Privacy Risks in the Digital Health Era

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The move to digital healthcare is advancing innovative uses for health information that also introduce unforeseen risks to patient privacy. Federal and state regulations are playing catchup to stem the tide of privacy breaches and harm to patients as information disseminates across disparate healthcare systems and platforms.

In this episode of The CyberPHIx, Meditology ITRM Partner Brian Selfridge sits down with First Health Advisory CEO Carter Groome to discuss trends in privacy controls, regulations, third-party privacy risks, and more.

Highlights of the discussion include:

  • New federal interoperability rules that are promoting the “unleashing of data” for care, treatment, and research
  • Congressional activities and proposed privacy bills
  • State privacy regulations including California’s CCPA regulation, Utah’s privacy regulations, and more state movement on privacy requirements
  • Third-party privacy risks and audit models
  • Google and Amazon’s movement into the healthcare arena and privacy impacts for large-scale healthcare data sets

Carter’s organization focuses on organizational assets and data and on building risk management programs for government and commercial healthcare delivery organizations. Carter's leadership background includes roles in provider, HIT product, and management consulting organizations. As an AEHIS Board Member, Carter is also active in public policy, congressional activities, and health-specific privacy and security legislation that may impact providers and consumers alike.


Brian Selfridge: [00:00:16] Hello and welcome to CyberPHIx, the audio resource for information security, privacy, and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from thought leaders in healthcare information security and privacy. Today, we'll be speaking with Carter Groome, who is the CEO of First Health Advisors and a board member for AEHIS. Carter and I will be talking through some of the trends in privacy regulations, breaches, and third-party privacy considerations. Before we get to our interview, I want to let you know about some exciting new educational and information resources we here at Meditology and the CyberPHIx team have created this year. We're launching a new podcast chapter this month called The CyberPHIx Roundup, where we bring information and brief summaries of news items, trends, and some of the leading best practices from some of the clients and customers that we work with on tackling the industry's toughest cybersecurity and privacy challenges. We will be releasing those every few weeks, so you can keep on top of the latest events and best practices. We've also just launched our new Meditology Services Resource Center. The new platform serves as a knowledge hub to share the vision and pragmatic implementation approaches for addressing healthcare's constantly evolving business and threat landscape challenges from the country's top providers, payers, regulators, and business associates. The Resource Center is accessible by going to Meditology's website at and clicking on the Resource Center location. OK, so let's get to our interview with Carter on privacy risks. 

Brian Selfridge: [00:01:56] Hello and welcome to CyberPHIx. This is Brian Selfridge, your host. I would like to welcome my guest, Carter Groome. Carter is the CEO of First Health Advisory, which focuses on organizational assets and data and building risk management programs for government and commercial healthcare delivery organizations. Carter's leadership background includes roles in Provider, HIT product, and management consulting organizations. Also as an AEHIS board member, Carter is active in public policy, congressional activities and health-specific privacy and security legislation that may impact providers and consumers alike. I'm excited to speak to Carter today about trends and privacy controls, regulations, third-party privacy risks, and more. Carter, thanks so much for joining us, and welcome to the CyberPHIx. 

Carter Groome: [00:02:40] Yeah, thank you, Brian. Great to be here. 

Brian Selfridge: [00:02:43] So let's talk privacy, Carter. I'm always used to talking so much about security. I feel like privacy gets left behind more than it should. So I'm excited to see what 2020 and beyond has to offer us. There seems to be a big push late last year into this year from the Department of Health and Human Services around promoting interoperability for electronic health records, digital patient information, in between systems, across platforms. A lot of really good, exciting stuff. Could you give us a little high-level overview of what are those new interoperability rules all about and what are they designed to do? 

Carter Groome: [00:03:19] Yeah, I mean, certainly the word interoperability has been around for a while. It's been kind of a buzzy thing. But I think 2020 is the year where, you know, things are really going to happen in this space. And there are two proposed interoperability rules that were born from the 21st Century Cures Act. I look at them as companion rules that we're awaiting the final versions of really any day now, but one is from ONC and one is from CMS. With the idea of promoting seamless exchange of patient data, you know, there are payer-side considerations. You think about API standards, are they going to go with FHIR? There are provider-side considerations for this, when you think about event notifications and admit, discharge, and transfer. And really kind of the promotion of this; the billboard really says that the rules are designed to increase efficiency and transparency. Now, that's pretty broad, but if you boil that down, there are two key areas: information blocking and really expanding how patients access their healthcare information. And I view it as kind of using more of a stick to promote compliance through OCR fines or withholding Medicare payments. But that said, the foundational goal of promoting interoperability is a net positive for healthcare and population health and outcomes and all the things that we talk about in this field. However, I feel a more deliberate approach would better serve providers and consumers versus, you know, I guess the market as a whole or really what they call the innovators out there in the marketplace. 

Brian Selfridge: [00:05:20] I saw the Health and Human Services language talks about unleashing data for researchers and innovators, and that term unleashing just scared the daylights out of me from the privacy and security perspective. Am I overreacting to this, or does that sort of raise the little hairs on the back of the neck for you as well or your customers? 

Carter Groome: [00:05:43] I'm in that camp as well. Absolutely, it raises concerns. And, you know, these rules are kind of marketed as all about the patient. And I do agree that data can be used in innovative ways to do innovative things, as we move into this era of consumerization in healthcare. The challenge, as I see it, is that all this data that gets mixed, this healthcare data that gets mixed in with consumer data, the lines start to get blurred a little bit between what should be protected and what's fair game for any company, whether it be Google or Amazon or Microsoft or you name it. And so when this information goes out to third-parties, you know, you think about those companies and they're not regulated. I think there's going to be a lot of questions around how that information is being used and how it impacts the individuals whose data can ultimately be re-identified. I mean, we're thinking about HIPAA rules that were created 20 years ago and the technology is there to re-identify that data. That's a concern. And I'd say I'm definitely a privacy advocate through the work that we do. So my personal scale tips a little bit more towards a GDPR CCPA like policy because I worry that self-regulation and voluntary codes of conduct will ultimately not be enough. And I think the question is really what's the right balance between availability and confidentiality? And are all the stakeholders being heard through this process? 

Brian Selfridge: [00:07:36] So tell us a little bit about GDPR and CCPA. What did they look like from a privacy perspective? Are they the same? Are they headed in the right direction, just from your perspective, do they seem to have the right provisions or not? 

Carter Groome: [00:07:50] CCPA just went into effect this year. You know, it's going to be enforced more towards the middle of 2020. And I think, you know, there are probably 25 states now that have either done something or, you know, will most likely do something in this year. I think about Washington State. They're working on a pretty ambitious privacy law that didn't pass last year, but with some revisions, it probably will this year. Nevada passed a kind of CCPA lite version. New York went even bigger than California, in my mind, with a bill that, you know, kind of made companies data fiduciaries. And so they're even more obligated to protect the privacy of that information than even CCPA. And so all of these are kind of, you know, a GDPR offset. And the challenge, maybe we'll talk about this later, is if you're going to have all of these states have different interpretations of the law, and the federal side is not doing anything or putting out any, you know, laws above all of that, you know, who's going to be in the right? That's what I am concerned about. 

Brian Selfridge: [00:09:15] You bring up a great point. What have you seen on the federal side? Usually, it's you know, the federal, the US sort of catches up to states regs. And in this case, the international communities are leading some of the way with GDPR. But there have been murmurs and proposed bills coming through Congress. What's that? The Health Bill was one that put HHS and OCR a little bit more front and center with respect to privacy. What have you seen out there on the congressional side? Do you think any of that is going to stick? What do those bills look like? 

Carter Groome: [00:09:49] I think a lot of people thought 2019 was going to be the year where we saw, you know, some action. And certainly, we were hoping that would be spurred by GDPR. But, you know, there was really kind of a big dud in '19. Now I'm wanting to be optimistic about 2020. You mentioned the health bill, and that addresses technologies that just simply weren't around when HIPAA became law. And you think about just wearable tech, cloud-based science, genetic testing companies. You know, it really tries to address the gaps to strengthen privacy around using data for marketing purposes. I think that's a real positive development. And it would also direct OCR to take into account what organizations are doing to better their hygiene. And so if they're adopting NIST as a framework or, you know, 405(d) practices, for example. Maybe there's some level of safe harbor when OCR comes in or, you know, knocks on the door. 

[00:10:59] Some of the others that I'm certainly tracking are the LIFT Act. So that's out of Energy and Commerce. And, you know, it's part of a larger infrastructure bill that had trouble getting funded this year. But it's still out there. And there's a carve-out in that act that provides 2 billion dollars over the course of five years for hospital infrastructure, promotion of security, and certainly, privacy is a part of that and, you know, even things like replacing outdated devices. And so this would be a huge boost for security where budgets are really tight. And organizations that, I see, are making risk deferment decisions every day. The last one that we're tracking is TEFCA, and that's the trusted exchange framework. And there is a coordinating entity called Sequoia, the Sequoia Project, that's developing the common agreement to enable, you know, EHI, Electronic Health Information, exchange across, you know, HIEs, across health plans, providers. And it works to kind of embed standards in that exchange. And so you think about state-based exchanges, well those states have never in the past exchanged information interstate. And I give an example of opioid use. And the problem that we've had with that is that states haven't been able to share information across borders, and so something like TEFCA would allow for that to happen. So I see this as a real positive. I want to be optimistic about these activities. They just haven't materialized yet. 

Brian Selfridge: [00:12:49] So here comes our chance to look into the future and figure out when some of this is going to hit. So more specifically, a lot of times my clients and constituents will ask me, you know, when do you think the regulatory enforcement, in particular, is going to happen? You know, if it's GDPR, obviously that's got its own timetable and process. But a lot of healthcare organizations don't have GDPR in scope or manage data relevant for EU citizens and members and those types of things. But California, obviously, you know, if you're going to be in one of your state laws, is applicable, and that timing jumps right in. But for the federal side, if you had a guess at it, and I know that's not a fair question, I'm going to put it to you anyway. You know, when do you think should we start building processes, security officers, privacy officers, start building processes now to anticipate some of these controls and enforcement or just play the wait and see the game and then jump on it when it becomes real? 

Carter Groome: [00:13:48] Yeah, great question. I live in Washington, D.C., and so I kind of get a chance. And then the work we do on the federal side, get a chance to see how things happen, how decisions are made. But I believe it's a little early to say it's a lost cause. I've heard and read, you know, that is maybe, at this point, but, you know, doing kind of the downstream impacts, whether they're positive or negative, from these new state-based laws, is a little early as well. And so maybe at the federal level, they want to learn from some of those lessons and bake that into a broader policy. You know, nonetheless, if I'm a CISO or a chief privacy officer, that fuzziness of, you know, what's going to happen would be enough to scare me. And we advise our clients, listen, let's start paying attention now. Even if you're not in California or Nevada or New York or Utah, where some of these things are already on the books. You know, if you're forced to send your data to non-covered entities and OCR is telegraphing that they're going to play pretty hard in this space, you know, you might want to make sure that your security and privacy standards or safeguards are up to date, because I just, even if there's a breach of that information that you put out there and you're not necessarily in legal harm's way because you've got, you know, safe harbor, there's a reputational impact that may come with that. 

Carter Groome: [00:15:33] Because that organization might say, well, they sent us the data, you know, and we did everything we could and whatever the answer is. If that healthcare organization created the information and sent it out, it could somehow come back to bite it. I just worry about that. And I don't think about it at the federal level, though. You know, the FTC, they're going to get involved in this game too. And they think about, you know, unfair methods of competition, as it relates to third-party apps and also possibly with the EHRs. You know, is there a monopoly on the information, and is there an unfair competitive advantage as it relates to that? So these are all things that we're watching. But as a CISO and a chief privacy officer, we are highly encouraging those individuals to start paying attention, looking at policy and, you know, adopting this forward stance as possible. 

Brian Selfridge: [00:16:31] So for organizations that believe that it is the right timing to take action and to be proactive about privacy regulations or just privacy controls for the use cases you mentioned of sharing information with third-parties and all of that, things that can happen when that goes wrong. What processes or first steps would you see organizations taking apart perhaps from just putting some updated policies, paper policies on the books? Are there steps that folks can do to start auditing their third parties for privacy or what do we do? 

Carter Groome: [00:17:09] There are, you know, if you think about on the security side, you know, I'm starting to see a lot more activity around SOC 2 Type 2, HITRUST, adopting NIST. On the privacy side, there's an organization I'm aware of called Externsha. They've created some standards for data transfers whereby perhaps an EHR that's going to connect with those third-parties would, you know, kind of certify them. The EHR wouldn't certify, but they'd say, listen, you need to be Externsha certified, or even health systems might be considering that with their business associates. One of the things that, you know, we have organizations do is look at accounts payable and understand, get an inventory of everybody that you work with. I mean, if you've made payments to some third-party out there, well, could there be data associated with that? And then taking that and building out kind of a mapping of where your data is and ultimately classifying the risk around that data is a good place to start. And these are pretty straightforward common approaches. But I'm surprised every day at organizations that are still just trying to get their arms around basic security blocking and tackling. And as a result, they haven't even addressed privacy. 

Brian Selfridge: [00:18:38] Have you noticed at organizations that you work with whether or not they have their inventories of third-parties together, the whole business associate agreement angle, where OCR has been upfront saying organizations need to have their BAA inventory together and need to make sure they know who they're doing business with? Have you seen organizations really having a handle on that or not so much? OCR has been vocal about it, which usually means there are gaps. But I'm curious if you've seen that as well. 

Carter Groome: [00:19:08] You know, there are gaps. And, you know, we used to kind of walk in with assumptions that everybody has their ship in order, as it relates to BAAs. And, you know, we've often found the opposite. And so it does become a project. And it's not just a simple task of putting that together and assessing the risk of those third parties. It's an ongoing program in my mind. But certainly, I'm seeing in the last year, organizations start to pay attention to that much more than in years past. 

Brian Selfridge: [00:19:46] What do you think those audits would look like? I'm sure there are some organizations doing it. But what do you think the audits, the privacy audits, should look like for third parties? Is this something we team up with the security team because they've been doing security audits of their parties forever and they may have some processes? Is it the same stakeholder groups you're dealing with, even at the third-party vendor or not? I just wonder if there's any shell of what you think those audits should look like or how you go about conducting them efficiently. 

Carter Groome: [00:20:18] Yeah. It does get a little bit out of my swim lane. But, you know, audits are evolving for sure. And where it used to be, you know, within the walls of the privacy department that it is certainly extending, you know, to the security team, the I.T. team, the legal team, executive leadership, and as it should, to the workforce as a whole and gaining awareness around privacy practices. And then, you know, what we talked about before, knowing where your data resides is essential to classifying the risk. And, you know, creating controls around that information is a great place to start. And we've seen it really begin in AP departments and helping understand who you're doing business with is a good practice. 

Brian Selfridge: [00:21:20] So we lump all of our third parties into one bucket, perhaps at our peril. But there are some third parties that have special asterisks and get special attention. I'm thinking of the very large organizations, the Googles, the Amazons, the large electronic health record providers, or anybody that's amassing huge volumes of patient information across healthcare delivery organizations and payers and otherwise. I know there are some in the field that are getting really antsy about the privacy controls that big, big organizations put in place, particularly in situations like the Facebook Cambridge Analytica situation, where arguably there was quite some abuse of privacy protections there, to put it lightly. What are you seeing with some of the big organizations? Should we be looking at any of those in particular or as a group any differently than we do the rest of third parties from a privacy perspective?

Carter Groome: [00:22:22] You know, this gets into the real kind of scary stuff. I mentioned FTC and they're getting kind of more into the mix. And so organizations need to be paying close attention to what FTC is doing. But, you know, take Google and Ascension and Project Nightingale, for example. If you look at that as a bellwether, I don't necessarily think the Ascension patient base was too excited to learn, without their consent, about Project Nightingale. And so saying to the consumer, "Well, we have a BAA and your data is de-identified," is not necessarily going to, you know, build more trust with the consumers. And that information is now in the hands of Google or Amazon or Microsoft. And I think as consumers become more aware, I have faith that they will someday, but as they become more aware of what can be done with their data, there will be a reckoning or certainly more push back on providers to create partnerships like that, you know, with these large organizations or smaller. Look, this happens every day. We just heard about the Google one because it's such a big deal. But it happens with third-party applications every day. And navigating, you know, the hype and the marketing prowess around an organization like Google is hard enough for those that don't work in our space every day. So I think about how that message hits the layperson out there that found out that their information, without their consent, is now public domain. So I think organizations just need to think about that. The impact on trust and what it may mean to their organizations, if consumers start to get a little bit savvier, and they may choose a different organization as a result, feeling like their information is more protected. 

Brian Selfridge: [00:24:40] What are some of the use cases that these business associates, the big ones or the small ones, are using this data for beyond the sort of the immediate purpose of care and treatment? That has folks worried, like are they selling the data? Are they repurposing it? Do you have a sense of how, I know it's a broad question, but how some of these organizations are reusing the data? 

Carter Groome: [00:25:04] The stories that you hear now are really about whether they can bring that information together to market specific products back to you. I mean, that's kind of what you hear more than anything. So, you know, could they take the information on a specific segment of the population, put it together with a zip code or, you know, an area code or your phone number and say, gosh, you know, this particular population, as you know, I think they're more susceptible to X disease. And as a result, I'm going to, perhaps, sell or trade or share this information with an organization that's interested in that data. And that information can then be, you know, sort of used in a marketing type purpose. That's what I hear about more than anything else. I mean, we've all heard the story of oh, your insurance company might get information on you being a smoker or having a pre-disposed disease or something like that. And then they could make determinations. I don't see as much of that as I do around the marketing side of this and how it could impact, you know, those types of things. 

Brian Selfridge: [00:26:21] Is there anything we can learn from privacy breaches that have occurred like the Facebook, Cambridge Analytica or I was sort of spooked by this other Facebook issue, where they said, "We accidentally turned on the cameras to watch your eyes, to see what you're scrolling through and actually paying attention to," which just pushed it over the top for me like that is beyond the privacy acceptable limits for me. You can actually watch my face, so you could figure out which stuff I'm going to buy. But is there anything we can learn from how those have played out and the industry and public's reaction to that, that you think we might apply to healthcare and these projects like Project Nightingale and Google and the rest? Or is it still so new that we just don't even know what to do yet as consumers? 

Carter Groome: [00:27:10] I think that healthcare can learn from some of these challenges and breaches. And, you know, I think about something like Cambridge Analytica and Facebook. And, you know, the problem is that if you start to lose trust in an organization protecting your information, or using it with only good intent or not, the industry of healthcare is going to face a really kind of big reckoning, if consumers lose their trust and confidence in what they do with their information. And so in some ways, it could become a competitive advantage for organizations that are better fiduciaries of that data. It's a little bit early to see, but I do believe there are some lessons learned in that. And I think some think maybe it's too late. I don't necessarily believe that, but it's something to consider, learning from other industries and how to apply it in healthcare. 

Brian Selfridge: [00:28:32] What are some measures you think that consumers can take today if they do get spooked and worried about their data being shared or mis-shared or misused at their local healthcare organization? Let's say they only have one hospital in the area. They're going to go there either way. Be nice to say, you know, I'm not going to go to the emergency room when I need it, but it's not always an option. What can consumers do today? Like Facebook, ok, I can delete my Facebook account or stop using it, ok that's easy. Is there some communication or can they make their voice heard somewhere? What do you recommend? 

Carter Groome: [00:29:08] I can say with laws like CCPA coming out, and as you see how they're enforced and certainly there are some HIPAA carve-outs there. But you know, how those laws are interpreted are going to determine how consumers, you know, in the healthcare setting can take advantage of their information but also, have influence in how it's protected. And so I think it's a little bit early for the consumer to have some power to create change. But it's a possibility if the broader, you know, as a country and if at the federal level, we go towards a GDPR type model. The flip side of it is your data is just going to be everywhere, and you need to live with it and figure out how to get through that as best you can. 

Brian Selfridge: [00:30:09] Are there any other trends that you've seen in privacy heading into, you know, with the front end of the year here, that you think should be on the radars of our, not only our privacy officers but security officers or a lot of our listeners are in the security space as well. Any other trends you're seeing coming up that we should start preparing for that we haven't covered here today? 

Carter Groome: [00:30:30] Well, I think, you know, going back to the beginning of our discussion, Brian. Tracking those final rules that are going to come out of ONC and CMS is going to be huge in terms of where we're headed. And certainly, you know, from an administration to administration as that changes, you know, there are different viewpoints on that. But those are the two biggest things that we are tracking and sharing with our client base, you know, as we prepare for what's to come. Beyond that, to kind of develop strategy might be a little bit more premature because it could change at a moment's notice. 

Brian Selfridge: [00:31:20] Carter, thank you so much for taking the time to join us today. This has been a fantastic discussion on the trends of information privacy in some of the breach events and areas that organizations need to start looking at. I think we've got a long way to go on this, and perhaps we'll have to come back again and see how it all plays out sometime down the line. 

Carter Groome: [00:31:38] Yeah. Thank you so much, Brian, and thanks for having me on CyberPHIx. 

Brian Selfridge: [00:31:50] Again, I would like to thank our guest, Carter Groome, who is the CEO of First Health Advisors, for an enlightening conversation about privacy trends this year. As always, we'd like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you would like to hear about or thought leader you'd like to hear from. Our e-mail address is [email protected]. That's CYBERPHIX Thanks again for joining us for this episode of CyberPHIx, and we look forward to having you join us for the next session coming up soon. And don't forget to check out those CyberPHIx roundups we have coming up as well in the coming weeks. Thanks so much and have a great day.