#1 Empathy
Just as we develop fluency with organizational patterns, group behaviors, systems thinking and human error, develop fluency with security and privacy, and understand the connection to real people.
First: what information needs to be safeguarded? Personal info.
Second: who is supposed to be safeguarded? Techniques from UX design serve you well here: personas or roles. A nurse, a patient, a CEO, a sysadmin.
With the superpower of empathy, we can develop controls that are BOTH more effective and cheaper than what the regulations steer you towards.
Concrete application: illustrate with story about "Who's seen my stuff" feature.
For a few years I worked on CommonGround, which is a web app that patients use together with their psychiatrist and care team. It keeps records of each visit: how things are going, how symptoms are, how self-care is going, etc.
HIPAA privacy rules require covered entities to tell patients, on request, who their private information has been disclosed to. This is the sort of requirement that often gets muddled up in all kinds of technical excuse-making and finger pointing: analyzing which parties the law applies to, which kinds of disclosures have to be reported, what kind of exceptions are allowed for psychiatric notes. You can wrap this all up inside Terms of Service and pay a lawyer to tell you that everything is “compliant”.
Why does this rule exist? What's the risk, and how does it show up inside this particular system? What's the intention? Who is being protected? How can the system work without introducing lots of extra audit and log review? Who audits the auditors?
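One answer to "who audits the auditors?" is the patient. The sketch below, added here as an illustration and not code from CommonGround or from the talk, turns an ordinary access log into a patient-facing "who's seen my stuff" list and a per-staff count of accesses outside the assigned care team. The log format, the user and patient identifiers, the care-team table and the log lines themselves are all constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit lines (assumed format: ISO timestamp followed by
# key=value pairs). These are invented records, not data from any real system.
SAMPLE_LOG = """\
2023-04-02T09:14:05Z user=nurse.kim patient=P1001 action=view_visit
2023-04-02T09:20:11Z user=dr.alvarez patient=P1001 action=view_visit
2023-04-02T11:02:44Z user=nurse.kim patient=P1002 action=view_visit
2023-04-02T23:41:09Z user=nurse.kim patient=P2044 action=view_visit reason=emergency_coverage
2023-04-03T08:05:30Z user=sysadmin.lee patient=P1001 action=export_record
2023-04-03T08:07:02Z user=sysadmin.lee patient=P1002 action=view_visit
2023-04-03T08:07:40Z user=sysadmin.lee patient=P2044 action=view_visit
"""

# Assumed care-team assignments: patient id -> staff who normally treat them.
# Anyone else who reads the record is doing coverage, support, or something
# the patient deserves to hear about.
CARE_TEAM = {
    "P1001": {"nurse.kim", "dr.alvarez"},
    "P1002": {"nurse.kim", "dr.alvarez"},
    "P2044": {"dr.osei"},
}


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ev)
    return events


def whos_seen_my_stuff(events, care_team, patient_id):
    """Patient-facing view: every access to this patient's record, in log
    order, with a plain flag for accesses by someone outside the usual care
    team and whatever reason the accessor gave (if any)."""
    team = care_team.get(patient_id, set())
    return [
        {
            "when": ev["ts"].isoformat(),
            "who": ev["user"],
            "what": ev["action"],
            "on_care_team": ev["user"] in team,
            "reason": ev.get("reason", ""),
        }
        for ev in events
        if ev["patient"] == patient_id
    ]


def out_of_team_counts(events, care_team):
    """Per-user count of accesses to patients outside that user's care team.
    A single one may be legitimate emergency coverage; a user whose count
    keeps growing is exactly the small-scale pattern that a complaint-driven
    process never surfaces."""
    counts = Counter()
    for ev in events:
        if ev["user"] not in care_team.get(ev["patient"], set()):
            counts[ev["user"]] += 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for row in whos_seen_my_stuff(events, CARE_TEAM, "P1001"):
        print(row)
    print(out_of_team_counts(events, CARE_TEAM))
```

The design choice worth noticing: nothing here requires a new log or a new review process. The same records the system already keeps for compliance are reshaped so that the person with the strongest motive to notice an odd access, the patient, can see it, and the out-of-team tally gives staff a cheap signal to look at before a complaint arrives.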
Clinical staff with passwords often have access to a much larger group of patients than they normally work with, for emergency coverage. Same for doctors, prescribers, etc. Enforcement typically happens when there is a complaint. How can we detect small-scale abuse of power? When 100K records are stolen, that gets