I attended Elaine Sedenberg’s talk, “Responsible and Privacy-Preserving Cybersecurity Information Sharing Using Public Health as a Model.” This talk was part of the Security/Privacy Track at the 2016 Grace Hopper Celebration. Elaine is a doctoral candidate at UC Berkeley.
At Jefferson I work with PHI and was interested to see how that experience might help with cybersecurity. In the opening keynote, Dr. Latanya Sweeney spoke about her experiment using released public health records and voter registration data to re-identify a de-identified patient. Ultimately her work contributed to HIPAA, which defines what is private data and how it can be shared. What can be learned from HIPAA and applied to cybersecurity in general?
When cybersecurity first emerged, a lot of information was available and there weren’t many rules for what to share, with whom, or how. The Cybersecurity Information Sharing Act (CISA) provided guidelines.
Ultimately, I’m quite glad I made it to this talk. I thought it would be more technical, but it turned out to be about policy. I liked having the history and state of data-sharing explained. To boil it down, Sedenberg tells us that in protecting public health, we learned to:
- begin with goals
- emphasize data minimization
- coordinate activities
- foster voluntary sharing
- aim to maximize the data that can be shared responsibly
General cyberdata is similar to health data because its protection is a public good and not all data is generated or controlled by the government. Companies and organizations that collect this data need to be incentivized to share it and share it responsibly.