Federal investigators probe Ascension, Google project

https://www.beckershospitalreview.com/cybersecurity/federal-investigators-probe-ascension-google-project.html


The HHS Office for Civil Rights (OCR) is asking for more information about Google’s “Project Nightingale” with St. Louis-based Ascension, according to a Nov. 12 Wall Street Journal report.

Investigators “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” OCR Director Roger Severino told WSJ.

Ascension and Google partnered last year to gather and share patient information to create healthcare solutions. Physicians and patients from 21 Ascension locations were not informed that information was being shared with Google. It is estimated that Google will gather data on 50 million patients.

Patient data that is being secretly shared with Google includes lab results, diagnoses and hospitalization records, reports WSJ. In some instances, Google has access to patients’ complete health history, including names and dates of birth. 

Although Ascension employees have questioned the ethical and technological ways Google is gathering data, privacy experts said it appears to be acceptable under federal law. Hospitals are generally allowed to share data with business partners without informing patients if the information is used “only to help the covered entity carry out its healthcare functions.”

An Ascension spokesperson said patient data wouldn’t be used to sell ads, reports WSJ.

“We are happy to cooperate with any questions about the project. We believe Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security and usage,” a spokesperson for Google said in a statement to WSJ.

Legislators on Nov. 12 also commented on the project. Presidential hopeful Sen. Amy Klobuchar of Minnesota said that there needs to be government oversight for the amount of data Google is handling, adding there are “very few rules of the road in place regulating how it is collected and used.”

Google has mapped out plans to develop a search tool that would aggregate patient data into a central location. Ascension physicians would then be able to use the tool to more quickly access patient information.

Ascension leader Eduardo Conrado, executive vice president of strategy and innovations for Ascension, shared his reactions to the WSJ Nov. 11 report on Project Nightingale on Nov. 12. Find his commentary here.


Healthcare’s number one financial issue is cybersecurity

https://www.healthcarefinancenews.com/node/139027?mkt_tok=eyJpIjoiTURRMk1tVTFaVE15TkRjMiIsInQiOiJPNUYydDU5cFVodjB4bnlnb2M0eVhDNjg2YU53NDl6MWFRQlVpUEpmTzV5cEcrVVZMWldhd1AzbHNlckIwUWJHczlhOVRMZUxxSngyWk02VVhXTktXRjN1OE9mbkQ2V2FhQlBqVFIzOWpMS0pNUEdCYWh0SUQyZWZHRmpBQjRFWiJ9


The cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity and reputation.

Cyber attacks affect the finances of every hospital and insurer like no other.

“I’ve seen estimates of over $5 billion in costs to the healthcare industry annually,” said Lisa Rivera, a partner at Bass, Berry and Sims who focuses on healthcare security. “That’s enormous and is not going away.”

Beyond the cost of remediating breaches and settling any civil complaints are fines from the Department of Health and Human Services Office for Civil Rights. In 2018, OCR issued 10 resolutions that totaled $28 million.

The HHS Office for Civil Rights is stepping up enforcement over breaches of protected health information, according to Rivera, who is a former assistant U.S. Attorney and federal prosecutor who handled civil and criminal investigations for the Department of Justice.

What officials want to see is that the hospital or insurer has taken reasonable efforts to avoid a breach.

“There is no perfect cybersecurity,” Rivera said. “They say it’s not perfection, it’s reasonable efforts. That’s going to require an investment up-front to see where data is located, and educating the workforce on phishing incidents.”

Also, hospital finance professionals who are relying more on contractors for revenue cycle management and analytics should take note of the security issues involved in sharing this information.

“Every sector of business has attacks, but healthcare is experiencing the largest growth of cyber attacks because of the nature of its information,” Rivera said. “It’s more valuable on the dark web.”

It’s also not easily fixed.

If an individual’s credit card is stolen, the consumer can cancel his or her credit card. But in health records, the damage is permanent.

THE IMPACT

Despite the number of breaches, healthcare has been behind other sectors in taking security measures. Four to seven percent of a health system’s IT budget is in cybersecurity, compared to about 15% for other sectors such as the financial industry, according to Rivera.

Hospitals are behind, first, because it is a challenge to keep up with the move to storing more information in electronic form.

“There’s no hospital that doesn’t have mobile EHR information,” Rivera said. “Then there was this transition with incentives from the government to go to electronic medical records. There were vast routes to doing that without a lot of experience involved in doing it. The push to become electronic began happening with this enormous uptick in cyber attacks.”

Also, the focus of healthcare has always been patient care, and the growth of population health initiatives also involves sharing information more widely.

And consolidation across the healthcare industry can potentially make covered entities more vulnerable to lapses in security during the transition and integration phases.

RECOMMENDATIONS

The number one way to cut costs is to prevent a breach. Once one has happened, hospitals must be able to identify it as soon as possible and then be able to respond to it.

Hospitals should be able to determine where certain data goes off the rails, Rivera said. For instance, large systems doing research have outcome information that may not be within the system of protection.

“You don’t want to learn about a data breach because the FBI saw it on the dark web,” Rivera said. And some hospitals have.

It’s a constant battle of software updates and checks. Criminals are pinging systems thousands of times a day. It’s like locking down doors and windows.

The first thing that’s needed for systems large and small is a risk assessment. This is the first thing the OCR wants to see, she said. Many hospitals use an outside vendor to do the job.

Prices for other cybersecurity measures vary from a software purchase that could be in the millions, to having vendor monitoring.

But the cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity, reputation and the service disruption.

Hospitals can also purchase cyber insurance, which varies in cost and coverage. Some obtain it for purposes of class action lawsuits.

THE LARGER TREND

OCR enforcement activity during 2018 demonstrates the agency’s continued emphasis on enforcing violations of the security risk assessment and risk management requirements, Rivera said.

Covered entities and business associates are required to: conduct a thorough assessment of the threats and vulnerabilities across the enterprise; implement measures to reduce known threats and vulnerabilities to a reasonable and appropriate level; and ensure that any vendor or other organization accessing or storing protected health information is security compliant.

OCR concluded 2018 with an all-time record year for HIPAA enforcement activity. It settled 10 cases and secured one judgment, together totaling $28.7 million. This surpassed the previous record of $23.5 million from 2016.

In addition, OCR achieved the single largest individual HIPAA settlement of $16 million with Anthem, representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Anthem was held responsible for cyber attacks that stole the protected health information of close to 79 million people.


The Tragedy of the Healthcare Data Commons


Once the system can discriminate on a multitude of data points, the commons collapses.

A theme of my writing over the past ten or so years has been the role of data in society. I tend to frame that role anthropologically: How have we adapted to this new element in our society? What tools and social structures have we created in response to its emergence as a currency in our world? How have power structures shifted as a result?

Increasingly, I’ve been worrying a hypothesis: Like a city built over generations without central planning or consideration for much more than fundamental capitalistic values, we’ve architected an ecosystem around data that is not only dysfunctional, it’s possibly antithetical to the core values of democratic society. Houston, it seems, we really do have a problem.

Last week ProPublica published a story titled Health Insurers Are Vacuuming Up Details About You — And It Could Raise Your Rates.  It’s the second in an ongoing series the investigative unit is doing on the role of data in healthcare. I’ve been watching this story develop for years, and ProPublica’s piece does a nice job of framing the issue. It envisions  “a future in which everything you do — the things you buy, the food you eat, the time you spend watching TV — may help determine how much you pay for health insurance.”

Unsurprisingly, the health industry has  developed an insatiable appetite for personal data about the individuals it covers. Over the past decade or so, all of our quotidian activities (and far more) have been turned into data, and that data can and is being sold to the insurance industry:

“The companies are tracking your race, education level, TV habits, marital status, net worth. They’re collecting what you post on social media, whether you’re behind on your bills, what you order online. Then they feed this information into complicated computer algorithms that spit out predictions about how much your health care could cost them.”

HIPAA, the regulatory framework governing health information in the United States, only covers and protects medical data – not search histories, streaming usage, or grocery loyalty data. But if you think your search, video, and food choices aren’t related to health, well, let’s just say your insurance company begs to differ.

Lest we dive into a rabbit hole about the corrosive combination of healthcare profit margins with personal data (ProPublica’s story does a fine job of that anyway), I want to pull back and think about what’s really going on here.

The Tragedy of the Commons

One of the most fundamental tensions in an open society is the potential misuse of resources held “in common” – resources to which all individuals have access. Garrett Hardin’s 1968 essay on the subject, “The Tragedy of the Commons,” explores this tension, concluding that the problem of human overpopulation has no technical solution. A technical solution is one that can be achieved by the application of science and/or engineering, rather than one that requires a shift in human values or morality (i.e., a political solution). Hardin’s essay has become one of the most cited works in social science – the tragedy of the commons is a facile concept that applies to countless problems across society.

In the essay, Hardin employs a simple example of a common grazing pasture, open to all who own livestock. The pasture, of course, can only support a finite number of cattle. But as Hardin argues, cattle owners are financially motivated to graze as many cattle as they possibly can, driving the number of grass munchers beyond the land’s capacity, ultimately destroying the commons. “Freedom in a commons brings ruin to all,” he concludes, delivering an intellectual middle finger to Smith’s “invisible hand” in the process.

So what does this have to do with healthcare, data, and the insurance industry? Well, consider how the insurance industry prices its policies. Insurance has always been a data-driven business – it’s driven by actuarial risk assessment, a statistical method that predicts the probability of a certain event happening. Creating and refining these risk assessments lies at the heart of the insurance industry, and until recently, the amount of data informing actuarial models has been staggeringly slight. Age, location, and tobacco use are pretty much how policies are priced under Obamacare, for example. Given this paucity, one might argue that it’s utterly a *good* thing that the insurance industry is beefing up its databases. Right?

Perhaps not. When a population is aggregated on high-level data points like age and location, we’re essentially being judged on a simple shared commons – all 18 year olds who live in Los Angeles are being treated essentially the same, regardless if one person has a lurking gene for cancer and another will live without health complications for decades. In essence, we’re sharing the load of public health in common – evening out the societal costs in the process.

But once the system can discriminate on a multitude of data points, the commons collapses, devolving into a system rewarding whoever has the most profitable profile. That 18-year-old with flawless genes, the right zip code, an enviable inheritance, and all the right social media habits will pay next to nothing for health insurance. But the 18-year-old with a mutated BRCA1 gene, a poor zip code, and a proclivity to sit around eating Pringles while playing Fortnite? That teenager is not going to be able to afford health insurance.

Put another way, adding personalized data to the insurance commons destroys the fabric of that commons. Healthcare has been resistant to this force until recently, but we’re already seeing the same forces at work in other aspects of our previously shared public goods.

A public good, to review, is defined as “a commodity or service that is provided without profit to all members of a society, either by the government or a private individual or organization.” A good example is public transportation. The rise of data-driven services like Uber and Lyft have been a boon for anyone who can afford these services, but the unforeseen externalities are disastrous for the public good. Ridership, and therefore revenue, falls for public transportation systems, which fall into a spiral of neglect and decay. Our public streets become clogged with circling rideshare drivers, roadway maintenance costs skyrocket, and – perhaps most perniciously – we become a society of individuals who forget how to interact with each other in public spaces like buses, subways, and trolley cars.

Once you start to think about public goods in this way, you start to see the data-driven erosion of the public good everywhere. Our public square, where we debate political and social issues, has become 2.2 billion data-driven Truman Shows, to paraphrase social media critic Roger McNamee. Retail outlets, where we once interacted with our fellow citizens, are now inhabited by armies of Taskrabbits and Instacarters. Public education is hollowed out by data-driven personalized learning startups like AltSchool, Khan Academy, or, let’s face it, YouTube how-to videos.

We’re facing a crisis of the commons – of the public spaces we once held as fundamental to the functioning of our democratic society. And we have data-driven capitalism to blame for it.

Now, before you conclude that Battelle has become a neo-luddite, know that I remain a massive fan of data-driven business. However, if we fail to re-architect the core framework of how data flows through society – if we continue to favor the rights of corporations to determine how value flows to individuals absent the balancing weight of the public commons – we’re heading down a path of social ruin. ProPublica’s warning on health insurance is proof that the problem is not limited to Facebook alone. It is a problem across our entire society. It’s time we woke up to it.

So what do we do about it? That’ll be the focus of a lot of my writing going forward.  As Hardin writes presciently in his original article, “It is when the hidden decisions are made explicit that the arguments begin. The problem for the years ahead is to work out an acceptable theory of weighting.” In the case of data-driven decisioning, we can no longer outsource that work to private corporations with lofty sounding mission statements, whether they be in healthcare, insurance, social media, ride sharing, or e-commerce.

Originally published here.

2018 July 27