TLP White: In this edition of Hacking Healthcare, we explore how the fallout of Facebook’s privacy issues may impact healthcare organizations. We then brief you on NIST’s new initiative to secure telehealth. Finally, we examine how Pinterest took a different route from Facebook and YouTube when faced the dilemma of medical misinformation.
As a reminder, the public version of the Hacking Healthcare blog is posted on our website each week. Additional in-depth analysis and opinion is available to H-ISAC members in the TLP Amber version of Hacking Healthcare; however, we decided to make the member version of this week’s information available to all.
Welcome back to Hacking Healthcare.
Hot Links –
1. Facebook’s Poor Privacy Practices put Healthcare in Peril.
Among the various privacy issues that have dogged Facebook this year, the fiasco over the privacy of Facebook’s group settings has been among the most concerning for members of the healthcare sector. The issue was recently brought back to the forefront of the privacy conversation as it emerged that only recently did they finally close a loophole that had allowed third parties to access the names of Facebook members who had joined closed groups.[1]
To recap, last December, a complaint was filed to the Federal Trade Commission (FTC) that Facebook was misleading its members about how private its “closed” groups were and that this dishonesty put vulnerable groups at risk. The complaint accused Facebook of a number of violations, including allegations that Facebook targeted users with health conditions to join these groups, implied their association within certain healthcare groups was anonymous, instituted inconsistent privacy and access control settings that allowed for Personal Health Information (PHI) to be scraped, and responded inadequately to these issues.[2]
This has caused a headache for healthcare providers, who may now be caught in the fallout from Facebook’s poor privacy practices. There is some concern that any healthcare provider who created and maintained a Facebook group for patients may have inadvertently encouraged them to expose sensitive PHI. Furthermore, the poor security and access control on Facebook groups means that PHI data may have been taken without notice by unknown third parties. It is unclear what PHI may have been taken, who it might have been shared with, and what the administrators of these accounts might be liable for.
While Facebook has since made changes, like the creation of a “Health Support Group” designation that adds additional layers of privacy, the underlying issue of an administrator account being able to identify users in a group remains.[3] It is also important to note that Facebook is not covered by HIPAA rules, and therefore does not have to comply with the privacy and security many people associate with PHI.[4] Not being bound by HIPAA compliance also means that Facebook can in fact share data with advertisers.
As most of our readers are in the healthcare sector, we are interested to know if you have privacy concerns about any Facebook groups your healthcare institution runs and if you would be interested in participating in a working group to address the possible privacy issues. If interested, please send an email to contact@h-isac.org.
2. NIST Looks to Secure Telehealth.
The National Institute for Standards and Technology (NIST) has published a notice in the Federal Register looking for vendor feedback on “products and technical expertise to support and demonstrate security platforms for the Securing Telehealth Remote Patient Monitoring Ecosystem for the healthcare sector.”[5] The notice, which is open to all interested organizations, marks the start of NIST’s effort to shore up cybersecurity issues within the healthcare space.
The National Cybersecurity Center of Excellence (NCCoE) within NIST will head up this particular initiative with the goal of “[providing] a reference architecture that will address the security and privacy risks for healthcare delivery organizations (HDOs) leveraging telehealth capabilities such as remote patient monitoring (RPM).”[6] NIST’s interest in this area comes as part of a recognition that technological advancements are creating new use cases that extend beyond the confines of a healthcare provider’s immediate environment. While the theoretical applications for these products in healthcare are numerous, the underlying technology itself is far from being fully developed, and NIST is looking to head off concerns over the confidentiality, integrity, and availability of sensitive healthcare data before it becomes a larger issue.
The Federal Register Notice lists numerous sections on which private sector organizations may provide feedback. These include many components for remote patient monitoring, remote/patient home environments, and components for healthcare delivery organizations. More specifics can be found both on the NIST NCCoE landing page and within the Federal Register Notice.
3. Pinterest’s Medical Misinformation Dilemma.
Disinformation has been a buzzword within political circles for years, but the prevalence of online disinformation in healthcare has been a rising concern for at least as long. Nothing illustrates this better than the reemergence of once ‘eradicated’ afflictions like measles, which has seen a 30% increase in cases globally, alongside the burgeoning anti-vaccination movement.[7] Social media has exacerbated the issue due to both its popularity and it’s seemingly unpreparedness to deal with the complex issue of free speech and social media’s informational power. While Facebook has been heavily criticized on all sides of the political spectrum for its perceived inaction or half measures, depending on your perspective, Pinterest has shown themselves to be far more decisive.
When it comes to the anti-vaccination movement, Pinterest was quick to institute a policy of filtering out all vaccination results.[8] In their view, it was better to censor everything in an attempt to minimize the spread of medical misinformation rather than to engage in battles over selective filtering. However, Pinterest has recently revised their strategy so that searches on vaccinations now return information only from credible public health organizations.[9] Furthermore, the search results Pinterest returns to a user will filter out or block advertisements and comments from non-authoritative sources that could contradict accepted medical science.[10]
Admittedly, Pinterest is significantly smaller than the two primary targets of Congressional ire (i.e. Facebook and YouTube) which contributes to a lesser share of scrutiny, but their decision to proactively take a stance against medical misinformation should be applauded. While concerns over sources of misinformation extend beyond just social media, Pinterest’s effort combined with Amazon’s decision to source responses to healthcare queries from the National Health Service (NHS) may represent a hopeful trend in successfully combating medical misinformation.[11]
Congress –
Tuesday, September 3rd:
-No relevant hearings
Wednesday, September 4th:
-No relevant hearings
Thursday, September 5th:
-No relevant hearings
International Hearings/Meetings –
EU –
Wednesday, September 4th
-European Parliament – Committee on the Environment, Public Health and Food Safety
Thursday, September 5th
-European Parliament – Committee on the Environment, Public Health and Food Safety
Conferences, Webinars, and Summits –
— H-ISAC Perch Members Only Webinar – Consume, Detect, and Respond to Threat Intel – Online (9/12/2019)
–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)
https://h-isac.org/hisacevents/h-isac-medical-device-security-workshop/
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/2019-9/20/2019)
https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit
–Healthcare Cybersecurity Forum – Los Angeles, CA (9/20/2019)
https://endeavor.swoogo.com/2019-California-Cybersecurity-Forum
–2019 Alabama Healthcare Fraud Summit – Birmingham, AL (9/20/2019)
https://h-isac.org/hisacevents/2019-alabama-healthcare-fraud-summit/
Peer Sharing ICS Security Workshop (New Jersey) – Bridgewater, NJ (9/24/2019-9/26/2019)
–Summit on Security and Third-Party Risk – Leesburg, VA (9/30/2019-10/2/2019)
https://grfederation.org/summit/2019/overview
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/2019-10/4/2019)
https://h-isac.org/hisacevents/health-it-summit-northeast/
–Northeast Healthcare Cybersecurity Forum – Boston, MA (10/4/2019)
https://endeavor.swoogo.com/2019-Northeast-Cybersecurity-Forum
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
https://h-isac.org/summits/european_summit/
–Health IT Summit (Midwest) – Minneapolis, MN (10/17/2019-10/18/2019)
https://endeavor.swoogo.com/2019-Minneapolis-Health-IT-Summit
–Healthcare Cybersecurity Forum (Midwest) – Minneapolis, MN (10/18/2019)
https://endeavor.swoogo.com/2019_Midwest_Cybersecurity_Forum
–CHIME Healthcare CIO Boot Camp – Phoenix, AZ (11/6/2019-11/9/2019)
https://h-isac.org/hisacevents/chime-healthcare-cio-boot-camp/
–Health IT Summit (Southwest) – Houston, TX (11/14/2019-11/15/2019)
https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit
–Southwest Healthcare Cybersecurity Forum – Dallas, TX(11/15/2019)
https://endeavor.swoogo.com/2019_Southwest_Cybersecurity_Forum
–Health IT Summit (Northwest) – Seattle, WA (11/19/2019-11/20/2019)
https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit
–Pacific Northwest Healthcare Cybersecurity Forum – Seattle, WA (11/20/2019)
https://endeavor.swoogo.com/2019_Pacific_Northwest_Cybersecurity_Forum
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/2019)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
—Rash of ransomware continues with 13 new victims—most of them schools
–Phishers are Angling for Your Cloud Providers
https://krebsonsecurity.com/2019/08/phishers-are-angling-for-your-cloud-providers/
–AdventHealth opens new AI-powered clinical command center
https://www.healthcareitnews.com/news/adventhealth-opens-new-ai-powered-clinical-command-center
—Avast and French police take over malware botnet and disinfect 850,000 computers
–Indictment of Capital One suspect alleges breaches of 30 companies, cryptojacking
https://www.cyberscoop.com/capital-one-hack-charges-cryptojacking/
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.cnbc.com/2018/07/11/facebook-private-groups-breast-cancer-privacy-loophole.html
[2] https://missingconsent.org/downloads/SicGRL_FTC_Compliant.pdf
[3] https://www.hipaajournal.com/facebook-makes-changes-to-health-support-groups-to-better-protect-users-privacy/
[4] https://www.hipaajournal.com/facebook-accused-privacy-violations-phi-private-groups/
[5] https://www.federalregister.gov/documents/2019/08/29/2019-18666/national-cybersecurity-center-of-excellence-nccoe-securing-telehealth-remote-patient-monitoring
[6] https://www.nccoe.nist.gov/projects/use-cases/health-it/telehealth
[7] https://www.who.int/emergencies/ten-threats-to-global-health-in-2019
[8] https://www.theguardian.com/society/2019/aug/28/pinterest-anti-vaccine-combat-health-misinformation
[9] https://www.theguardian.com/society/2019/aug/28/pinterest-anti-vaccine-combat-health-misinformation
[10] https://www.theguardian.com/society/2019/aug/28/pinterest-anti-vaccine-combat-health-misinformation
[11] https://www.nytimes.com/2019/07/10/world/europe/alexa-nhs-amazon-privacy.html