Protecting Personally Identifiable Information (PII) and Protected Health Information (PHI) is no small task for organizations and their records management teams. Government agencies in particular deal with PII and PHI all the time, because they often include mission-critical information like:

  • Full Name
  • Address
  • Date Of Birth
  • Assigned Identifiers (e.g., Social Security Number, Passport Number, Known Traveler Number, etc.)
  • Biometric Data (e.g., Fingerprints)
  • Medical History (e.g., Lab Results)
  • Etc.

This kind of data could potentially be used to identify individuals and, in extreme cases, to steal their identities. For that reason, federal, state, and local regulations typically require agencies and businesses to apply special protections to PII/PHI.

That’s easier said than done, however. Records managers must overcome three significant challenges in dealing with PII and PHI.

Challenge #1: The Sheer Volume of PII/PHI Data

The first major challenge is the sheer abundance of PII/PHI. It’s everywhere: it can be found on virtually every device, in every data repository, in all forms of media, throughout an organization. In fact, many agencies have so much data that is so scattered that records managers may not even be able to accurately identify all the places where this data lives or is used. That’s what happens when data proliferates without being pruned.

One key tactic is to minimize the amount of data you’re storing.

Many organizations fall into the trap of saving virtually everything “just in case.” Certainly, it’s imperative to adhere to applicable retention laws, but most information has a finite lifespan. At a certain point, the information loses value. In this case, the information should be destroyed. From a records management perspective, this is straightforward: the fewer records and the fewer data repositories you need to manage, the easier the records management task will be.

Challenge #2: The Lack of Insight into PII/PHI Data

Closely related to the first challenge, this issue is about not having adequate visibility into what is being done with PII/PHI data. In other words, to properly protect PII/PHI, personnel must be able to track and monitor where the data lives, who is accessing it, and how it travels through an organization. Most importantly, they need some means of automatically identifying unusual behavior or exceptions/violations related to this data. For example, does your organization have visibility into when/if protected information is being shared in an unusual way?

Here, technology plays a pivotal role.

It’s all but impossible to actively manage this data on a human level. Instead, records managers must rely on some level of automation from the records management technology they use. Different platforms vary greatly in this regard, though, so it’s worth making sure your Electronic Records Management (ERM) tools offer the tracking and privacy functionality required to keep PII/PHI safe.

Challenge #3: Uncertainty About the Cloud

Can organizations safely and securely store PII/PHI in cloud environments? Many records managers and even technologists hesitate at this question. Unfortunately, keeping PII/PHI separate from normal cloud environments immediately causes two problems:

  1. It bifurcates the records management process into separate workflows. This will almost always lead to duplicative work, inefficiencies, and possible errors.
  2. It may expose the PII/PHI to even more risk because in-house data environments are often less secure than cloud environments.

That last point is important to understand. While it’s true that not all cloud environments can be trusted to store sensitive or protected information, certified cloud environments can.

FedRAMP certified environments, for example, are well-resourced and offer continually updated security and regular threat reviews. In fact, all too often, organizations that don’t trust the cloud’s security are themselves lagging. The administrators of trustworthy cloud environments, for example, will apply security patches immediately. In-house IT teams can easily fall behind schedule on security patches as other priorities overwhelm their calendars.

Here, the answer is simply to ensure you’re using the right cloud paired with the right technology platform to meet all the security and privacy protections your organization requires.

About PSL

PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit or email info@penielsolutions.com.