Data protection has been in the news recently because of some notable failures. These problems emphasize the need to improve data protection and continually reassess the challenges.

Today specifically, the Electronic Health Records are needed to track the what and when of COVID 19 vaccine trials. What vaccine was given? When? Were there side effects? Long-term effects? Considering recent data breaches and the vulnerable nature of data storage, is our data system up to the challenge?

About 8 years ago one of my daughters was the subject of a data breach. She is a registered nurse, and part of the licensure process is completing a criminal background check: fingerprints, driver’s license, social security number, date of birth, etc. Quite an expansive list of data. Her information, and thousands of others was required to be housed at the Federal Office of Personnel Management, which then became the subject of a huge data breach.

My daughter’s experience got me concerned about data security including the data in our Electric Health Records (EHR). There’s a big push to have more and more patient-level data – including the EHR data – aggregated but we don’t ever seem to talk about securing that data in a meaningful way. Government-required data asks that purveyors of data “protect” it, but without establishing any standards or enforcement. Are you comfortable with your patient-level information – even aggregated – put into a system with such vague protections?

The “Law of Requisite Variety” from systems theory essentially says that the complexity of a control system needs to be at least equal to that which is being controlled. Let’s apply this to data security issues and systems, which initially had some security features built-in.

We want to prevent the bad guys from getting into our data systems. As we made changes to these data systems, have we made equal or stronger changes to the security mechanisms? The answer is usually no. In addition, the bad guys have become more clever.

There is often a clash between software engineers who design systems to run as efficiently as possible and the need to build strong protections for the attacks that will surely occur once the bad guys know the data is a big pile for them to get all at once. This results in a big mismatch between where the security mechanisms are and where they need to be.

Recent news of a larger data breach of our federal government again raises the specter of data and its securitization. This new data breach involved the highest levels of our federal government.

We design systems at a given point in time but the security mechanisms do not evolve as the system grows and evolves. This has to change. We must constantly and vigilantly look at our data systems from a data security perspective. We must design these systems with a breech in mind, knowing they will targeted. This approach would mean we continually update security as new challenges are identified.

Now is the time we need data systems – urgently and safely. But the lack of appropriate and publicized protections may prevent or inhibit us from having them. If a breach were to occur, a three-year subscription to “LifeLock” isn’t going to cut it.

Our country needs to do a much better job of data protection by ensuring the relevant systems evolve the protections needed as attackers become more sophisticated and new vulnerabilities are identified. We must prioritize data securitization. We must anticipate attacks. It’s time to take more preventive actions upfront – NOW!