HIPAA Critical: Episode 001 | Google’s Project Nightingale, Cybersecurity Winners & Losers, Heads Up for the Holidays

by Rick Kuwahara CMO of Paubox

In this episode, we get into the controversy from Google’s Project Nightingale, recent HIPAA violations, who’s winner and who is failing this week…along with some highlights and warnings as we head into the holiday season. 

Rather read?

Here’s the full transcript of this episode.


Olena Heu:  Welcome to the HIPAA Critical podcast featuring myself, Olena Heu and founder and CEO of Paubox, Hoala Greevy.

[THEME MUSIC]

Olena: We’ve got a great show for you today. And a lot to talk about, right Hoala?

Hoala: That’s right. There’s always something going on in HIPAA. That’s why it’s called HIPAA Critical.

Olena: That’s correct. So first and foremost, we’re going to talk about what’s coming up or what’s happening currently in the news and a lot of people talking about Google’s project Nightingale. And this is something that’s made news headlines internationally.

Hoala: Yes, that’s right. Earlier this week it was revealed from an exclusive article by the Wall Street Journal that Google has partnered with the nation’s second largest healthcare system Ascension and they’re secretly mining protected health information of millions of Americans across 21 States without their consent or ability to opt out.

It’s a move on Ascension’s part to get their data into Google’s cloud.

And while they’re doing this migration into Google’s cloud, Google is also mining the data. So that at some point they are trying to, at the moment anyway, make it so that you can type your name into a search bar, with a similar look and feel to a Google search bar, and your protected health information would appear on an internal facing portal, I suppose, that Ascension would have.

So, lots of flack coming from that immediately and a federal investigation was announced this same week by the Health and Human services department. And so, you know, they’ll be looking more deeply into that.

Several US senators have announced, you know, alarm about this and it’s basically covering 50 million. It affects 50 million American patients. So that, that’s the big news.

Olena: Yeah. And you know, if the feds are looking into it, then it’s definitely something to be concerned about.

Hoala: Oh, yeah, definitely. Ah, you know, I think in this environment we’ve got Google and Facebook, particularly, people are…have low to zero trust in these American internet brands.

And you know, too, a lot of Americans, there’s just one more piece of news that your privacy is being acquired and sold without your consent or approval. And you know, is it really freemium? When the data is the new gold or oil, like data is more expensive than oil now.

So that freemium argument is, I think, in my opinion, quickly not having much relevance.

Olena: Mmm hmm. And you know, sharing healthcare information versus social security numbers. What do you think is the difference between the two and what would have a greater risk?

Hoala: Well, so what’s interesting about this project, and this is where it dives into some HIPAA stuff…so Google has signed a business associate agreement with Ascension, which is required by law when you’re working with protected health information.

And the general guidance of this is, access to patient protected health information, PHI is permissible, once you have this BAA in place. And then there’s some general guidelines as long as it’s to help the covered entity in this case would be Ascension carry out its healthcare functions.

So the general guidance appears to be from all the data we have today that this is not a HIPAA violation.

However, it’s clearly an ethical lapse for Google, and pretty embarrassing. I mean, you know, these 50 million Americans are getting their data mined without consent or the ability to opt out of this and without their knowledge until you know, this article broke.

So, you know it’s just another example of, especially Facebook and Google, you know, getting caught with their hand in the data cookie jar.

Olena: And, you know, obviously this article from the Wall Street Journal, which kind of broke the news and then prompted the federal inquiry, they reported that at least 150 Google employees had access to patient data.

So obviously that’s a risk that people wouldn’t ever think, you know, there’s close to 200 people that have all this data about you.

What do you think about that? There seems to be some employees that have been unhappy with Google overall in recent weeks as well.

Hoala: Yeah, so that’s another interesting point. Again, if you follow the letter of, of you know, HIPAA and the business associate agreement that is permissible.

However, you know, companies like Google are well known that there’s a, a quiet army of contractors, that are not full time employees and not under benefits or stock options for Google. Okay. And they quietly do, you know, a lot of services, Google has an army of contractors and so we remains to be seen if Google has wrapped in contractors for Project Nightingale and if they have the business associate agreement has a waterfall effect that if, if you’re a Google, in this case you’d be considered a business associate and you have contractors that are not your employees that are accessing the protected health information of your customer.

In this case, Ascension health, the covered entity. Then those contractors need to sign a business associate agreement with Google.

So it’s like a waterfall BAA.

Now, again, we don’t know if any contractors are or were involved in Nightingale. So I think this investigation or this inquiry, over time, it will probably cover that.

So that, that’d be my prediction. That might be a case where there may be a HIPAA violation there, but again, we don’t know anything.

We just know that this is a covert operation from a company with a history of privacy lapses and fines payable both in Europe and the United States. And it’s also a company that employees an army of contractors. So, we’ll see where that goes.

Olena: Do you think that they would make their contractors sign NDAs?

Hoala: Well, a NDA probably would be standard fare, I’d imagine.

But the NDA and the BAA, business associate agreement, um, are two different animals and the BAA is required by law, whereas the NDA is more like a business best practice.

Olena: Mmm, it makes me think of also, you know, federal workers where a lot of them, you know, if they are contractors, they’ll allude to something, but then they’ll say, “Oh, but that’s classified.”

Hoala: Oh yeah, that might be a, you know, Google might play that card as well. We’ll, we’ll see that…I’m uh, I’ll be watching this one. And this will probably take, I don’t know, 8-12 months to, you know, get more information before we’re done with this one.

Olena: Okay. It said that Google paid a record of $170 million in penalty to the FTC to settle accusations that YouTube broke the law when it knowingly tracked and sold ads targeted to children in the past. So do you think that they will easily pay up if they are fined?

Hoala: Well, see, I mean that $170 million fine. I mean, what is that like four minutes of operations? I mean three minutes?

These fines are not keeping up with the size and scale of the businesses that they’re being levied against.

You know, even the $4 or $5 billion fine that Facebook recently got levied with, I mean, what is that? 12 hours of operation? Two weeks?

Olena: It’s like a slap on the wrist.

Hoala: I mean the numbers are huge to the average American, but the size and scope of these internet companies, I mean clearly they are monopolies, who have not been broken up yet.

And that’s another thing to be seen. Which one’s going to be first, right?

Is it going to be Google with Google and YouTube or is it going to be Facebook with Facebook, Instagram, and WhatsApp? Or is it going to be Amazon and Amazon and AWS?

Olena: Well, I feel like what’s WhatsApp, the perception is that it’s secure. So a lot of people try to use that more often if they’re trying to keep their imagery or whatever content secure. That’s the impression I think the laymen thinks.

Hoala: Yeah, sure. I mean definitely on that one.

But as far as monopolies go, you know, are these…are these companies employing methods where they restrict or overly prohibit competition in the market and so that, that would be the argument for their breakup.

But we’ll see if there’s a political will to do that.

Gosh, like there’s never been a company that’s bigger, that has more users than any other country on the planet or any other religion on the planet. Right?

I mean, there’s more people on Facebook than there are Catholics. That’s never happened ever. I mean, just the size and scale of these companies is, you know, American law has not kept up because it’s moving very fast.

Olena: And talking a little bit more about concerns and potential HIPAA violations also in the news, Texas Health and Human Services making headlines.

Hoala: Yeah. Right. These guys got caught with misconfigured…a series of servers that were meant for private use only, you know, requiring a login and they moved it to a system that got index by Google.

So people’s protected health information was publicly available, no login required. And it got index by Google’s crawlers and somebody found out about it and then we had a multiyear investigation and they recently got issued a fine.

Olena: Yeah. It looks as though they were issued a $1.6 million fine for failing to protect the privacy of thousands of people who rely on their state services.

Hoala: Yeah. And just…we’re almost getting numb to these breaches and fines.

Olena: I have a question.

Hoala: Yeah, sure.

Olena: Where does the money go after the fine is issued and paid up?

Hoala: Ah, it’s paid to the Health and Human Services Office of Civil Rights, OCR.

Olena: And then they use it to…ensure that civil rights are protected for the people.

Hoala: Oh, what they do with the money. Gosh, I got, I have no idea.

Olena: That’d be a good topic for the next one.

Hoala:  Yeah, certainly.

Olena: All right. So now it’s time to transition and a focus on our weekly winners and failures segment.

This time let’s focus on Amazon PillPack and their branding overhaul, something fairly recent. Hoala what are your thoughts about this?

Hoala: Yeah, so Amazon bought mail order pharmacy startup pill PillPack in 2018 and for a large company, they’re moving very fast.

They recently rebranded the PillPack, experience and delivery system to PillPack by Amazon pharmacy. So we’re seeing a rapid deployment of Amazon getting into the a mail order pharmacy business.

And PillPack already has licenses in all 50 States and, you know, they fill the prescriptions in presorted packs for necessary pills and delivers it to the home.

So now we’ve got Amazon pharmacy in all 50 States, PillPack by Amazon pharmacy. That was pretty quick execution on Amazon’s part. So I consider that a win. And that was announced this week.

Olena: Some might say that uh, Amazon is taking over [laughing].

Hoala: Oh yeah. I think every startup in Silicon Valley is afraid of being Amazoned. Right?

I mean, that’s a legitimate…you know, the T in the SWOT analysis. Threat. Getting Amazoned and here they are getting into Amazon pharmacy.

Olena: I know that works out really well for people, especially for perhaps, you know, elderly folks that it’s harder for them to get out of the house and go to a pharmacy this way, you know, whatever it is that they need is delivered straight to their door. So, that’s all obviously, a nice option for them to have.

Hoala: Yeah, I think they’re onto something and you know, they paid $753 million for PillPack last year and they’re, they getting the show on the road.

And let’s not forget the joint venture they announced last year as well, called the Haven when Amazon teamed up with Berkshire Hathaway and JP Morgan Chase and, focusing on lowering healthcare and they’re starting with their internal employees first. So we’ll see where that goes as well.

Olena: Cool. Interesting. Alright, another win Northern Arizona University won a $6.3 million grant for its work on cyber engineering and cybersecurity from the Air Force.

Hoala: Yeah. That’s cool. That’s a, that’s a big grant. Good on them. I’ve never been to Northern Arizona University, but they’re doing something right. That’s really cool. Three year grant.

Olena: And how often are you seeing people coming out, you know, straight out of university with cyber experience?

Hoala: Oh man. Gosh, I have no idea. I wish I knew more about that, that sector. I know it’s hot. I know there’s a lot of people offering training on it and I think it’s ah…clearly more employees are needed in that, in that sector.

Olena: Definitely. Definitely. And are you still looking for people in the Utah area perhaps?

Hoala: Oh yeah, that’s right. We just made our second hire for our fledgling Utah office, so we are encouraged on that.

Utah’s got a business friendly environment, a lot of nice folks, and they’re just hungry and ready to get to work. So yeah, maybe somewhere early in 2020 we will be revisiting that one for sure. But for now we’re good.

Olena: Excellent. All right. And so, you know, we talked about people that are winning this week and now we’re going to shoot on over to maybe those that might be failing. Hoala?

Hoala: Yeah, definitely. This is Google. They gotta own this one, right?

I mean, a reporter at the Wall Street Journal broke the news and within an hour they had to, you know, quickly jumped to their defense about the surreptitious data collection and mining of PHI, and by all intents and purposes from what we know now, it does not seem to be a HIPAA violation.

But, hey, you know, three US senators jumped in and announced an investigation the next day, or at the latest, two days after the story broke. And it’s certainly a lapse in ethics, right?

I mean, how can you just have this happen to your data? 50 million Americans with no ability to opt out. I mean, heck, even an email newsletter, I can click opt out and I don’t have to get that junk from some email sender and an innocuous Amazon book they’re trying to sell me or whatever. Right?

This is a protected, I mean, this is like the deepest, darkest, not darkest, but the most delicate information a person can have potentially, right.

And there’s just no ability for them to say, “Hey, I don’t want you indexing and crawling my stuff.” Right? I mean, what a lapse in…another tarnish in trust for, for Google.

You know, their mission is we want to organize the world’s information. Oh, well, you know, like parentheses but we’ll let you opt out too. Right?

And right now they don’t.

I mean, look at Europe. Europe passed regulations a few years ago where if you don’t want to have your name indexed or certain pages affiliated with your name index, you can rightfully tell Google to erase that from your search result history.

Olena: That’s refreshing.

Hoala: Yeah. Well, Europe passed that. Uh, I dunno, three years ago? And look at the, look at 50 million Americans.

They don’t even…they can’t even do that right there. They have no ability to tell Google, “Hey, I don’t want you indexing all this stuff.”

So clearly a “lose” for Google, especially front page Wall Street Journal article. I mean, you know, gold standard of business reporting, right?

Olena: And another failure, what we mentioned earlier in the news, Texas Health and Human Services, obviously with everything that’s happening there are going to be unfortunately more failures than possibly winners on a regular basis. But that’s what Paubox is doing is aiming to prevent that from happening.

Hoala: Yeah. So kind of related a Texas organization here in the, unfortunately in the “losers” section.

So every month we compile a HIPAA Breach Report and we use the data publicly available from the Health and Human Services wall of shame.

If you have a breach of PHI of 500 records or more, you’re required by law to report that within 30 days of you discovering the breach. And this latest month report, Texas Health Resources lead the way unfortunately, with 15 independent HIPAA breaches, due to an error with their billing vendor.

And so people were getting invoices and notices delivered in the mail to their house for things that did not happen to them, but happened to someone else.

Olena: Was this the one where they were getting like the first and last names mixed up.

Hoala: Uh, I’m not quite sure from what I read, if it was that or it was a total mix up. But yeah, we’re talking 82,000 patients, almost all of their centers cause they’ve got multiple centers.

So a fail and you know, that unfortunately is a pretty common even now, um, just simple billing errors leading to HIPAA breaches.

Olena: Yeah. And you guys post the breach report on your website. Is there a certain day that it’s always available when you gather all the content?

Hoala: We try and publish that the second week of each month and we look backwards into the breaches that were reported the month prior. So we try and give it a few weeks to get fully reported and then we, and then we, we run the report.

Olena: Valuable. Very good to know. All right. Well we touched on this a little bit earlier about how Google employees have a lot of contractors and, um, you know, whether or not they had signed BAAs.

But in terms of predictions, where do you see, uh, you know, maybe HR handling Google employees and, and information that they’re seeing moving forward?

Hoala: Ah, yes, the prediction section of HIPAA Critical.

Alright, here’s where you go on the line and see if we get anything accurate looking forward.

So I do believe when this federal inquiry takes place and, and these are slow and often 12 to 24 months, so we’ll see how this one plays out.

But you know if I was involved with this, I’d say “Hey, look, I know you folks have a lot of contractors who are not on Google payroll and did they have access to project Nightingale?” And if they did, um, do they sign business associate agreements with Google or Alphabet?

And if not, well, hey that’s a problem that that’s a certified HIPAA violation, um, that other organizations have have paid for. And that there’s a precedent of HIPAA violation, fines being issued on that.

So we’ll see where that goes. I do think that should be touched on. So that could be a potential area of concern.

And then also, there is an obscure, not really obscure, but there’s a marketing section or piece of HIPAA regulations, of the HIPAA Privacy Act.

And long story short, an organization like Ascension Health, is allowed to market to their customers, patients, but they’re not allowed to sell that information to a third party for marketing purposes. Okay.

Now Google may have covered their tracks well on this cause they did mention that they’re doing this data mining for free. So we’ll see where that one goes out. But I do…

Olena: Thereby not purchasing or selling cause it’s free.

Hoala: Yeah. So we’ll, we’ll see where that plays out. But I’d see out of this Project Nightingale, those 12 months, 18 months from now will be two areas of concern from a HIPAA standpoint and things might get “HIPAA Critical” for Project Nightingale in that regard.

Olena: Definitely. Ah, don’t you think though that they knew the subject matter and the content of the information would be medical, that they would already set something up with the employees and contractors.

Hoala: Unknown…

Olena: Or we’d like to believe that. Right?

Hoala: Yeah. It’s…this is why a lot of companies don’t touch HIPAA.

Because it’s, it’s comp…it’s hard. It’s opaque. It’s expensive. And it has a lot of tentacles, especially when you’re dealing with subcontractors.

So you know, there’s a reason why companies stay away from healthcare. Ah, it’s big money, but it’s also a lot of overhead and a lot of risks for the company that services the organizations.

Olena: Mmm hmm, and a good amount of money in fines if you don’t do it right.

Hoala: Oh, and then, you know, reputational damage and you know, your insurance policies, your cyber liability, your tech E&O, yes. All additional overhead to service this market.

Olena: Well, moving on in our predictions section of our podcast, the holidays are upon us. Yay. It’s my favorite time of year.

And you know, obviously a lot of people are out shopping and making lots of purchases and you know, I recall hearing advisories from police and on the news about when you go shopping, don’t put all the bags in your back seat where it’s visible. You get, you know, broken into.

What kind of precautions would you offer to people online because you know, so many people are doing a lot of their shopping via cyber and on their mobile device. I feel like there’d be some risk as well.

Hoala: Yeah, so great segue there, Olena.

Ah, so I got two predictions here. One, we see it every year at Paubox, we’ve been in the email security space for 20 years and that’s what we bring to the market and the online phishing scams via email and spam all shoot up on the same cadence as holiday shopping.

We’re going to see a spike starting black Friday or maybe even as early as next week as we approach Thanksgiving.

And that’ll go all the way through to Christmas season and then slightly taper off mid to early January.

And then prediction number two, as you alluded to, you’re gonna leave some bags in the car, in the parking lot of a shopping center.

Bam, broken window. Bam, stolen backpack, stolen purse. Bam, laptop, healthcare, unencrypted hard drive, HIPAA violation.

And we’ll see that start to percolate through probably February or March of 2020 HIPAA Breach Report. I expect us to see some uptick in the stolen laptop, HIPAA violation of the HIPAA Breach Report.

So that’s normally a low incident, attack vector. But, you know, there’s unfortunately still a lot of organizations out there in healthcare that don’t take the simple step organization wide, of encrypting the hard drives of any computer that leaves the office.

Heck, there’s even been HIPAA violations when thieves break into an office and they just steal anything in sight that’s not bolted down.

Even the desktop computers in some cases, they had to report that as a HIPAA breach, even though the darn thing was never supposed to leave the office. Well, somebody broke in and just took anything that wasn’t bolted down, which then was not encrypted at rest, which then is, you know, most likely a HIPAA violation.

So I expect to see, ah, an uptake and laptop HIPAA breaches March of next year, 2020 and we’ll be reporting it.

Olena: Yes, we will. Uh, you know, is there a difference between when someone has their laptop stolen compared to an iPad? Have you seen that more information or is it the same information that can be taken?

Hoala: You know, we haven’t seen a lot of cases of iPads being reported as stolen and un-encrypted at rest or even having PHI on them.

We have, however seen a good amount of thumb drives and USB drives, being stolen. Interesting. And those were not encrypted at rest and there have been some pretty big fines in the past about that one. $2 million for one lost USB drive.

So it’s more likely than not a laptop or USB drive, especially during the holiday season when you’re shopping and you know, whatever drug these guys are on, right. They don’t care. Day, night, whatever, bam, broken window, boom, let’s go take anything in sight. It happens over and over again.

Olena: And then as far as your inboxes concerned, what kind of warnings do you have for people that are checking their email and might get phished into making a purchase that they didn’t realize was a scam?

Hoala: Oh yeah, sure. So you know, having multilayer filtering protection for your corporate email system, that’s, that’s basically a must these days.

The incumbent email hosting providers in the cloud, namely G Suite and Office 365 have varying degrees of effectiveness.

I’d say especially with Microsoft’s Office 365 on that particular service, it’s default configuration lets a lot of stuff through, right?

So more than likely it’s a great idea to have an additional layer of filtering sitting in front of your Office 365 install for your corporate system.

And then also it’s great, it’s always a best practice to have two factor authentication enabled by default for all your email accounts, for all your users within your organization.

So that just in case something happens and somebody is trying to access your inbox remotely, uh, you know, they got to get past the two factor which are then support that attack.

So I’d say those are two best practices right there.

Olena: Excellent. And two factor authentication comes in handy with social media as well when someone’s trying to hack into your Instagram or you know, so it’s always good to have that backup.

Hoala: Yeah. Yeah. It’s good. Yeah. The reputational damage and all that carnage they can inflict.

And you know, people are very motivated to do it. I mean, Jack Dorsey’s Twitter got hacked, what a month ago? And he had two factor on, so they even hacked his cell phone just to get past it.

Olena: Alright. Well, for more information you can log on to Paubox.com. That’s P-A-U-B-O-X dot-com.

We’ve got an array of blogs and lots of great content. And of course you know those HIPAA Breach Reports. If you want to take a look at those.

Thank you so much for joining us. We will see you next week.

Hoala: Alright, everyone. Aloha.

Olena: Bye.

[THEME MUSIC]