H-ISAC Hacking Healthcare 4-7-2020 -

TLP White

In this edition of Hacking Healthcare, we take a longer look at the various ways the public and private sector are turning to tech and data-driven solutions to mitigate COVID-19’s health and economic impacts, as well as contemplating the privacy issues that go along with them.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

COVID-19 Puts A Spotlight on Privacy Issues.

COVID-19 has inadvertently brought additional focus to global privacy issues. As governments around the world struggle to contain and mitigate the virus’s economic and health effects, many find themselves pushing for tech and data-driven solutions. In doing so, they have found themselves caught up in discussions about how such solutions may be implemented to benefit response efforts but have also fueled fear and distrust among those worried about security and privacy. These concerns range from skepticism over the relaxation of regulations designed to keep patient data private to concern that COVID-19 is a pretext to install a surveillance state.

At its core, the problem is the same one facing policymakers pre-COVID19: where do you draw the line between an individual’s privacy and the potential benefits to society created by consumer information? COVID-19 has added a literal life-and-death urgency to engaging with that question. While most of the focus on these issues tends to center on the more extreme scenarios of expansive and opaque government surveillance programs, the fear and distrust that fuels those concerns may trickle down into more benign adjacent topics – such as patient data sharing and voluntary open source tracing.

Public Sector

So, what kinds of solutions are countries exploring and where do they fall along this spectrum of impacts to patient and data privacy? The widespread use of surveillance and tracking technology has undoubtedly helped government efforts to curb the virus’ spread and is gaining traction in some unlikely places.

For example, within the European Union, several states are attempting to develop contact-tracing applications for smartphones. These apps would make use of Bluetooth technology to track other devices who remain in close proximity for any length of time deemed reasonable for potential transmission.[1] If an individual was to then test positive for COVID-19, an alert could be sent to all devices that came into proximity advising them to take precautions or to self-quarantine. According to the BBC, a number of states, including privacy-conscious Germany, have been supportive of the effort that may be rolled out in the next week or so.[2]

One of the goals of this initiative would be to make the application interoperable across all EU member states and hopefully reopen inter-EU travel. Experts working on the initiative claim that privacy is a foremost consideration and that records could be anonymized and encrypted. A coordinator of the EU effort went so far as to say, “Even if the data stored in the country data centres is subpoenaed or a hacker steals it, there is no way to trace back the patients or the contact people.”[3] However, as our readers will know, true deanonymization is far more difficult to achieve than is commonly believed, and encryption is only as good as its implementation and stewardship.

There are additional hurdles as well. Currently, the application is envisioned as voluntary and would require an individual to test positive and then enter that positive result into the application. While the act of entering in sensitive personal health data may be deemed a form of consent, avoiding the legal or ethical issues of a healthcare organization or government entering it, there may not be enough of an incentive for individuals to take that step.

There are also those states who make skepticism of these efforts seem well founded. Russia’s introduction of a social monitoring app that “requests access to calls, location, camera, storage, network information and other data to check they do not leave their home while contagious” should not be surprising.[4] The invasiveness of the app, all in the name of public health and safety, raises serious concerns among privacy advocates who are skeptical of how it may ultimately be used.

Then there is China. China certainly possesses a highly developed range of tracking and monitoring capabilities. While these pre-exist the outbreak of COVID-19, the extensive infrastructure that exists would be relatively easy to repurpose. China has also embraced the usage of mobile phone applications like WeChat and AliPay to help spread awareness and slow transmission rates by incorporating them into a state developed tool.[5][6] These apps, which appear to send information back to state entities, “assign people “color codes” to determine whether they should quarantine themselves or may move around freely.”[7] In a country with a more limited definition of privacy, these applications and methods face little public backlash.

Both Russia and China have apparently been using facial recognition extensively in the fight against the spread of the virus. Russia has been using a network of tens of thousands of cameras to track people and is reported to have used it to identify a woman who had recently returned from China and wasn’t adhering to the mandatory two-week quarantine.[8][9] In China, the technology has become advanced enough to even identify individuals who are wearing masks, and in some cases that information can be correlated with temperature sensors to determine if someone is showing signs of being infected.[10]

One often overlooked source of tracking data is vehicles. It can be easy to forget that most modern cars are nearly always connected to the same cellular networks as phones and can be used in much the same way to trace a person’s activities.

South Korea is praised for how well the country has responded to COVID-19, boasting some of the lowest infection growth rates of any major nation.[11] Some of that success is due to the willingness of the South Koreans to accept intrusive COVID-19 tracking and information applications that do away with some of the fundamental privacy rights many in the West take for granted. Apps like Corona 100M and Corona Map not only alert citizens in real-time where patients diagnosed with COVID-19 are and have been, but can give out personal information the individuals name.[12] Perhaps what is most surprising is that nearly 80% of respondents to a Seoul National University’s Graduate School of Public Health survey agreed with sacrificing some privacy rights to help contain COVID-19.[13]

Private Sector

Governments are not the only ones looking to data and technology to drive solutions and products related to COVID-19. Private sector entities are also building out solutions that touch the privacy debate. On the less privacy intrusive side of things are efforts from Google, Facebook, and the Mount Sinai Health System.

Google’s access to smartphone location data has allowed them to release a report by country that tracks changes in movement trends to widely used public spaces.[14] It is their hope that the reporting can be used to help decision makers understand the current situation and help inform policies going forward. While Google’s access to track so many people may be a concern, it shouldn’t be a surprise. The data primarily comes from phone apps where the individual has chosen to download and give Google access to location data. Furthermore, the reports are high level summaries that avoid the type of granular data that could be used to identify individuals.[15]

Facebook has also begun to make use of their enormous reach to track CVOID-19. Starting on April 6^th, Facebook users in the United States may begin to see a pop-up with a COVID-19 voluntary survey.[16] Facebook is working in conjunction with Carnegie Mellon’s Delphi epidemiological research center on this effort.[17] The hope is that Facebook’s reach will give the Carnegie Mellon team a boost in acquiring a large enough sample size to become useful. Additionally, in a similar vein to Google, Facebook is also launching a number of maps aimed at tracking different aspects of COVID-19. The three announced tools look at co-location, movement range, and social connectedness and will make use of a combination of Facebook’s internal data and data from public health organizations.[18]

The Mount Sinai Health System launched their web-based app at the beginning of April. Available to Mount Sinai patients and NYC residents, the tool is used to monitor symptoms. According to Mount Sinai’s release, “Users complete an initial survey with questions about demographics, exposure, and symptom history, followed by short daily surveys about their symptoms through text messages sent to their phones.”[19]

It is Mount Sinai’s hope that this voluntary information will help track the spread and monitor potential new clusters of infections. While it is not publicly stated how this information will be used or who will have access to it, being limited in scope, administered by a well-known healthcare organization in a highly regulated sector, and being voluntary in nature does help ease concerns. However, not all such efforts are as benign.

The more notorious of these private sector initiatives relates to the Israeli NSO Group. The well-known spyware maker is allegedly offering their new analysis tool as a solution to track citizen movements and COVID-19 spread. The tool allegedly “analyzes huge volumes of data…[and] then matches with location data collected by national mobile phone companies that pinpoints citizens who were in the patient’s vicinity.”[20] A source further explained to Vice News, that the “tool tracks citizens by assigning them random IDs, which the government—when needed—can de-anonymize.”[21]

While not altogether different in function than efforts being supported in the EU, the association with the NSO Group’s past activities and the less than open explanation of how it works makes it seem like a low-level sample for their more invasive products. Ultimately, NSO’s offering and other similar products muddy the waters when it comes to defending the use tracing or tracking applications by highlighting the thin line between limited secure privacy conscious applications and invasive mass surveillance.

Conclusion

COVID-19 is providing the impetus for a host of emerging technologies to be implemented sooner, and perhaps more aggressively, than they may have been otherwise. From telehealth to tracking and tracing applications, solutions that would normally undergo years of testing and tiered roll-outs are being thrust into use in an effort to save lives and minimize economic damage. In doing so, countries have ignited fierce privacy debates. But at the same time, big data is having a moment and is displaying its utility. While specific tactics implemented by the government and the private sector certainly warrant considerable scrutiny and oversight, big data is demonstrating its power and value like never before.

Proponents of these measures can contend that saving lives and bolstering the economy are worth the short-term risks associated with untested applications like these. Furthermore, they can argue that COVID-19 has simply pushed everyone further down the path that the new healthcare data sharing and interoperability initiatives across Europe and the United States were already heading for.

Meanwhile, skeptics can rightfully point out how poor and rushed implementations can sour public support of promising technologies. They can point out how, if deemed a success, it sets a dangerous precedent for tracking and tracing citizens for other less novel emergencies. Or, how initiatives like these can harm citizen trust in the government, which may ultimately hurt response efforts.

Regardless of privacy concerns, the next few months will undoubtedly see numerous COVID-19 related tracking and tracing applications put into use by many countries. While these initial efforts may be rushed, unoptimized, and limited in their usefulness, they may also showcase how emerging technologies, interoperability, big data, and the ubiquity of personal cellular devices could revolutionize healthcare responses to national or global emergencies. It may be with that backdrop that the next round of privacy battles is fought.