This Week Health

Don't forget to subscribe!

February 4, 2020: Azar, Apple, Microsoft and others respond to Epic. Google defends Ascension deal and Azure’s security hole exposed. We have 5 stories that are follow-on to the Epic conversation. You remember that Judy Faulkner wrote the letter which kicked off some things. We have Secretary Azar’s response. We have Apple and Cerner’s response. We have Epic’s response to the response. We are also going to take a look at Dr. Feinberg from Google talking about the patient data practices with Ascension. 

Key Points:

  • Severe Perfect 10.0 Microsoft Flaw Confirmed: ‘This is a Cloud Security Nightmare’
  •  Are Epic’s patient privacy concerns covered with a smoke screen? 
  • Third-party apps are currently not required to follow data blocking policies under ONC’s proposed rule
  • This is the year of interoperability
  • Ascension’s work with Google 

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Welcome to this week in Health IT News, where we look at as many stories as we can in 23 minutes or less that will impact health it. My name is Bill Russell Healthcare, CIO, coach and creator of this Week in Health. It a set of podcast videos and collaboration events dedicated to developing the next generation of health leaders.

It's Tuesday Newsday, and here are some of the stories we're gonna take a look at. We have about five stories that are follow on to the uh, epic. . Conversation we have, uh, secretary AAR's response. We have Apple and Cerner's response. We have epic's response to the response. So, uh, a lot to look at there. Um, Dr.

Feinberg, uh, at uh, Google talks about the, uh, patient data practices with Ascension. We're gonna take a look at that. And, uh, one, you know, one other thing I wanna make sure we get to is the severe perfect 10 Microsoft flaw. Confirmed this is a cloud security nightmare, is the, uh, headline for the story. So we're gonna get into all of those stories right now.

This episode is sponsored by Health Lyrics. I coach healthcare leaders on all things health. It coaching was instrumental in my success, and it is the focus of my work at Health Lyrics. I've coached CEOs, CIOs. Uh, CTOs, uh, startups, health systems. If you want to elevate your game in 2020, visit health to schedule a free conversation.

Alright, let's get to it. Uh, epic. As you know, Judy Faulkner wrote the letter letter. . Uh, kicked off some things. If you are not familiar with it, go back and listen to last week's episode. I went into it in a great detail, so, uh, I'm not gonna do that again. Here's, uh, secretary Azar, uh, comeback. It was fierce healthcare stories, the one I'm going to be quoting, HHS Secretary Alex Azar on Monday.

Voice frustration over stakeholders fiercely opposing a proposed regulation that would make it easier for patients to access their health data speaking at the office of national Coordinator. For health, it's annual meeting in dc. Azar said Current medical records systems were segmented and balkanized, which hinders patients' access to health information and impacts care.

Appearing to blast electronic health records company Epic, uh, and their effort to drum up opposition against the rule. Azar said Scare tactics are not going to stop the reforms we need. He added, uh, defending the current Balkanized state of status quo is highly unpopular position to take. Which I agree with, uh, the goal of O C's interoperability rule released last year is to enable patients to access their electronic health records at no cost.

Uh, providers should be able to use health IT tools to provide the best care for patients without excessive cost or technical barriers. So that's, uh, secretary Azar, and as I said last week. Whoever wins the argument in the, uh, in the town square in the public opinion, is gonna win this argument. And there was an awful lot coming back at Epic as a result of this.

So you have that's, uh, secretary AAR's, uh, response. You have Apple Cerner call for interoperability rule release. Without further delay highlighting industry rift. Uh, big tech giants, apple and Microsoft are joining health IT vendors and health plans to meet with federal officials. This was last Monday, I believe.

Uh, to voice strong support for efforts to give patients access to health data, the Care and Alliance, a private sector collaboration made up of major health insurers, providers, health IT companies, and tech giants. Announced last week that it is meeting with the OMB to request the agency to finalize and release the proposed interoperability rules.

Without further delay. Uh, here's some of the people that are in the Karen Alliance. Apple, Microsoft, Humana, Walgreens, blue Shield of California. Salesforce, OMATA Health Major Health Information Exchange, manifest MedX and Mount Sinai Health System. Also on the list were, uh, of representatives, were Cerner and EHR vendors, uh, epic.

Oh no, just Cerner and EHR vendor. And competitor to Epic. So I don't know if Epic was at that meeting or not, to be honest with you. I, I doesn't look like they were. Um, so again, you're having, uh, apple, Cerner and the, the lot of 'em saying Release it now. Release it without delay. Uh, let's see. So let's go into this.

So, uh, our epics patient privacy concerns a smoke screen. One industry consultant weighs in. Healthcare Innovation Group, one of my, uh, favorite publications to go to. Uh, let's see. Stakeholders beyond just Epic and other EHR companies have taken issue with the patient privacy elements of the Rule One group, uh, chime our group, a leading association representing healthcare CIOs noted the proposed ONC interoperability rule does not sufficiently address 21st Secretary Cures acts directive to protect patient data privacy and ensure health IT security.

Third party apps are currently not required to follow data blocking policies under O C's proposed rule. According to Chime. What's more? Smartphone apps created by third party developers and not by providers or business associates covered under the health insurance port of HIPAA are not subject to HIPAA rules.

Even if a breach occurs and, uh, while it. I'm gonna get to my take on this. While I agree with all those things, I disagree with chimes conclusions and their conclusion is, uh. I, I, I agree that the fact that the, uh, rule itself does not have those protections, but I, I believe that those protections will be created, and I'll come back to that at the, uh, at the end of all these Epic stores.

I'll come back to why I think that will be created really quickly, because it's a, it's a gaping hole. I don't think it needs to be regulated. I think it just needs to be, uh, addressed as somebody can, can, uh, fill that gap. It could be the HR providers, but, uh, my guess is it's gonna be someone else. Other industry groups such as the AMA and AHA told New York Times last year that they've met with fed federal regulators to push

Four changes in this area without federal restrictions in place. The group argued consumer apps would be free to share and sell sensitive details like patient prescription drug history. I agree. Again, I agree that the gap exists. I disagree that it's gonna exist for long, uh, even if they pass the rule exactly how to it.

Uh, exists today. Epic, uh, agrees per its recently posted statement. They have two problems. Family member data may inadvertently be shared. Uh, apps may take much more of the patient's data than patient intended company officials compared. These two risks to what happened with Facebook and Cambridge Analytica.

Uh, Michael Abrams, managing partner of healthcare consulting firm, Numeroff and Associates, says. The patient privacy is a hot button healthcare topic of the day, and by coming out as a presumptive advocate of patient privacy, epic is trying to look like the good guys. I'm not sure there's anything else they can point to that puts them in that, in that same light, he says, uh, adding that epic's comparison to patient privacy risks in o UNCs proposed rule of, uh, Facebook Cambridge Analytic.

Uh. Situation is completely specious. Some of the players in the industry are attempting to leverage patient privacy in an effort to, once again stonewall change in the industry and maintain status quo, which keeps them in control. Uh, he goes on to say a couple more things just like that, like, you know, epic is, uh, Epic's looking out for Epic, and, uh, the industry's looking out for the industry.

And essentially, uh, there's not really much to see here. So let's take a look at what Epic said. This was on Epic's website. Epic supports patient access to their data. Proposed, uh, proposes ONC Rules Solution oh proposes, ONC Rules Solutions to protect privacy. Uh, epic strongly agrees with the goal, the ONC, to support patient's ability to access their data.

For decades, epic has been doing this, uh, uh, from there, uh, it gives a bunch of care everywhere, share everywhere, uh, type of things. We appreciate that HHS is trying to make their proposal rule for data sharing better for patients, and has been listening to many voices. We recommend necessary solutions before the ONC rule is finalized to prevent serious risks.

To patient privacy. Great. Let's hear what the recommendations are. Recommendations to help the ONC avoid privacy risks for family members and for patients. I want you to listen to this because there's one thing that's missing by requiring health system to send patient data to any app requested by the patient.

The ONC rule inadvertently creates a new privacy risk. According to the recent study, 79% of healthcare apps resellers share data. And there is no regulation requiring patient approval of this downstream use. There are two highly likely patient privacy risks. Uh, family member data may inadvertently be shared.

Goes on to talk about that after surgery. Jim's doctor wants to prescribe an opioid. He looks at it. And, um, when Jim's health data is sent to an app and that data is used, shared or sold, Ken's addiction status, uh, may become public . Uh, without Ken's knowledge or permission, Jim and Ken's story is similar to what happened in Facebook, uh, friends, um, who did not give their approval for the information to be harvest harvested by Cambridge Analytica.

Uh, apps may take a much more of the patient's data than intended, and it goes on to talk about this and it gives an example. Uh, we have always and will always support patient's right to use their data as they see fit. However, it is the role of government to ensure that the patients have the information they need to make those decisions Knowledgeably.

Like they have four nutrition and food labels so forth. Uh, for patients to benefit from the ONC rule without these serious risks to their privacy, we recommend that transparency requirements and privacy protections are established for apps gathering patient data before the ONC rule is finalized. So that's the recommendation.

Redo it. Essentially establish those rules before it goes and is finalized. Um, and it goes on to say, epic does not typically comment on national policy issues. You know, the thing is, if you're gonna say you're gonna make a recommendation, make a recommendation. That's my only comment on this. All these things are, are accurate.

I, I think, uh, I, I'd like the fact that Epic brought these things up, but your recommendation is essentially put a, put something in place to protect their, uh, their, their privacy and, um, . And, you know, the, and make the requirements more solid. Uh, it's, I dunno, it, it's a, it's a, I really wish there was more meat to this.

I wish there was a link to another page that would say, here's what we recommend as Epic as the leading EHR provider in this industry. As a patient advocate, we recommend these changes to the rules and these things be put in place. That's what I would like to see. So my take, um, you know, the, uh, the argument's interesting.

Uh, to be honest with you, it's an, it's an unpopular argument and I think it's an unpopular argument because it appears to be protecting. Monopolistic practices of the HR providers and, and it's just, it's just the appearance of it. And the other side seems to be being the patient advocate, saying, Hey, shouldn't the patient have their own data?

Shouldn't there be transparency? And so that's, and just from sheer optics, it's always gonna look better. Um, lemme tell you how this is gonna play out. So, uh, you know, um. If it gets approved the way it is, the biggest winner is gonna be Apple and Google. Google. Lemme tell you why. Um, they'll become the security mechanism for health records.

the API will open up the data from the EHR providers and they will bring it into their phone apps. They will bring it into, uh, apple Health and Google, uh, health record. I, I don't know what the Google one is called, but essentially Google's health record, Apple's health record. And because that's gonna be the mechanism, that's gonna be the platform we all bring it into.

So they're gonna be the big winners. Health systems are, are then going to, um, really be forced to put things into place that allow people to come in with their phone. That has their complete medical record stored by Apple, stored by Google. And, uh, give them the ability to give them the record and give the record back to them, uh, when they check out.

So it is gonna become much more trans, uh, transportable as HIPAA was really designed to be a long, a long time ago. Um, the other thing is app developers are gonna be held accountable by those aggregators, by the apples and the Googles. Epic will no longer be the a aggregator. Cerner will no longer be the aggregator.

There will be a new group of aggregators of health data that provide those APIs. And then they will, they will create the security mechanism and they will do that because they are, uh, consumer centric organizations. They know that if they allow that to get out there, uh, that there's gonna be problems.

This is one of the reasons that apple's, uh, privacy and, uh, security play. That their, um, that their marketing is so effective because they see the future. And the future is gonna be about who can protect my privacy. And I, I believe Apple's playing the right, the right game here. Um, I think there's gonna be other players that pop up.

I. here, uh, but they will not be as strong and powerful as Apple and Google. Uh, you know, if I were a health catalyst, I would probably get into this game as well. Um, but that's just my take. This is a done deal. This is gonna happen. We are gonna have to allow access. I think, uh, apple and Google can come to the rescue of the health systems instead of.

Uh, instead of them trying to, uh, put a team in place to manage the APIs, manage the security, manage the access to the record, uh, I think there's a, a potential partnership with Apple and GU here where they can actually do that so we'll, we will see, uh, we'll see how this plays out, but, uh, continues to be a.

Uh, this is the year of interoperability. I, I've talked to a bunch of people this week. This is the year that it truly happens. The vision of the patient, having their record, being able to, on my Apple iPhone, being able to download another app, have them access the data, me knowing what access they're getting, because Apple's providing me records and, uh, and then

Them, you know, doing something and then giving me value back on that medical record. I, that is going to, I believe that is going to really come to the fore this year. We'll get back to our show in just a minute. Galen Healthcare is an award-winning best in class healthcare IT consulting services and technology solutions firm.

One of the areas my company used Galen, when I was the CIO, was for data archiving, migration, and legacy application support services. They had a comprehensive framework designed from years of frontline healthcare experience. Built on a run, migrate, and archive design run was to keep the legacy application running effectively migrate, convert the relevant data from Legacy Systems to the new and archive was to file it away while maintaining access to critical clinical and operational data.

If you find yourself looking at retiring legacy healthcare applications, check out, and we want to thank them for becoming a channel sponsor and supporting the work. . Of developing the next generation of health IT leaders. Now back to our show. Alright, David Feinberg, uh, Dr.

Feinberg defends Google's patient data practices with Ascension Health data management. Uh, so that's the, uh, that's the, uh, article was in health data management. So Feinberg defends practice. Here it is, uh, Ascension chose. . Google as a cloud provider for the records said Feinberg In our cloud services, the information is encrypted in transit.

It's encrypted at rest. We have no access to the information. I can tell you, I can't tell you how many medical records they have, uh, because we actually charge them for storage space, not for specific records. Think of it as a warehouse. The only one that has a key to the record is Ascension, which is, uh, interesting.

Feinberg insists that Google's dealings with Ascension are fully compliant with hipaa. And includes strong security and privacy measures for protecting patient records. He goes on to say there are many times, uh, there may be many times, there may be times where Google employees are exposed to personal health information.

Uh, and this was Feinberg speaking at the Startup Health Festival. Those Google folks are trained in hipaa. It is through a business associated agreement. Ascension has 600 business associated agre agreements. By the way, uh, our privacy and data security practices are consistent with established ship requirements.

Uh, and, uh, and they will follow, uh, strict guidelines. So that's what Feinberg says. It goes on. The article goes on to, uh, quote and Eduardo Conrado, who is the, um, . Uh, chief Strategy Digital Officer for Ascension. Our privacy and data security practices are consistent with established HIPAA requirements, and we will continue to ensure that these are followed.

In short, our work with Google Health has adhered to the same standards of data privacy and security oversight we have used in our work over the many years with numerous healthcare partners, including EHR, register, registry, payer, and analytics vendors, as well as state and federal agencies. Con Creto noted that Ascension's work with Google and piloting.

Of a searchable cloud-based longitudinal clinical record falls under a business associate agreement under, uh, between the two organizations, the clinical data shared with Google Health to pilot this application. It's protected by a series of layered security measures, including encryption, audit trails, limited permissions, who can access this data, all of which is controlled by ascension.

He added clinical information remains in Ascension's private cloud environment, which is controlled, logged, and monitored by ascension when it comes to protected health. Information can readily conclude the PHI available. To the Ascension and Google Health, EHR search pilot teams is limited to a subset of Ascension patients and that the number of team members who access PHI and the amount of that data that any team member's accesses is limited to what is necessary to complete their work.

Okay, so. Here's my take on this. You know, I spoke with, uh, both of these gentlemen at the JPM conference. I was able to, to see the ascension video of this, of the internal Ascension video, the Google, uh, presentation of the Google Health record. That's actually out on YouTube. You can search that. Uh, the, but I saw the, uh, internal ascension presentation of the medical record.

And, um, you know, and I also reported on this when the Wall Wall Street Journal article came out. Uh, there's really nothing to see here. I mean. They followed hipaa. We knew they followed hipaa. There's a lot of lawyers and really smart people at Ascension. There's no way they're just handing the data over to Google and Google's smart enough to not start sharing their information with Google search.

It's just that, I mean, it was almost outrageous, the claims that were being made, uh, after that article, it just went, uh, kind of crazy. Uh, so there's really nothing to see here except . Really what I said back then was, the future of HIEs in the industry is right here. Uh, you know, if I were running an H Hi e, I would be talking to Google right now.

Uh, I would want to know it, you know, what it would take to have their interface on top of, uh, the HIE data for the community that I serve. It is extremely powerful. Um, you know, it's not only search, it's voice navigation, it's graphing and trend analysis. Uh, you know, there's powerful technologies on the background, identifying important information and great design, making it easy to see and find.

And the thing about this to remember to always remember here is that the number one problem that Ascension had to solve was they did not go to a single EHR across their entire system. 110 different health entities, you know, probably 50 to a hundred EHRs. And you're looking at this data and you're going, this is awesome.

This is awesome how they brought that data together. It's awesome. The, uh, presentation of that data, the ability to do analytics trending and an analysis on it. This is the future. It's exciting. I'm looking forward to more. I'm gonna reach out. I, I have reached out to actually both of these gentlemen to be on the show and, uh, they have both agreed.

So we will get that, uh, we'll, we'll get that scheduled and, uh, get that out to you guys as soon as, uh, as soon as we can get it on the calendar. All right, uh, we're running down on time here, so I'm going to, uh, go to this Microsoft Flaw 'cause I think it's a big one. So severe perfect. 10 Microsoft Flaw.

Confirmed. This is a cloud security nightmare. This is a Forbes article. Checkpoints Yaniv. Bais tells me it undermines the concept of cloud security. You can't prevent it. You can't protect yourself. The only one who can is a cloud provider. So MIC Microsoft did quickly fix this vulnerability when Checkpoint approached them in the fall, and customers who have patched their systems are now safe.

The vulnerability is as punchy as it gets a perfect 10. Um. . So, uh, it's huge. I can't even start to describe how big it is. The reason it for the hyperbole is that Alma says his team found the first remote code execution exploit, RCE, uh, on a major cloud platform. One user could break the cloud isolation, separating themselves and others.

Intercepting code manipulating programs. The isolation is the basis of cloud security enabling safe sharing of common hardware. There's no detail when Microsoft patched the flaw, just a short explainer. An attacker who successfully exploited this vulnerability could allow an unprivileged function to run by the user to execute code.

The company said at the time, thereby escaping the sandbox this week, uh, Microsoft Con confirmed their report. Uh, they addressed these issues in 2019 and there's . Uh, CVE 2019 dash 1372 and 1234 addresses those vulnerabilities. Uh. Just a little more detail. There's two vulnerabilities here. The first is a modest, so modest software bug that can be pushed hard to crash a system and escalate that crash to secure user privileges.

And the second is, uh, in, in a lack of security on relatively arbitrary shared services that can be manipulated to break out of the user's own part of the cloud infrastructure and onto a common shared hardware, uh, that great advantage of the cloud. Using what? Um, using only what you need . Just when you need it means that you are a tenant in a server version of an apartment block.

Checkpoints exploit built a master key for all the other apartment blocks, uh, in the building. Alright, so you get the picture here. They figured out a way to, to you go onto the cloud and break off of that cloud. And then any, anything else that . Is in your shared environment, you can start essentially sniffing packets, looking at the code that's being exploited, or code that's being executed, and uh, and you can gather information and do things so they, they've filled that, filled that vulnerability.

So here's my take on it. My take is there are flaws and vulnerabilities in the cloud. Absolutely. You bet. Uh, there are systems. These, these, these are systems made by people, and there will be mistakes and there will be exploits. There's no doubt. Uh, the question isn't, is the cloud foolproof? Uh, the question is, is it more secure than what you are running in your data center today?

Uh, . You know, as health it, our responsibility is to run the most secure environment we can for the people that we serve. And just because we have more control does not mean it is more secure. Um, you know, one of the things here is I think IT departments are gonna continue to use these stories as arguments to protect, uh, protect jobs really for the most part, but also archaic practices, old models.

Um, and, and my encouragement is don't do it. Um, if you inval evaluate cloud security versus what we have onsite objectively today, I would say only about 10% of health systems are going to are, are even gonna be at parity. And, and I, I might even be kind there. Um, the remainder really should just figure out how to get on a cloud provider, uh, as soon as it makes sense.

Uh, that's really what, from a security standpoint, that's what's in the best interest of the people. . That you serve. Now, there are other considerations. Absolutely, you have to consider, uh, the operational costs and, and a bunch of other things, but I'm saying from a security standpoint alone, the cloud is gonna be more secure.

The other thing is, if you're gonna be moving to the cloud, look at technologies that allow you an abstraction layer. , right. So VMware is a sponsor of this show. And I'm not just saying this 'cause it's VMware, it's the one I'm just most familiar with. But VMware gives you an abstraction layer that, uh, gives you the ability to move, uh, from cloud provider to cloud provider.

So if there's a major security breach at AWS, you can then move to Azure and if there's a major breach there, you can move to another cloud provider. So that's what layers of abstraction enable you to do it. It enables you to, to stay away from Cloud lock-in. And that's one of the things, whenever I talk about cloud with my clients, I talk to them about this whole idea of lock-in where you get so, uh, tied into the cloud provider that you cannot get out.

And, uh, there's a lot of mechanisms to make sure you get your data in and it's really hard to get it out. So, uh, keep that in mind. Look for layers of distraction. Look for ways to get the stuff out. Wow, that is 23 minutes. So, uh, I am this year I'm gonna try to be more disciplined. That's all for this week.

Special thanks to our sponsors, VMware Starbridge Advisors, Galen Healthcare Health lyrics and pro talent advisors for choosing to invest in developing the next generation of health leaders. This shows a production of this week in Health It. For more great content, check out the web website this week,, or the YouTube channel.

If you wanna support the fastest growing podcast in the health IT space, share it with a peer best way to do it. Send 'em an email, tell 'em to listen. Uh, we'll get back. We will be back again this Friday for another interview with an industry influencer, and we'll be back next Tuesday for more news that is gonna impact health It.

Thanks for listening. That's all for now.


Thank You to Our Show Sponsors

Our Shows

Today In Health IT with Bill Russell

Related Content

Transform Healthcare - One Connection at a Time

© Copyright 2024 Health Lyrics All rights reserved