Health-ISAC Hacking Healthcare 2-11-2020 Hacking Healthcare

TLP White: In this edition of Hacking Healthcare, we begin with an analysis of the coronavirus that tries to cut through the media sensationalism to explore a more nuanced perspective of its impacts. Next, we examine why the anonymization of data is often more marketing myth than security fact. Finally, we look at how a new suit against a university medical center fits into a larger conversation around privacy, research, and technological change in the healthcare sector.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

1. Coronavirus in Context:

As the coronavirus continues to dominate media coverage, it is worthwhile to put the scale and cost of its effects into context. This is not to minimize the very real threats and damage being done, nor to belittle the genuinely heroic efforts of countless caregivers and healthcare professionals who willingly risk their own safety, and sometimes give their lives, to combat the disease. Putting the coronavirus in context is important to ensure that uninformed and sensationalist depictions don’t inadvertently harm the effectiveness of responses. This overload of coverage can misrepresent and oversimplify the extent to which the coronavirus impacts individuals and the global economy. As anyone who works in risk and crisis management can attest, only by objectively assessing threats can resources be allocated, and strategies put in place, that effectively and efficiently mitigate human and economic costs.

If one were to judge the coronavirus outbreak by media attention alone, you could be forgiven for fearing the outbreak is an unstoppable viral scourge. Hourly updates on the fate of quarantined ships[1], emergency evacuations of foreign nationals[2], facemask shortages[3], and travel bans[4] are regularly pushed to televisions, smartphones, and computers. As of Tuesday, more than 43,000 people worldwide are believed to have been infected by the coronavirus, with roughly 1,000 deaths attributed to it.[5]^{, [6]} These numbers are not trivial, and they will certainly continue to rise over the coming weeks and months. But without a frame of reference, it is difficult to discern its impact relative to other healthcare and public health issues.

The human cost is the most immediate concern. While it is likely too early to accurately estimate the fatality rate, early estimates suggest that the coronavirus is at less than 3%.[7]^{, [8]} This would put the coronavirus well behind the fatality rate of the two other well-known members of its family, SARS (~10%) and MERS (~35%).[9] Furthermore, while the coronavirus has already been responsible for more deaths than the early 2000’s SARS outbreak, it pales in comparison to the number of deaths attributed to seasonal influenza. According to the CDC, the seasonal flu is responsible for anywhere from 12,000-61,000 deaths a year in the United States alone, and recent studies estimate global deaths attributed to the flu range between 290,000-650,000 annually.[10]^{, [11]} Furthermore, it is worth noting that these deaths disproportionately affect those with weakened immune systems, such as children and the elderly, and those who do not have access to quality medical care.

Where the coronavirus is also making a seriously significant impact is on the global economy. As policies are enacted to slow the spread of the virus, the second order effects include shuttered offices and manufacturing plants, as well as halted transportation networks. China’s importance to the global supply chain in any number of industries cannot be overstated, and Wuhan is a major logistics hub. According to a Bloomberg report, “China is the largest exporter of intermediate manufactured goods,” and global reliance on those goods reached 20% in 2015.[12]

With this in mind, the coronavirus will certainly cause havoc on the complex supply chains that underlie many of today’s products, especially in electronics. Due to the complex nature of many of these supply chains, it may not be readily apparent just how disruptive the coronavirus will end up becoming. However, if containment policies become more severe or continue for an extended period, the effects will become increasingly noticeable and will be felt globally.

Additionally, travel bans and restrictions create circumstances where personnel that rely on international travel for their business suddenly find themselves unable to do their jobs, or at least suffer from negative impacts to productivity and project delays. Major global events, such as the Mobile World Congress, are already suffering from multiple companies pulling out entirely.[13] Given the economic cost of implementing these measures, it is notable that the International Health Regulations Emergency Committee, convened by the World Health Organization, “does not recommend any travel or trade restriction based on the current information available.”^[14], [15]

2. How Anonymous is Anonymized Data?

A common defense thrown out by organizations to mitigate the backlash following the disclosure that they have been selling user data or in the wake of a breach, is the assertion that because they have anonymized the data, there is limited risk to the affected individuals. A soon to be released paper from a team of Harvard University students will allegedly demonstrate just how easy it can be to deanonymize data. In an age of near limitless interconnected information, data anonymization in many cases might be more of a marketing myth than security and privacy reality.

Data anonymization is defined by U.S. National Institute of Standards and Technology (“NIST”) as the “process that removes the association between the identifying dataset and the data subject.”[16] It is also sometimes used interchangeably with terms like de-identification and is standard practice in many organizations the hold sensitive information about individuals. In some cases, anonymization is even required by rules and regulations in certain industries. In a vacuum, data anonymization can work well. By removing any extra identifiers that go above and beyond a dataset’s purpose, it can be extremely difficult to reidentify who the data belongs to.

In practice however, the problem with anonymization lies with the vast quantities of data that is available all over the internet. Last summer, researchers from Imperial College London published results in Nature Communications demonstrating that by using machine learning, researchers were able to accurately reidentify 99.98% of individuals in their dataset.[17] Their method involved collating data from 210 data sets to cross-reference them with each other.[18] In another example, Massachusetts Institute of Technology (“MIT”) scientists and urban planners were able to reidentify individuals in Singapore with 95% accuracy using only datasets of mobile phone logs and transit trips.[19] The Harvard University students detailed that their method involves a “tool that combs through vast troves of consumer datasets exposed from breaches,” before ultimately reintegrating them like puzzle pieces.[20]

3. University Medical Center Accused of Sharing Patient Data:

The University of Pittsburgh Medical Center (“UPMC”) is defending itself from a civil lawsuit that claims that a web-based tool that they use may have been sending patient data to third party companies. The plaintiffs in the suit are seeking payment for what they believe is a misuse of their patient data. UPMC has denied the allegations stating that they “rigorously [protect] the medical information our patients have entrusted to us and complies fully with all laws, rules and regulations governing such information.”[21]

The tool in question is intended to help patients find a doctor that suits their particular search criteria. The plaintiffs allege that the tool is embedded with tracing codes that can “redirect the user’s personal information and the contents of communications to third parties including Microsoft, Google, and Facebook.”[22] Furthermore, the suit alleges that this exchange of data is part of an advertisement agreement between UPMC and the third parties.[23] UPMC would provide the data and in return could expect that those third parties would advertise UPMC services to targeted demographics.[24] UPMC denies it has fallen afoul of any regulations and laws and has promised that what information it does share has been sufficiently anonymized. As we have just explored, claiming to have anonymized any shared data should not be a relief to those potentially impacted by UPMC’s policies.

Congress –

Tuesday, February 11th:

– Senate – Committee on Homeland Security and Governmental Affairs: Hearings to examine a roadmap for effective cybersecurity, focusing on what states, locals, and the business community should know and do.

Wednesday, February 12th:

– House – Committee on Financial Services: Hearing: Task Force on Artificial Intelligence: Equitable Algorithms: Examining Ways to Reduce AI Bias in Financial Services

Thursday, February 13th:

– No relevant hearings