Understanding the Chains of Risk: Data and Products

Data has a chain of elements just as a product has a chain of materials. Both create value by combining their respective elements to benefit a person or institution. The end value of data is information; a manufactured product’s value tends to be more tangible, such as a pacemaker, antibiotics, or a car.

The information data produces is only as reliable as its elements. Similarly, a product is only as good as the skill with which it is designed and the materials and manufacturing processes used to create it.

Many manufacturers use robots programmed to perform tasks in a repetitive fashion with extreme accuracy. However, if the programming is wrong or a sensor is defective, the end quality of the product is likely to suffer—this is why quality control of the product is so important. For the same reason, we must have quality control of the data combined to enrich the data chain, so we can use the resulting information to make accurate decisions.

Consider the manufacture of a pacemaker, a device with two main parts—a pulse generator and leads. The pulse generator is powered by a battery and commanded by a computer. The computer has software, and in some cases, allows for wireless or wired communications with clinicians. The leads are implanted into the heart muscle, and the electrical current from the pulse generator causes the heart to contract. Information from the pacemaker is then manually or automatically sent to clinicians and reviewed to manage care and ensure optimal performance.

There is no doubt that pacemakers save lives, but what if the computer contains defective software or the wireless connectivity is not entirely secure? A bad actor could exploit these flaws to harm a patient. This is why end products require all materials (many times from third parties) to be properly designed, manufactured, and tested to a level of quality that delivers repeatable operation. If at any point in the supply chain the assembly of the pacemaker involves defective materials and this is not caught in testing, the end product will be at risk for not performing its job and not deliver on its value proposition.

Figure 1 Supply chain of a pacemaker

Just like the pacemaker, data has a supply chain of elements. When combined, these elements produce information that is valuable for decision-making. For example, a patient medical record contains data elements that, when combined, support healthcare decisions. The medical record starts with personally identifiable information, such as full name, and protected health information such as SSN and medical history. Data, often from third-party devices, is added to the data chain. For example, a healthcare provider may measure blood pressure and other vital signs with non-connected devices. The provider then inputs the data into an Electronic Medical Record (EMR) system, which adds it to the medical record.

Connected devices may also add data to the medical record data chain. For example, new connected devices can integrate the recording of a conversation between a healthcare provider and a patient; the device gathers symptoms, additional medical history, and other information, which the EMR system adds to the medical record. These additions to the chain enrich the information, but can also add risk if there are inaccuracies in the update to the EMR. Thus, in many cases, having a review of the data enriching the chain of the medical record is not only a good practice but should be required.

Figure 2 Data chain of a medical record

The integrations and connectivity used to enrich a product and optimize its creation can also sabotage it. The data integrity in the data chain or the material quality in the supply chain can make or break the performance of the end product. Whenever software is an element of a chain, the risk of sabotage can be unknown until years later, due to defects undiscovered until certain software features and functions are used.

Starting with the design process of the product, technology, security, and legal/compliance teams must scrutinize every part of the supply chain. By involving these teams upfront, security can be built into the product to mitigate likely risks. In particular, legal/compliance’s perspective on the ramifications of not moving forward with proposed changes can be very helpful in mitigating expensive and likely risks—helping protect the company’s financial stability. A risk-based assessment process for third parties that are providing parts and materials for the supply chain is also critically important, beginning with knowledge of every item’s source.
It is also important for the data chain to follow these similar concepts:

1. Include technology, security, and legal/compliance in the design process
2. Know where the data elements will originate so third-party service providers can be assessed using a risk-based approach
3. Require your third parties to perform assessments on their third parties to strengthen the data integrity of the data chain
4. Conduct periodic assessments of third parties

Thus, the elements that make up the data chain for information are very similar to the materials that make up the supply chain for a manufactured product, such as a pacemaker. Many of these elements and materials come from third parties. These third parties can affect the product’s end quality and the reputation of the manufacturer or the steward of the data. In summary, companies must take a risk-based approach to assessments, adapting methods to deal with risks that are continually changing. It is just as important to know the data elements in the data chain that make up a medical record’s information as it is to know the materials and software in the supply chain for a pacemaker.