Are Patient Records Really Private? An Interview with Stephanie Crabb, Founder of Immersive
Interview with First Last, Position of Association:
Cyber Security Dispatch: Season 2, Episode 12
Welcome back to the Cyber Security Dispatch, in this episode we welcome Stephanie Crabb, the founder of Immersive. Stephanie is here discuss the role of her company in cyber security and data protection in the healthcare sector. Healthcare provides an unique and striking example of the cyber security concerns of the contemporary world with the intersection of the government, business interests and individual rights creating a very particular dynamic. We chat about Stephanie’s career arc up until now and then move on to situating the cyber security debate within the medical profession. We also discuss GDPR and HIPAA as well as the NIST Cybersecurity Framework. Stephanie’s knowledge and expertise in these areas is extensive and she generously shares much of her wisdom and perspective on these pertinent issues. For all this and much more be sure to tune in!
Key Points From This Episode:
How Stephanie ended up in the cyber security profession.
An introduction to the challenges that face cyber security in the healthcare sector.
The intersection of the individual, the governmental and the business sectors.
Major differences between GDPR and HIPAA.
The competitive element to the monetization of data across industries.
Interstate influence with regards to healthcare regulation.
Building uniform national and international standards for healthcare data.
Implementation of the NIST Cybersecurity Framework.
And much more!
Links Mentioned in Today’s Episode:
Stephanie Crabb — https://www.linkedin.com/in/stephaniecrabb
Immersive — https://immersive.healthcare/
Web MD — https://www.webmd.com/
HIPAA — https://www.hhs.gov/hipaa/index.html
GDPR — https://www.eugdpr.org/
FDA — https://www.fda.gov/
Seema Verma — https://www.politico.com/interactives/2017/politico50/seema-verma/
CMS — https://www.cms.gov/
EHR — https://www.himss.org/library/ehr
NIST — https://www.nist.gov/
Welcome to another edition of Cyber Security Dispatch, this is your host Andy Anderson. In this episode, ‘Are Patient Records Really Private?’ We talk with Stephanie Crabb, cofounder at Immersive. Stephanie has spent a career in the healthcare, data and security space and shares her perspective on the current state of healthcare data and security.
Healthcare is a micro chasm of the intersection of government, business and individuals that you see in the cyber security world. How these three play together is a challenge and in the healthcare space, the stakes are literally life and death.
[0:00:44.7] SC: My name is Stephanie Crabb, I’m the cofounder and Principal of Immersive. We are a healthcare and data life cycle management company with four practices in data governance, data management, data analytics and of course, what we’re here to talk about today, data protection.
[0:01:00.7] AA: Awesome. Walk me through a little bit of kind of how you got into this business. , cyber security is not like something that’s on anybody’s “when I grow up list”.
[0:01:11.1] SC: Well, I sure hope it is now, it’s certainly wasn’t back in the day when I was in college, that’s for sure. My healthcare career started really more in the educational services and consulting space in terms of general healthcare consulting and in the late 90s, I had a bit of an epiphany, I was working for the advisory board at the time and the advisory board was really tracking the early advent of the electronic health record in the beginning of digitization in healthcare.
That’s when my ears pricked up to say I better be a bit more mindful of IT. From there, I actually went to work for Web MD and that was my first entrée really into healthcare IT space and I just, sort of continued to grow my career in the IT sector. And have spent about the last 15 years working with companies and for companies that have had a strong data protection footprint.
[0:02:08.4] AA: Yeah, , you’ve hit all the big – a bunch of the big names in that space and I’m sure seeing a lot. I think through those people who haven’t spent their life working in healthcare, I think as we think about it is one of the areas that’s most concerning from a cyber security perspective just because the ability for something going wrong there to affect sort of literally the lives and health of individuals.
Walk us through kind of how the world has changed in terms of understanding the potential threats in the medical space. Even over the last couple of years and months.
[0:02:45.3] SC: Well, Jiminy Christmas, that’s a –
[0:02:46.7] AA: It’s an easy question, right?
[0:02:48.5] SC: Again, I sort of always start with my mantra which is follow the data and so, let’s start there. When healthcare began to adopt electronic health record, that was really our first movement right into our digital footprint. Think about what that paper chart was like before? It was literally a binder.
On a Lazy Susan, in a hospital unit or in a folder, in a humongous file system in a doctor’s office and the only data we had about a patient was in those paper files. Really, all you had to worry about at that point was physical security, right? Locked cabinets, locked doors, , supervision of that Lazy Susan.
Fast forward 20 years to today and not only have we blown that electronic health record, that paper chart up to include so much more data element - so many more data elements than we ever had? Discernible in the paper chart, now we have Mobile Health, Tele Health, IOT and a digital transformation, all of these things, that are creating a digital footprint unlike anything that – anybody could have anticipated 20 years ago.
That data footprint, all of those different sources of truth, whether that’s a device, a system, an application, database, all of those sources of truth in and of themselves introduce new risk. Then, when you start to think about the interconnectivity, the inter-operability challenge that we have in the opportunity we have around inter-operability and every place that data is going in order to try to move the needle on healthcare quality, cost, patient experience, provider experience, that introduces a whole other layer of risk.
We have the data itself, we have what we’re doing with the data, the movement of that data and in those challenges are humongous in and of themselves, but with the way that the government is pushing patient’s rights, inter-operability and those things, we’re coming into a new pressure point with healthcare data, where our security controls, our risk management processes are going to be even more challenge still as that push for transparency and information sharing is those pressures even more significant.
That’s a little bit for my mind sort of what’s important in this healthcare data journey specifically and when you really think about it, there’s no other record for a person that is more robust than the healthcare record.
The healthcare record has information about not only your personally identifiable information. It contains information about your finances, oftentimes, if your bank accounts, your credit cards, those kinds of things. So many things that are already in the financial services data footprint, many of these elements, we drew a Venn diagram are also in the health record. To include then all of your other patient data too. It is a unique challenge for us in healthcare to protect that data set.
[0:06:13.2] AA: , I think that’s one of the other sort of facets - reasons that I’ve been so interested in this space is it’s this microcosm of all of the sort of challenges that are happening in other parts of the sort of information and sort of privacy and security world as well. , you’ve got those – it’s so understandable why your health records would be so private to an individual, right?
It’s just, whether that’s around, almost doesn’t, the explanation that we don’t necessarily want to have those things in a public, sort of, place but you do have that incredible intersection of the individual, sort of private, businesses as well as the government involved, right? Because so much of the payments, as well as sort of the regulation around healthcare is, sort of, arbitrated by sort of government regulation.
Walk us through, from your experience, sort of, how those three are playing, particularly around records, around data. Because I think I’d be interested to sort of see what that playing field looks like in terms of how people are, how data is controlled, who owns it, kind of who can share it, all the sorts of things.
[0:07:28.8] SC: Sure, well, it’s a great topic of conversation. As healthcare privacy and security for the last 15 years or so has largely been driven by the HIPAA and high tech regulation. There’s current chatter as you and your listeners have probably been tracking, there may be some forthcoming changes to the HIPAA privacy rule.
What’s happened with GDPR, the global data protection regulation from the EU has inspired some discussion here or amplified discussion that’s been going on in the healthcare space for a long time. That HIPAA is a dated regulation and needs to be updated and refreshed for our current circumstances.
There’s certainly activity in the federal regulatory space around healthcare data protection and I think we might actually see some movement from federal legislation going forward if federal regulators have their way. What we have seen though is a huge uptick in state consumer privacy regulation. The dates have actually picked up the slack of what sort of been the slow process of the federal level and now we’re seeing some much more aggressive consumer privacy laws and acted at the state level.
California, Colorado, most recently have introduced very much GDPR like, types of state consumer privacy regulation. Where HIPAA has sort of fallen off a bit, the states have sort of picked up and that presents a unique challenge for healthcare provider organizations because now they’ve always had to pay attention to state regulation but now we’re really seeing state regulation leapfrog over and demand higher performance from organizations than HIPAA ever has.
We’re seeing movement in that space as well, then we have the participating entities themselves. Providers, payers, service providers, the ecosystem of service companies and software companies that serve the healthcare industry and all of those entities have also really stepped up their game. When you see a lot more of a kind of a common under-thinning of what is this duty of care that we have at the front line, , at the very front starting line of healthcare and if a patient experience, what is that duty of care that we have and how can we coalesce around a common sense of what that duty of care is.
I think we’re seeing good movement on many levels both sense of duty of care and personal responsibility for entities that create, share, transmit, retain and maintain healthcare data, we see the states doing their part and we’re seeing, , activity now at the federal level both from HIPAA regulation but in the medical device space, what we’ve seen from the FDA, what we’ve seen from NIST and in the introduction of the Cybersecurity Framework. and continuing to provide guidance tools and resources to the industry to elevate practice.
[0:10:45.8] AA: Let’s just take one step back in terms of like comparing – , we’ve had lots of conversations on this podcast, if people have been listening about GDPR and things that are happening. , the impact there and some of our predictions were that essentially GDPR would almost become like a global standard because it’s very difficult for a company to essentially comply with a regulation.
Borders are much less, are basically meaningless in the cyber world, so you just don’t know where your customers are from and who you’re interacting with so it’s in some ways easier to comply with like the strictest of regulations.
[0:11:24.2] SC: Absolutely.
[0:11:26.9] AA: HIPAA has been the other sort of like, guiding principle, I think in my conversations that - prior to GDPR, that was sort of the strictest regulation around, , maybe some of the guidelines around credit card data, from at least a technical perspective, sort of the strictest regulations but certainly not the sort of rights of an individual whereas, sort of involved in that regulation. Walk us through sort of the differences with the largest ones between HIPAA and GDPR.
Is that like right to be forgotten and right to portability or are there other ones that you wanted to see.
[0:12:05.4] SC: Sure, when you’ve certainly touched on two of the most significant that we have a very difficult time operationalizing and healthcare today. The right to be forgotten in and of itself presents some very interesting patients, safety challenges, operational challenges for healthcare. In other words, while I think we understand fundamentally, the fact that our processes and our systems should be able to perform to that level, one of the challenges what we have is that we’ve tended to hoard data in healthcare or duplicate data in healthcare over retain patient data and healthcare as a compensatory control for patient safety.
In other words, medication list for example re always a hot button topic and the correct medications list for a patient across that patient’s provider ecosystem is often riddled with errors, there is no single source of truth, there’s no way to sort of operationalize a change in a physician office and have that change then translate it to every other place where that patient has a record.
This idea of , the right to be forgotten, to be deleted if you will, out of a system, sort of rubs against what our philosophies and practices have been to sort of again keep hold off data particularly at the risk of creating some sort of patient safety risk or event. But, that being said, the drivers for the right to be forgotten from the privacy point of view and from privacy advocates point of view, makes a lot of sense and our systems should be able to perform to that.
The portability, again, I think the example that I just gave also expresses and illustrates some of the challenges on the portability side. We should not have the issues and challenges that we do in porting information, form one system to another and , it shouldn’t be a patient’s responsibility solely to make that happen. We need to have electronic systems and interoperability that make it easier for data to flow from one source to another in order to provide the proper care for patients and mindful of patient safety.
I think the biggest thing and one of the more interesting pieces of GDPR really is about this question of data ownership. People will say, right? That patients have always owned their data but , in my experience over the last 15 years, health systems, payers also feel an incredible sense of right and ownership over patient data and the data that’s in their possession and under their stewardship. This is something that Seema Verma, the CMS administrator has spoken extensively about, since she has assumed her ten year and has been increasingly vocal about this topic of patient’s rights to their data and transparency of all data, healthcare data to patients.
I think that’s another movement that we’re seeing that is inspired in some respects with GDPR as well. Those three things to me are the top of the heap of where GDPR has set a new bar for us in the states as it relates to data generally and with respect to healthcare data each one of those drivers is not something that we are built for, that our systems are necessarily engineered for and are easy to achieve in the way that healthcare – the healthcare data ecosystem has come about.
[0:16:01.5] AA: Yeah, , I think the idea of where the data, who owns it and how movable it is, I think cuts right to sort of heart of different motivations of the various parties who are involved in the healthcare space. , because while the companies would love to say that their first priority is patience, sort of wellbeing and safety. I think often, it’s at least equally aligned with the profit motive, right?
The value of data, , that really is the most valuable things that we’re creating in our economy these days, right? The largest companies are all, , it’s not stuff that they’re building, it’s piles of data that they’re building. I think you can see – , having talked with lots of healthcare providers and having switched coast and what not, you see it, , literally it’s still like, yeah, just have them fax your records across the country. I’m like, what is this? Like 1990? Who uses faxes anymore.
As I understand it, like the different healthcare systems are sort of walled gardens based on whatever sort of provider they chose somewhere in their history and the providers have a very strong financial interest to prevent them from being interoperable with different systems, is that correct or am I as a lay person who I’m confusing things?
[0:17:32.8] SC: No, you’re spot on, the initial healthcare digital economy has absolutely been built on and around proprietary systems. And it’s a bit in the way that vendors, not only the EHR vendors but any vendor that has a tool or technology in this space, their economics have been absolutely built around the proprietary nature of those systems, even though we’ve always had an awareness of, and a cognizance to interoperability, nobody was really held to the sort of the higher standard or the higher purpose of engineering interoperability. Into let’s call them, the first generation of any of these systems or applications.
There were very purposeful economics around that I’m sure. It’s interesting now though, in just , two decades, that economic model is changing completely and it’s no longer sort of this proprietary system economy, , it’s very new data economy.
, monetization of data, whether that’s internal or external is the competitive advantage, pretty much in every industry today and healthcare is only beginning. , to appreciate what that means and so just this week we saw the announcement from Amazon, Microsoft and others that their commitments to interoperability, what that means for those players, those folks that have so much of our data in the cloud and where we have so readily, sort of signed our rights away to data in the cloud. What kind of impact is that going to have? I am not sure we can even begin to understand or appreciate what that means.
But they will disrupt what has long been sort of the proprietary economic model around healthcare data simply because now they have not only an economic driver to do so but they’ve have a strategic and political motivation to do so as well. Those transformations, those disruptions I would argue are probably a really good thing for our industry and there us a tremendous social responsibility in going back to that duty of care again in the way that they participate.
In the way that they motivate change and maybe we will see those traditional players take notice of this activity and it will accelerate the work that organizations like common wealth that have brought a lot of the key EHR vendors together to achieve greater inter-operability and transparency. Maybe we’ll see the progress accelerated even more because of the entrance of this new disruptors into our space but the idea too is that consumers have to continue to push for that as well.
And the consumer voice is one that has been largely silent, we’re largely very trusting of our healthcare providers. Most patients think that when I see a provider anywhere whether that is in an emergency room or in my physician’s office that all of that information sharing is happening already and that just doesn’t happen like that and so increasing consumer awareness as well is going to – it also is going to make a difference. It is a bit of a squeeze play, right?
We need things to happen from the consumer grassroots level and we need those things happening at the top of the industry by our largest most influential players as well and to the point of faxing, I know again you probably saw Seema Verma from CMS talk very, very forcefully about this. she has introduced this campaign of no faxing by 2020 and so there’s that movement again to take out sort of this inefficiency and with that a bit of patient privacy risk out of the equation by eliminating the faxing process all together.
[0:22:03.0] AA: Yeah, I think it is interesting particularly in that healthcare space is so politicized but would you actually see regulation that reduces the cost of patient care, right? Like so often I think the healthcare industry stands up and says, “Oh more regulation is just going to increase the cost of patient care,” but in fact is there a potential for regulation to really reduce it in the sort of inherent fee stones that have been built by different providers to prevent, really to prevent competition.
And also transparency, I think I have an MBA, numbers aren’t the scariest thing for me but every time I get a healthcare bill I’m like, “I don’t understand this,” it’s incredible kind of the obscurity and lack of clarity of what’s getting charged and who is paying and what is a fair price and I am sure that is just on the financial side like the whole rest of where things are. It’s stunning.
Just specifically to point to the Colorado or the California law, are those having a big impact on how healthcare systems and vendors are operating already or where the healthcare space carved out of those regulations?
[0:23:19.5] SC: Yeah, I think really the state law in my experience over the last decade or so really evolved from breached activity across industries that was happening and is within that state and the way that legislators in those states, activist legislators and the way that the privacy movement was worked in those states was compelling action and I think that has been a really, really good thing. Again for me HIPAA has been a very low floor. Let us call it the sub-basement of privacy and security protection, regulation for far too long. And states sort of recognizing not just healthcare data but recognizing generally that they had a roll in consumer privacy protection. It was the first wave or first generation of that legislation in states like New York and California, we’ve seen regs on top of regs getting more specific, with higher expectations of performance.
That of course was driven by the breach activity and the rise of cyber. again, in the late 1990s and the early 2000s, we were just really talking about information security risks. Risks that was largely - risk that was introduced from within our own friendly confines, in our own environments and to a very, very small extent some of our key information sharing partners. Cyber and healthcare really wasn’t even that much of a reality in the early 2000s.
With the rise of cyber then also motivated that next generation of legislation at the state level. It was what initiates, it’s what compelled the work at NIST on the Cybersecurity Framework but the feds have been a little slower to take action and respond and states have worked a little bit more quickly. So I think that the states keep eyes on each other and as one moves the pieces on the chess board a little bit more aggressively, others follow.
And that is I think what we are seeing in this most recent wave of new legislation from states like New York, California and Colorado.
[0:25:43.4] AA: Yeah, I think we all can appreciate sort of the federal, that congress is pretty deadlocked a lot of issues and healthcare has been a weapon of that that each side has swung at each other in that debate and so the ability to really move things forward meaningfully is challenging and you see some of these leading places. California in particular is an economy that is so large that almost no healthcare provider can avoid it.
We certainly on the device side and probably on the system side, obviously like insurance those are more like local markets and so maybe you have different providers leaving because of it. What is your sense of creating sort of legislation that doesn’t necessarily play well with each other? , I think if California does something and Washington does another and Oregon does a third, right? You start to have this huge regulatory compliance cost, inherent in providing care. What is your sense in the regulation that is being written now on that?
[0:26:53.0] SC: Sure, well I think everyone would agree across the entire healthcare spectrum that healthcare desperately needs standards. In the same way that there are standards of care for clinical conditions, we need standards of care around data, data handling, privacy and security in healthcare. The healthcare cyber security task force went to great pains to speak to this and their report I think we’ve seen some of that taken up in the conversations around the NIST Cybersecurity Framework.
And some of the industry specific tool kits that are being created around the NIST Cybersecurity Framework., sort of that elusive, it has been an elusive chase toward those standards and nobody wants to be told the how they have to do it and we don’t want to take away the latitude for organizations to creatively getting a financially appropriate manner introduce and maintain the controls environment that is risk appropriate to them.
But similar to your comment about GDPR, Andy, and sort of how it has set the bar in a place where organizations now have to perform to the highest public standard not the lowest public reg or framework or standard. I think that we are seeing that introduced in state laws as well. So your example of California and Washington where you have health systems and providers that overlap as healthcare becomes more regionalized in many ways.
We want to maintain locality but at the same time competition, consolidation, all of those things are what we’re creating networks of networks that absolutely cross state boundaries. What we see and certainly what we do with the organizations that we work with is we look toward what the highest requirements are and we then help them move the needle toward program structure, control structure and risk management to whatever that highest standard is.
And I think that is the only logical as well as responsible thing to do as we work with – as any of the work gets done across healthcare is resetting that performance target and looking at what’s happening in different parts of the country and also reading the tea leaves is what is happening with federal legislation and trying to anticipate where it’s going to go so that people are building toward that incrementally and don’t have the expense and operational burden.
Of having to flip a huge switch in an unrealistic period of time. Our resources are far too constrained in healthcare to accomplish that in any meaningful way. So anticipating where regulation is going, more importantly where practice demands are and note that really comes from within. We again take a data centric view, what are organizations trying to do with their own data and within rich data sources if you just start there and you really stay true to that data centric approach.
Again, you almost satisfy what is required in regulation and in a compliance posture if you hand all of that data that you care about with the care and attention it deserves because it is your competitive advantage at the end of the day.
[0:30:32.7] AA: my hope is that healthcare becomes an example for how we can do it well, right? That because it’s got all of those sort of complexity that perhaps even more complexity than other parts of the economy that if we, people like yourself, people at the federal level, regulators and other industry folks sort of do think long and hard and have the debates about how do we do this in a way that’s both practical as well as thoughtful about all of the different overlapping interests.
From individuals from business and I am not a socialist, I am not a communist, I very much believe in the profit motive. But doing it in a way that is thoughtful and respectful and equally places patient safety and rights on par at least with the rights of the companies that are operating there.
One thing, , I was reading through the framework and I think this may unfortunately have to be our last question, the framework is terrific but it is very theoretical and it leaves a lot of leeway for self-monitoring, for self-grading, for self-assessment.
Particularly in the healthcare space, how are people making this walk from the framework to something that is much more tangible and can point to a specific controls and specific actions to that they are both monitoring against as well as trying to comply with?
Because in reading it you literary can’t comply with the framework, right? It’s not a standard that you can do that. So walk me through how people make that walk to really practical operationalized security postures.
[0:32:24.8] SC: Sure, I want to start by saying sort of reacting to one thing that you said in your comment and that is every industry would like to think that it is different and unique, right? What I will say though about healthcare, when you break it down and you look at the medical record, I would challenge any industry you knew that would say that their individual “consumer record” or data footprints is as significant as that we maintain in healthcare.
This proves itself out in the way that the black market rewards folks financially that have medical records to sell, right? It is exponentially the healthcare, right?
[0:33:11.6] AA: Yeah, 200 bucks for 10 I think is what I saw.
[0:33:14.1] SC: Exactly, so therein lies part of the economic justification for what we are doing. To your point on NIST Cybersecurity Framework, what the NIST Cybersecurity Framework has done for healthcare is give a further packaging or a better packaging if you will of not only critical domains and categories of performance but really went to great pains in its information references section to more explicitly enumerate for controls from different standards and frameworks like ISO, like HIPAA et cetera.
To hone in for any organization across any industry, where the context for that performance for that control could be derived and I think that was an important piece. What that means is that all of the practitioners have to be expert in all of those things unless you are working with another company that provides you with that expertise and that interpretation. I think that has been a very valuable contribution from the framework.
Essentially establishing these categories in a more conversational way to be perfectly honest. If you read it, it is very conversational.
[0:34:37.4] AA: Yeah, you don’t have to be an expert to read it, it’s great.
[0:34:39.5] SC: And that was by design, right? That was by design to link the technical practitioners or security to the strategic overseers for cyber security. What has happened thankfully and there is lots of organizations that have been working to translate the NIST Cybersecurity Framework into something tangible for healthcare organizations to use. So there is a whole host of governance risk and compliance software, platform, providers, consultants that have done a lot of work to bring some practicality and accessibility and interpretation of the NIST Cybersecurity Framework to the industry and I will tell you I don’t meet with an organization now, don’t encounter an organization now that is not NIST Cybersecurity Framework aware in terms of the things that they’re trying to do with their security programs. I think that is really powerful.
I wasn’t sure that we would see such rapid adoption. And I have been pleasantly surprised that we had it and I think it’s because organizations knew that they had run their course with HIPAA even though we have still lots of HIPPA compliance issues out there. They were looking for something new and because we now have a much larger ecosystem with trading partners and third party relationships with folks from so many other industries, then this CSF provides a different kind of playing field for us in terms of collaborating around cyber security performance and risk management.
[0:36:22.4] AA: Yeah, well Stephanie, I hate to do this but unfortunately I’ve got to run and so this has been great. I feel like we could do this - run this again and talk for another 40 minutes and learn so much more and maybe we’ll set that up for a couple of months from now.
Thank you so much for coming on. I think the listeners will enjoy this as much as I did.
[0:36:42.6] SC: It was a pleasure Andy. Thanks so much for inviting me and I would love to chat anytime.