HIPAA Isn't Enough: All Our Data is Health Data

Author: Mona Sobhani, PhD

UPDATE: see the full post on Medium here and my conversation with Charlie Warzel of the New York Times Privacy Project here.

I’ve been thinking for a while now that the definition of Personal Health Information (PHI) is outdated and I’ll explain why below.  Because of this fact, one of two things are true.  Either the federal law that protects PHI, HIPAA: (1) should apply to all types of personal data, including location, activity, and social), or (2) is no longer relevant, and broader personal data regulations are needed to encompass all data related to health.   

Screen Shot 2019-01-29 at 8.09.39 AM.png

To be clear, HIPAA is a wonderful legislation that protects patients.  Without HIPAA, a health plan could sell a patient’s data without the patient’s permission to, let’s say, an employer who could use it for company decisions, or to a bank who could use the information to deny a loan.  The problem with HIPAA is that it makes one huge assumption: that health status can only be inferred by the types of personal health data covered by HIPAA. 

In this era, though, can we confidently say which personal data is related to health and which is not?  Social determinants of health, such as poverty, education, gender, ethnicity, and employment account for ~60-80% of our health (1–3) – and all those types of information can be collected, or at least inferred, by the massive amounts of personal information that is now readily collected online.  Beyond social determinants of health, specific social network data and physical activity, sleep, and social interaction data correlates with, and can even predict, depression, suicide risk, and mental illness (4–8), as well as risky behavior that can lead to bad health outcomes (9).  The predictions are so strong that Facebook has a suicide prediction and intervention program (10).  If all of this personal data can help predict past, current and future health states, shouldn’t it also be protected?

Some may argue that, yes, with all this de-identified, aggregated data, we can predict health trends, but it’s all anonymous, so what’s the issue?  In fact, many companies and organizations have claimed that sharing de-identified data is not a privacy risk.  However, we now know that it can be rather easy to re-identify many different types of data.  For example, a recent study showed over 90% accuracy of re-identifying individuals from physical activity data and demographic data (11).  Re-identification has also been found to be possible using online search data (12), movie rating data (13) , social network data (14), genetic data (15), social network metadata (16), and wearable data (17).  A recent, and terrifying, New York Times article (18) shows how location data can be used to identify individuals, because it turns out there’s only one person who lives where you do, works where you do, and that has your exact daily routine. 

 Even if the definition of PHI were to change to include these other data, tech companies would probably still not be considered “covered entities” – even though they are the largest hoarders of our personal data.  With the current digital landscape, either HIPAA needs to be updated to cover all relevant data and entities, or maybe we need new regulatory frameworks.

 

REFERENCES

1.        O’Neill Hayes T, Delk R. Understanding the Social Determinants of Health.; 2018. https://www.americanactionforum.org/research/understanding-the-social-determinants-of-health/#_edn9.

2.        Racial and Ethnic Health Disparities What State Legislators Need to Know.; 2013. http://myhealthoutcomes. Accessed January 25, 2019.

3.        Magnan S. Social Determinants of Health 101 for Health Care: Five Plus Five. NAM Perspect. 2017;7(10). doi:10.31478/201710c.

4.        Eichstaedt JC, Smith RJ, Merchant RM, et al. Facebook language predicts depression in medical records. Proc Natl Acad Sci. 2018;115(44):11203-11208. doi:10.1073/PNAS.1802331115.

5.        Wang R, Chen F, Chen Z, et al. StudentLife. In: Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing - UbiComp ’14 Adjunct. New York, New York, USA: ACM Press; 2014:3-14. doi:10.1145/2632048.2632054.

6.        Rabbi M, Ali S, Choudhury T, Berke E. Passive and In-situ Assessment of Mental and Physical Well-being using Mobile Sensors. Proc . ACM Int Conf Ubiquitous Comput  UbiComp. 2011;2011:385-394. doi:10.1145/2030112.2030164.

7.        Puiatti A, Mudda S, Giordano S, Mayora O. Smartphone-centred wearable sensors network for monitoring patients with bipolar disorder. In: 2011 Annual International Conference of the IEEE Engineering in Medicine and Biology Society. IEEE; 2011:3644-3647. doi:10.1109/IEMBS.2011.6090613.

8.        De Choudhury M, Gamon M, Counts S, Horvitz E. Predicting Depression via Social Media. http://course.duruofei.com/wp-content/uploads/2015/05/Choudhury_Predicting-Depression-via-Social-Media_ICWSM13.pdf. Accessed June 13, 2017.

9.        Rivers C, Lewis B, Young S. Detecting the Determinants of Health in Social Media. 2012. doi:10.1371/journal.pcbi.1002616.

10.      Singer N. In Screening for Suicide Risk, Facebook Takes on Tricky Public Health Role. The New York Times. https://www.nytimes.com/2018/12/31/technology/facebook-suicide-screening-algorithm.html?mc_cid=03a239a9bd&mc_eid=105181941b. Published December 31, 2018.

11.      Na L, Yang C, Lo C-C, Zhao F, Fukuoka Y, Aswani A. Feasibility of Reidentifying Individuals in Large National Physical Activity Data Sets From Which Protected Health Information Has Been Removed With Use of Machine Learning. JAMA Netw Open. 2018;1(8):e186040. doi:10.1001/jamanetworkopen.2018.6040.

12.      Barbaro M, Zeller T, Hansell S. A Face is Exposed for aol searcher no. 4417749. The New York Times. https://www.nytimes.com/2006/08/09/technology/09aol.html?mtrref=www.google.com&gwh=82E5F9FB0A49332F37DFB3048879099B&gwt=pay. Published August 9, 2006.

13.      Narayanan A, Shmatikov V. Robust De-anonymization of Large Sparse Datasets. In: 2008 IEEE Symposium on Security and Privacy (Sp 2008). IEEE; 2008:111-125. doi:10.1109/SP.2008.33.

14.      Narayanan A, Shmatikov V. De-anonymizing Social Networks. In: 2009 30th IEEE Symposium on Security and Privacy. IEEE; 2009:173-187. doi:10.1109/SP.2009.22.

15.      Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying Personal Genomes by Surname Inference. Science (80- ). 2013;339(6117):321-324. doi:10.1126/science.1125339.

16.      Perez B, Musolesi M, Stringhini G. You Are Your Metadata: Identification and Obfuscation of Social Media Users Using Metadata Information.; 2018. www.aaai.org. Accessed August 15, 2018.

17.      Lane ND, Xie J, Moscibroda T, Zhao F. On the feasibility of user de-anonymization from shared mobile sensor data. In: Proceedings of the Third International Workshop on Sensing Applications on Mobile Phones - PhoneSense ’12. New York, New York, USA: ACM Press; 2012:1-5. doi:10.1145/2389148.2389151.

18.      Valentino-DeVries J, Singer N, Keller MH, Krolik A. Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret. The New York Times. https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html. Published December 10, 2018.

 

New White Paper with CA GO-Biz: Cybersecurity in Healthcare: How California Business can Lead

We are proud to announce the release of the Health IT Cybersecurity white paper (below), in collaboration with the Governor’s Office of Business and Economic Development (GO-BiZ) !

Cybersecurity in Healthcare: How California Business can Lead

 Goal of Health IT Advisory Board White Paper

To evolve the concepts and practices that foster a business-friendly environment in California so that best-in-breed cybersecurity practices and solutions are available and adopted by digital health companies for their products and services.

Introduction

A primary objective of the Governor’s Office of Business and Economic Development (GO-Biz) is to support the growth and innovation of major industries in California, including healthcare.  As the healthcare industry seeks to innovate through the use of connected information technologies (IT), which has the potential to improve global health access and outcomes, cybersecurity education and implementation of practices are central to providing leading products that are safe and can be trusted.  To that end, GO-Biz has partnered with the University of Southern California Center for Body Computing to establish a Health IT Advisory Board comprised of public and private experts to encourage greater understanding and utilization of cybersecurity tools and products.  In this white paper, the Health IT Advisory Board outlines key issues and suggested public and private initiatives to encourage and foster leading healthcare cybersecurity practices within the state.

Background

This white paper was created by the Health IT Advisory Board, a multidisciplinary group of  experts appointed by the California Governor's Office of Business and Economic Development (GO-Biz). We represent California based technology, cybersecurity and healthcare IT educators and providers, legal experts, public and private companies and California state technology policy makers.  

Health IT and Digital Healthcare

The vitality of cybersecurity issues in Health IT has been highlighted by the increased attacks on health IT systems in recent years, so much so that in 2018 major national conferences of computer scientists and hackers (Defcon, Blackhat) have dedicated specialized talks and panels on the issue.  Additionally, legislation (California Consumer Privacy Act of 2018 (AB 375)) has recently passed in California, aiming to stem some of the emerging Health IT issues.  As this white paper will outline, there are many possible places for the state to guide development, but we recommend that it focus on the responsible refinement of the major regulation framework.  The Health IT Advisory Board can provide thought leadership on the pathway forward. 

Health information technology is information technology applied to health and health care. It supports information management across computerized systems and the secure exchange of health information between consumers, providers, payers, and quality monitors. Technology has greatly improved healthcare and healthcare outcomes, such as improving medication adherence in heart failure (Talmor 2018), improving glycemic control and reducing complications for patients with diabetes (Prahalad 2018), as well as increasing access to healthcare (Saxon 2016, Kvedar 2014). Continued innovation in healthcare requires commercial investment in health information technology and a deeper understanding as to how to create a robust system of security around the mass of data that these solutions are expected to generate.  Security will include not only technical components but workforce training and policies for upgrading software and handling data breaches, as well (Kruse 2017, Murphy 2015). 

Digital healthcare is supported by health IT and is a new model of healthcare delivery and management. This model of healthcare has the promise of more fully engaging the patient and collecting and providing continuous and more personalized healthcare information, education, disease prevention, security, and care (Shinbane & Saxon 2017). Digital healthcare is also unique in that it can provide healthcare without having to have the patient and care provider in the same place at the same time. This allows for unprecedented access to healthcare and requires the creation of new models of care, regulation, privacy and reimbursement. Digital healthcare has the potential to extend the reach of healthcare companies, systems and their experts by using IT technology and can reduce costs associated with bricks and mortar healthcare. Another benefit that digital healthcare and healthcare IT solutions provide is the ability to re-invent healthcare as a service.  In the same way that Uber changed transportation by providing on-demand access to transportation that focused on the needs of the transportation consumer, healthcare software and services can transform individual patient access and use of information.   

Creating a favorable environment in California for healthcare IT and digital healthcare innovation to occur requires incentives for individuals and organizations to take the risks to create, test and validate their solutions. Creating a hub of innovation in healthcare IT in California has the potential to establish California as the hub for solving the most complex challenges in healthcare.  This activity can drive improvements in the health and economy of California and opens the door to providing worldwide access to these solutions.

From a cybersecurity standpoint, protecting health IT and digital healthcare information and systems is complex. There are existing laws that provide data privacy and security provisions for safeguarding medical information, such as the Health Insurance Portability and Accountability Act (HIPAA).  However, HIPAA may apply to information collected with digital health tools in some but not all situations.  There are a myriad of other cybersecurity considerations that do not fall under HIPAA regulations but are critically important to ensuring the availability of health IT technology and its ongoing safe and effective use  (Cooley 2018 pt.1, Cooley 2018 pt.2). Cyber protections need to extend beyond confidentiality and include safeguards for data integrity and availability. This will protect against potential exploits such as manipulating and falsifying medical data, as well as protecting against denial of services (DDoS) attacks that can prevent access to medical data systems (WannaCry, Petya). 

Currently, cybersecurity legislation for digital healthcare is not yet well established. However, there are a number of pending state and federal bills.

Our board recognizes that cybersecurity awareness and practices have to be implemented on an individual and institutional basis. Like environmentalism, these practices are continuous and require education, research, multidisciplinary engagement, policy and robust public-private partnerships. In order to create and foster an environment for companies in California to produce leading edge digital health solutions with robust cybersecurity protections, we identify and recommend activity in the following areas:

 

Area Recommendations

Education

●      Workforce development: Developing and maintaining secure medical technology and IT systems will require a workforce that is properly trained in the areas of security, as well as in the unique intersection of technology and healthcare. According to the cybersecurity job site Cybersee.org, as of August 2018 there are approximately 35,000 open cybersecurity jobs in California alone. Manufacturers will require these resources to ensure that products are developed in a secure manner and healthcare providers will require these resources support the secure implementation and ongoing operations of healthcare technology in the clinical environment. California is uniquely positioned to address this challenge as it is home to some of the world’s premier medical technology, healthcare delivery and academic institutions. We recommend that these organizations come together to build programs and curriculum to educate the next generation workforce  at the K-12, community college, and university levels as well as current healthcare workers through continuing education opportunities.  A recent example of work in this area is the California Cyber Innovation Challenge hosted by California Polytechnic State University.

●      Patient/Care Provider Education: The increasing utilization of technology in the healthcare delivery chain by both healthcare professionals and patients requires these users to have a deeper understanding of the impact that security of that technology has on its safety and effectiveness. Similar to how personal hygiene of both healthcare providers and patients (e.g. hand-washing, wound care) is critical to safe and effective treatment of disease, digital hygiene is becoming increasingly critical to the safe and effective delivery of healthcare. A medical device connected to a patient’s smartphone provides both healthcare providers and patients new opportunities to better manage their disease and health anywhere and anytime, but also requires that patients maintain the health of their smartphone to ensure its effective operation within the medical device ecosystem. We recommend the formation of a consortium of health IT companies, providers and government agencies to address the cyber literacy of patients. Create a public/private initiative to drive a cultural awareness campaign that highlights best cybersecurity practices and the understanding that cybersecurity is a shared responsibility.

Ethical Use of Data

●      Patient/Care Provider Education: There is increasing attention to the ethical collection and use of personal data collected by online service providers. Digital health data provides a significant opportunity to improve patient outcomes through improved disease management, patient engagement and clinical performance improvements in medical devices and products. In order to achieve these objectives through the use of patient health data there must be trust between service providers and patients that health data will only be used for its intended purpose and not beyond what the patient has authorized. This is a complex issue that has national and even global attention, especially with the EU’s Global Data Protection Regulation (https://www.eugdpr.org/) (read summary here) going into effect earlier this year (May 2018). The NIH has also outlined intent to provide guidances on the topic (https://www.nih.gov/about-nih/who-we-are/nih-director/testimony-21st-century-cures-implementation-updates-fda-nih).  It is beyond the scope of this committee to address this issue to the level it requires given the time available. We recommend that the medical technology, patient and healthcare provider communities collaborate to develop standards for the ethical use of medical information and mechanisms to provide transparency to patients. As example of this is the recently published privacy best practices published by the consumer genetic services companies, which covers issues such as informed consent, privacy, and accuracy (https://fpf.org/2018/07/31/privacy-best-practices-for-consumer-genetic-testing-services/)

Public - Private Partnerships 

●      Information Sharing & Collaboration: Cyber threats can emerge and spread rapidly impacting critical healthcare services. Open and trusted sharing of cyber threat information has been an effective mechanism for combating cyber threats in many industries. The Financial Services Information Sharing and Analysis Center or FS-ISAC has been the model for effective information sharing to minimize the impact of cyberthreats (https://www.fsisac.com/). The National Healthcare Information Sharing and Analysis Center (https://nhisac.org/) is similarly focused on the sharing of cyberthreat intelligence among a trusted community of critical infrastructure owners and operators in the Health Care and Public Health sector and the International Pharmaceutical & Medical Device Consortium (https://www.ipmpc.org/about) facilitates sharing best practices around data privacy.  California has also formed an organization, California Cybersecurity Integration Center (Cal-CSIC) (https://calcsic.org/), focused on identifying and responding to cyberthreats. Another good example of a public-private partnership with a life science focus is the Critical Path Institute (C-Path; https://c-path.org/).  We recommend that California develop incentives for healthcare organizations to participate in these information sharing organizations at both the federal and state levels. Additionally, we recommend that appropriate stakeholders from within the healthcare ecosystem are engaged at the state-level. FDA has led the way with incentivizing open information sharing in their Postmarket Management of Cybersecurity in Medical Devices guidance (https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf).

●      Cybersecurity Incentives: According to the U.S. Department of Commerce the medical device industry is responsible for almost 2 million jobs in the United States. However, 80% of the medical device companies have less than 50 employees and many are start-ups with little to no revenue (https://www.selectusa.gov/medical-technology-industry-united-states). Developing innovative medical technology that addresses complex clinical problems, while also ensuring appropriate cybersecurity protections can be challenging for many medical technology companies given their limited resources and the availability of cybersecurity experts as discussed above. We recommend that resources be made available to smaller medical device companies through information and sharing collaboration organizations as previously discussed. This could take the form of the development of minimum cybersecurity standards, cybersecurity resource centers, as well as in-person and virtual forums to facilitate collaboration. Additionally we recommend that public policy and purchasing organizations incentivize the development of secure products in a manner similar to incentives for innovation and time to market.

●      Public-Private Advisory Groups: For expert recommendations on information sharing and cybersecurity incentives, public-private partnerships should be forged, such as the Cybersecurity Task Force (http://www.caloes.ca.gov/Cal-OES-Divisions/Cybersecurity-Task-Force) from the California Governor’s Office of Emergency Services and the California Department of Technology, and the Precision Medicine Advisory Committee from the California Initiative to Advance Precision Medicine (http://www.ciapm.org/).

Research and Development  

The healthcare ecosystem is a complex network of varying stakeholders with different incentives and levels of technical sophistication. Introducing the complexity of cybersecurity into this ecosystem increases the risk that the opportunities provided by health technology will not be effectively realized. Significant research is needed to understand how to strike the right balance between effectively addressing cybersecurity in healthcare while also encouraging innovation and adoption of health technologies by care providers and patients.  Results of such research can then be incorporated into development guidance documents, such as the FDA’s Guidance on Premarket Submissions for the management of cybersecurity in medical devices (https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf). This includes research into ways of better protecting digital health solutions, as well as methods used by organizations to respond to cybersecurity vulnerabilities when they occur, including models for coordinated disclosure and risk notification and response. Research should also be done to better understand the interactions between cybersecurity and the use of health technology and implications on clinical outcomes. This research will be even more important as patients have more opportunities to be directly involved in their care through the use of technology, and as a result, also responsible for the security of that technology. We recommend that incentives be developed to encourage research into the critical area of healthcare cybersecurity. 

Government Policy/Legislation

There are numerous legislative and regulatory efforts related to cybersecurity and privacy that are occurring at both the state, national, and international levels. In addition to existing regulations like HIPAA, various global privacy regulations (e.g. General Data Protection Regulation, “GDPR”, https://www.eugdpr.org/), and FDA guidance on cybersecurity,  numerous other proposals are being considered around privacy and cybersecurity of Internet of Things (IOT) devices, which many times include medical technology. Given the size of many medical technology companies (discussed above), addressing the myriad of complex cybersecurity and privacy regulations can be cost prohibitive, if not impossible. Additionally, many of these regulations are focused on punitive actions after a cybersecurity incident or breach has occurred. We recommend that policymakers look to developing legislation and regulatory frameworks that encourage and support many of the proposals discussed in this paper including:

●      Workforce Development & Provider/Patient Education – Ensuring a capable workforce is available to develop security medical technology and that care providers and patients are equipped to effectively manage the cybersecurity of this technology.

●      Security Standards – Establishing flexible and responsive organizations and processes for the development of minimum security standards. Cyberthreats change quickly and standards organization need to be developed to respond accordingly.

●      Information Sharing – Encouraging open and trusted communication between healthcare organizations is critical to being able to respond to security threats and minimize impact to critical healthcare services; can build on current activities and organizations, such as the FDA’s activities including FDA post-market management of cybersecurity in medical devices, the Department of Homeland Security, the Energy and Commerce Committee, the CISO council and Health Information Trust Alliance, and the Health and Human Services Cybersecurity Task Force Report.

●      Cybersecurity Research – Incentives to encourage research to better understand how to effectively address cybersecurity risks in healthcare while encouraging innovation and adoption of technology solutions, which can lead to improved clinical outcomes and lower costs.

Policy efforts should focus on accelerating market access for organizations that develop and maintain secure medical technology in accordance with accepted cybersecurity standards.

Conclusions

There is massive potential for California companies and organizations to ethically lead and create digital health solutions that can improve the health of the globe. Already, California leads the world in technology innovation. We recognize that the protection of digital health data and use of this data is paramount to realizing the promise of digital health. We also acknowledge that providing protections for the consumer is a continuous process and will be a shared responsibility. The market for digital health is rapidly changing and, in the future, the emphasis will be on the consumer.  The effect of the evolving market on the individual, as well as the broader California economy, should be addressed now.  This white paper provides a template for defining, growing and encouraging activities that should occur in tandem to motivate California healthcare company growth and digital innovation.  

 

Advisory Board Members:

●      Darin Andersen, MBA, Co-Chair Economic Development Subcommittee, Cybersecurity Task Force, California Governor’s Office of Emergency Services

●      Bill Britton, Vice President of Information Technology and Chief Information Officer, California Polytechnic State University

●      Wainwright Fishburn, JD, Partner and Global Head, Digital Health Practice, Cooley LLP

●      John Mattison, MD, Chief Medical Information Officer and Assistant Medical Director, Kaiser Permanente

●      Leslie Saxon, MD, Executive Director, USC Center for Body Computing

●      Jesse Torres, Deputy Director/CA Small Business Advocate, GO-Biz

●      Chris Tyberg, Division Vice President Information Security, Abbott Medical Devices

●      Sid Voorakkara, Deputy Director, External Affairs, GO-Biz

●      Andrew Thompson, Chief Executive Officer, Proteus Digital Health

Want my digital health data? Convince me.

Author: Mona Sobhani, PhD

On the spectrum of personal data privacy, you’ll find me nestled far closer to the side of “none of my data is anyone’s damned business”.  Maybe I’ve been radicalized, having read one too many articles on the nefarious uses of personal data by governments and corporations.  Indeed, one look at my Netflix list would reveal my paranoid leanings.  Maybe I’m too skeptical, but news stories like the recent Facebook-Cambridge Analytica scandal don’t do much to relieve my concerns. 

So when I think about the topic of digital health, which aims to use emerging digital technologies and advanced analytic methods to forge progress on healthcare, I can’t help but react defensively. I find myself wondering why it’s not enough that you have my location, social, and purchasing personal information.  Now you want my health information, too?

But digital health needs our data and I was reminded why after attending a meeting last week.  The ultimate promise of digital health, as I see it, is to help solve personalized health.  What I mean by solving personalized health is that we want to move from a “sick care” system to a “health care” system where health problems are identified and treated early, or even prevented, on a personalized basis. The “X” factor needed to do that with unprecedented and exceptional efficiency is to have a lot of data from humans in various states of health on which to train algorithms.  Without that, digital health solutions may make healthcare more efficient by, say, improving communication between stakeholders and making it easier to give/get a prescription – but it won’t solve health.

However, that idea does not make it any safer to provide personal data.  The risks of cyber breach are still very real, and the average patient may not fully understand what those risks are.  To help patients make more informed decisions, it should be the responsibility of digital health solution providers to provide examples of risks, as well as explanations of how they intend to mitigate risks.

Realistically, it may take a long time to get to the point where the combination of the digital health wearable sensors and apps I’m using will be able to detect things like reduced immune functioning.  Take genomics as an example.  We have decoded the human genome, but we are not close to having every gene-to-gene-environment interaction mapped out, because research and development take time. This should be communicated to patients so they do not feel duped.

It should be the responsibility of digital health stakeholders to convince me to provide my data by using their product.  They can do that by properly communicating the issue of why they need my data, what are the possible harmful outcomes, and why it may take a while to see results. This way,  every patient will not feel as though digital health is another ruse for private companies to acquire my personal data for their personal profit.  And digital health can march forward to its goal of solving health.