Clouds in healthcare should be viewed as ominous- Quotes from Dr. Deborah Peel

A recent article in FierceEMR written by Marla Durben Hirsch quotes Dr. Peel about the dangers of cloud technology being used in healthcare. Dr. Peel tells FierceEMR that “There’s a lot of ignorance regarding safety and privacy of these [cloud] technologies”.

Here are a few key quotes from the story:

“It’s surely no safe haven for patient information; to the contrary it is especially vulnerable to security breaches. A lot of EHR vendors that offer cloud-based EHR systems don’t take measures to keep patient data safe. Many of them don’t think they have to comply with HIPAA’s privacy and security rules, and many of their provider clients aren’t requiring their vendors to do so.” (Hirsch)

“Many providers have no idea where the vendor is hosting the providers’ patient data. It could be housed in a different state; or even outside of the country, leaving it even more vulnerable. ‘If the cloud vendor won’t tell you where the information is, walk out the door,’ Peel says.”

“Then there’s the problem of what happens to your data when your contract with the cloud vendor ends. Providers don’t pay attention to that when they sign their EHR contract, Peel warns.”

“‘The cloud can be a good place for health information if you have iron clad privacy and security protections,’ Peel says. ‘[But] people shouldn’t have to worry about their data wherever it’s held.’”

OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The quotes below are from an article written by Alex Ruoff in the Bloomberg Health IT Law and Industry Report.

“Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information. Cloud computing solutions are seen as ideal for small health practices as they do not require additional staff to manage information systems, Peel said.
Cloud computing for health care requires the storage of protected health information in the cloud—a shared electronic environment—typically managed outside the health care organization accessing or generating the data (see previous article).
Little is known about the security of data managed by cloud service providers, Nicolas Terry, co-director of the Hall Center for Law and Health at Indiana University, said. Many privacy advocates are concerned that cloud storage, because it often stores information on the internet, is not properly secured, Terry said. He pointed to the April 17 agreement between Phoenix Cardiac Surgery and HHS in which the surgery practice agreed to pay $100,000 to settle allegations it violated HIPAA Security Rules (see previous article).
Phoenix was using a cloud-based application to maintain protected health information that was available on the internet and had no privacy and security controls.

Demands for Guidance

Peel’s group, in the Dec. 19 letter, called for guidance “that highlights the lessons learned from the Phoenix Cardiac Surgery case while making clear that HIPAA does not prevent providers from moving to the cloud.”

Peel’s letter asked for:
• technical safeguards for cloud computing solutions, such as risk assessments of and auditing controls for cloud-based health information technologies;
• security standards that establish the use and disclosure of individually identifiable information stored on clouds; and
• requirements for cloud solution providers and covered entities to enter into a business associate agreement outlining the terms of use for health information managed by the cloud provider.”

Vast cache of Kaiser patient details was kept in private home

The excerpt below is from the LA Times article Vast cashe of Kaiser patient details was kept in private home by Chad Terhune. This shows both the negligence of Kaiser in caring for their patients, but also the lack of privacy and security that is frequently found in electronic health records.

“Federal and state officials are investigating whether healthcare giant Kaiser Permanente violated patient privacy in its work with an Indio couple who stored nearly 300,000 confidential hospital records for the company.

The California Department of Public Health has already determined that Kaiser “failed to safeguard all patients’ medical records” at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract. The couple’s document storage firm kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.

Until this week, the Deans also had emails from Kaiser and other files listing thousands of patients’ names, Social Security numbers, dates of birth and treatment information stored on their home computers.

The state agency said it was awaiting more information from Kaiser on its “plan of correction” before considering any penalties.

Officials at the U.S. Department of Health and Human Services began looking into Kaiser’s conduct last year after receiving a complaint from the Deans about the healthcare provider’s handling of patient data, letters from the agency show. Kaiser said it hadn’t been contacted by federal regulators, and a Health and Human Services spokesman declined to comment.”

Health Care, the Cloud, and Privacy, Jan. 7 Panel

Health Care, the Cloud, and Privacy

Phoenix Park Hotel
520 North Capitol Street, NW | Washington, DC 20001
Georgian Room
Monday, January 7, 2013 | 12:00 p.m. ET

On behalf of Patient Privacy Rights (PPR), you are invited to attend a panel discussion on health care system privacy challenges posed by cloud computing. The one-hour discussion, “Health Care, the Cloud, and Privacy,” will be held on Monday, January 7, 2013 at the Phoenix Park Hotel in Washington, D.C. Boxed lunches will be provided.

With technological innovations that promise better efficiency and lower cost, one of the most anticipated developments is how industry and regulators will respond. That question today is focused intently on cloud computing and the implications for corporations with electronic systems containing sensitive consumer health data. Who is handling patient data? How do HIPAA and other health privacy laws and rights function in the cloud? What can policymakers do to better protect our sensitive medical data?

Our distinguished panel will feature:

Joy Pritts
Chief Privacy Officer
Office of the National Coordinator for Health IT
U.S. Department of Health and Human Services

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights (PPR)

Nicolas P. Terry
Hall Render Professor of Law
Indiana University Robert H. McKinney School of Law

Lillie Coney
Associate Director
Electronic Privacy Information Center (EPIC)

Please RSVP to Jenna Alsayegh at jalsayegh@deweysquare.com.

We hope to see you there!

And there is more:
View the Invitation as a PDF
View the Press Release

PPR also sent a letter to the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) that urges for more comprehensive guidance on securing patient data in “the cloud.” With the healthcare industry moving their records to electronic databases, PPR sees a number of issues associated with cloud computing services, including compliance with existing healthcare privacy laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, stronger state and federal health information privacy laws, medical ethics, and Americans’ rights to health information privacy. View the letter here.

Dr. Deborah Peel chosen as one of the ‘Top 10 Influencers of Health InfoSec’

Patient Privacy Rights’ very own Dr. Deborah Peel was chosen as one of the ‘Top 10 Influencers of Health InfoSec”. This honor is given by HealthcareInfoSecurity “to acknowledge leaders who are playing a critical role in shaping the way healthcare organizations approach information security and privacy”.

Dr. Deborah Peel was deemed an “outspoken champion of national patient privacy concerns since 1993. As leader of the advocacy group Patient Privacy Rights, Peel often takes controversial positions on key issues, but she has proven successful in drawing attention to important patient privacy matters. She has testified before Congressional committees on genetic data privacy and medical record privacy.”

From Top 10 Influencers of Health InfoSec:

“Each of these top 10 Influencers makes a substantial impact. Their influence ranges from shaping national health data security and privacy regulations to providing real-life breach prevention insights and leading grass-root efforts to help patients deal with data privacy threats.

Our selections include some of the nation’s most recognized leaders in health information technology. But they also include a few individuals who aren’t in the national spotlight, yet are influential nonetheless.

As electronic health records become ubiquitous, and more information is shared via health information exchanges, the nation needs leaders who are willing to take bold action to ensure patient information is protected.

Our editors chose these individuals for the influence they’ve had over the last year, as well as the impact we expect them to have in 2013 and beyond.”

Patient privacy group (PPR) asks HHS for HIPAA cloud guidance

Government HealthIT recently wrote an article about Dr. Peel’s of Patient Privacy Rights’ letter to the HHS Office for Civil Rights pushing for security guidelines, standards, and enforcements for cloud technology being used in healthcare.

Here are a few key points highlighted in the article:

“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected,” Peel said.

“Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed ‘if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.’”

“Patient Privacy Rights, a group founded in 2006, is encouraging HHS to adopt guidelines that highlight ‘the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.’”

“In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. ‘HHS and HIPAA guidance in this area, to date, is limited,’ Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.”

Kravis Backs N.Y. Startups Using Apps to Cut Health Costs

The title should have been: “Wall Street trumps the Hippocratic Oath and NY patients’ privacy” or “NY gives technology start-ups free access to millions of New Yorkers sensitive health data without informed consent starting in February”.

Of course we need apps to lower health costs, coordinate care, and help people get well, but apps should be developed using ‘synthetic’ data, not real patient data. Giving away valuable identifiable patient data to app developers is very risky and violates patients legal and ethical rights to health information privacy under state and federal law—each of us has strong rights to decide who can see and use personal health information.

What happens when app developers use, disclose or sell Mayor Bloomberg’s, Governor Cuomo’s, Sec of State Hillary Clinton’s, or Peter Thiel’s electronic health records? Or will access to prominent people’s health records be blocked by the data exchange, while everyone’s else’s future jobs and credit are put at risk by developer access to health data?  Will Bloomberg publish a story about the consequences of this decision by whoever runs the NY health data exchange? Will Bloomberg write about the value, sale, and massive technology-enabled exploitation of health data for discrimination and targeted marketing of drugs, treatments, or for extortion of political or business enemies? Natasha Singer of the NYTimes calls this the ‘surveillance economy’.

The story did not mention ways to develop apps that protect patients’ sensitive information from disclosure to people not directly involved in patient care. The story could have said that the military uses “synthetic” patient data for technology research and app development. They realize that NOT protecting the security and privacy of sensitive data of members of the military and their families creates major national security risks.  The military builds and tests technology and apps on synthetic data; researchers or app developers don’t get access to real, live patient data without tough security clearances and high-level review of those who are granted permission to access data for approved projects that benefit patients. Open access to military health data bases threatens national security. Will open access to New Yorkers’ health data also threaten national security?

NY just started a national and international gold rush to develop blockbuster health apps AND will set off a rush by other states to give away or sell identifiable patient health information in health information exchanges (HIEs) or health information organizations (HIOs)—-by allowing technology developers access to an incredibly large, valuable data base of identifiable patient health information.  Do the developers get the data free—or is NY selling health data? The bipartisan Coalition for Patient Privacy (represents 10.3M people) worked to get a ban on the sale of patient health data into the stimulus bill because the hidden sale of health data is a major industry that enables hidden discrimination in key life opportunities like jobs and credit. Selling patient data for all sorts of uses is a very lucrative industry.

Further, NY patients are being grossly misled: they think they gave consent ONLY for their health data to be exchanged so other health professionals can treat them. Are they informed that dozens of app developers will be able to copy all their personal health data to build technology products they may not want or be interested in starting in February?

Worst of all the consequences of systems that eliminate privacy is: patients to act in ways that risk their health and lives when they know their health information is not private:

  • -600K/year avoid early treatment and diagnosis for cancer because they know their records will not be private
  • -2M/year avoid early treatment and diagnosis for depression for the same reasons
  • -millions/year avoid early treatment and diagnosis of STDs, for the same reason
  • -1/8 hide data, omit or lie to try to keep sensitive information private

More questions:

  • -What proof is there that the app developers comply with the contracts they sign?
  • -Are they audited to prove the identifiable patient data is truly secure and not sold or disclosed to third parties?
  • -What happens when an app developer suffers a privacy breach—most health data today is not secure or encrypted? If the app developers signed Business Associate Agreements at least they would have to report the data breaches.
  • -What happens when many of the app developers can’t sell their products or the businesses go bust? They will sell the patient data they used to develop the apps for cash.
  • -The developers reportedly signed data use agreements “covering federal privacy rules”, which probably means they are required to comply with HIPAA.  But HIPAA allows data holders to disclose and sell patient data to third parties, promoting further hidden uses of personal data that patients will never know about, much less be able to agree to.  Using contracts that do not require external auditing to protect sensitive information and not requiring proof that the developers can be trusted is a bad business practice.

NY has opened Pandora’s box and not even involved the public in an informed debate.

Sizing Up De-Identification Guidance, Experts Analyze HIPAA Compliance Report (quotes PPR)

To view the full article by Marianne Kolbasuk McGee, please visit: Sizing Up De-Identification Guidance, Experts Analyze HIPAA Compliance Report.

The federal Office of Civil Rights (OCR), charged with protecting the privacy of nation’s health data, released a ‘guidance’ for “de-identifying” health data. Government agencies and corporations want to “de-identify”, release and sell health data for many uses. There are no penalties for not following the ‘guidance’.

Releasing large data bases with “de-identified” health data on thousands or millions of people could enable break-through research to improve health, lower costs, and improve quality of care—-IF “de-identification” actually protected our privacy, so no one knows it’s our personal data—-but it doesn’t.

The ‘guidance’ allows easy ‘re-identification’ of health data. Publically available data bases of other personal information can be quickly compared electronically with ‘de-identified’ health data bases, so can be names re-attached, creating valuable, identifiable health data sets.

The “de-identification” methods OCR proposed are:

  • -The HIPAA “Safe-Harbor” method:  if 18 specific identifiers are removed (such as name, address, age, etc, etc), data can be released without patient consent. But .04% of the data can still be ‘re-identified’
  • -Certification by a statistical  “expert” that the re-identification risk is “small” allows release of data bases without patient consent.

o   There are no requirements to be an “expert”

o   There is no definition of “small risk”

Inadequate “de-identification” of health data makes it a big target for re-identification. Health data is so valuable because it can be used for job and credit discrimination and for targeted product marketing of drugs and expensive treatment. The collection and sale of intimately detailed profiles of every person in the US is a major model for online businesses.

The OCR guidance ignores computer science, which has demonstrated ‘de-identification’ methods can’t prevent re-identification. No single method or approach can work because more and more ‘personally identifiable information’ is becoming publically available, making it easier and easier to re-identify health data.  See: the “Myths and Fallacies of “Personally Identifiable Information” by Narayanan and Shmatikov,  June 2010 at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf Key quotes from the article:

  • -“Powerful re-identification algorithms demonstrate not just a flaw in a specific anonymization technique(s), but the fundamental inadequacy of the entire privacy protection paradigm based on “de-identifying” the data.”
  • -“Any information that distinguishes one person from another can be used for re-identifying data.”
  • -“Privacy protection has to be built and reasoned about on a case-by-case basis.”

OCR should have recommended what Shmatikov and Narayanan proposed:  case-by-case ‘adversarial testing’ by comparing a “de-identified” health data base to multiple publically available data bases to determine which data fields must be removed to prevent re-identification. See PPR’s paper on “adversarial testing” at: http://patientprivacyrights.org/wp-content/uploads/2010/10/ABlumberg-anonymization-memo.pdf

Simplest, cheapest, and best of all would be to use the stimulus billions to build electronic systems so patients can electronically consent to data use for research and other uses they approve of.  Complex, expensive contracts and difficult ‘work-arounds’ (like ‘adversarial testing’) are needed to protect patient privacy because institutions, not patients, control who can use health data. This is not what the public expects and prevents us from exercising our individual rights to decide who can see and use personal health information.

How Medical Identity Theft Can Give You a Decade of Headaches

See the full article at How Medical Identity Theft Can Give You a Decade of Headaches.

This article tells us a cautionary tale about how Arnold Salinas had his identity stolen by someone who took out medical care in his name. Now, any time he gets medical treatment, he has to be extremely careful that his records are actually his own or face the possibility that he will get the WRONG treatment.

“Medical identity theft affected an estimated 1.5 million people in the U.S. at a cost of $41.3 billion last year, according to the Ponemon Institute, a research center focused on privacy and data security. The crime has grown as health care costs have swelled and job cuts have left people without employer-subsidized insurance. Making matters worse: The complexity of the medical system has made it difficult for victims to clear their name.”

It is so important that patients control and are kept abreast of their medical records, but the current system does not make this easy. According to the article, medical identity theft cases are some of the most difficult to solve and can take years. What makes it so difficult is that “‘…you have to go provider by provider, hospital by hospital, office by office and correct each record,” said Sam Imandoust, a legal analyst with the Identity Theft Resource Center. ‘The frustrating part is while you’re going through and trying to clean up the records, the identity thief can continue to go around and get medical services in the victim’s name. Really there’s no way to effectively shut it down.’” Another problem is even finding out your identity has been stolen. According to Pam Dixon, founder of World Privacy Forum, “the fractured nature of the health care system makes medical identity theft hard to detect. Victims often don’t find out until two years after the crime, and cases can commonly stretch out a decade or longer”. Banks and other institutions are used to dealing with identity theft, but the medical industry isn’t equipped to handle this kind of infringement.

HIT systems among top 10 health tech hazards, says ECRI

Another story about why health technology is not ready for prime time. Today untested, unsafe health technologies and applications that eliminate patient control over sensitive personal health information are mandated for use by physicians and hospitals.

Today patient health data is widely disclosed and sold through electronic systems See ABC Story about the sale of diabetic patient records for $14-$25 per patient). It will be years until patients can control sensitive information (from prescriptions to DNA to diagnoses) because systems were never designed to comply with patients’ rights to control health records. There is no data map to know where our personal health data is held or what it’s being for (see Prof Sweeney explain the need for a health data map on video).

In addition, health technology also poses serious risks to patient including:

  • -patient/data mismatches between systems (which would not happen if patients controlled the use and disclosure of their information)
  • -interoperability failures with medical devices and health IT systems
  • -Caregiver distractions from smartphones and other mobile devices