ultrasound 1998)
Stentor (Radiology IT 2005)
TOMCAT (Cardiac IT 2008)
XIMIS (Radiology IT 2007)
VISICU (Critical Care IT 2007)
ADAC (Nuclear Medicine 2000)
Agilent (Patient Monitoring 2001)
Witt (Cardiac IT 2006)
Intermagnetics (MR 2006)
EMERGIN (Cardiac IT 2007)
Traxtal (2009)
InnerCool Therapies (Emergency Care 2009)
Medel (2008)
Raytel (2007)
Lifeline (2006)
Respironics (2008)
Interactive Medical Developments (2008)
Healthwatch (2007)
Allparts Medical (2011)
Sectra AB (Mammography 2011)
$11.85 Billion in sales in 2011
38,000 People employed worldwide in 100 countries
450+ Products and services offered in over 100 countries
SO… WHY DO WE NEED
COMPREHENSIVE OVERVIEW OF DATA FLOWS?
• We have IT System Architecture layouts …
• We have process diagrams, right?
• We have a general idea of where our data is…
TRIPTIK VS. MAPQUEST
A (drill-down) data flow map of a process or system, in isolation, is to an organizational data flow map as …
WHAT’S IN IT FOR US?
Data Flows can reveal:
• Areas for improved (or new) efficiencies
• Business processes
• IT systems
• IT controls
• Areas for risk mitigation (actively managing business risk)
• Data life-cycle management (gaps, best practices)
• Opportunity for Data Classification/inventory
• Ideas for annual budget planning
• Training opportunities
ESTABLISHING THE APPROACH
STEP-BY-STEP
The Sales Pitch: Ensure (the right) stakeholders understand the need (and recognize the potential benefits).
How do I convince them?
The Troops: Resourcing the Data Flow Mapping Project
Who’s going to do all the work?
The Plan: Developing the Project Plan
Where the heck do we start?
The End Result: Defining the deliverables
THE BUY-IN
• Executive support - Buy-in from the top however you can get it!
• Communication - (a/k/a begging for help)
• Establish credibility - “Hi, we’re from corporate, and we’re here to help.”
• Share the ideas – ask for feedback, promise minimal interference, identify time-commitments upfront, etc.
PICK THE TEAM
• Identify the skills needed to drive the project relative to your organization’s structure / size, and business needs.
• Hire/Appoint/Volun-tell the poor sucker who is willing to
DEVELOP THE PLAN
• Methodology (the how)
• Deliverables (the what)
• Schedule (the when)
• Add’l resources (the who)
• Pilot
GETTING THE INFO
Trust your (privacy professional) gut!
Think about high-risk areas for overall business (industry, applicable regulation, potential damage)
Identify the roles associated with those areas (e.g., marketing, customer service, etc.)
Make a list, check it twice
Splitting the onion: where to start
FORM VS. SUBSTANCE
It’s not the format that matters…. It’s the information you have, and how useful it is.
WHAT YOU NEED TO KNOW
The basics:
• Collection
• Minimization
• Classification
• Handling/Storage
• Transmission and transportation
• Manipulation
• Conversion or alteration
• Release
• Back-up
• Retention
• Destruction
Of course… there may be additional elements needed, depending on your business needs and the project objectives
Keep It Super Simple
K.I.S.S.
AND… HOW TO GET IT
• Workshops and Interviews
• Pre-filled data-flows / maps
• Develop Questionnaires
• Request lists of applications, server location, etc.
• BUT STAY FOCUSED! Keep peeling the onion, no matter how much it makes you cry.
EXAMPLE:
Do you have access to personal data? (list examples)
What categories of personal data do you work with? (again, provide examples)
What is the country of origin (of the individuals whose data you are processing)? (provide lists/check-boxes)
Please list applications you access or enter personal data into, in the course of your day-to-day tasks...
METHODOLOGY
• One shot. One kill?
Not good – too limited
• Two out of three ain’t bad?
Better, but not great
• 3-Dimensional? – YES!
Multi-faceted approach gives various layers and levels of perspectives:
Role-based - People
Operational - Processes
Location-based - Places
BUT… REMEMBER
IT’S NOT JUST ABOUT IT!
• Understanding (and mapping) business operations outside of IT is CRITICAL to capturing risks and potential control gaps.
• Human action (malfeasance, nonfeasance, misfeasance) is usually a requisite to data-related security / privacy incidents.
“There are two kinds of spurs, my friend. Those that come in by the door; those that come in by the window.”
THE RISK MANAGEMENT PROCESS
So… where does this fit into the overall privacy compliance program?
[Diagram: Data Processing Registry; Data Flow Mapping; Privacy Impact Assessment; Data Classification; Process / System; Third Party Access; Risk-based Prioritization (Triage); Vendor Assessments; Data Processing Agreements; Business Associate Agreements; … PRO-Active Risk Management!]
[Diagram: Risk-based prioritization (Triage); Privacy Impact Assessment Questionnaire; Evaluation & Mitigation Plan]
EXAMPLE
PILOT EFFORTS
• What worked: The Good
– Focus on people
– Get front-end buy-in
– Give pre-filled data flow maps
– Hold workshops / interviews
– Maximize resources (brain picking)
– Ask for feedback on approach, process, tools, etc. (and use it)
– Be flexible
THE PILOT
• What didn’t work: The Bad
– Inflexible time-lines
– Assuming priority is shared
– Trying to “stop and fix” along the way
– Open ended questions
NOW WHAT?
THE UGLY
– Our priority doesn’t make it everyone’s priority. Balancing Business objectives and compliance efforts
– Keeping focused is HARD!
– Business cultures (and, appetite for change) differ across parts of the business
– Global cultures vary
In a global market, populations have varying concerns about data protection. Advancing business objectives is the higher good (for us, that is innovation in quality healthcare!) – THERE IS A BALANCE!
KEY TAKE-AWAYS
Keep peeling the onion (stay focused)
No matter how much it makes you cry
3-D is the KEY
People, processes, places
Orient around HUMANS
not: IT architecture, applications or systems
KISS … more than usual
The more simple, the better!
Test the theory - Include Stakeholders & non-subject matter