TLP White: In this edition of Hacking Healthcare, we begin by breaking down a new bill that will expand digitization of health records in the Netherlands. Next, we brief you on how the United States (US) National Institute of Standards and Technology’s (NIST) commitment to supporting its new Privacy Framework is good news for small and medium-sized healthcare organizations that handle sensitive patient data. Lastly, we explore the Trump administration’s recent criticism of the European Union’s (EU) newly unveiled artificial intelligence (AI) principles, and why concerns over differences might be a little premature.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare.
1. The Netherlands Forges Ahead with Online Medical Data:
A new bill to be introduced this year in the Netherlands will have profound effects for how Dutch citizens can share and access their medical data. The bill will allow hospital patients to view and share their data electronically, which the Dutch Minister for Medical Care, Bruno Bruins, believes will save time, improve the patient experience, and even cut down on medical errors. The changes instilled in the bill further cement the Netherlands as one of Europe’s leaders in integrating digital technologies into the healthcare space.
The new data sharing requirements will necessitate significant changes to existing Dutch hospital IT systems, which will be partially offset by a 75 million euro grant from the government.[i] Furthermore, all medical entities covered by the bill will be required to meet data safety requirements outlined in MedMiJ, which is the “Dutch technical framework for personal health environments.”[ii] An additional oversight role will be given to information and communication technology (ICT) specialists from the Ministry of Health and Welfare who will monitor digital health data exchanged between health institutions.[iii]
The Netherlands has already noted early success in driving for comprehensive digitization of the healthcare field. The Ministry of Health, Welfare, and Sport has metrics to support how their ambulatory heart failure telemonitoring initiative has “led to a considerable reduction in acute care visits, ambulance calls, and hospital stays.”[iv] Bruno Bruins also reiterated that digitization helped ease the administrative burden on already taxed healthcare professionals, allowing them more time to deal with patient concerns.[v]
2. NIST’s Privacy Framework Looks to Small Businesses:
Last month, NIST released the first version of the NIST Privacy Framework. The framework, which can be seen as a complement to the widely adopted NIST Cybersecurity Framework, is “a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.”[vi] While designed to be high-level guidance applicable to organizations of any size and structure, NIST has committed to releasing a privacy framework guide specifically for small and medium-sized businesses.
At an event last week in Washington, D.C., Walter Copan, Under Secretary of Commerce for Standards and Technology and NIST Director, reiterated NIST’s long-term commitment to the privacy framework.[vii] Part of this commitment includes “producing new supporting materials, including a new privacy guide with the explicit intent to help ‘small-and-medium-sized businesses building privacy.’”[viii] According to Nextgov, Copan relayed how “Over the next few months, we’ll be reaching out to these innovative smaller companies with their resource constraints understood to better have a sense of how the privacy framework can help enhance their work and their operations.”[ix]
NIST’s willingness to engage specifically with small and medium-sized businesses reflects an awareness that, while a general framework is certainly helpful, smaller organizations often lack the knowledge and expertise necessary to decipher where their limited resources would be best used. This news should be especially welcome within the healthcare community, where IT budgets are often spread thin and where the privacy of patient data is heavily regulated. Organizations that anticipate benefiting from this upcoming guidance should monitor the NIST website for its release.
3. Trump Administration Criticizes EU AI Approach:
Last week, the EU released a white paper entitled On Artificial Intelligence – A European approach to excellence and trust, which contained principles for regulating AI.[x] While appearing to align in broad terms with the principles outlined by the US last month, the Trump administration took issue with the European approach to risk assessment. The US CTO, Michael Kratsios, went so far as to call their attempts “clumsy.”[xi]
In Kratsios’ opinion, the EU’s approach is too limited by “[attempting] to bucket AI-powered technologies as either ‘high-risk’ or ‘not high-risk.’”[xii] He continued by explaining that AI technologies need to be thought of as sitting on a variable regulatory spectrum. In his view, the US will benefit from this type of approach by tailoring the regulatory burden more precisely, whereas the EU’s binary approach leaves it exposed to either too little regulation, leading to unchecked abuses, or too much regulation, stifling innovation and growth.
However, not everyone is convinced of Kratsios’ argument. The white paper itself is not a legally binding regulatory document, but a rough outline of the general stance the EU is taking on a number of principles. The white paper will inform the regulations that are ultimately enacted, but there is always room for changes at this stage. A rebuke of the administration’s comments came from several individuals, including Agustin Huerta, vice president of technology, AI and process automation studios at Globant. In commenting to NextGov, Huerta explained “I think the EU guidelines released last year are far more developed than the most recent guidelines provided by the US and … the EU has far more developed data regulations than the US—which is a great baseline for achieving AI regulation. From the US side, there seems to be too much focus on leading the industry compared to actually protecting citizens from biases or unethical uses of AI.”[xiii]
Tuesday, February 25th:
– Senate – Committee on Appropriations – Subcommittee on Departments of Labor, Health and Human Services, and Education, and Related Agencies: Hearings to examine proposed budget estimates and justification for fiscal year 2021 for the Department of Health and Human Services.
Wednesday, February 26th:
– House – Committee on Appropriations – Subcommittee on the Departments of Labor, Health and Human Services, Education, and Related Agencies: Department of Health and Human Services Budget Request for FY 2021
– House – Committee on Energy and Commerce – Subcommittee on Health: “The Fiscal Year 2021 HHS Budget and Oversight of the Coronavirus Outbreak”
Thursday, February 27th:
– House – Committee on Ways and Means: Proposed Fiscal Year 2021 Budget with Health and Human Services Secretary Azar
– House – Committee on Appropriations – Subcommittee on Agriculture, Rural Development, Food and Drug Administration, and Related Agencies: Health and Human Services Office of Inspector General
– House – Committee on Foreign Affairs – Subcommittee on Asia, the Pacific and Nonproliferation: Coronavirus Disease 2019: The US and International Response
International Hearings/Meetings –
EU – No relevant hearings/meetings
Conferences, Webinars, and Summits –
– H-ISAC Member Meet-Up at RSA Conference – San Francisco, CA (2/25/2020)
– H-ISAC Analysts Security Workshop – Titusville, FL (3/4/2020)
– H-ISAC Member Meet-Up at HIMSS Global Conference – Location TBA (3/11/2020)
– Smart IoT – London – ExCeL London, UK (3/11/2020)
– H-ISAC Security Workshop – Chennai, India (3/27/2020)
– H-ISAC Monthly Member Threat Briefing – Webinar (3/31/2020)
– 2020 APAC Summit – Singapore (3/31/2020-4/2/2020)
– H-ISAC Security Workshop – Cambridge, MA (4/7/2020)
– H-ISAC Security Workshop – Atlanta, GA (4/13/2020)
– Healthcare Cybersecurity Forum – Mid-Atlantic – Philadelphia, PA (4/20/2020)
– H-ISAC 2020 Spring Summit – Singapore (3/31/2020-4/2/2020)
– H-ISAC Security Workshop – Frederick, MD (6/9/2020)
– AAMI Exchange – New Orleans, LA (6/12/2020-6/15/2020)
– Healthcare Cybersecurity Forum – Rocky Mountain – Denver, CO (7/20/2020)
– Healthcare Cybersecurity Forum – Southeast – Nashville, TN (9/9/2020)
– Healthcare Cybersecurity Forum – Northeast – Boston, MA (9/22/2020)
– Summit on Security & Third Party Risk – National Harbor, MD (9/28/2020-9/30/2020)
– Healthcare Cybersecurity Forum – Texas – Houston, TX (10/8