Editor's Note: Excerpts of this interview appear in ISMG's Security Agenda magazine, distributed at RSA Conference 2014.
Privacy should be built into the design of all healthcare information technology and related processes, says Michelle Dennedy, who's writing a book on the concept of "privacy by design."
"There's been a great groundwork that's been laid by the universal adoption across many, many nations of 'privacy by design,' the concept that you should start with privacy at the beginning of the design cycle and move out," says Dennedy, chief privacy officer at Intel Security, formerly called McAfee.
"We believe that privacy engineering is a discrete discipline or field of inquiry, and that innovation can be defined in using engineering principles and processes to build the controls and measures into the processes, systems, components, and products that enable authorized processing of personal information," she says. "I think that it helps the developers and engineers to understand exactly what needs to be done when you bake in processes."
Applying "privacy by design" concepts is particularly critical in healthcare because of the sensitive nature of patient information, she notes in an interview with Information Security Medai Group. "Baking in, or engineering in, or planning for [the privacy of] personal information to be respected in healthcare could not be more important or germane.
"When you build in the mechanisms from the technology layer such that information is treated as a design principle, you actually have a much higher chance of being able to spread that respect across a very diverse type of workforce," Dennedy says.
If privacy protections are a more integrated part of the design of health IT, patients will benefit by having their sensitive data more accurately shared with those who need it, whether it's medical specialists or insurers, she says.
"With personalized medicine ... and more measurement going around patient outcomes, I think you're going to start to see the natural extension of that will be ... the baking in of privacy."
In March 2012, the Federal Trade Commission issued recommendations calling for companies to build-in consumer privacy protections at every stage in developing their products.
In the interview, Dennedy also discusses:
- Why engineering students should be required to take privacy training as part of their studies;
- How "baking in" privacy policies into health IT might help healthcare organizations in their privacy and security compliance efforts;
- The current status of the healthcare industry's efforts to build privacy policies into their technology.
As chief privacy officer at Intel Security, Dennedy is responsible for privacy policies, procedures and governance efforts. Previously, Dennedy founded The iDennedy Project, a consulting and advisory company specializing in privacy and security sensitive organizations. Dennedy was also previously vice president for security and privacy solutions at Oracle. She is a co-author of a soon-to-be-published book: Privacy Engineering: Getting from Policy to Code to QA to Value.