Tag Archives: Health

Contact tracing apps seem effective, but have privacy concerns

When the state of Rhode Island launched a contact tracing app for COVID-19 in May, public health officials said the program could help curtail the pandemic, but privacy advocates worry that the app, and ones like it, take too much data while potentially sharing it with too many people.

As stores, restaurants, parks and offices in the U.S. begin to open back up months after the first COVID-19 related stay-at-home orders, enterprises and governments face the difficult challenge of providing goods and services while keeping people safe.

To tackle that challenge, enterprises and governments are turning to technology to create contact tracing apps.

Balance of safety and privacy

A decades-old strategy to help slow the spread of contagious diseases, contact tracing is the process of identifying infected people and tracking down who they have been in contact with and notifying them of a potential infection.

While this was largely done manually in the past, enterprises, as well as local and state governments, are beginning to use apps to do it, including mobile applications that use location data to track a person’s whereabouts, to more quickly and effectively track where COVID-19 may have spread. Using AI-powered big data analytics, governments and enterprises can then process the data more anonymously.

Contact tracing apps, however, have raised concerns from privacy advocates, who say that some platforms either take too much identifying information, such as GPS data, give too much data to government authorities, or both.

The Electronic Frontier Foundation (EFF), for one, explicitly opposes automated COVID-19 contact tracing apps that track location through GPS or cell phone location, as well as apps that send information about possibly infected people directly to the government.

“This data is highly intrusive of location privacy, yet not sufficiently granular to show whether two people were within transmittal distance (six feet),” said Adam Schwartz, senior staff attorney at the EFF.

Rhode Island, with its recently unveiled CRUSH COVID RI app, is an example.

Released May 19, the app uses GPS location data to track the people and places users visited for at least 10 minutes over the past 20 days. If a user tests positive for COVID-19, they can agree to share their location data with the state health department so it can identify people the user was in contact with and alert them.

Signing up for the app is voluntary, and location data, unless shared with the health department, is stored entirely on users’ phones. It’s deleted after 20 days.

Despite the fact that these apps are voluntary, privacy advocates worry that apps that use GPS data to track people, and that send data to the government, are invasive.

“We are disappointed that some nations and states are using location apps and hybrid location/proximity apps. The voluntariness of such apps does not cure the lack of data minimization,” Schwartz said.

The American Civil Liberties Union was similarly critical of such contact tracing technologies, saying they carry some inherent risk of exposing an infected person’s medical condition to people with whom they come in contact.

However, some contact tracing platforms aim to be privacy-friendly.

These include a Google-Apple initiative, which has drawn wide interest, as well as a tracing app from the Pan-European Privacy-Preserving Proximity Tracing consortium.

These mobile apps use a phone’s Bluetooth Low Energy beacons to interact with other phones, enabling the phone of an enrolled user to announce itself with a different random large number to nearby phones every few minutes. Phones keep a log of the numbers they send out, as well as the numbers sent out by nearby phones.

If a user is diagnosed as infected with COVID-19, they can then voluntarily upload that list of numbers to a central server. Those users who are not infected have their numbers automatically compared to the numbers on the server. If enough numbers match, then users are notified that they may have been in contact with someone who is infected.
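The broadcast, log, upload and compare steps described above, modeled as an added example (not code from the article or from any of the apps it names). The 128-bit identifier size, the match threshold of 2, the on-phone comparison and the four-phone schedule are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

ID_BYTES = 16         # assumption: each broadcast number is 128 random bits
MATCH_THRESHOLD = 2   # assumption: "enough numbers match" means at least 2


class Server:
    """Central server: stores only the numbers uploaded by diagnosed users."""

    def __init__(self):
        self.published = set()

    def publish(self, numbers):
        self.published.update(numbers)


@dataclass
class Phone:
    name: str
    sent: list = field(default_factory=list)   # numbers this phone announced
    heard: set = field(default_factory=set)    # numbers heard from nearby phones
    current: bytes = b""

    def rotate(self):
        """Start a new interval with a fresh, unlinkable random number."""
        self.current = secrets.token_bytes(ID_BYTES)
        self.sent.append(self.current)

    def receive(self, number):
        """Log a number announced by a phone within Bluetooth range."""
        self.heard.add(number)

    def upload_after_diagnosis(self, server):
        """Voluntary step: share only the numbers this phone sent out."""
        server.publish(self.sent)

    def check_exposure(self, server):
        """Compare the local log with the published numbers on the phone
        (assumption), so the server never learns who matched."""
        matches = len(self.heard & server.published)
        return matches >= MATCH_THRESHOLD, matches


def simulate():
    phones = {n: Phone(n) for n in ("alice", "bob", "carol", "dave")}
    # Constructed schedule: groups of phones in range during each interval.
    schedule = [
        [{"alice", "bob"}],
        [{"alice", "bob", "carol"}],
        [{"alice", "bob"}],
        [{"carol", "dave"}],
    ]
    for groups in schedule:
        for phone in phones.values():
            phone.rotate()
        for group in groups:
            for sender in group:
                for receiver in group - {sender}:
                    phones[receiver].receive(phones[sender].current)

    server = Server()
    phones["alice"].upload_after_diagnosis(server)   # alice tests positive
    results = {
        name: phone.check_exposure(server)
        for name, phone in phones.items()
        if name != "alice"
    }
    return results, server, phones


if __name__ == "__main__":
    results, server, _ = simulate()
    for name, (notified, matches) in results.items():
        print(f"{name}: matches={matches} notified={notified}")
    print("server holds", len(server.published), "random numbers and nothing else")
```

The server ends up holding only the diagnosed user's random numbers, with no names or locations; the single-interval contact stays below the threshold and is not notified.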

That’s different from Rhode Island’s new app, which uses GPS data and which uploads information to government officials.

A Bluetooth system is more accurate and less revealing than an app that uses geolocation data, an ACLU white paper on tracing apps noted. While Bluetooth tracking could potentially reveal associations, it’s less likely to do so.

The EFF, likewise, is wary about contact tracing apps that track proximity using Bluetooth, Schwartz said.

“This system might not help; if it does, it will be a small part of a larger public health response that must focus on manual interview-based contact tracing and widespread testing,” he said.

“This system carries privacy risks that must be mitigated through voluntariness, data minimization and open source code. We oppose hybrid tracking apps that use both proximity and location,” Schwartz continued.


Meanwhile, national governments around the world, including the governments of South Korea, Singapore, China and Australia, have developed and released contact tracing apps. Some enterprises are also beginning to consider the implications of having their employees use contact tracing apps.

Enterprises with global operations have particularly shown a greater willingness to use technology-based contact tracing within countries with less legal or cultural opposition to contact tracing, said Deborah Golden, U.S. cyber risk services leader at Deloitte Risk and Financial Advisory.

“In the U.S., we expect that organizations will likely lean on a variety of approaches to reach the next normal. Some organizations may even bypass this challenge altogether and realize they are able to maintain fully remote operations in perpetuity,” Golden said. “Others that are more dependent on physical presence may consider a combination of physical protocols.”

Before using or developing contact tracing apps, however, governments and enterprises need to deeply consider the privacy implications the platform may have, as well as methods to help ensure users’ personal data stays safe and anonymous, she noted.

The creators

Regardless of the method used for contact tracing, or who is deploying the apps, companies that create such apps need to ensure they are anonymizing data and keeping people’s information private, according to some vendors.

Maven Wave, an Atos-owned technology consulting firm that specializes in digital delivery skills and cloud-powered applications, is working with vendors to develop technology-assisted contact tracing (TACT) apps.

“There’s a whole bunch of things that need to happen” to keep information private, said Brian Ray, managing director of AI and machine learning at Maven Wave.

“Redaction, making data points anonymous, having a control system in place, having a way to audit that process” are just some of the things tech companies need to do, he said.

Meanwhile, enterprises considering using TACT apps should take into account many privacy and data protection concerns, regardless of whether contact tracing apps require users to opt in, said Golden.

“In adopting these technologies, organizations are creating large datasets of sensitive personal health information and personally identifiable information,” she said. “Organizations should carefully consider how this data will be protected, accessed, stored, transmitted and reported.”

“Leaders need to think through where organizational lines of responsibility exist for communication with regulatory officials, employees, customers and other stakeholder groups, as well as how communication should occur to foster trust and transparency — particularly when disparate regulatory guidance may exist across geographies or industries,” Golden continued.

Yet, governments and the public may have different, even opposing, views about what data should be shared, added Asif Dhar, chief health informatics officer and a principal in Deloitte Consulting’s Monitor Deloitte practice, which is working with states and companies to build and deploy contact tracing apps.

“Active engagement with consumers and employees is critical to gain an appreciation of their preferences to establish clear expectations,” he said. “For example, organizations should establish clear consenting platforms so that stakeholders understand when and under what circumstances data is used.”

Without a focus on trust and transparency, organizations may risk low acceptance of apps, Dhar continued. Organizations should also consider ways to adequately protect data, including where data is stored, who can access it, and how and when it can be accessed.

Still, even if enterprises or governments set up fairly secure, anonymized contact tracing apps, it’s no guarantee they will provide the information needed to keep people safe.

Effectiveness of apps

How many people use available contact tracing apps can play a part in their effectiveness.

If only a few people download and use an app, the app may convey inaccurate results, such as indicating to officials that fewer people are getting infected. That may create a false sense of security. People simply not getting tested, or not changing their infection status in the app, would also skew the results.

But according to Prince Kohli, CTO at RPA vendor Automation Anywhere, people are generally willing to download the apps and provide data.

Automation Anywhere helped develop contact tracing apps in conjunction with other companies in several countries, including Australia and China. Some apps ask users to answer surveys about where they have been and their medical status. Most people have been willing to answer questions like these, said Kohli.

“This is not data that people are trying to hide,” he said.

A usage rate as low as 10% to 20% in a group could provide relevant results, Kohli said, as long as the percentage indicates a truly random sampling of people.

Even so, app usage and COVID-19 testing rates aren’t the only determining factors of an app’s effectiveness.

While use thresholds are an important factor, other considerations, such as whether a person has their phone on them when going out or not, or if a person travels across disparate geographical areas, can help determine efficacy, according to Golden.

The Rhode Island app, for example, can’t be downloaded by users outside of Rhode Island, making it useless for tracking visitors to the state.

“Although contact tracing applications may be an important tool in a country’s ability to return to work, there is no silver bullet in getting back to normal,” Golden said. “Organizations cannot negate the opportunity that human contact tracers and other physical and digital health safety tools and protocols offer.”

Pandemic could alter healthcare CIO terrain

Healthcare CIOs started 2020 with a roadmap for health IT projects that then took a sharp turn because of the COVID-19 pandemic.

David Chou, CIO at Harris Health System in Houston, Texas, and former principal analyst at Constellation Research Inc., said healthcare CIOs have adjusted their focus away from longer-term projects and toward day-to-day technologies and priorities that enable operations to continue. The pandemic could also be a catalyst for transforming the role of the CIO, making a strong case for healthcare IT leaders to push out of the back office and become executive partners, Chou said.

In this Q&A, Chou, who started as CIO at Harris Health System in May, discusses what tools CIOs are looking at right now as well as how the pandemic will have a lasting effect on health IT and the role of CIO.

What trends or technologies are healthcare CIOs paying attention to right now?

David Chou: Virtual care, I think that is definitely here to stay. The industry has been waiting for it. Adoption has been slow with maybe some resistance, but I would say now people are going to go full speed ahead and there is a lot of emphasis there. Remote patient monitoring, anything that’s going to improve the wellness of patients without having to see a doctor, those types of initiatives will definitely be there.

I think a lot of CIOs may also recognize [areas] where they don’t have the proper foundation in place to support these virtual initiatives. … So there are a lot of investments in the necessary foundation to really scale, for example, a remote workforce from 3,000 to 18,000. You’ve got to have the right foundation to be able to scale that properly in an expeditious manner. Foundational technology is top-of-mind right now versus any new shiny object.

What are some of those foundational technologies CIOs are looking at?

Chou: The infrastructure networks — you have to be thinking about utilizing software. You hear about software-defined networks where you can roll out a new site and manage the flow of traffic utilizing software. Really scale up or scale down your site easily. That’s going to be huge, and what people should be thinking about in terms of next-generation infrastructure.

Are CIOs doubling down on tools they have versus bringing in new technologies?

Chou: Definitely [doubling down] for the later part of this year and maybe Q1, Q2 of next year. I think there’s enough work in terms of deploying and optimizing what you already have in-house rather than going out and buying the new shiny thing people may be thinking about.

What will CIOs be looking at to help healthcare systems reopen for routine, in-person care?

Chou: Some organizations are going to have to mature their data platforms, whether it’s business intelligence or just enterprise analytics because that is going to help drive decision-making. … There will be a lot of emphasis on making data available so users can take action. That’s going to be critical as things are starting to open up.

Organizations have to reevaluate their business models too. Coming into the start of this year pre-COVID, there was a lot of emphasis on modernizing their back office. [For example,] moving toward ERP is probably on everyone’s agenda in the healthcare provider world within the next two to three years. That may be on pause, but this may also be a good time to reflect on that. That’s not just updating a system, it’s about reevaluating your supply chain that has probably not changed in the last 15 years. You have to redesign the process to be more efficient in today’s new world. You can only do that with the right data in place to make those decisions, but also to transform the organization’s process. That’s the hard part.

How do you think this pandemic will impact the role of the CIO?

Chou: I would say there’s probably going to be a change in expectation for IT and CIO leaders. The traditional philosophy and traditional management of just keeping the lights on is probably not going to fare well in the new era where [organizations] are looking at technology to be a competitive advantage and a differentiator. The CIO that can really do that can help organizations maximize their investment and are going to be key drivers and partners for the CEO and the executive team. The ones who are not able to do that and are focused on managing technology without understanding the true impact, I would say they may not be around their seats much longer.

Surge in digital health tools to continue post-pandemic

Health systems have rapidly rolled out digital health tools to meet the needs of both patients and providers during the COVID-19 crisis.

Interest in digital health tools, a broad term that refers to the use of technology to deliver healthcare services to patients digitally and can include technologies such as wearable devices, mobile apps and telehealth programs, will likely continue long after the pandemic ends, according to healthcare experts.

Already, healthcare systems are increasing the number of telehealth services they provide. They are embracing symptom checker tools and tools that enable practitioners to keep tabs on patients remotely. It’s also resulted in healthcare CIOs looking to contact tracing tools for managing the spread of the virus.

During a recent HIMSS webinar, four healthcare leaders discussed how the pandemic has accelerated the adoption of digital health tools and why that interest will continue after the pandemic ends.

Digital health tools help with response

Digital health tools such as telehealth programs have become a crucial element of the pandemic, especially as governments and health systems began mandating work-from-home and shelter-in-place orders, according to Bernardo Mariano Jr., CIO and director of digital health innovation at the World Health Organization in Switzerland.

But, Mariano said, more work needs to be done, including the development of an international health data exchange standard so countries can do a better job of supporting each other during a crisis such as COVID-19. For example, Mariano said, while Italy was suffering from an overload of patients at hospitals, neighboring countries may have been able to help treat patients remotely through telemedicine. The lack of an international “principle or regulation” hindered that capability, he said.

As the pandemic stretches on, Mariano said the proliferation of contact tracing technologies is also growing, with countries seeking to use the technology as part of their reopening strategies. Mariano said the COVID-19 crisis could accelerate the adoption of a global healthcare surveillance system like contact tracing that will enable countries to quickly analyze, assess and respond to outbreaks.

“The power of digital solutions to minimize the impact of COVID has never been so clear,” he said.

‘Digital front door technologies’ are key

Pravene Nath, global head of digital health strategy at Roche, a biotech company with an office in San Francisco, also cited the explosive growth of telehealth as an indicator of the impact COVID-19 has had on healthcare. While they are instrumental now, Nath also believes digital health tools will last beyond the pandemic.

Nath said the crisis is enabling healthcare systems to readily make a case for “digital front door technologies,” or tools that guide patients to the right place before stepping into a healthcare facility. A digital front door can include tools such as acute care telehealth, chatbot assessments, virtual visits, home monitoring and self-monitoring tools.

“I think the disruption here is in the access and utilization of traditional care models that’s heightened the value of digitally-driven chronic disease care management, such as platforms like MySugr for diabetes management,” he said. MySugr is an app-based digital diabetes management platform that integrates with glucose-monitoring devices.

“We think the adoption of these kinds of technologies will accelerate now as a result of the total disruption to physical access to traditional healthcare environments,” he said.

Nath said after the pandemic has passed, healthcare systems that quickly rolled out digital health technologies will need time to assess how to be “good stewards” of that technology and patient data moving forward.

Mobile app use grows

“Digital technologies play an important role in managing the crisis,” said Päivi Sillanaukee, director general of the Finland Ministry of Social Affairs and Health.

Digital health has played a role in keeping patients informed via mobile apps and other online methods. Sillanaukee said having tools that provide reliable, up-to-date information to patients has resulted in a decrease in time-consuming calls to healthcare workers.

Finland has also begun looking into contact tracing tools, although Sillanaukee said she has seen an acceleration in discussions about patient data safety along with the contact tracing discussion.

Pandemic bypasses change management

While the benefits of digital health were evident before the crisis, such as remotely connecting patients to doctors, Benedict Tan, group chief digital strategy officer at Singapore Health Services, said the challenge has long been change management and getting buy-in from providers for digital health tools.

But COVID-19 and social distancing have changed that, suddenly presenting a need for tools such as telehealth, analytics and remote monitoring to help manage patients during the crisis, and they are showing the value of such tools, he said.

“What COVID-19 has done is accelerate, or give motivation, for all of us to work together to leverage and see the benefits of what digital health can bring to society,” he said.

Fallout from HIMSS20 cancellation continues

It’s been two months since the annual HIMSS Global Health Conference & Exhibition was canceled, but attendees and exhibitors are still expressing frustration over how the cancellation was handled.

HIMSS called off the event for the first time in 58 years due to the COVID-19 pandemic. That decision created a quick-fire controversy, as the nonprofit announced the news four days before the conference was to kick off and three days after President Donald Trump was announced as an event speaker.

But how HIMSS, an organization with 80,000 members that is closely linked with the health IT community, managed and communicated the cancellation cleanup has had more staying power. Attendees and exhibitors said they received few details from the organization and had to press HIMSS to provide clarity into how refunds would be handled. Along with poor communication, HIMSS did not provide exhibitors or attendees with the option for refunds.

“You have to pursue them and when you do, it’s an iron wall of legal policies,” said Ryan Plasch, vice president of growth and strategy at AI voice assistant company Saykara in Seattle. “For health tech companies like ours and other innovators, there was no reprieve. We asked for a refund, they cited their legal policy in the contract.” Saykara was scheduled to attend the event as an exhibitor.

When asked about the lack of communication and the lack of refund options, a HIMSS spokesperson said the organization had no comment at this time.

Lack of communication

Initially, HIMSS planned to offer no financial recourse, providing exhibitors with no contingency plan and providing attendees with an option of rolling over the cost of the HIMSS20 ticket to next year’s event. Eventually, on April 8, HIMSS said it would give a partial credit to exhibitors, divided between HIMSS21 and HIMSS22.

Plasch said he was “extremely disappointed” in the poor communication from HIMSS on refund opportunities. He’s not alone: On Tuesday, 21 health IT companies that planned to exhibit at HIMSS20, including Saykara, sent HIMSS CEO Harold Wolf a letter expressing anger at how it handled the situation and requested a 100% refund of exhibitor fees.

“The decision to cancel due to COVID-19 was the right one to keep attendees and in particular our healthcare professionals safe in these unprecedented times,” the letter stated. “However, we take issue with the conduct of the HIMSS organization in the subsequent management of the finances related to this situation. Because of this, we decided to reach out to other similarly affected organizations, many of who have complained directly to you, but who have not felt listened to and we have joined together with them to send you this letter.”

In its FAQ, HIMSS said that, when it comes to exhibitor booth and sponsorship refunds, it “must follow and honor the terms of exhibitor contracts, which include a force majeure clause. As a not-for-profit, and because of its obligations to other parties, HIMSS will honor its partners’ rights but, unfortunately, is not in a position to issue cash refunds beyond those provided in our contracts.”

HIMSS outlined the force majeure clause for exhibitors in the event’s terms and conditions stating, “In the event that the performance by HIMSS or the venue or any part of the exhibit area thereof is unavailable … HIMSS shall not be liable to refund, indemnify, or reimburse the Exhibitor in respect of any fees paid, damage or loss, direct or indirect, arising as a result thereof.”

In their letter, the 21 exhibitors rejected the explanation, stating, “All of us were shocked and angry that HIMSS took the decision to retain 100% of the money paid for exhibition space rental citing Force Majeure and the fact you are a Not for Profit; however, we fail to see why being a Not for Profit should exempt HIMSS from acting fairly, honourably and professionally.”

A media contact for HIMSS said she had not seen the letter and could not comment.

John Moore, founder and managing partner of Chilmark Research, a health IT consultancy in Boston, said he received minimal communication from HIMSS regarding refund opportunities. Moore has attended several HIMSS conferences.

“I had to hunt them down and, even then, they were very difficult to reach,” Moore said. “You couldn’t get ahold of anyone for a couple of months.”

Maree Beare, founder of symptom checker startup Wanngi in Australia, found communication from HIMSS regarding refunds to be lacking. Beare, who was attending HIMSS for the first time, said she expected a full refund for the cost of her ticket and had to reach out to HIMSS organizers directly to learn that wasn’t the case.

“I think people were not communicated to correctly at all,” she said.

Lack of refund options

It wasn’t until one month after the event was canceled that exhibitors received a consolation. HIMSS offered to split 25% of exhibitors’ “total spend from HIMSS20” between the next two years, with 15% applied to HIMSS21 and 10% applied to HIMSS22. Startups and “university row” exhibitors were given the opportunity to split 100% of their total spend evenly between HIMSS21 and HIMSS22.

Saykara’s Plasch said he felt “empty handed and almost brushed aside” by HIMSS. Plasch said HIMSS’ response was a stark contrast to another event the vendor was scheduled to attend just a couple of weeks later, the American Academy of Orthopaedic Surgeons (AAOS) annual meeting, which draws roughly 30,000 attendees, or 15,000 fewer than HIMSS.

Within a week of canceling, Plasch said AAOS conference organizers provided Saykara with three refund options.

“You could get a 100% refund, you could apply credits to next year with some incentives, or you could elect to do some online virtual things with free advertisement,” Plasch said. “Without even asking, we got that.”

From HIMSS, Plasch said he’s received “curt” responses to inquiries and said his company is feeling “disenfranchised as a result of the experience.”

As an attendee, Chilmark’s Moore said the consultancy’s tickets to HIMSS20 weren’t eligible for a refund but were automatically made applicable to next year’s event. However, tickets aren’t transferable to other employees right now, meaning Moore could lose the value of that ticket if an employee that planned to attend HIMSS20 leaves the company before the HIMSS21 event.

Roughly 10 Chilmark employees were planning to attend HIMSS20, and at about $1,500 each, Moore hoped HIMSS would’ve offered more options to those affected by the cancellation.

“HIMSS was pretty amateurish to say the least,” Moore said. “The HIMSS conference brings in, I don’t know how many millions into HIMSS … and this is the best they can do? It’s a bit of a joke.”

ONC, CMS information blocking, interoperability rules finalized

The 2020 HIMSS Global Health Conference & Exhibition may have been canceled Thursday due to coronavirus concerns, but federal regulators wasted no time in announcing that two long-awaited health IT rules finally have been released.

The finalized interoperability and information blocking rules from the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) will require healthcare organizations to give patients access to data through standardized APIs within the next two years, said Don Rucker, national coordinator for ONC, during a media briefing Monday. The rules also focus on data sharing between health insurers, as well as exceptions to information blocking, or situations that do not constitute healthcare organizations keeping data from patients.

Both ONC’s information blocking and interoperability rule, and CMS’ patient data access rule, were finalized amid concerns about patient privacy. Organizations, including EHR vendor Epic, voiced concerns that there weren’t enough privacy protections in place to keep patient data safe.

Proposals for the two rules were unveiled at last year’s event and it was rumored they would drop in conjunction with President Trump’s last-minute addition to this year’s HIMSS speaker lineup, which was slated to start today.

ONC’s interoperability rule

ONC’s interoperability rule mandates that healthcare organizations use FHIR-based APIs to connect patient-facing and consumer-grade apps to patient EHRs. It’s part of the Trump administration’s push to consumerize healthcare.

At the start of the year, one of the biggest EHR vendors, Epic, publicly expressed concerns on sharing patient data with third-party apps because of the lack of outlined privacy protections. During the media briefing, Rucker addressed those concerns head on, saying that the apps will use the same, secure API technology used in banking apps. Additionally, Rucker said providers will be able to let patients know in a “deliberate, straight-forward way” what information they’re consenting to sharing through a patient authentication process.  

“That is not snuck in on the side,” Rucker said. “It’s central to the way that patients allow an app to get access to their information. We’ve empowered providers to communicate the privacy issues in that process.” 

Rucker said a second part of the finalized ONC rule identifies activities that do not constitute information blocking, which is the interference of a healthcare organization with the sharing of health data, and establishes new rules to prevent information blocking practices by healthcare providers, developers of certified health IT and health information exchange networks, as required by the 21st Century Cures Act.

The rule also requires health IT developers to meet certification requirements to ensure interoperability.  Health IT developers must comply with requirements such as assuring that they are not restricting communication about a product’s usability or security so that nurses and doctors are able to discuss safety and usability issues without being bound by what Rucker said has historically been called a “gag clause.”

The finalized ONC rule also replaces the Common Clinical Data Set (CCDS) data elements standard with the U.S. Core Data for Interoperability (USCDI) data set for the exchange of data within APIs. The USCDI is a defined set of data that includes clinical notes such as allergies and medications. The data set will support data exchange, Rucker said.

“These are standardized sets of data classes and data elements … to help improve this flow of information,” he said.

CMS patient access rule

The ONC rule goes hand in hand with the CMS rule, which aims to open data sharing between the health insurance system and patients.

Starting in 2021, the CMS patient data access rule will require all health plans that do business with the federal government to share data with patients through a standards-based API. The push to make it easier for patients to access health data follows a model CMS implemented with Blue Button 2.0, an API which gives Medicare beneficiaries the ability to connect their claims data to apps of their choosing, such as research apps.

The rule also requires health plans to make their provider directory available through an API, so patients know if their physician is in their insurance network.

“This will allow innovative third parties to design apps that will help patients evaluate which plan networks are right for them and potentially avoid surprise billing by having a clear picture of which clinicians are in network,” CMS administrator Seema Verma said during Monday’s media briefing.

Starting in 2022, Verma said insurance plans will also be required to share patient information with each other, which will enable patients to take data with them as they move between plans.

Additionally, effective six months from today, CMS is changing the participation conditions for Medicare- and Medicaid-participating hospitals as part of the rule. To ensure they are supporting care coordination for patients, Verma said the rule requires the hospitals to send admission, discharge and transfer notifications so patients receive a “timelier follow-up supporting better care and better health outcomes.”

“The Trump administration is pushing the healthcare system forward,” Verma said. “We are breaking down barriers to a seamless, data-driven healthcare system. The result of these two rules will be a more intuitive and convenient experience for American patients.”  


CMS takes Blue Button 2.0 API offline due to coding error

A bug in the Blue Button 2.0 API codebase has potentially exposed the protected health information of 10,000 beneficiaries and caused the Centers for Medicare & Medicaid Services to pull the service offline.

Blue Button 2.0 is a standards-based API that gives Medicare beneficiaries the ability to connect their claims data to apps and services they trust.

In a blog post, CMS said a third-party application partner reported a data anomaly with the Blue Button 2.0 API on Dec. 4. CMS verified the anomaly and immediately suspended API access. The bug could cause beneficiary PHI to be shared with another beneficiary, or the wrong Blue Button 2.0 application, according to the post.

CMS said access to the API will remain closed while the agency conducts a full review, and restoration of the service is pending. The agency has not detected intrusion by unauthorized users or an outside source.

The incident is playing out against a backdrop of federal regulators like CMS pushing for healthcare organizations to use APIs that would give patients greater access to their health data. Yet a concern among healthcare CIOs is that the drive toward interoperability is ahead of app developers’ technical ability to safely facilitate that sharing of health data, said Clyde Hewitt, executive advisor for healthcare cybersecurity firm CynergisTek Inc., in Austin, Texas.


“There is a massive push for data interoperability, and organizations that spend a lot of time looking at the security and privacy issues around this realize that the need to share data is probably outrunning the technical savvy of the developers to get solid interface specification,” Hewitt said.

The issue

Medicare beneficiaries authorize third-party apps to use their Medicare claims data through Blue Button 2.0, and the Blue Button 2.0 system verifies users through a CMS identity management system. The identity management system uses a code to provide randomly generated, unique user IDs, which Blue Button 2.0 uses to identify each beneficiary.

The coding error was “truncating” user IDs from 128 bits to 96 bits, which was too short to be sufficiently random to “uniquely identify a single user,” according to the blog post. As a result, Blue Button 2.0 began assigning the same user IDs to different beneficiaries.

The root cause of the problem is unclear. CMS said the code causing the bug was implemented Jan. 11, 2018, and that a comprehensive review of the code, which might have identified the coding error, was not completed at the time.

CMS also said the identity management system code was not tested, stating that “assumptions were made” by the Blue Button 2.0 team that the identity management system code worked, but those assumptions were not validated.

The coding error should be a warning to healthcare organizations as they march toward interoperability and the use of APIs, according to Hewitt. They should, for example, put greater emphasis on regression testing, which is used to make sure a recent code change hasn’t negatively impacted existing software. CMS failed to do just that.

“You can’t make changes to your system without looking at how it’s going to impact other systems,” Hewitt said. “As this spider web continues to grow, doing an end-to-end test becomes more and more complicated.”
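The failure mode described above lends itself to a small regression check, shown here as an added example (not CMS or Blue Button 2.0 code). It audits whether a storage path returns each issued ID unchanged and whether any stored ID ends up bound to more than one beneficiary. The function names, beneficiary labels and ID values are constructed for illustration; only the 128-bit and 96-bit widths come from the article.

```python
"""Regression check for identifier truncation between an identity
system and the store an API keys its records on."""
from collections import defaultdict

FULL_ID_BITS = 128    # width issued by the identity system (per the article)
STORED_ID_BITS = 96   # width the defective path kept (per the article)


def store_truncating(user_id: str) -> str:
    """Stand-in for the defective path: keeps only the first 96 bits.

    IDs are hex strings, so 96 bits is 24 hex characters.
    """
    return user_id[: STORED_ID_BITS // 4]


def store_full(user_id: str) -> str:
    """Stand-in for the corrected path: stores the ID unchanged."""
    return user_id


def audit_id_mapping(issued: dict, store) -> dict:
    """Run every issued ID through `store` and report two conditions.

    truncated   - beneficiaries whose stored ID differs from the issued ID
    shared_keys - stored IDs that now map to more than one beneficiary
    """
    truncated = []
    owners = defaultdict(list)
    for beneficiary, user_id in issued.items():
        assert len(user_id) * 4 == FULL_ID_BITS, "issued ID has wrong width"
        key = store(user_id)
        if key != user_id:
            truncated.append(beneficiary)
        owners[key].append(beneficiary)
    shared = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    return {"truncated": sorted(truncated), "shared_keys": shared}


# Constructed sample data. bene-A and bene-B differ only in the last
# 32 bits, the part the defective path drops, so the collision is
# deterministic here. The article does not say how the real IDs were
# distributed; this only illustrates the class of bug.
PREFIX = "0f" * 12
SAMPLE_ISSUED = {
    "bene-A": PREFIX + "00000001",
    "bene-B": PREFIX + "00000002",
    "bene-C": "a1" * 16,
}

if __name__ == "__main__":
    for name, store in (("truncating", store_truncating), ("full", store_full)):
        print(name, audit_id_mapping(SAMPLE_ISSUED, store))
```

The round-trip comparison flags bene-C even though its stored ID collides with nothing, so the defect is caught by the width check alone rather than only after two users share a key.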

What CMS is doing now

The Blue Button 2.0 team has implemented a new review and validation process to make sure coding errors are caught before being implemented within Blue Button 2.0 or other CMS APIs, according to the blog post.

The team is also adding additional monitoring and alerting for Blue Button 2.0, and CMS is updating Blue Button 2.0 code to store full user IDs instead of shortened versions, meaning all users will be asked to re-authenticate with Blue Button 2.0 so the system can generate new user IDs.

Fewer than 10,000 beneficiaries and 30 apps were affected by the issue, CMS said, and it was contained to Blue Button 2.0 users and developers. The issue didn’t affect Medicare beneficiaries who do not use the API.

Before bringing the API back online, CMS said the Blue Button 2.0 team will add auditing layers at the API database level, as well as the API level, to give more detail on user activity and provide greater traceability of the actions the API takes. Monitoring and alerting capabilities are also being enhanced to notify CMS of unexpected changes in data.


David Chou, vice president and principal analyst at Constellation Research in Cupertino, Calif., said while the PHI exposure from this incident may not be as damaging as in other incidents, if CMS discovers more security issues after it conducts its review, it will cause alarm in the industry.

“This is a learning experience and I am optimistic that CMS will get past this with a new and improved Blue Button,” he said.

Yet Chou believes the Blue Button 2.0 initiative has been a good thing overall, and said CMS should be recognized for its effort to improve interoperability in healthcare.


For Sale – Mid-2011 iMac 21″, i5, 8Gb RAM, 500Gb HDD

Hi all, I’m selling my mid-2011 iMac which runs with 8Gb of RAM and a 500Gb hard drive (health check approved). It’s the 21″ screen version.

The device is in great condition aside from a scratch on the front of the bottom bezel (down in photo).

It’s currently running Mac OS X High Sierra.

The official wireless keyboard and mouse are included in the sale.

Feel free to ask any questions, collection preferred due to the size (TS18 – Stockton)

Many thanks


Google-Ascension deal reveals murky side of sharing health data

One of the largest nonprofit health systems in the U.S. created headlines when it was revealed that it was sharing patient data with Google — under codename Project Nightingale.

Ascension, a Catholic health system based in St. Louis, partnered with Google to transition the health system’s infrastructure to the Google Cloud Platform, to use the Google G Suite productivity and collaboration tools, and to explore the tech giant’s artificial intelligence and machine learning applications. By doing so, it is giving Google access to patient data, which the search giant can use to inform its own products.

The partnership appears to be technically and legally sound, according to experts. After news broke, Ascension released a statement saying the partnership is HIPAA-compliant and a business associate agreement, a contract required by the federal government that spells out each party’s responsibility for protected health information, is in place. Yet reports from The Wall Street Journal and The Guardian about the possible improper transfer of 50 million patients’ data have resulted in an Office for Civil Rights inquiry into the Google-Ascension partnership.

Legality aside, the resounding reaction to the partnership speaks to a lack of transparency in healthcare. Organizations should see the response as both an example of what not to do, as well as a call to make patients more aware of how they’re using health data, especially as consumer companies known for collecting and using data for profit become their partners.

Partnership breeds legal, ethical concerns

Forrester Research senior analyst Jeff Becker said Google entered into a similar strategic partnership with Mayo Clinic in September, and the coverage was largely positive.


According to a Mayo Clinic news release, the nonprofit academic medical center based in Rochester, Minn., selected Google Cloud to be “the cornerstone of its digital transformation,” and the clinic would use “advanced cloud computing, data analytics, machine learning and artificial intelligence” to improve healthcare delivery.

But Ascension wasn’t as forthcoming with its Google partnership. It was Google that announced its work with Ascension during a quarterly earnings call in July, and Ascension didn’t issue a news release about the partnership until after the news broke.

“There should have been a public-facing announcement of the partnership,” Becker said. “This was a PR failure. Secrecy creates distrust.”

Matthew Fisher, partner at Mirick O’Connell Attorneys at Law and chairman of its health law group, said the outcry over the Google-Ascension partnership was surprising. For years, tech companies have been trying to get access to patient data to help healthcare organizations and, at the same time, develop or refine their existing products, he said.

“I get the sense that just because it was Google that was announced to have been a partner, that’s what drove a lot of the attention,” he said. “Everyone knows Google mostly for purposes outside of healthcare, which leads to the concern of does Google understand the regulatory obligations and restrictions that come to bear by entering the healthcare space?”

Ascension’s statement in response to the situation said the partnership with Google is covered by a business associate agreement — a distinction Fisher said is “absolutely required” before any protected health information can be shared with Google. Parties in a business associate agreement are obligated by federal regulation to comply with the applicable portions of HIPAA, such as its security and privacy rules.

A business associate relationship allows identifiable patient information to be shared and used by Google only under specified circumstances. It is the legal basis for keeping patient data segregated and restricting Google from freely using that data. According to Ascension, the health system’s clinical data is housed within an Ascension-owned virtual private space in Google Cloud, and Google isn’t allowed to use the data for marketing or research.

“Our data will always be separate from Google’s consumer data, and it will never be used by Google for purposes such as targeting consumers for advertising,” the statement said.


But health IT and information security expert Kate Borten believes business associate agreements and the HIPAA privacy rule they adhere to don’t go far enough to ensure patient privacy rights, especially when companies like Google get involved. The HIPAA privacy rule doesn’t require healthcare organizations to disclose to patients who they’re sharing patient data with.

“The privacy rule says as long as you have this business associate contract — and business associates are defined by HIPAA very broadly — then the healthcare provider organization or insurer doesn’t have to tell the plan members or the patients about all these business associates who now have access to your data,” she said.

Chilmark Research senior analyst Jody Ranck said much of the alarm over the Google-Ascension partnership may be misplaced, but it speaks to a growing concern about companies like Google entering healthcare.

Since the Office for Civil Rights is looking into the partnership, Ranck said there is still a question of whether the partnership fully complies with the law. But the bigger question has to do with privacy and security concerns around collecting and using patient data, as well as companies like Google using patient data to train AI algorithms and the potential biases it could create.


Ranck believes consumer trust in tech companies is declining, especially as data privacy concerns get more play.

“Now that they know everything you purchase and they can listen in to that Alexa sitting beside your bed at night, and now they’re going to get access to health data … what’s a consumer to do? Where’s their power to control their destiny when algorithms are being used to assign you as a high-, medium-, or low-risk individual, as creditworthy?” Ranck said. “All of this starts to feel like a bit of an algorithmic iron cage.”

A call for more transparency

Partnerships between healthcare organizations and big tech companies such as Google, Amazon, Apple and Microsoft are growing. Like other industries, healthcare organizations are looking to modernize their infrastructure and take advantage of state-of-the-art storage, security, data analytics tools and emerging tech like artificial intelligence.

But for healthcare organizations, partnerships like these have an added complexity — truly sensitive data. Forrester’s Becker said the mistake in the Google-Ascension partnership was the lack of transparency. There was no press release early on announcing the partnership, laying out what information is being shared, how the information will be used, and what outcome improvements the healthcare organization hopes to achieve.

“There should also be assurance that the partnership falls within HIPAA and that data will not be used for advertising or other commercial activities unrelated to the healthcare ambitions stated,” he said.

Fisher believes the Google-Ascension partnership raises questions about what the legal, moral and ethical aspects of these relationships are. While Ascension and Google may have been legally in the right, Fisher believes it’s important to recognize that privacy expectations are shifting, which calls for better consumer education, as well as more transparency around where and how data is being used.

Although he believes it would be “unduly burdensome” to require a healthcare organization to name every organization it shares data with, Fisher said better education on how HIPAA operates and what it allows when it comes to data sharing, as well as explaining how patient data will be protected when shared with a company like Google, could go a long way in helping patients understand what’s happening with their data.

“If you’re going to be contracting with one of these big-name companies that everyone has generalized concerns about with how they utilize data, you need to be ahead of the game,” Fisher said. “Even if you’re doing everything right from a legal standpoint, there’s still going to be a PR side to it. That’s really the practical reality of doing business. You want to be taking as many measures as you can to avoid the public backlash and having to be on the defensive by having the relationship found out and reported upon or discussed without trying to drive that discussion.”


Forus Health uses AI to help eradicate preventable blindness – AI for Business

Big problems, shared solutions

Tackling global challenges has been the focus of many health data consortiums that Microsoft is enabling. The Microsoft Intelligent Network for Eyecare (MINE) – the initiative that Chandrasekhar read about – is now part of the Microsoft AI Network for Healthcare, which also includes consortiums focused on cardiology and pathology.

For all three, Microsoft’s aim is to play a supporting role to help doctors and researchers find ways to improve health care using AI and machine learning.

“The health care providers are the experts,” said Prashant Gupta, Program Director in Azure Global Engineering. “We are the enabler. We are empowering these health care consortiums to build new things that will help with the last mile.”

In the Forus Health project, that “last mile” started by ensuring image quality. When members of the consortium began doing research on what was needed in the eyecare space, Forus Health was already taking the 3nethra classic to villages to scan hundreds of villagers in a day. But because the images were being captured by minimally trained technicians in areas open to sunlight, close to 20% of the images were not high quality enough to be used for diagnostic purposes.

“If you have bad images, the whole process is crude and wasteful,” Gupta said. “So we realized that before we start to understand disease markers, we have to solve the image quality problem.”

Now, an image quality algorithm immediately alerts the technician when an image needs to be retaken.

The same thought process applies to the cardiology and pathology consortiums. The goal is to see what problems exist, then find ways to use technology to help solve them.

“Once you have that larger shared goal, when you have partners coming together, it’s not just about your own efficiency and goals; it’s more about social impact,” Gupta said.

And the highest level of social impact comes through collaboration, both within the consortiums themselves and when working with organizations such as Forus Health who take that technology out into the world.

Chandrasekhar said he is eager to see what comes next.

“Even though it’s early, the impact in the next five to 10 years can be phenomenal,” he said. “I appreciated that we were seen as an equal partner by Microsoft, not just a small company. It gave us a lot of satisfaction that we are respected for what we are doing.”

Top image: Forus Health’s 3nethra classic is an eye-scanning device that can be attached to the back of a moped and transported to remote locations. Photo by Microsoft. 

Leah Culler edits Microsoft’s AI for Business and Technology blog.

Author: Microsoft News Center