Tag Archives: headlines

Google-Ascension deal reveals murky side of sharing health data

One of the largest nonprofit health systems in the U.S. created headlines when it was revealed that it was sharing patient data with Google — under codename Project Nightingale.

Ascension, a Catholic health system based in St. Louis, partnered with Google to transition the health system’s infrastructure to the Google Cloud Platform, to use the Google G Suite productivity and collaboration tools, and to explore the tech giant’s artificial intelligence and machine learning applications. By doing so, it is giving Google access to patient data, which the search giant can use to inform its own products.

The partnership appears to be technically and legally sound, according to experts. After news broke, Ascension released a statement saying the partnership is HIPAA-compliant and a business associate agreement, a contract required by the federal government that spells out each party’s responsibility for protected health information, is in place. Yet reports from The Wall Street Journal and The Guardian about the possible improper transfer of 50 million patients’ data have resulted in an Office for Civil Rights inquiry into the Google-Ascension partnership.

Legality aside, the resounding reaction to the partnership speaks to a lack of transparency in healthcare. Organizations should see the response as both an example of what not to do and a call to make patients more aware of how they’re using health data, especially as consumer companies known for collecting and using data for profit become their partners.

Partnership breeds legal, ethical concerns

Forrester Research senior analyst Jeff Becker said Google entered into a similar strategic partnership with Mayo Clinic in September, and the coverage was largely positive.

According to a Mayo Clinic news release, the nonprofit academic medical center based in Rochester, Minn., selected Google Cloud to be “the cornerstone of its digital transformation,” and the clinic would use “advanced cloud computing, data analytics, machine learning and artificial intelligence” to improve healthcare delivery.

But Ascension wasn’t as forthcoming with its Google partnership. It was Google that announced its work with Ascension during a quarterly earnings call in July, and Ascension didn’t issue a news release about the partnership until after the news broke.

“There should have been a public-facing announcement of the partnership,” Becker said. “This was a PR failure. Secrecy creates distrust.”

Matthew Fisher, partner at Mirick O’Connell Attorneys at Law and chairman of its health law group, said the outcry over the Google-Ascension partnership was surprising. For years, tech companies have been trying to get access to patient data to help healthcare organizations and, at the same time, develop or refine their existing products, he said.

“I get the sense that just because it was Google that was announced to have been a partner, that’s what drove a lot of the attention,” he said. “Everyone knows Google mostly for purposes outside of healthcare, which leads to the concern of does Google understand the regulatory obligations and restrictions that come to bear by entering the healthcare space?”

Ascension’s statement in response to the situation said the partnership with Google is covered by a business associate agreement — a distinction Fisher said is “absolutely required” before any protected health information can be shared with Google. Parties in a business associate agreement are obligated by federal regulation to comply with the applicable portions of HIPAA, such as its security and privacy rules.

A business associate relationship allows identifiable patient information to be shared and used by Google only under specified circumstances. It is the legal basis for keeping patient data segregated and restricting Google from freely using that data. According to Ascension, the health system’s clinical data is housed within an Ascension-owned virtual private space in Google Cloud, and Google isn’t allowed to use the data for marketing or research.

“Our data will always be separate from Google’s consumer data, and it will never be used by Google for purposes such as targeting consumers for advertising,” the statement said.

But health IT and information security expert Kate Borten believes business associate agreements and the HIPAA privacy rule they adhere to don’t go far enough to ensure patient privacy rights, especially when companies like Google get involved. The HIPAA privacy rule doesn’t require healthcare organizations to disclose to patients who they’re sharing patient data with.

“The privacy rule says as long as you have this business associate contract — and business associates are defined by HIPAA very broadly — then the healthcare provider organization or insurer doesn’t have to tell the plan members or the patients about all these business associates who now have access to your data,” she said.

Chilmark Research senior analyst Jody Ranck said much of the alarm over the Google-Ascension partnership may be misplaced, but it speaks to a growing concern about companies like Google entering healthcare.

Since the Office for Civil Rights is looking into the partnership, Ranck said there is still a question of whether the partnership fully complies with the law. But the bigger question has to do with privacy and security concerns around collecting and using patient data, as well as companies like Google using patient data to train AI algorithms and the potential biases it could create.

Ranck believes consumer trust in tech companies is declining, especially as data privacy concerns get more play.

“Now that they know everything you purchase and they can listen in to that Alexa sitting beside your bed at night, and now they’re going to get access to health data … what’s a consumer to do? Where’s their power to control their destiny when algorithms are being used to assign you as a high-, medium-, or low-risk individual, as creditworthy?” Ranck said. “All of this starts to feel like a bit of an algorithmic iron cage.”

A call for more transparency

Partnerships between healthcare organizations and big tech companies such as Google, Amazon, Apple and Microsoft are growing. Like organizations in other industries, healthcare organizations are looking to modernize their infrastructure and take advantage of state-of-the-art storage, security, data analytics tools and emerging tech like artificial intelligence.

But for healthcare organizations, partnerships like these have an added complexity — truly sensitive data. Forrester’s Becker said the mistake in the Google-Ascension partnership was the lack of transparency. There was no press release early on announcing the partnership, laying out what information is being shared, how the information will be used, and what outcome improvements the healthcare organization hopes to achieve.

“There should also be assurance that the partnership falls within HIPAA and that data will not be used for advertising or other commercial activities unrelated to the healthcare ambitions stated,” he said.

Fisher believes the Google-Ascension partnership raises questions about what the legal, moral and ethical aspects of these relationships are. While Ascension and Google may have been legally in the right, Fisher believes it’s important to recognize that privacy expectations are shifting, which calls for better consumer education, as well as more transparency around where and how data is being used.

Although he believes it would be “unduly burdensome” to require a healthcare organization to name every organization it shares data with, Fisher said better education on how HIPAA operates and what it allows when it comes to data sharing, as well as explaining how patient data will be protected when shared with a company like Google, could go a long way in helping patients understand what’s happening with their data.

“If you’re going to be contracting with one of these big-name companies that everyone has generalized concerns about with how they utilize data, you need to be ahead of the game,” Fisher said. “Even if you’re doing everything right from a legal standpoint, there’s still going to be a PR side to it. That’s really the practical reality of doing business. You want to be taking as many measures as you can to avoid the public backlash and having to be on the defensive by having the relationship found out and reported upon or discussed without trying to drive that discussion.”

GE rumors highlight digital culture hardship for CIOs

Headlines that GE is planning to sell off pieces of its digital division spread like wildfire across Wall Street and the tech community. The rumors are part of an ongoing narrative for GE, as it attempts to become part software company.

GE’s digital ambitions started in 2011 under Jeff Immelt’s direction, and the shift to software has seen its share of fits and starts since the launch of GE Digital in 2015. But rather than debate whether the latest rumors are true, CIOs should be taking notes on the digital transformation master class unfolding before their eyes.

GE’s turnaround CEO, John Flannery, is attempting to achieve a delicate balance that right-sizes the company, but does not give up on the company’s push to disrupt the industrial space with digital technologies.

Indeed, tech experts believe the rumors about GE Digital — true or not — illustrate how hard it is to create a digital strategy and build a digital culture.

“Not every company is going to be a software company for the majority of its revenue. But every company has to be a technology company at heart,” said Nigel Fenwick, an analyst at Forrester Research. “And that means figuring out what kind of changes, culturally, companies are going to need in order to adopt a digital mindset.”

‘Strategic clarity’

The recent rumors about GE Digital triggered a response from Flannery, who quickly published a piece that highlighted the company’s commitment to digital, to the industrial internet of things and to its technology platform Predix. And it would be surprising if GE planned to abandon its investment in the industrial internet of things, as the impact that IoT and digital devices will have on every industry will be profound, according to Alfonso Velosa, an analyst at Gartner.

“Everybody is starting to see this. The problem is, it’s still early days,” he said.

For CIOs charged with digital transformation, one takeaway from the GE rumor mill is unambiguous. To succeed, CIOs will need to think through difficult questions, such as how to integrate the technology into business processes and customer processes, as well as when to build technology internally and when to work with trusted partners.

Developing a blueprint that addresses questions like these requires a clear set of strategic objectives from senior leaders, or what Velosa called “strategic clarity.” Otherwise, companies risk taking their eye off what they see as the ultimate prize, Velosa said.

Case in point: GE’s original idea was to implement data centers for customers. “At a certain point, they realized that wasn’t their differentiation,” he said. “But investing in either a data center and/or a [colocation] strategy took resources and people’s attention away from what was really the core problem.”

Chip Childers, CTO at Cloud Foundry Foundation, an open source cloud computing project based in San Francisco, recommended that CIOs of more traditional companies — be they manufacturing or not — also look at talent when taking on a digital transformation project. He said they should take stock of the technical skills they have on hand and how those skills can support product development.

If talent gaps exist, Childers suggested CIOs seek out domain experts they can train “to go build the software, systems and applications that are going to be valuable to the enterprise customer.”

Getting a seat at the product development table may not be feasible for all CIOs, especially those who face the antiquated perspective that IT is a cost center, rather than a strategic partner. In those cases, a CIO’s best strategy is “to figure out how to be an amazing service provider to the product team,” Childers said.

A digital culture

Technology and strategy aside, the bigger digital transformation barrier for GE — and for most companies — is culture, according to Forrester’s Fenwick.

“Culture comes down to how to prioritize what to do next, how do you determine where to invest your dollars, and how do you determine how to recognize innovation inside the company,” he said.

A company like GE, which builds products to 99.99% perfection, also has to figure out how to enable its employees to fail fast inside the company. And that’s no easy task, according to Fenwick. “They’ve learned how to build a successful foundation to develop products that work right the first time. Then, you try to change that culture,” he said. “That’s a very difficult, uphill battle.”

A good way for CIOs to start chipping at the entrenched culture is metrics — what Fenwick said is the low-hanging fruit for establishing a digital culture.

“Metrics drive behavior,” he said. “And the behavior of employees is a key part of culture.”

Rather than align IT metrics to business metrics, IT metrics should be the same as business metrics. CIOs should look to business units or marketing and create metrics that hold IT professionals accountable to business goals, such as revenue, profitability and customer impact.

Companies that are successfully driving digital transformation see customer metrics such as net promoter score or customer satisfaction as critical to their longevity.

“They believe that the revenue of the future will follow these customer metrics,” he said.

While common metrics may seem small, Fenwick said it’s an important step for IT and for the enterprise as a whole. A shared set of goals can, for example, help create a common language for the company, which can reduce friction between departments and get everyone focused on the same goals, according to Fenwick.

“Getting that focus and making sure everyone in IT understands the reason they’re paid to come into work every day is not to write software. They’re paid to come into work every day to create value for customers, and they do that by writing software,” Fenwick said.

Meltdown and Spectre fixes eyed for SQL Server performance issues

The headlines about Meltdown and Spectre microprocessor vulnerabilities have somewhat subsided, but the patching goes on in IT shops both big and small — creating possible SQL Server performance issues for Microsoft users.

Databases, including SQL Server, could be affected by the architectural flaws in chips widely reported at the start of the year. At risk are processors from Intel and others that use creative design to boost system performance.

As described by Google Project Zero, both Meltdown and Spectre access on-chip cache memory to create vulnerable side-channels of communication. Spectre can inject commands that divulge data. Meltdown, using simpler operations, can monitor data in memory.

In both cases, malicious code would exploit chip-level speculative code execution techniques — ones used in many types of systems, including relational databases.

Early indications are software patches that counter Meltdown can incur SQL Server performance issues. There are no signs of actual hacks yet, but database administrators (DBAs) have been advised to update server-side software. The patches may lead to processing overhead, however.

Problems are by no means limited to on-premises databases. Reports indicated some users of SQL Server cloud versions were first to feel the impact of Meltdown protection, when Microsoft Azure cloud patching activity caused brief blips in operations.

Patches and overhead

When DBAs apply updates to guard against Meltdown and Spectre vulnerabilities, they will have to judge for themselves how performance overhead of patches may affect their workloads. Performance degradation covering a variety of database, virtual machine, operating system and hardware combinations has been cited in some user web blog entries.

But early estimates should be considered critically, according to Thomas LaRock, who serves as “head geek” at technology infrastructure management software provider SolarWinds, based in Austin, Texas. It is still early in terms of finding clarity when it comes to judging SQL Server performance issues that may be incurred by recent Microsoft patches to counter Meltdown.

“When you factor in the number of patches involved with Meltdown [and] Spectre, it is easy to understand why some people may be reporting a 30% performance hit. You could find hundreds of such claims on Reddit right now, many of them without any understanding of why such a performance hit might have been possible,” LaRock said.

Calling ‘Captain Edgecase’

Workloads, hardware, applications and code are among the variables that contribute to different performance measures. This is not to mention the human element.

“There is always one ‘Captain Edgecase’ in the crowd that wants everyone to know they found something different than anyone else,” LaRock mused.

While waiting for chipmakers to create their own patches for Meltdown and Spectre, IT pros will have to look to patch applications not just at the database level, but at the operating system and browser level, too.

LaRock said the basic message boils down to this: “Update all things.”

Meltdown and Spectre lesson: Assess patch risk

Still, it is important for everyone to be able to assess their risk properly before applying patches, according to LaRock, who is a Microsoft MVP.

“To me, any risk is too much risk, and I would want to patch. But I wouldn’t do so without knowing the impact, especially for mission-critical servers,” he said.

The advice here is to, in LaRock’s words, “test, test, test.” Ned Bellavance, who is director of cloud solutions at Anexinet in Blue Bell, Pa., and is also a Microsoft MVP, agreed.

“There are always going to be vulnerabilities and news about vulnerabilities. So, you have to have an environment for testing patches before rolling out changes into production,” he said.

Bellavance said moving databases to the cloud does not relieve an admin’s responsibility for faults in system settings. That is especially true in the face of vulnerabilities like Meltdown, which can exploit cloud environments that share resources like databases across virtual machines. The cloud provider can be expected to roll out fixes, but databases have to be configured to anticipate such disruptions in the status quo.

Microsoft was quick to roll out patches for SQL Server databases on its cloud, but some users experienced downtime, Bellavance said.

“People were impacted because Microsoft had to do cloud maintenance. If you didn’t follow best practices for high availability, you may have had a performance hit,” he said.

Now is as good a time as any to review such practices, Bellavance advised.

New RingCentral app integrations include Google, Slack, Alexa

While Cisco and BroadSoft grabbed the headlines last week with their acquisition news, another unified communications provider showcased its market momentum. RingCentral Inc., a UC-as-a-service vendor based in Belmont, Calif., unveiled several application integrations that fortify its platform and highlight the pervasiveness of open, cloud-based communications.

RingCentral has expanded its API platform that lets developers integrate voice, messaging and fax into business workflows. In today’s multicloud applications environment, RingCentral said its open platform is an ecosystem-friendly approach that can enable business communications with new artificial intelligence, chatbot and app integrations.

For instance, the newly announced RingCentral for Google is a native integration with G Suite. With the add-on service, users can promote an email conversation to a RingCentral call and send SMS from Gmail. Users can also view recent call history, voicemail, SMS and see presence for online or offline status of RingCentral contacts.

Additionally, the new RingCentral for Alexa Skills is an integration with Amazon Alexa-powered devices that lets users interface through voice to request playback and respond to voicemails. Users could also send and check text messages and start a RingCentral outbound call and SMS through the RingCentral app. This integration is expected to be available by the end of this year.

App integrations enable chatbots

Another integration, RingCentral for Slack, is designed to introduce meetings and calling capabilities into the Slack messaging platform. The integration lets Slack users use slash commands to access RingCentral and launch video meetings and audio conferences. The service is available in the RingCentral App Gallery, and it requires a Slack account and subscription to RingCentral Office, the vendor’s cloud phone system.

RingCentral also announced last week updated integrations for its Glip team collaboration tool with AI and chatbot capabilities to automate business processes. For instance, the Salesforce Alert Bot in Glip can capture Salesforce events and send notifications to Glip teams. This feature enables sales managers to have immediate updates on opportunities without having to open Salesforce in a separate application. The bot is expected to be available in early 2018.

Kore.ai, a chatbot platform partner of RingCentral, has enabled four bots within the Glip platform, including Salesforce, Twitter, Asana and Trello. Gong.io, a conversation intelligence platform for sales teams, provides call transcription and analytics within the Glip platform, so teams can replicate best sales practices.

RingCentral’s platform enhances business communications through an integrated and pervasive approach, said David Lee, RingCentral’s vice president of platform products, in a statement. The RingCentral App Gallery has more than 7,000 developers and over 100 cloud app integrations.

Open APIs benefit communications

While the RingCentral integrations are important, many other UC-as-a-service (UCaaS) platforms are also fairly open, as they move to an API model, said Zeus Kerravala, principal analyst at ZK Research in Westminster, Mass. App integrations are almost becoming a mandatory feature in the market, he added.

Many vendors, for instance, integrate with Salesforce, the popular cloud-based customer relationship management platform. But Kerravala suggested customers consider additional app integrations beyond the most common ones, especially integrations that could benefit certain vertical markets or business units.   

“Now that every vendor has exposed APIs, it makes it much easier to integrate with them,” he said. “I think that’s been one of the big benefits of the industry.”

RingCentral, in particular, has the most mature UCaaS platform, plus a team messaging service with Glip, industry analyst Dave Michels wrote in a recent report. But several providers are nipping at RingCentral’s heels.

“RingCentral is firing on all cylinders — UCaaS, messaging, video, contact center and integrations,” Michels said. “They are in the enviable position of delivering today what most of the industry is attempting to create.”

A supply and demand problem

The UCaaS market is particularly packed with providers, including 8x8, West, Fuze, Mitel and Masergy, among others. Traditional telecom vendors, like AT&T, are also in the UCaaS market. System integrators, like Dimension Data, sell UCaaS tools. And traditional UC vendors, like Cisco and Microsoft, offer their respective UCaaS products.

“We’ve got too many UCaaS providers today,” Kerravala said. “I think there’s too much supply and not enough demand. Some consolidation is necessary.” 

Some consolidation occurred last week when Cisco said it will acquire BroadSoft, a deal that validates the market’s strength, Michels said. Industry consolidation will continue, he added, as UCaaS alone is increasingly viewed as a commoditized service.

For now, Kerravala added, the acquisition will have a neutral effect on RingCentral and other providers, because small and midsize businesses primarily buy UCaaS products. But that effect could turn negative for RingCentral and benefit Cisco as more large organizations start to buy UCaaS.  

Go beyond calling capabilities

Users navigating this market need to understand what exactly they are buying, Kerravala said. Cisco’s Hosted Collaboration Solution, for instance, is a private cloud offering sold to service providers that then offer it to their customers.

RingCentral, meanwhile, is more of a multi-tenant public cloud, where one change to the service can affect many customers.

A private cloud offers more customization, but might require more upfront work, Kerravala said. Highly distributed and regulated companies with data sovereignty issues might prefer a private cloud. Big retailers, however, might favor a public cloud if they need to get telephony out to thousands of stores.

“The first thing customers need to do is not jump on board cloud just to do cloud, but to understand what they want and why,” Kerravala said.

After that initial step, organizations should compare UCaaS vendors more closely. While the calling capabilities and audio quality are quite comparable among the vendors, customers should dig deeper and examine other services, such as team messaging and mobility.

“Looking at the services outside the core calling is probably the most important criteria for determining which of these many vendors you want to go with,” Kerravala said.

Cybersecurity talent shortage: Is recruiting from IT the golden ticket?

Cyberattacks continue to make headlines, and a cybersecurity talent shortage could add fuel to the fire: The Information Systems Audit and Control Association, or ISACA, a nonprofit information security advocacy group, forecasts a global shortage of 2 million cybersecurity professionals by 2019.

The cybersecurity industry is growing exponentially, but cyber is relatively new from a higher-education perspective, said Kathie Miley, COO at Cybrary, based in Greenbelt, Md., during a panel discussion on the global cybersecurity talent shortage at the 2017 ISSA International Conference in San Diego. Formal cybersecurity schools and certifications have been around only for a short time and are still very expensive, Miley said.

“People who aren’t having their training paid for by their employer simply can’t afford it,” she said. “It was inevitable that we were going to face this shortage without a really clear-cut way to providing them with those skills and practical work experiences that employers are expecting today.”

To address the cybersecurity talent shortage, one of the best places to recruit is from the current IT staff, Miley suggested. Organizations should be transitioning IT professionals, like system administrators, network administrators and software developers, into cybersecurity roles, she said. The techniques required to be a cybersecurity expert call for practical experience in IT, she explained.

“A lot of it is administrative, a lot of it is operational, and a lot of it is network and application development. If we have [those] people who fundamentally have that foundation already built, then it’s not too far to get them up to the next level to become cyber experts,” Miley said.

A strong foundation in IT is critical to understanding the core technologies and underlying security principles, said Travis Rosiek, chief technology and strategy officer at BluVector, based in Arlington, Va.

Rosiek said he sees value in transitioning existing technical personnel to security roles, mostly because they have the organizational knowledge of how systems work, where there is likely going to be a problem and how things can be remotely accessed. This gives them an insight into how an adversary might exploit or use existing tool sets for an attack, he added.

“Adversaries are becoming more stealthy and leveraging underlying IT systems like PowerShell, which system administrators typically use, making it much harder to identify [any deviations]. Having that understanding from a good IT background is therefore helpful,” Rosiek said.

But IT staff often still harbor a negative perception about security professionals, which might pose a hurdle when encouraging a transition into security roles, panelists warned.

“People think we are the people that say no; we only say no when it needs to be that way,” said David Goldsmith, CTO at U.K.-based NCC Group. “Security is about enabling; the reason why organizations have a security team is so that you can get business done.”

To convey the value that cybersecurity professionals bring to an organization, senior security leaders should be vocal about their efforts and better articulate the benefits of risk management strategy, Goldsmith suggested. Organizations need to garner support from the executive leadership to establish a sound cybersecurity program and a top-down culture of security, panelists added.

Another effective way to address the cybersecurity talent shortage is instilling an interest in cybersecurity among the younger generation, panelists said. For example, there should be more emphasis on making STEM programs attractive to students, panelists stressed.

“We have to make sure the up-and-comings know that the job exists,” Miley said. “I think we all do a terrible job in communicating what cybersecurity is, and we overcomplicate it … we drive them away from cyber instead of letting them know of the value that we are adding to the world.”