TLP White: This week, Hacking Healthcare delivers an update on the progress various countries are making on digital contact-tracing and outlines the important role healthcare organizations play in advancing discussion on the topic. Next, we explore growing public and private support for permanently easing rules and regulations that impede telehealth services. Lastly, we brief you on a new federal bill that would create a national research cloud for artificial intelligence and how the bill could benefit the healthcare sector.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).


Welcome back to Hacking Healthcare.


1. Digital Contact-tracing Continues its Uneven Advance.

Whether you are a skeptic or supporter, digital contact-tracing efforts continue to develop across the world. As such, below we provide a brief review of various high-profile developments that have taken place in a number of nations since our last contact-tracing update. As approaches to contact-tracing evolve over the coming months, we will routinely revisit the logistical, legal, political, and technical aspects of this important public health measure to keep you informed.


When we last updated you, the U.K. appeared on track to quickly deploy its own centralized contact-tracing application that was developed by its National Health Service. But preliminary testing of the application that began on the Isle of Wight in early May has not led to a nationwide rollout.[1] Numerous concerns and problems continue to plague the project, and its new timeline suggests that it may not formally launch for another several weeks.[2] Further complicating matters is a non-peer-reviewed journal article claiming that people who think they have already contracted COVID-19 are less likely to download the application.[3]


At the outset of the COVID-19 pandemic, Singapore led the charge to develop and implement digital contact-tracing efforts. Going as far back as mid-March, Singapore’s TraceTogether application was lauded as a cutting-edge attempt to monitor the spread of COVID-19.[4] Unfortunately, despite the country’s best efforts, TraceTogether’s adoption, at 20%, never reached the critical mass of users required to make it an effective tool.[5] In response, Singapore’s government is now looking at a radical strategy that would entail giving all 5.7 million of its citizens a wearable device that would eliminate the need for a smartphone app.[6] This has led to serious questions and concerns over privacy, confusion about what data the device would record, and a lack of clarity regarding where the data might be sent. It is not yet clear if the government intends to make the devices mandatory for the country’s entire population.[7]


The uneven progress of contact-tracing applications in the United States continues, but there have been some positive developments for privacy advocates in recent weeks. Last week, a bi-partisan Senate bill entitled the Exposure Notification Privacy Act was introduced by Sen. Maria Cantwell (D-WA), Sen. Bill Cassidy (R-LA), and Sen. Amy Klobuchar (D-MN) that requires “public health officials to be involved with any exposure notification systems, mandates user consent for their participation and allows them to request the deletion of their data at any time, and prohibits any commercial use of the data.”[8] This is just one of many pieces of legislation to be introduced recently that calls attention to concerns around healthcare apps and data sharing related to COVID-19.


On the heels of several smaller European countries announcing the launch of their Apple and Google-inspired applications, Italy announced the launch of its own last week. The app, dubbed Immuni, generated 500,000 downloads on the first day it was made available to the public.[9] The notification system itself went live on June 8th, but at this time it is limited to the pilot regions of Liguria, Marche, Apulia and Abruzzo. If all goes well, Italy tentatively plans for a rapid nationwide rollout of the app later this month. Data security and privacy advocates should take note that the source code for the app is publicly available on GitHub.


France, one of the few European countries to decline Apple and Google’s approach in favor of a more centralized, self-developed contact-tracing application, announced that it managed 600,000 downloads in the immediate aftermath of its StopCOVID app release.[10] France has not yet updated its total user numbers, or highlighted its target adoption number, but it has previously commented that urban population centers are the initial priority for the application.[11]


India’s national contact-tracing effort, named Aarogya Setu, was launched just over a month ago and has been an interesting case study for those looking to compare and contrast approaches. Due in large part to the government’s decision to make the app mandatory in certain containment zones and for government workers, it has reportedly already passed 100 million downloads.[12] However, the centralized system does collect location data and other personal details for the government, and its “always on” Bluetooth capability has been cited as a privacy and security concern.[13] Much of the unease among citizens over this program comes from the country’s checkered history on privacy issues.


Analysis & Action

** H-ISAC membership required **


2. Support Grows for the Permanent Relaxation of Rules and Regulations Impacting Telehealth.

In addressing the COVID-19 pandemic, unprecedented stay-at-home orders and other actions that required entire populations to shelter in place and avoid non-essential travel meant that routine visits to healthcare facilities became impossible or risky for many. Thankfully, the swift upscaling of online telehealth services not only acted as a stopgap, but also provided a trial by fire that emphasized how efficient and successful telehealth services can be for both patients and practitioners. While circumstances are still far from normal, there is a growing sense that there is enough evidence to support the permanent relaxation of many telehealth rules and regulations that allowed the healthcare sector to meet the challenge of COVID-19.

Last Thursday, healthcare company Premier Inc. sent letters to both Congress and CMS to ask that many of the temporary waivers and enforcement relaxations that were issued to respond to COVID-19 be made permanent. Premier cited advancements in technology, outdated legislation, disparities in insurance coverages, expanded payment options, the ability to improve patient and practitioner experiences, and broadening healthcare access as just some of the reasons behind the numerous regulatory and legislative adjustments they would like to see.[14], [15] Premier believes that COVID-19 “was a pressure test of how to modernize and improve healthcare” and that telehealth has been a shining example of where modern healthcare should look to expand.[16]

Support for revisiting rules and regulations extends beyond the private sector as well. Rep. Robin Kelly (D-IL) and nine other Democratic representatives have sponsored House bill 7078, the Evaluating Disparities and Outcomes of Telehealth During the COVID-19 Emergency Act of 2020.[17] The bill would “require the Secretary of Health and Human Services to conduct a study within a year of the end of the emergency period summarizing healthcare utilization patterns during the coronavirus.”[18] Healthcare IT News reports that Rep. Kelly has said that she hopes this legislative effort “can make a case that the relaxed regulations should become the new regulations.”[19]

Analysis & Action

** H-ISAC membership required **


3. Bi-partisan Support for National Research Cloud for Artificial Intelligence.

Emerging technologies continue to be an area where the partisanship of Congress is more often set aside for the national interest. This was most recently evidenced by last week’s announcement of legislation in both the House and Senate that would “develop a detailed roadmap for the development of a national cloud computer for Artificial Intelligence (AI) research.”[20]

Senate bill 3890, the National Cloud Computing Task Force Act, was introduced by Sen. Rob Portman (R-OH) and Sen. Martin Heinrich (D-NM), while its companion bill in the House will be introduced by Rep. Anthony Gonzalez (R-OH) and Rep. Anna Eshoo (D-CA).[21] The legislation promises to establish American leadership in the development of artificial intelligence by bridging the gap between public and private developers and researchers, and ensuring the widest possible access to state-of-the-art supercomputing capabilities.[22]

Sen. Heinrich was keen to point out that “artificial Intelligence is likely to be one of the most transformative technologies of all time. If we defer its development to other nations, important ethical, safety, and privacy principles will be at risk.”[23] The “other nations” portion of his statement appears to imply China, which Sen. Portman specifically called out as the primary threat to U.S.-based leadership in AI.

Analysis & Action

** H-ISAC membership required **




Tuesday, June 9th:

– Senate – Committee on Finance – Hearings to examine unemployment insurance during COVID-19, focusing on The CARES Act and the roles of unemployment insurance during the pandemic


Wednesday, June 10th:

– No relevant hearings


Thursday, June 11th:

– No relevant hearings



International Hearings/Meetings


– No relevant hearings



EU –



Conferences, Webinars, and Summits

– An H-ISAC Framework for CISOs to Manage Identity – Webinar (6/10/2020)

– Life as a CISO by Axonius – Webinar (6/11/2020)

– Practical Posture Testing & Remediation for A Remote Workforce by Safebreach – Webinar (6/16/2020)

– How Authentication Attacks Threaten your Healthcare Environment by Qomplx – Webinar (7/1/2020)

– Securing the IoT Threat in Healthcare by Palo Alto Networks – Webinar (6/24/2020)

– GRF Summit Digital Series – The Ultimate Incident Response Readiness Exercise: Are you remotely ready? – Webinar (6/25/2020)

– H-ISAC Monthly Member Threat Briefing – Webinar (6/30/2020)

– Healthcare Cybersecurity Forum – Mid-Atlantic – Philadelphia, PA (7/17/2020)

– Healthcare Cybersecurity Forum – Rocky Mountain – Denver, CO (7/20/2020)

– Healthcare Cybersecurity Forum – Southeast – Nashville, TN (9/9/2020)

– H-ISAC Security Workshop – Greenwood Village, CO (9/16/2020)

– Healthcare Cybersecurity Forum – Northeast – Boston, MA (9/22/2020)

– H-ISAC Cyber Threat Intel Training – Titusville, FL (9/22/2020)

– H-ISAC Security Workshop – Forchheim, Germany

– Summit on Security & Third Party Risk – National Harbor, MD (9/28/2020 – 9/30/2020)

– Healthcare Cybersecurity Forum – Texas – Houston, TX (10/8/2020)

– CYSEC 2020 – Dubrovnik, Croatia (10/27/2020 – 10/28/2020)

– H-ISAC Security Workshop – Mounds View, MN (10/27/2020)

– Healthcare Cybersecurity Forum – Pacific Northwest – Seattle, WA (10/28/2020)

– H-ISAC Security Workshop – Seattle, WA (10/29/2020)

– Healthcare Cybersecurity Forum – California – Los Angeles, CA (11/12/2020)

– H-ISAC Security Workshop – Paris, France (11/18/2020)



Sundries –


– Ransomware crooks attack Conduent, another large IT provider

– Hackers target senior executives at German company procuring PPE

– Health Departments, State Govts. At Increased Risk of COVID-19 Spoofing, Fraud


Contact us: follow @HealthISAC, and email at























