News Day – Azar, Apple, Microsoft respond to Epic, Google’s Defense, Azure’s Security Hole

With Bill Russell

February 4, 2020: Azar, Apple, Microsoft and others respond to Epic. Google defends Ascension deal and Azure’s security hole exposed. We have 5 stories that are follow-on to the Epic conversation. You remember that Judy Faulkner wrote the letter which kicked off some things. We have Secretary Azar’s response. We have Apple and Cerner’s response. We have Epic’s response to the response. We are also going to take a look at Dr. Feinberg from Google talking about the patient data practices with Ascension. 

Key Points:

  • Severe Perfect 10.0 Microsoft Flaw Confirmed: ‘This is a Cloud Security Nightmare’
  • Are Epic’s patient privacy concerns covered with a smoke screen?
  • Third-party apps are currently not required to follow data blocking policies under ONC’s proposed rule
  • This is the year of interoperability
  • Ascension’s work with Google

Azar, Apple, Microsoft, and others respond to Epic, Google’s Defense, Azure’s Security Hole

Episode 180: Transcript – February 4, 2020

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:05] BR: Welcome to This Week in Health IT News, where we’re looking at as many stories as we can in 23 minutes or less that will impact health IT. My name is Bill Russell, healthcare CIO coach and creator of This Week in Health IT, a set of podcasts, videos and collaboration events dedicated to developing the next generation of health leaders. 

It’s Tuesday news day and here are some of the stories we’re going to take a look at. We have about 5 stories that are follow-on to the Epic conversation. We have Secretary Azar’s response. We have Apple and Cerner’s response. We have Epic’s response to the response. I’ll have to look at that. Dr. Feinberg at Google talks about the patient data practices with Ascension. We’re going to take a look at that. 

One other thing I want to make sure we get to is the Severe Perfect 10.0 Microsoft Flaw Confirmed: ‘This is a Cloud Security Nightmare’, is the headline for the story. We’re going to get into all of those stories right now. 

This episode is sponsored by Health Lyrics. I coach healthcare leaders and all things health IT. Coaching was instrumental in my success and it is a focus of my work at Health Lyrics. I’ve coached CEOs, CIOs, CTOs, startups, health systems. If you want to elevate your game in 2020, visit healthlyrics.com to schedule a free conversation. 

All right. Let’s get to it. Epic. As you know, Judy Faulkner wrote the letter. The letter kicked off some things. If you are not familiar with it, go back and listen to last week’s episode. I went into it in great detail. I’m not going to do that again. 

Here’s Secretary Azar’s comeback. It was a FierceHealthcare story, the one I’m going to be quoting: “HHS Secretary Alex Azar on Monday voiced frustration over stakeholders fiercely opposing a proposed regulation that would make it easier for patients to access their health data. Speaking at the Office of the National Coordinator for Health IT’s annual meeting in DC, Azar said current medical record systems were ‘segmented and balkanized,’ which hinders patients’ access to health information and impacts care.” 

“Appearing to blast electronic health records company Epic and their effort to drum up opposition against the rule, Azar said, ‘Scare tactics are not going to stop the reforms we need.’ He added, ‘Defending the current balkanized state of the status quo is a highly unpopular position to take,’” which I agree with. “The goal of ONC’s interoperability rule released last year is to enable patients to access their electronic health records at no cost. Providers should be able to use health IT tools to provide the best care for patients without excessive cost or technical barriers.” 

That’s Secretary Azar. As I said last week, whoever wins the argument in the town square, in the public opinion, is going to win this argument, and there was an awful lot coming back at Epic as a result of this. That’s Secretary Azar’s response.

You have “Apple, Cerner call for interoperability rule release without further delay, highlighting industry rift.” Big tech giants Apple and Microsoft are joining health IT vendors and health plans to meet with federal officials. This was last Monday, I believe, to voice strong support for efforts to give patients access to health data. 

CARIN Alliance, a private sector collaboration made up of major health insurers, providers, health IT companies and tech giants, announced last week that it is meeting with the OMB to request the agency to finalize and release the proposed interoperability rules without further delay. Here are some of the people that are in the CARIN Alliance: Apple, Microsoft, Humana, Walgreens, Blue Shield of California, Salesforce, Omada Health, major health information exchange Manifest MedEx and Mount Sinai Health System. Also – representatives were Cerner, an EHR vendor, and Epic. Oh no! Just Cerner, an EHR vendor and competitor to Epic. I don’t know if Epic was at that meeting or not, to be honest with you. It doesn’t look like they were. 

Again, you’re having Apple, Cerner and a lot of them saying release it now. Release without delay.  

So, let’s go into this. Are Epic’s patient privacy concerns a smoke screen? One industry consultant weighs in. Healthcare Innovation Group, one of my favorite publications to go to. Let’s see, stakeholders beyond just Epic and other EHR companies have taken issue with the patient privacy elements of the rule. One group, CHIME, our group, a leading association representing healthcare CIOs, noted the proposed ONC interoperability rule does not sufficiently address the 21st Century Cures Act’s directive to protect patient data privacy and ensure health IT security. 

Third-party apps are currently not required to follow data blocking policies under ONC’s proposed rule, according to CHIME. What’s more, smartphone apps created by third-party developers, and not by providers or business associates covered by the Health Insurance Portability and Accountability Act, HIPAA, are not subject to HIPAA rules even if a breach occurs. 

I’m going to get to my take on this. While I agree with all those things, I disagree with CHIME’s conclusions, and their conclusion is – I agree with the fact that the rule itself does not have those protections, but I believe that those protections will be created. I’ll come back to that at the end of all these Epic stories. I’ll come back to why I think that will be created. Really quickly, because it’s a gaping hole. I don’t think it needs to be regulated. I think it just needs to be addressed so somebody can fill that gap. It could be the EHR providers, but my guess is it’s going to be someone else. 

Other industry groups such as the AMA and AHA told the New York Times last year that they’ve met with federal regulators to push for changes in this area. Without federal restrictions in place, the groups argued, consumer apps would be free to share and sell sensitive details, like a patient’s prescription drug history. I agree. Again, I agree that the gap exists. I disagree that it is going to exist for long, even if they pass the rule exactly how it exists today. 

Epic agrees, per its recently posted statement. They have two problems. Family member data may inadvertently be shared. Apps may take much more of the patient’s data than the patient intended. Company officials compared these two risks to what happened with Facebook and Cambridge Analytica. 

Michael Abrams, managing partner of healthcare consulting firm Numerof and Associates, says that patient privacy is the hot-button healthcare topic of the day, and by coming out as a presumptive advocate of patient privacy, Epic is trying to look like the good guys. 

“I’m not sure there’s anything else they can point to that puts them in that same light,” he says, adding that Epic’s comparison of the patient privacy risk in ONC’s proposed rule to the Facebook/Cambridge Analytica situation is “completely specious.” 

“Some of the players in the industry are attempting to leverage patient privacy in an effort to once again stonewall change in the industry and maintain the status quo, which keeps them in control.” He goes on to say a couple more things just like that, like Epic’s looking out for Epic and the industry is looking out for the industry. Essentially, there’s not really much to see here. 

So, let’s take a look at what Epic said. This was on Epic’s website: “Epic supports patient access to their data, proposes ONC rule solutions to protect privacy. Epic strongly agrees with the goal of the ONC to support patients’ ability to access their data. For decades, Epic has been doing this.” From there, it gives a bunch of Care Everywhere, Share Everywhere type of things. 

“We appreciate that HHS is trying to make their proposed rule for data sharing better for patients and has been listening to many voices. We recommend necessary solutions before the ONC rule is finalized to prevent serious risk to patient privacy.”

Great! Let’s hear what the recommendations are. Recommendations to help the ONC avoid privacy risk for family members and for patients. I want you to listen to this because there’s one thing that’s missing. 

“By requiring health systems to send patient data to any app requested by the patient, the ONC rule inadvertently creates a new privacy risk. According to the recent statement, 79% of healthcare apps resell their shared data and there’s no regulation requiring patient approval of this downstream use. There are two highly likely patient privacy risks. Family member data may inadvertently be shared.” It goes on to talk about that. After surgery, Jim’s doctor wants to prescribe an opioid. He looks at it, and when Jim’s health data is sent to an app and that is used, shared, or sold, Ken’s addiction status may become public without Ken’s knowledge or permission. 

Jim and Ken’s story is similar to what happened to Facebook friends who did not give their approval for the information to be harvested by Cambridge Analytica. Apps may take much more of the patient’s data than intended, and it goes on to talk about this and it gives an example.

“We’ve always and will always support patients’ right to use their data as they see fit. However, it is the role of government to ensure that patients have the information they need to make those decisions knowledgeably, like they have for nutrition and food labels, and so forth. For patients to benefit from the ONC rule without these serious risks to their privacy, we recommend that transparency requirements and privacy protections are established for apps gathering patient data before the ONC rule is finalized.” 

That’s their recommendation. Redo it, essentially. Establish those rules before it goes and is finalized. It goes on to say, “Epic does not typically comment on national policy issues.”

The thing is, if you’re going to say you’re going to make a recommendation, make a recommendation. That’s my only comment on this. All these things are accurate. I like the fact that Epic brought these things up. But your recommendation is essentially put something in place to protect their privacy and make the requirements more solid. I don’t know. I really wish there was more meat to this. I wish there was a link to another page that would say, “Here’s what we recommend as Epic, as the leading EHR provider in this industry, as a patient advocate. We recommend these changes to the rules and these things be put in place.” That’s what I would like to see. 

My take. The argument is interesting. To be honest with you, it’s an unpopular argument. I think it’s an unpopular argument because it appears to be protecting monopolistic practices of the EHR providers, and it’s just the appearance of it. The other side seems to be the patient advocate, saying, “Hey, shouldn’t the patient have their own data? Shouldn’t there be transparency?” Just from sheer optics, that’s always going to look better. 

Let me tell you how this is going to play out: If it gets approved the way it is, the biggest winners are going to be Apple and Google. Let me tell you why. They will become the security mechanism for health records. The API will open up the data from the EHR providers and they will bring it into their phone apps. They will bring it into Apple Health and Google’s health record. I don’t know what the Google one is called, but essentially, Google’s health record, Apple’s health record. Because that’s going to be the mechanism. That’s going to be the platform we all bring it into. They’re going to be the big winners. 

Health systems are then going to really be forced to put things into place that allow people to come in with their phone that has their complete medical record stored by Apple, stored by Google, give the health system the record, and get the record back when they check out. It is going to become much more transportable, as HIPAA was really designed to be a long time ago. 

The other thing is app developers are going to be held accountable by those aggregators, by the Apples and the Googles. Epic will no longer be the aggregator. Cerner will no longer be the aggregator. There will be a new group of aggregators of health data that provide those APIs, and then they will create the security mechanism, and they will do that because they are consumer-centric organizations. They know that if they allow that to get out there, there are going to be problems. 

This is one of the reasons that the privacy and security play Apple is marketing is so effective, because they see the future, and the future is going to be about who can protect my privacy. I believe Apple’s playing the right game here. I think there are going to be other players that pop up here, but they will not be as strong and powerful as Apple and Google. 

If I were Health Catalyst, I would probably get into this game as well. But that’s just my take. This is a done deal. This is going to happen. We are going to have to allow access. I think Apple and Google can come to the rescue of the health systems instead of them trying to put a team in place to manage the APIs, manage the security, manage the access to the record. I think there’s a potential partnership with Apple and Google here where they can actually do that.

We’ll see how this plays out, but it continues to be – this is just the year of interoperability. I’ve talked to a bunch of people this week. This is the year that it truly happens. The vision of the patient having their record, being able to, on my Apple iPhone, download another app and have it access the data. Me knowing what access they’re getting, because Apple is providing me records. Then them doing something with it and giving me value back on that medical record. I believe that is going to really come to the fore this year. 

We’ll get back to our show in just a minute. 

Galen Healthcare is an award-winning, best-in-class healthcare IT consulting services and technology solutions firm. One of the areas my company used Galen for when I was a CIO was data archiving, migration and legacy application support services. They had a comprehensive framework designed from years of frontline healthcare experience, built on a run, migrate and archive design. Run was to keep the legacy application running effectively. Migrate was to convert the relevant data from legacy systems to the new one, and archive was to file it away while maintaining access to critical clinical and operational data. 

If you find yourself looking at retiring legacy healthcare applications, check out Galen at galenhealthcare.com, and we want to thank them for becoming a general sponsor and supporting the work of developing the next generation of health IT leaders. 

Now, back to our show. 

All right. David Feinberg. Dr. Feinberg defends Google’s patient data practices with Ascension. The article was in Health Data Management. Feinberg defends the practices. Here it is. “Ascension chose Google as a cloud provider for the records,” said Feinberg. “In our cloud services, the information is encrypted in transit. It’s encrypted at rest. We have no access to the information. I can’t tell you. I can’t tell you how many medical records they have, because we actually charge them for storage space, not for specific records.” 

“Think of it as a warehouse. The only one that has a key to the record is Ascension,” which is interesting. Feinberg insists that Google’s dealings with Ascension are fully compliant with HIPAA and include strong security and privacy measures for protecting patient records. He goes on to say, “There may be times where Google employees are exposed to personal health information.” This was Feinberg speaking at the StartUp Health Festival. “Those Google folks are trained in HIPAA. It’s through a business associate agreement.” Ascension has 600 business associate agreements, by the way. Our privacy and data security practices are consistent with the established HIPAA requirements and they will follow strict guidelines. That’s what Feinberg says. 

It goes on. The article goes on to say, “Eduardo Conrado, who is the Chief Strategy and Digital Officer for Ascension: ‘Our privacy and data security practices are consistent with the established HIPAA requirements and we will continue to ensure that these are followed. In short, our work with Google Health has adhered to the same standards of data privacy and security oversight we have used in our work over the many years with numerous healthcare partners, including EHR, registry, payer and analytics vendors, as well as state and federal agencies.’” 

“Conrado noted that Ascension’s work with Google in piloting a searchable, cloud-based longitudinal clinical record falls under a business associate agreement between the two organizations. The clinical data shared with Google Health to pilot this application is protected by a series of layered security measures, including encryption, audit trails, and limited permissions on who can access this data, all of which is controlled by Ascension. He added, ‘Clinical information remains in Ascension’s private cloud environment, which is controlled, logged, and monitored by Ascension.’ When it comes to protected health information, Conrado concluded that PHI available to the Ascension and Google Health EHR search pilot teams is limited to a subset of Ascension patients, and that the number of team members who access PHI and the amount of that data that any team member accesses is limited to what is necessary to complete their work.”

Okay. Here’s my take on this. I spoke with both of these gentlemen at the JPM Conference. I was able to see the Ascension video of this – the internal Ascension video. The Google presentation of the Google health record, that’s actually out on YouTube. You can search for that. But I saw the internal Ascension presentation of the medical record, and I also reported on this when the Wall Street Journal article came out. There’s really nothing to see here. 

I mean, they followed HIPAA. We knew they followed HIPAA. There are a lot of lawyers and really smart people at Ascension. There’s no way they’re just handing the data over to Google. Google is smart enough to not start sharing that information with Google Search. I mean, the claims that were being made after that article were almost outrageous. It just went kind of crazy. 

There’s really nothing to see here except, really, what I said back then: the future of HIEs in the industry is right here. If I were running an HIE, I would be talking to Google right now. I would want to know what it would take to have their interface on top of the HIE data for the community that I serve. It is extremely powerful. It’s not only search. It’s voice navigation. It’s graphing and trend analysis. There are powerful technologies in the background identifying important information, and great design making it easy to see and find. 

The thing to remember about this, to always remember here, is that the number one problem that Ascension had to solve was that they did not go to a single EHR across their entire system. 110 different health entities, probably 50 to 100 EHRs, and you’re looking at this data and you’re going, “This is awesome.” 

It’s awesome how they brought that data together. It’s awesome the presentation of that data, the ability to do analytics, trending and analysis. This is the future. It’s exciting. I’m looking forward to more. I have reached out to actually both of these gentlemen to be on the show and they both agreed. We will get that scheduled and get that out to you guys as soon as we can get it on the calendar. 

All right. Running down on time here. So, I am going to go to this Microsoft story because I think it’s a big one. Severe Perfect 10 Microsoft Flaw Confirmed: ‘This is a cloud security nightmare.’ This is a Forbes article. 

Check Point’s Yaniv Balmas tells me, “It undermines the concepts of cloud security. You can’t prevent it. You can’t protect yourself. The only one who can is the cloud provider.” Microsoft did quickly fix this vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability score is as punchy as it gets. A perfect 10. So, it’s huge. I can’t even start to describe how big it is. The reason for the hyperbole is that Balmas’ team found the first remote code execution exploit, RCE, on a major cloud platform. 

“One user could break the cloud isolation separating themselves and others, injecting code, manipulating programs. The isolation is the basis of cloud security, enabling safe sharing of common hardware. There is no detail when Microsoft patched the flaw. Just a short explainer: ‘An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code,’ the company said at the time, thereby escaping the sandbox. This week, Microsoft confirmed the report. They addressed these issues in 2019, and CVE-2019-1372 and CVE-2019-1234 address those vulnerabilities.” 

Just a little more detail. “There are two vulnerabilities here. The first is a modest software bug that can be pushed hard to crash a system and escalate that crash to secure user privileges, and the second is in a lack of security on relatively arbitrary shared services that can be manipulated to break out of the user’s own part of the cloud infrastructure and onto common shared hardware. That great advantage of the cloud, using only what you need just when you need it, means that you are a tenant at a server version of an apartment block. Check Point’s exploit built a master key for all the other apartments in the building.” 

All right. You get the picture here. They figured out a way to – you’d go onto the cloud and break out of your part of that cloud, and then anything else that is in your shared environment, you can start essentially sniffing packets, looking at the code that’s being executed, and you can gather information and do things. They fixed that vulnerability. 

Here’s my take on it. My take is there are flaws and vulnerabilities in the cloud. Absolutely. You bet. These are systems built by people, and there will be mistakes and there will be exploits. There’s no doubt. The question isn’t, is the cloud foolproof? The question is, is it more secure than what you are running in your data center today? 

As health IT, our responsibility is to run the most secure environment we can for the people that we serve. Just because we have more control does not mean it is more secure. One of the things here is I think IT departments are going to continue to use these stories as arguments to protect jobs, really, for the most part, but also archaic practices, old models. My encouragement is don’t do it. If you evaluate cloud security versus what we have on site objectively today, I would say only about 10% of health systems are going to – are you even going to be at parity? I might even be kind there. The remainder really should just figure out how to get on a cloud provider as soon as it makes sense. From a security standpoint, that’s what’s in the best interests of the people that you serve. 

Now, there are other considerations. Absolutely. You have to consider the operational costs and a bunch of other things, but I’m saying from a security standpoint alone, the cloud is going to be more secure. The other thing is if you’re going to be moving to the cloud, look at technologies that allow you an abstraction layer, right? 

VMware is a sponsor of this show, and I’m not just saying this because it’s VMware. It’s the one I’m just most familiar with. But VMware gives you an abstraction layer that gives you the ability to move from cloud provider to cloud provider. If there’s a major security breach at AWS, you can then move to Azure. If there’s a major breach there, you can move to another cloud provider. 

That’s what layers of abstraction enable you to do. It enables you to stay away from cloud lock-in. That’s one of the things, whenever I talk about cloud with my clients, I talk to them about this whole idea of lock-in, where you get so tied into the cloud provider that you cannot get out. There are a lot of mechanisms to make sure you get your data in, and it’s really hard to get it out. Keep that in mind. Look for layers of abstraction. Look for ways to get this stuff out. 

Wow! That is 23 minutes. This year, I’m going to try to be more disciplined. That’s all for this week. Special thanks to our sponsors, VMware, StarBridge Advisors, Galen Healthcare, Health Lyrics, and Pro Talent Advisors, for choosing to invest in developing the next generation of health leaders. 

This show is a production of This Week in Health IT. For more great content, check out the website, thisweekhealth.com, or the YouTube channel. Go on and support the fastest growing podcast in the health IT space: share it with a peer. Best way to do it. Send them an email. Tell them to listen. 

We’ll be back again this Friday for another interview with an industry influencer, and we’ll be back next Tuesday for more news that is going to impact health IT. 

Thanks for listening. That’s all for now. 

[END]