Hundreds of patient data breaches are left unpunished (bmj.com)
143 points by taubek on May 14, 2022 | 33 comments



> If an organisation is non-compliant with their agreement, we work with them to address any problems and conduct follow up audits to ensure they are fully resolved.

This feels like the right response to me. In most of these cases, we're talking about a data provider with reasonable governance controls in place, who grants access to a requester who says they'll use the data responsibly, then just does not.

If the requester is part of a large research university, it doesn't make sense to say "researchers in Study A violated the data use agreement, therefore hundreds of other researchers in studies B-Z must now erase the data they've already downloaded, and never apply for access to more data from the largest research data provider in the country ever again." Those other studies had nothing to do with the violation, so shouldn't be punished.

The institution should punish the offending individuals, and the data provider should blacklist those individuals, as well as carefully audit both the institution (for its education and oversight of its research teams) and the principal investigators of the offending study for some length of time.


The government has put in all kinds of laws, but really others find ways around. It should be written into law that the spirit is such that if you fuck up, you pay. Orgs need to keep data safe like life or death depended on it. In the end, it does. Data encrypted in flight, at rest, and only kept around as long as needed.


At the same time, I wouldn't want anyone to be able to enforce certain parts of that. For example, to make sure that data was only kept around as long as needed, you'd need to be able to monitor the contents of all the computers that contained that data. This creates problems of its own, much larger than the original one. To a certain extent, we just have to trust researchers with sensitive data, and severely punish gross violations of that trust.

To be honest, I've heard of many more examples of organizations who put too strict of controls on their data. This is due to researchers trying to walk a line between a requirement that they share their data, and their (understandable) desire to keep their work to themselves as long as possible, so other competing researchers can't publish on it first. A bad data governance committee fails much more often in allowing data contributors to be too strict with their data, even though I agree that a data breach is a worse outcome, and avoiding it should be the highest priority.


Shared data between researchers defeats the purpose of replication.

Suppose two people conduct the same experiment on the same medical data using the same code. If the sample was biased then what’s the point?


Reusability of data is an important part of research. It helps collaboration between researchers, and enables secondary research to take place. Using the same data is important for reproducibility in many cases, because the research isn't about creating the dataset, it's about doing analysis on the data. A lot of original research relies on existing datasets.

Having "good" data is obviously crucial, but it's a separate matter.


It’s not a question of “good” data. Slice and dice perfectly random data and sometimes you get spurious correlations. The only way to separate them from real results is to have completely new data.

It’s not even a question of p-hacking or bad design. Perform enough experiments and you always get false positives.


> Orgs need to keep data safe like life or death depended on it. In the end, it does.

Then the parties injured can bring claims with the actual damages in hand. If the courts get clogged with such cases, we’ll have the evidence with which to legislate.

Jumping the shark by assuming hypothetical harms are real is how we supercharge needless bureaucracy.


'Then the parties injured can bring claims with the actual damages in hand.'

This is basically impossible.

First you must prove the leak came from the party you are suing; most Westerners have had their data leaked by over 10 organisations at this point - Equifax, high-profile hacks, etc.

Secondly you need to prove damages. That is extremely difficult because no-one will ever admit in court to using leaked data against you.

So the solution you are proposing is unworkable. We know, because we tested it - Equifax leaked data for a hundred million people, and so far no one was able to prove the damage.


> Equifax leaked data for a hundred million people, and so far no one was able to prove the damage

Which leads me to believe there hasn’t been any damage worth pursuing. It’s a simpler hypothesis than there being rampant, apparently undetectable fraud.


Roughly $40B/yr is stolen from retirement accounts in the USA. Some of that is due to data leaks, and it's not unreasonable to assume other thefts are due to data leaks. The issue is tying any specific instance back to the Equifax clusterfuck.


> It’s a simpler hypothesis than there being rampant, apparently undetectable fraud.

Undetectable? I know 7 people that were targeted and defrauded, and unless you live under a rock, you probably know someone too.

I get 2 scam robocalls a week, 5 scam emails a week; where do you think all of them are getting my number, name and address?

Now, how do I prove where these fraudsters get their data so that I can file a lawsuit?


This is evil shit you’re saying (I’m being a bit dramatic, sure). Healthcare is made more expensive by all these rules about IT. Life or death depends on keeping costs down and making it seamless for doctors to share information with one another. It isn’t some catastrophe if a breach happens. They’ve happened before, yet people have not been getting their private health information published in the local newspaper.


> Healthcare is made more expensive by all these rules about IT.

Healthcare is made more expensive by a lot of things. Sometimes the cost of treating one specific condition affecting one specific individual right now isn't the only thing that matters.

> It isn’t some catastrophe if a breach happens.

Given that we're potentially talking about sensitive personal data, that is a wildly unsafe assumption. Sadly our society has and probably always will have both widespread cultural prejudices and individual personal prejudices against people who have or have had certain conditions, who are receiving or have received certain treatments or procedures, and so on.

If a computer wasn't fully encrypted but no identifiable data ever actually leaked then sure, that's a technicality but no real harm was done on that occasion. If a computer with a list of everyone who say had an abortion or received treatment for their mental health in the last decade was held insecurely and that data was leaked to the wrong people after a breach then that could profoundly affect or in the worst case even endanger the lives of the people involved.


Shouldn't be seamless, on the contrary. Full of seams. Go back to pencil and paper, better. That was a better system on all counts.

Like actually getting my private health information published in the local newspaper--in particular regarding my psychiatrization and torture--is much, much better than creepy standardized test cheaters knowing all my secrets and nobody else knowing anything. That's what I'm doing these days.

In fact I would say the system works far too well, it's very easy for doctors to gossip in their seamless channels and far too hard to stop my psych record--like it was a prison record or a warrant or some actual judgment by a worthy authority--getting around behind my back. I still can't see it myself. I'm expected to believe I have a doctor who advises people paying for my treatment and I've never met this asshole. Hundreds, even thousands of pages and I can't see any of it, it's like a Kick Me on my back, but a biography, a Kick Me epic. Jorge Barros Beck has a few hundred pages, Ximena Rojas Núnez has some, Stanford CAPS has some, that asshole I told you about, then "Clínica" Rayencura produced a couple hundred (they have a former trained journalist called Gonzalo, former junkie too, working to fill out accusative, slanderous dossiers on people, he doesn't say shit he just writes shit, only shit, lots of shit).

Can't wait for that leak!


I worked in three different healthcare technology companies (for doctors, pharma, and insurance).

1. In not a single case was compliance with HIPAA rules ever a cost center beyond the initial project to implement controls, and that itself wasn’t a huge project. For most organizations, compliance with the guidelines is simply good data security. It’s like calling any internet security expensive and unnecessary.

2. Doctors can share data. They have tools to share it in their EMRs, and there are no restrictions to sharing it with other healthcare providers during the course of care.

3. The security and privacy rules are almost entirely about the prevention of public, accidental, or unauthorized disclosure, and also about giving patients access to whatever data you hold on them.

4. Why would newspapers want to publish random people’s healthcare information? Unless it was part of a piece targeting a famous/influential person or medical practice, in which case yes, if they access and publish individuals’ healthcare information without consent, that’s a breach of privacy that can be challenged in court. The law isn’t about the damages per se, it’s about the breach of privacy and confidentiality.


If you were right, we wouldn’t see comments like this one:

https://news.ycombinator.com/item?id=6619188


That’s a comment from 2013, now 9 years ago. Since then, healthcare technology has really changed. Compliance and auditing are pretty standard with easy-to-follow playbooks, and there are plenty of off-the-shelf tools that are HIPAA-compliant as soon as you sign a BAA with them. If you’re in health tech, this is the floor, not a high bar.

That said, there can be a few times when your comment accurately describes what’s going on:

- a non health tech vendor needs to comply with a healthcare client’s needs and they are navigating HIPAA and HITECH for the first time.

- this is often paired with a situation where the company never refactored their SaaS software past the MVP prototype phase, so they have no logging or controls and effectively need to rebuild their entire system to be security-first, and healthcare regulations are just one of the factors they need to consider as they expand the markets they service.

- a company is concurrently trying to get SOC and/or other certifications. Those get pretty intense.

For situations 1 and 2, that’s when a lot of vendors will explicitly say they aren’t HIPAA compliant and choose not to serve healthcare partners (vendor evaluation in healthtech is a pain in the butt because of that). For situation 3, yes, that’s a pain. My own team went through that and it was a year-long process.

That said, there is an initial upfront cost with regards to documentation. However what most people complain about are the requirements to retrain all employees semi-annually on data privacy and protection best practices, which kills a full day or two of company productivity.


The tricky bit is the interplay between security and criticality of need.

If I'm dying of an unknown condition in the ER, I really want minimal fences between my doctor and my data. So a careful balance has to be struck because sometimes patient need is served by breaking privacy. Bulletproof technical solutions could impede patient care.


What's disappointing about issues like this is I worked on a specific transfer of health information from a government health system to a university, and the attitude of the school researchers to privacy was practically obnoxious. They absolutely exploited the pandemic to squeeze the toothpaste out of the tube and get their hands on data sets that we actually have privacy-protecting technologies to facilitate access to, but they were using the emergency powers to do a wholesale seizure of the data sets themselves.

Among the risks I specifically identified were that access to the patient data was the decision of a research ethics board whose decisions were not covered under privacy and access to information laws, and that the research organizations outright refused to allow their researchers to be identified individually - as per privacy laws that require all access to PHI to be by named individuals. The greater concern was once the data was in the hands of the university, they had no way of formally separating clinical research and broader access by social scientists, or worse, administrators with similar agendas, and questioning the integrity of some of the truly demented individuals who inhabit those institutions is apparently just not done.

Government health information systems have rigorous privacy logs that admins check on a weekly and monthly basis to see if their staff are trolling through records for people they know, but the universities have no such controls, and their IT organizations are not enterprise quality. Modern tools like differential privacy, tokenization, data synthesis, and other techniques are absolutely sufficient to test hypotheses before working on production data, but their skillsets appeared more in navigating bureaucracy and political leverage, so they used the tools they had. I say obnoxious because there is a certain archetype of person who spits and sneers when they hear words like "privacy," and their skillset often reduces to creating crises that always seem to have themselves in the middle, and it was well represented in the groups I dealt with. The NHS should take heed, as they are clearly being hustled.
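The weekly privacy-log review the comment above describes (checking whether named staff are looking up records of people they know) can be partly automated. The following is an added example and not code from the BMJ article, the commenter, or any NHS or government system: the audit-log columns, the staff and patient directories, the care-team table and the burst threshold are all assumptions chosen for illustration, and every log line below is constructed sample data. It flags accesses with no recorded care relationship and no break-glass justification, accesses where the patient shares a surname or postcode with the user (a possible relative or neighbour), accesses to a colleague's own record, and bursts of unrelated lookups in a short window.

```python
"""Detect possible record snooping in an EHR access-audit log.

Added example; not code from the article, the commenter, or any real health system.
Log format, field names, thresholds and all data below are assumptions/constructed samples.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: who (named individual) viewed whose record, when, and why.
AUDIT_LOG = """\
ts,user_id,patient_id,action,reason
2022-05-10T09:01:00,u100,p001,view,encounter
2022-05-10T09:05:00,u100,p002,view,encounter
2022-05-10T12:30:00,u100,p777,view,
2022-05-10T12:31:00,u101,p555,view,
2022-05-10T13:00:00,u102,p001,view,break_glass
2022-05-10T14:00:00,u103,p010,view,
2022-05-10T14:00:30,u103,p011,view,
2022-05-10T14:01:00,u103,p012,view,
2022-05-10T14:01:30,u103,p013,view,
2022-05-10T14:02:00,u103,p014,view,
2022-05-10T14:02:30,u103,p015,view,
"""

# Constructed staff directory (assumed fields).
STAFF = {
    "u100": {"surname": "Patel", "postcode": "SW1A 1AA"},
    "u101": {"surname": "Smith", "postcode": "M1 1AE"},
    "u102": {"surname": "Jones", "postcode": "B1 1AA"},
    "u103": {"surname": "Brown", "postcode": "LS1 1UR"},
}

# Constructed patient index; staff_id marks patients who are themselves staff.
PATIENTS = {
    "p001": {"surname": "Green", "postcode": "E1 6AN", "staff_id": None},
    "p002": {"surname": "White", "postcode": "E1 6AN", "staff_id": None},
    "p777": {"surname": "Patel", "postcode": "SW1A 1AA", "staff_id": None},  # matches u100's surname/postcode
    "p555": {"surname": "Jones", "postcode": "B1 1AA", "staff_id": "u102"},  # a colleague's own record
}
PATIENTS.update({f"p{n:03d}": {"surname": "Other", "postcode": "N1 9GU", "staff_id": None}
                 for n in range(10, 16)})

# Constructed care relationships: (user_id, patient_id) pairs with a legitimate clinical link.
CARE_TEAM = {("u100", "p001"), ("u100", "p002")}

BURST_WINDOW = timedelta(minutes=5)   # assumed tuning values
BURST_THRESHOLD = 5                   # distinct unrelated patients within the window


def parse_log(text):
    """Parse the CSV audit log into dicts with a datetime 'ts' field."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows


def audit(rows, staff=STAFF, patients=PATIENTS, care_team=CARE_TEAM):
    """Return (user_id, patient_id or None, reason) findings for review."""
    findings = []
    unrelated = defaultdict(list)  # user_id -> [(ts, patient_id)] with no care link
    for r in rows:
        u, p = r["user_id"], r["patient_id"]
        if (u, p) in care_team or r["reason"] == "break_glass":
            continue  # legitimate, or explicitly justified and reviewed on its own track
        unrelated[u].append((r["ts"], p))
        findings.append((u, p, "no care relationship and no break-glass reason"))
        pat, me = patients.get(p, {}), staff.get(u, {})
        if pat.get("surname") == me.get("surname") or pat.get("postcode") == me.get("postcode"):
            findings.append((u, p, "patient shares surname or postcode with user"))
        if pat.get("staff_id"):
            findings.append((u, p, "patient is a colleague"))
    # Burst detection: most distinct unrelated patients seen in any BURST_WINDOW per user.
    for u, hits in unrelated.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            seen = {p for ts, p in hits[i:] if ts - start <= BURST_WINDOW}
            best = max(best, len(seen))
        if best >= BURST_THRESHOLD:
            findings.append((u, None, f"burst: {best} unrelated patients within "
                                      f"{BURST_WINDOW.seconds // 60} min"))
    return findings


if __name__ == "__main__":
    for user, patient, why in audit(parse_log(AUDIT_LOG)):
        print(f"{user}\t{patient or '-'}\t{why}")
```

Break-glass accesses are skipped here only because they should go to a separate, mandatory review queue rather than be buried among routine findings; the surname/postcode heuristic is deliberately crude and will produce false positives in areas with common surnames, so treat each hit as a prompt for a human reviewer, not as proof of misuse.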


Did you blow the whistle on this abuse? If this was also in the UK then it looks like exactly the sort of serious breach of protocol that the ICO should investigate. If it involved sensitive personal data about lots of people then it might realistically have enough weight for that to actually happen too.


If you are really serious about privacy, become a CIPP and do contracting work in the field. Be the change, etc. (https://iapp.org/train/)

There isn't a whistle to blow because when you look at the issue closely, it is really about exploitation of the circumstances within the law and processes, and not illegal activity. The methods of bureaucracy are to diffuse accountability so that no individual can be held responsible for a failure or misrepresentation, and that's really just the art of bureaucracy. Just because people are ideological or untrustworthy doesn't mean they are doing something illegal.

Instead, I can participate in public discourse about privacy with other technologists and share insights and tools here, while affecting constructive change where I can.

The misrepresentations that occurred in the process were structured to be deniable and transfer the risk to people who could not reason about them, or deny understanding it. This is just how bureaucracy works, and when you look at what people actually blow whistles on, it is much more black/white, cut/dried than an abuse of process you need some depth on to understand. Success for me was getting an executive board to sign a risk statement accepting the risks that our security project identified so that there was a paper trail of this huge decision available via access to information laws.

Further, technocratic people tend to hate privacy because it is a limit on their power, and so the channels for someone "blowing a whistle" are really limited to Snowden level events, and even then stories that tarnish institutions themselves tend to get spiked by editors. It's rarely valuable, when instead you can articulate the dynamics that cause this stuff and make criticism of shitty practices part of the discourse.

The whistleblower use case on this issue would be in the hypotheticals that result from the incentives downstream, where researchers start using the data sets to look up colleagues, health data ends up in a hacked data dump by some APT group, queries like when did a married colleague or politically exposed person get their last STD test, was an applicant for a role vaccine hesitant based on dates, was someone exposed during a public health incident, data attributes being re-used to support a national biometric internal passport system, an insurer or 'alternative data provider' acquires family-based cancer predictors, passing community health information to NGOs and activist groups as leverage for their policy agendas, activists produce an online map of unvaccinated and hesitant people's houses the way they have for gun owners and political donors, normalizing the use of personal health information for policy and governance beyond public health services, billing data for mental health services ends up in a policing intelligence database or shared with border guards, etc. None of these are known to have happened (yet) but they would be the trigger for scrutiny.

In tech, we get issues pushed "down" to us to resolve in ways that may be unethical or illegal, but "good" developers don't ask questions. Compared to what's done at the platform and ad-tech companies, this issue is small potatoes.


Most crimes are left unpunished, even more so corporate crimes, because it's usually very hard to prove there is one, to demonstrate who is guilty, and costly to sue for little gain.

In fact for corporate crimes, it's even worse, because there is little skin in the game: rare jail time and fines that are only a subset of the money earned by committing the crime, when there is any.

Make it 2 months of jail + one day for each patient's data that has been breached, for everybody in the chain of command responsible, and you'll wager it will happen a lot less.


I think breaches like this are the reason that there's been more of a focus on creating 'trusted research environments' lately, rather than actually transferring data out of the healthcare system.

There was a really interesting review recently by Prof. Ben Goldacre which touches on a lot of this stuff, I recommend skimming it: https://www.goldacrereview.org/


Selective enforcement is a key method for... something. Some political thing. I forget the name.


> Should NHS Digital curtail their access?

Depends. Will curtailed access harm them or harm their patients?


This is the perfect area for a vigilante to regulate the market


What tools will that vigilante use? Lawsuits? Bullets?


Fear.

(the equine heads can be collected in an ethical way like they did in the making of that movie)


How?


Perhaps the US needs national/federal GDPR/CCPA-style legislation?


Possibly, but the BMJ is the British medical association. This report tells about UK data breaches.


Oops.
