
CONFIDENTIALITY CLASSIFICATION
by Sid Adelman


Confidentiality classification provides the basis for the securing of data, and the access to that data. There are varying levels of confidentiality and security requirements. For example, hospitals and medical laboratories must keep strict control on data about certain results such as patients being HIV positive. The disclosure of such information can have profound effects on the patients' lives as well as compromising the integrity of the hospital.

The characteristics of the data would suggest a specific level of security. These characteristics would be defined through a process of risk and exposure analysis. If data in a system were highly confidential, it might get a "Registered Confidential" designation that would limit access to a very select set of personnel on a need-to-know basis.

A key component is user sensitivity to confidentiality: users need to understand why the data should be kept confidential. With this understanding, there is more of a chance they will comprehend and adhere to security standards. The classification process should make employees more sensitive to confidentiality requirements, especially when they are involved in the classification. The decision to classify particular information must be made by its originator according to a well-defined set of guidelines. This decision is to be based on the specific content and value of such information.

The identification of the data that is sensitive to contamination, improper access or destruction enables IT and the user departments to implement the appropriate internal controls to help ensure the integrity of this data. Classification will also aid both internal and external auditors in their process of determining if data is adequately protected.

The classification supports a methodology that approaches a cost-benefit analysis for determining where money should be spent to secure the data that most needs securing. It is both a prioritization capability and a means to justify expense for confidentiality.

The following are a set of Confidentiality Categories:

  1. Registered Confidential
  2. Organization Confidential
  3. Organization Internal
  4. Unclassified/Public

1. Registered Confidential - This information is very sensitive. It is not to be disclosed outside of the organization and is only to be given to those with a need to know. Disclosure, oral or otherwise, requires the prior authorization of the originator. Each page of every document in this category will be numbered, using control numbers, and labeled "Organization Registered Confidential - Do Not Copy".

Exposure could result in exposing significant future plans (e.g. plans to lay off 2000 employees, plans to outsource pharmacy, or plans to purchase or merge with another health care plan).

Exposure could result in loss of prestige or status for the enterprise (e.g. disclosure of sensitive financial information or executive payroll that might appear in the press).

Exposure could result in loss of very significant assets (e.g. money).

Exposure could result in loss of major business revenues (e.g. loss of employer groups or members as a result of loss of confidence or providing a competitor with some material advantage).

2. Organization Confidential - This is sensitive information. Disclosure might result in embarrassment, financial loss or other injury to the organization. The information in Organization Confidential is not to be disclosed outside of the organization and is only to be given to those with a need to know. Recipients may disclose the information to their fellow employees and selected providers with a need to know.

Exposure could result in embarrassment to the enterprise.

Exposure could result in loss of prestige or status for the organization.

Exposure could result in loss of significant assets (e.g. money).

Exposure could result in loss of business revenues (e.g. employer group or member confidence or providing a competitor with some material advantage).

3. Organization Internal Use - The information is not to be disclosed outside of the organization. It is intended for internal use only and for purposes related to the endeavors of the organization. Examples of this type of information include: protocols, internal telephone directories and internal guidelines and procedures.

Exposure could result in minor embarrassment to the enterprise.

Exposure could result in minor loss of prestige or status for the organization (e.g. disclosure of privileged parking information that might appear in the press).

Exposure could result in a small loss of assets (e.g. money).

Exposure could result in a small loss of business revenues (e.g. employer group or member confidence or providing a competitor with a minor advantage).

Exposure could result in, at most, little loss to the enterprise, but the exposure still involves data that is not in the public domain.

4. Unclassified/Public - This information is not classified and is available to the public.

No additional exposure could accrue to the enterprise since all data is in the public domain and known to be used by the enterprise (e.g. demographic data from a public authority).

Responsibilities

The Owner is the creator of information and is responsible for classifying and labeling the information according to well-defined guidelines in compliance with the organization's and department's directives. For example, the Laboratory Director would be responsible for lab data; the Pharmacy Director would be responsible for all pharmacy data.

Managers are responsible for ensuring the accuracy of classification decisions for information originating in their organizations and must ensure that all originators, owners, and recipients of information in their organization understand the information security classification process, properly label classified information, and apply the appropriate classification controls.

Confidentiality Classification Process

  1. Identify the data that may have confidentiality exposure
  2. Categorize the data according to the Confidentiality Categories
  3. Determine the cost of securing the asset
  4. Cost-benefit analysis
  5. Prioritize

Associated Tasks

  1. Identify the owners of the data
  2. Identify who maintains the owner list

Data in relation to Confidentiality

Data Categorization

External

--Insurance Company
--Vendor
--Suppliers
--Providers

Internal

--Membership
--Clinical
--Laboratory
--Pharmacy
--Providers
--Employees
--Administrative staff
--Supplies
--Facilities

Alternate Data Categorization

--Location
--Sensitivity of data to security violations
--Vulnerability - How easily can the data be incorrectly refreshed or loaded

Importance

Confidentiality is also related to the operations users may perform. The operations each user may be allowed to perform:

--Unconstrained access to all of the data, read only
--Access to summary data but not detailed data
--Constrained read access
--The user has no access or update capability

Cost/Benefit categorization of data - What is the data worth? Don't spend $1 to secure information worth 50 cents.

