fear and loathing data monetization final
DESCRIPTION
According to Booz & Company, revenue from monetizing data could represent up to $300 billion per year in the next three to five years in the financial sector alone. With the unabated growth of consumer and health data, privacy officers and data analysts are in the midst of challenging executive discussions, as finance, sales and marketing functions look for new ways to drive additional revenue, growth and margin using the potential value of their data assets. The presentation provides a risk-based framework for not only examining the opportunity of data monetization, but also the legal and situational context for its use. The framework outlines the essential conditions by which data monetization could be considered as a valuable revenue stream, all the while ensuring legal and reputational considerations are taken into account for its re-sale. Privacy, compliance and data analyst professionals will learn: The key business drivers of data monetization; The business case for leveraging their data assets for re-sale; A risk-based framework that identifies the appropriate conditions and context for monetizing data; and, Critical steps that privacy, sales and marketing functions can take to determine whether their data assets should indeed be sold. To listen to the recording, please click here: https://vimeo.com/92972384TRANSCRIPT
www.privacyanalytics.ca | [email protected]
251 Laurier Avenue, Suite 200Ottawa, Ontario, Canada K1P 5J6
WEBINAR: Fear and Loathing of Data Monetization
Considerations for Building a Business Case for
Data Monetization
© 2014 Privacy Analytics, Inc.
Presenters
Chris Wright, Vice President, Marketing and
Today’s Moderator, Privacy Analytics, Inc.
Dr. Khaled El Emam, CEO and founder of
Privacy Analytics, Inc.
Ann Waldo, Wittie, Letsche & Waldo, LLP, and
the Washington Health Strategies Group
© 2014 Privacy Analytics, Inc.
Presenter
Chris Wright, Vice President, Marketing and
Today’s Moderator, Privacy Analytics, Inc.
© 2014 Privacy Analytics, Inc.
1. Please be sure to mute your phones
2. We’ll have a Q&A after the webinar. Please craft your questions in the dialogue box you see to your right
3. And we’re giving away copies of our Risky Business Sharing Health Data While Protecting Privacy to the first 30 people that complete our survey:
Some Housecleaning
http://reportal.euro.confirmit.com/reportal/login.asp
x?PortalId=34258
© 2014 Privacy Analytics, Inc.
1. The Conditions for Monetization
2. Opportunities vs. Risk
3. What are the Legal Implications
4. Risk Assessment for Monetization
5. Its Application to a Case Study
6. Summary - Key Takeaways
7. Question and Answer
Agenda
© 2014 Privacy Analytics, Inc.
About Privacy Analytics
For organizations that want to safeguard and enable their data for
secondary use …
• Software that automates the de-identification
and masking of data using a risk-based
approach to anonymize personal information
• Integrated capabilities to anonymize
structured and unstructured data from
multiple sources
• Peer-reviewed methodologies and value-
added services that certify data as de-
identified using the expert statistical method
under HIPAA
© 2014 Privacy Analytics, Inc.
Webinar Part 1: A Quick Re-cap
• Demonstrating that through anonymization techniques a customer could maintain the essential analytic utility of the original data
• Using a risk-based approach to determine the optimal level of anonymization to safeguard personal information
• Allowing this customer to fully leverage their data for secondary purposes – all within a reasonable range of optimal utility and value
Setting the conditions for organizations to explore the different
business and ethical dimensions of data monetization by:
© 2014 Privacy Analytics, Inc.
Is Data Monetization Like a Bad Comb Over?
Do we discuss it openly, yet responsibly with our friend below? Or do
we ignore it and hope it goes away – in the case below, literally?
© 2014 Privacy Analytics, Inc.
Data Monetization: It’s Already Occurring
By 2016, 30% of businesses will have begun directly or indirectly
monetizing their information assets via bartering or selling them
outright, according to Gartner Research Inc.
© 2014 Privacy Analytics, Inc.
Healthcare Data Ecosystem
Source: Park Associates
We are witnessing an explosion of digital health applications and
software that combined with transactional systems creates a rich
repository of insight into individuals, their behavior and health
© 2014 Privacy Analytics, Inc.
Richer, More Intrusive Data Capture
Source: Proteus interface for an edible mobile device that tracks a patient’s level of activity and rest
The “Internet of Things” is becoming a reality in healthcare, as
organizations move beyond simply Fitbit fitness tracking to more
robust diagnostics associated with patient well being and care
© 2014 Privacy Analytics, Inc.
Data Monetization
© 2014 Privacy Analytics, Inc.
Real Brand and Reputation Considerations
Protecting consumer and patient data is a sacred trust. And even in
the context of a criminal act, a breach of this trust can cause significant
harm to an organization’s reputation and business overall.
Target Profit Falls
46% On Credit
Card Breach
Source: YouGov BrandIndex’s Buzz Post Breach
Social Sentiment Analysis of Target Compared to
Other Retailers Post Breach
Now Imagine if This Were a Deliberate Effort to Monetize Data!
© 2014 Privacy Analytics, Inc.
Section Takeaways
� Just because there ’s more data
doesn’t mean there’s a revenue
stream ...
� What’s the relationship between
my corporate values and my
desire to monetize data ...
� If there is a relationship, what are
the dimensions of the data I want
to share and with whom ...
� As I build a business case, what is
the context for data’s sale and
how will it be used ...
� And what’s the role of internal
and external stakeholders in the
decision to monetize data ...
� Better call a lawyer ...
The Business of Data
14
© 2014 Privacy Analytics, Inc.
1. The Conditions for Monetization
2. Opportunities vs. Risk
3. What are the Legal Implications
4. Risk Assessment for Monetization
5. Its Application to a Case Study
6. Summary - Key Take Aways
7. Question and Answer
Agenda
© 2014 Privacy Analytics, Inc.
Today’s Presenter
Ann Waldo, Wittie, Letsche & Waldo, LLP, and
the Washington Health Strategies Group
© 2014 Privacy Analytics, Inc.
HIPAA/HITECH Compliance: How to Protect PHI
Need multi-layered, strategic approach to protect PHI
(Protected Health Information):
• Policies and Procedures (PnP)
• Thorough implementation of PnP and safeguards
• Documentation
• Risk Analysis of likely threats to data
• Risk Assessment of compliance program
• Vendor (Business Associate) contracting and management
• Robust use of three “magic bullets”
17
© 2014 Privacy Analytics, Inc.
1) Destruction per HHS guidance
2) Encryption per HHS guidance
3) De-Identification per HIPAA standard
HIPAA/HITECH Breach Reporting
18
Three “Magic Bullets”:
© 2014 Privacy Analytics, Inc.
How to De-Identify: Two Methods Under HIPAA
19
See HHS Guidance Regarding Methods for De-identification of Protected Health Information in
Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
© 2014 Privacy Analytics, Inc.
• Once PHI is de-identified, it is no longer PHI and escapes
HIPAA
• HHS has no jurisdiction
• No breach issues
De-Identification Implications
20
Legal and Reputational Risk Management
© 2014 Privacy Analytics, Inc.
Supposed ease of re-identification:
� Increasingly believed by the media, advocates, and the public
� “There’s no such thing as de-identified data”
Re-identification risks are greatly exaggerated:
� Of the known “successful” re-identification attacks, most
were not on healthcare data at all (e.g. movie ratings, internet
searches)
� Most done by researchers
� Of the health care ones, most were not HIPAA de-identified
» A recent hospital discharge set attack did not involve HIPAA de-
identified data
» The only confirmed HIPAA de-identified data attack (ONC study) still
had a re-identification rate that was very small (2/15,000)
De-Identification Controversies
21
© 2014 Privacy Analytics, Inc.
New Challenge to Data Fluidity
• A HIPAA Covered Entity or Business Associate must now get
an authorization from each individual in a data set for any
sale of PHI
• Even if the disclosure is otherwise permitted by law
• The authorization must state that the disclosure will result in
remuneration to the Covered Entity
• Ban on sale applies even to Limited Data Sets (partially masked PHI
that retains zip codes and dates)
22
HITECH Ban on the Sale of PHI
© 2014 Privacy Analytics, Inc.
Ban on the Sale of PHI
Exceptions• Research– BUT exception is narrow.
• Research remuneration is limited to the direct and indirect costs
of preparing and transmitting the PHI (cannot include profit)
• For public health
• For treatment or payment
• Other exceptions - sale of a Covered Entity, patient access, as required
by law
Consequences of Ban on Sale of PHI
• Many predict unintended harmful consequences to research and
analytics – unrealistic to expect big data transfers without dollars
changing hands
• Will it drive need for de-identified data?
© 2014 Privacy Analytics, Inc.
Section Takeaways
� Just because there ’s more data
doesn’t mean there should be a
revenue stream ...
� What’s the relationship between
my corporate values and my
desire to monetize data ...
� If there is a relationship, what are
the dimensions of the data I want
to share and with whom ...
� As I build a business case, what is
the context for data’s sale and will
it be used ...
� And what’s the role of internal
and external stakeholders in the
decision to monetize data ...
� Better call a lawyer ...
The Business of Data
24
Preparing for the Best
vs. the Worst
� Higher public sensitivity around
data sharing and lower trust in
data custodians requires a
proactive and transparent
approach to data stewardship …
� Researchers, industry and public
health professionals are making
stronger demands to access
linked data and de-identified
data, requiring more investments
to facilitate secondary uses and
disclosures ...
© 2014 Privacy Analytics, Inc.
1. The Conditions for Monetization
2. Opportunities vs. Risk
3. What are the Legal Implications
4. Risk Assessment for Monetization
5. Its Application to a Case Study
6. Summary - Key Take Aways
7. Question and Answer
Agenda
© 2014 Privacy Analytics, Inc.
Today’s Presenter
Dr. Khaled El Emam, CEO and founder of
Privacy Analytics, Inc.
© 2014 Privacy Analytics, Inc.
Quick Review: Identifiability Spectrum
Range of Operational Precedents
Re-identification risk thresholds are established precedents used by leading
research organizations depending on how they assess the risk of disclosure. As
such, they use a wide variety of operational precedents to trigger the application of
anonymization techniques. What we’ve done is captured and automated them.
Little De-identification Significant De-identification
5
20
3
2
10
811
16
© 2014 Privacy Analytics, Inc.
Measuring Re-identification Risk
28
© 2014 Privacy Analytics, Inc.
Post-marketing and Public Health Surveillance
Challenges:
• Significant size and complex data set. Held
more than five years of clinical, prescription,
laboratory, scheduling and billing data of
patients
• Data from 2,664 clinics and 5,850 physicians
• Data complexity: 820 columns/73 tables
Case Study: EMR Software Vendor
Analytic Outcomes:
De-identified data to analyze:
• Post-marketing surveillance of adverse events
• Public health surveillance
• Prescription pattern analysis
• Health services analysis
� Wanted to anonymize
data on 535,595
patients from general
practices
� Longitudinal data
needed to be used for
on-going and on-
demand analytics
29
© 2014 Privacy Analytics, Inc.
Assessing Mitigating Controls
Applying industry best practices to secondary
use and anonymization
Establishing standard industry wide practices
for data sharing internally and externally
Automating the evaluation of complex rules
and regulations for data sharing
• Recognized industry best practices
and conventions for access controls,
data protection and accountability
from organizations that include:• ISO
• U.S. and Canadian government / privacy commissioner data protection guidelines
• American Institute of Certified Public Accountants, Inc., and Canadian Institute of Chartered Accountants
© 2014 Privacy Analytics, Inc.
Assessing Motives and Capacity
Auditability of underlying data sharing practices
Transparent and defined approaches for sharing
data for secondary use
Skills audit of potential data sharing partners to
assess expertise
• Evaluates the intent and use of the
requested data based on historical
use and partnership with the data
custodian
• Determines the relative skills of the
data requester, their basic database
and statistical expertise to re-
identify data
© 2014 Privacy Analytics, Inc.
Simulating Invasion of Privacy
� Gauge potential for harm for sharing
sensitivity data for secondary use
� Incorporate Privacy by Design best practices
around consent and data sharing
• Considers the sensitivity of the data
and the potential for harm to the
data subjects
• Assesses the potential number of
patients within a data set that would
be harmed in the event of breach
• Consider the authority, consent and
notice mechanisms that were in
place when the data was collected or
since then
© 2014 Privacy Analytics, Inc.
Applying Statistical De-identification
� Speed time to IRB or ethics board approvals
with detailed and auditable approach to data
sharing
� Automate the application of best practices to
anonymization and gain insight faster
• Ranks the level of mitigating controls that protect personal data
• Scores the data requesters motives and intentions for the data’s use
• Measures probability of re-identification
• Indicates the likelihood that the data set could be breached
• Provides a risk threshold that determines the level of anonymization to be applied
© 2014 Privacy Analytics, Inc.
Section Takeaways
� Just because there ’s more data
doesn’t mean there should be a
revenue stream ...
� What’s the relationship between
my corporate values and my
desire to monetize data ...
� If there is a relationship, what are
the dimensions of the data I want
to share and with whom ...
� As I build a business case, what is
the context for data’s sale and
how will it be used ...
� And what’s the role of internal
and external stakeholders in the
decision to monetize data ...
� Better call a lawyer ...
The Business of Data
34
Preparing for the Best
vs. the Worst
� Higher public sensitivity around
data sharing and lower trust in
data custodians requires a
proactive and transparent
approach to data stewardship …
� Researchers, industry and public
health professionals are making
stronger demands to access
linked data and de-identified
data, requiring more investments
to facilitate secondary uses and
disclosures ...
� Establishing an enterprise-wide
standard enables an auditable
approach, incorporating data
governance principles and best
practices ...
� Anonymization is a contextual
conversation. It requires
modulating the degree of
anonymization based on each
situation ...
� Responsible data sharing needs
hinge on standard practices,
transparent approaches to the
assessment and mitigation of risk
and use of anonymization
practices
� In short, monetization, but
monetization conducted in a
responsible manner
Transparency Works
© 2014 Privacy Analytics, Inc.
Summary: Balancing Privacy with Data Utility
Data Quality1 Analytic Granularity2 Depth of Insight3
Ensuring de-identified
data has analytic
usefulness by minimizing
the amount of distortion
but still ensure that re-
identification risk is very
small
Allowing users to
configure the extent of
de-identification to match
the characteristics of the
analysis that is
anticipated
Enabling analysis of the
total patient health
experience, to compile a
complete picture of this
experience from multiple
data sources and types
The Analytic Benefits of a Risk Assessment Method
© 2014 Privacy Analytics, Inc.
Also, contact me to learn more at [email protected].
We can set up a personalized demo or have a discussion on your
current anonymization needs. Just drop me a line.
We’re giving away copies of our Risky Business Sharing Health Data While Protecting Privacy to the first 30 people that complete our survey:
Anonymization Survey:
• http://surveys.ronin.com/wix/p1834
200753.aspx?src=1
May 21-22, e-Health Initiative, Washington, D.C.
Final Thoughts