Frank Baitman

@frankbaitman

Talking Points
A Conversation:
Risks vs. Rewards in the Sharing of Personal Information

Incentives
It is in the publics interest, and for their benefit, that the government makes available its
large collections of data to individuals and
organizations. Opening up data to external
users exposes it to new systems and cultures
that are well-suited to interpret the data and
make it useful to more people and for multiple
new purposes.

seemingly isolated data points from which it

originated, potentially compromising individuals privacy interests. With more information
accessible, seemingly useless or benign pieces of information may, in combination with
others, become quite significant.

structured agreements, and put some limits on

the use of the data it supplies.

Stakeholder and Public Engagement

A distinct part of the due diligence in information sharing is to engage stakeholders within and outside of your organization. Although
Once data is made available to a wider audithe overall public health and welfare may be
ence, it can be combined with other data sets the goal of a big data project, it is important
and de-anonymize the individuals involved.
that the individual has a say in the use of their
Government agencies are best positioned as a Allowing more access to information decreases information and an understanding of any risks
major source of information and data and pri- the ability to control its use and when data
involved in the secondary uses of their information.
access relies on large communities of particivate sector actors are well equipped to anapants, there is a greater chance of competing If an individual understands the outcome and
lyze, develop, and adapt information to add
risks, they are better engaged in his/her health,
value. However, government agencies are not interests (economic and social). With an exand perhaps as important are engaged in the
panded
audience
there
are
more
possibilities
always the best equipped to make the most of
privacy and security of their data.
for
malicious
actors
to
access
and
exploit
the
the data they acquire, due to fixed resources
open
data/shared
data
platform.
Such
large
and finances, so allowing private sector access
Likewise, there are stakeholders that may not
can improve innovation and increase the value data sets inherently make themselves targets work within the healthcare field, but may have
for those who exploit PII/PHI.
of combined public and private data sets.
solutions on how to best mitigate risks in a big
data or information sharing program. Although
Due Diligence/Documentation
Private sector actors can interpret and reuse
the rules and sensitivities may differ for varying
data, republishing it in a more profitable/useful The size and nature of the federal government
sectors of information, it doesnt mean that
form, making it more available and consuma- gives it the ability to reach a wide audience
potential solutions should be siloed among
ble than it would have been without the inand, given its vast responsibilities to provide
those sectors.
volvement of the private sector. The availability various services to the community, it needs to
of a centralized source of information also
have the resources to develop tools in a com- Overall Context of Risk Models
provides a substantial benefit to the private
mercially reasonable way.
In order for the government to derive value
sector. The government has already done
from opening up their data sets to the public,
Partnering with private sector organizations
most of the work: gathering, categorizing, and
they need to insure that the data they provide
gives the federal government the potential to
modeling the datasets. All that is required is for
meet communities needs and to foster innova- is meaningful/useful, i.e., the data would proindividuals, organizations, and companies to
vide some sort of quality that would incentivize
tion at the same time. However, in order for
access the data and use it to develop new
this partnership to operate effectively, the gov- the private sector to use the governmentproducts, services, etc.
ernment needs to ensure that some set of best provided data set over others. However, the
government does not want to compromise the
practices are followed so the identification of
Uncertainty
privacy and civil liberties of those about whom
high-valued
data
sets
are
well
protected.
Taking publicly available datasets, reanalyzing
it has gathered data. Creating valuable data,
and remodeling them in a way that makes
The business model behind these partnerships that has structure, meaning, context, etc., crethem more valuable for public and private sec- should ensure that the data be made available,
ates a value for the private sector, but a risk for
tor participants, has benefits as well as risks.
but that the rules protecting the quality of that the public sector. Once data is taken out of the
The government may take steps to reduce the data are stringent and effectively implemented.
secure environment and made available for
exposure of PII and PHI; however, it is impos- Developing roadmaps, rules, and processes
public consumption there is a greater potential
sible to anticipate all potential, future uses of
will help guide the selection of participants. In for exploitation, but there is also a greater
government datasets (malicious or otherwise). order to avoid any potentially adverse impacts
chance that it will be made accessible to those
And with uncertainty, comes risk.
from its private sector partnerships, it is imwho, under normal circumstances, may be
Aggregating information creates data sets that portant that the federal agencies exercise
limited in their ability to access such information.
some control over data access, implement
reveal a composite much greater than the

Creating an open environment has the potential to augment the quality and quantity of services the federal government may provide, with
the added benefit of possibly decreasing the
costs of development. While it is impossible to
protect against all possible future threats to the
use and exploitation of data, structuring partnerships and controlling the context of data
usage, is the best, though not infallible, way
that the government can avoid compromising
the security of the PII it is charged with protecting while also promoting an open data forum.

ing the best possible methods to keep information secure. Rather than looking to regulate,
encouraging collaboration among the public
and private sectors may enhance the sharing
of cyber threat and vulnerability information.

HHSs Big Data Programs

HHS has put into effect several open data

initiatives which utilize big data, leverage public
-private partnerships, and expand access and
resources to a wide variety of participants.
Most importantly, HHS has taken steps when
commencing and maintaining these initiatives
Identified Risks and Costs
to minimize the risk the Department is assumBackground
ing. Operational divisions have leveraged the
The majority of attacks on federal agencies
key resource they have: size. In the initiatives
relating to large collections of data focused on that follow, it is notable that HHS OpDivs asacquiring data and accessing servers/systems; sume the role of facilitator, bringing together
the majority of attacks targeted non-public or private, public, academic, and entrepreneurial
personal data. The anonymized datasets com- parties to collaboratively utilize the data collectprising data sharing efforts were not much of a ed and create cost-effective solutions to retarget. Attackers exploited vulnerabilities in
search questions and common problems.
security measures or in software. Where reHealthData.gov is a growing inventory of
peated attacks were seen, it was due the fact
publicly available data resources, easily
that the previously exploited vulnerability was
accessible at a centralized location. The
not addressed or fixed adequately, and monipurpose behind such a program is to make
toring or updating database controls had not
high value health data more accessible to
been completed. Agencies collaborating to
entrepreneurs, researchers, and policy makestablish risk analysis and mitigation strategies
ers with the ultimate goal of promoting better
can minimize the likelihood of privacy/
health outcomes/products/services. By makconfidentiality breaches. However, the mere
ing such key health-related data resources
fact that an aggregated dataset provides multiavailable, the government is targeting priple layers of information from different sources
vate-sector innovators and entrepreneurs
will inevitably make it a target of exploitation;
who may not otherwise have access to such
cross-cataloging data, using multiple sources,
vast amounts of data.
can facilitate the identification of patterns and
effective re-identification of subjects. Expanding
NIHs Big Data to Knowledge (BD2K)
access and combining datasets can produce
initiative centers around a conceptual frameidentifiable information; mitigation security conwork The Commons a digital environcerns and disclosure threats requires using reament that allows efficient storage, manipulason and imposing rules/restrictions for access.
tion, and sharing of digital research objects
from any domain. NIH sees The Commons
Stats
as a global biomedical research enterprise
The average cost per U.S. retail store that was
that supports and accelerates biomedical
the victim of a successful cybercrime/breach
research and interdisciplinary interactions
between 2013-2014 was $20.8 million. Finanand uses. The Commons forum members
cial institutions are utilizing big data solutions
are called the Consortium; in order to be in
to combat fraud and financial crimes; the softthe Consortium, the members agree to abide
ware/services will cost global financial instituby a set of rules and also to provide sertions $2.8 billion by 2016.
vices, application programming interfaces,
Legislative Reaction
all with the goal of making access to the
Given the numerous breaches experienced by
research objects, tools, and analysis of rethe private sector recently, there has been a
search objects easier and informative.
push for legislation to strengthen, regulate, and
CMSs Virtual Research Data Center is a
unify standards applicable to the U.S. cyber
virtual research environment that provides a
environment; however, reflexively adopting
secure way of accessing program data. It
regulations could have an adverse effect on
allows authorized users to directly access
innovation, to say nothing of the cost. It could
approved data files, download aggregated
also promote the wrong mindset with compareports/results, and conduct analysis within
nies and federal agencies worrying more about
CMSs secure environment.
complying with standards than about develop-

National Cancer Institutes Cancer Genomics Cloud pilot program is perhaps the
best example of a facilitator of big data sharing. This initiative investigates the possibility
of public cancer knowledge clouds or repositories that are co-located wand have
advanced computing resources; this enables
researchers to bring their analytic tools/
methods to data. In this way, the cloud program presents large amounts of collected
data to any interested researchers and innovators which is a much more effective method of disseminating information and reaching the appropriate audiences in the most
efficient way.
FDAs OpenFDA provides an open-source
application programming interface for FDAs
drug, device, and food data that creates
easy access to public data. It seeks to ensure the privacy/security of public FDA data,
but also to establish a new level of openness/accountability that could be used to
educate the public and spur innovation. FDA
sees this as a platform for the public to interact
with one another and with the FDA experts.
CDC BioSense 2.0 is a collaborative data
exchange system where users, who have
agreed to share health-related data, can
track health issues as they develop, allowing
this information to be shared with other public health agencies and jurisdictions. This
system collects and shares information with
a multitude of public and private sector entities and also has extensive privacy protections and confidentiality conditions that it
enforces with these authorized users. CDC
sees this initiative as a direct response to
the challenges some resource-strapped
state/local health departments face. This
system aims to contribute information for
public health situational awareness, improve
the ability for emergency services to detect
health threats, etc.
Network and Information Technology
Research and Development Programs
Big Data Senior Steering Group (BDSSG)
was formed to identify big data research and
development activities across the federal
government. Similar to many of the HHS big
data initiatives, it focuses on a coordinating
research and development efforts to increase the overall effectiveness and productivity of federal research and development
investments. By making information readily
available, researchers can avoid duplication,
leverage their strengths among a larger
audience, and increase the interoperability
of their systems by gaining access to other
researchers and developers.