Teaser Image
Episode 20: Who has their hands on your healthcare data? Decoding PHI security with David Ting from Tausight

Display Date

January 19, 2023

Header Title

Episode 20: Who has their hands on your healthcare data? Decoding PHI security with David Ting from Tausight

Wistia Audio
Description

An average of two major healthcare data breaches happen every day—double the rate the industry faced just three years ago. David Ting, CEO and founder of Tausight, talks with Justin about what makes your protected health information (PHI) more valuable to thieves than your social security number, why the industry is better at securing technical infrastructure than data itself, and how neural networking and natural language processing can help providers track and handle patient records more securely.

Justin asks David the hard questions about maintaining data security in an increasingly porous digital landscape: How can the industry leverage digitization without risking compliance or locking clinicians down? Why should patients and providers make situational PHI awareness part of their digital hygiene routines? And what steps can we all take to better secure our data?

We want to hear from you...

Have an idea for an episode? Got the inside scoop on a trending topic? Let our team know!

Episode transcript

Justin Steinman:
Definitively Speaking is a Definitive Healthcare Podcast series recorded and produced in Framingham, Massachusetts. To learn more about healthcare commercial intelligence, please visit us at definitivehc.com.
Hello and welcome to season two of Definitively Speaking, the podcast where we have data-driven conversations on the current state of healthcare. I'm Justin Steinman, chief marketing officer at Definitive Healthcare and your host for this podcast. It's a new year and our first guest of 2023 is David Ting, the founder and CTO of Tausight. David founded Tausight in 2018 with the vision of reducing healthcare-specific cybersecurity incidents by simplifying the way hospitals and healthcare systems detect and manage PHI risk in today's decentralized healthcare ecosystem. PHI, for those listeners unfamiliar with the acronym, is personal health information, a term that I'll ask David to define in just a moment. David's a longtime healthcare IT veteran. He was the co-founder and CTO of Imprivata, the digital identity company for healthcare. He's also a former appointee to the US Department of Health and Human Services healthcare industry cybersecurity task force. So you might say that David is more than just a bit qualified to offer his opinion on the challenges of cybersecurity in healthcare and I'm excited to have him on the show today. So, David, happy new year and welcome to Definitively Speaking.

David Ting:
Thank you, Justin. Happy to be here.

Justin Steinman:
Excellent. So let's get us started here and hope you can answer the question I mentioned in the introduction. What is PHI data, and why does it matter?

David Ting:
PHI data technically is protected health information.

Justin Steinman:
So I got that wrong, good, protected health information. Good.

David Ting:
And it is something that we all use in our medical care, whether it is patient history, patient consult, referral, prescription, anything that has your identifying information. PII combined with medical content creates protected health information and that is covered by the HIPAA security rule that was signed in '96 as the basis for insurance, payers, providers, anyone that does anything with healthcare.

Justin Steinman:
And so why is that important? If someone stole my PHI data, what could they do with it?

David Ting:
So PHI is relevant in your healthcare and it ties your identity, your credit information, if you are paying, for example, or what we call PCI personal credit information together with your medical condition. And it's used everywhere. So people who want to get your health information often will steal the records for their credit information or the personal information, or your insurance information so they can file fraudulent claims. So you'll notice if you get healthcare benefits, you get these EOBs, explanation of benefits. You go, why do I need to get all these things from my insurance company? I just went to the doctor and now I have 12 inches of paper.
The reason is so you can actually correlate that you got these services, services were paid and that they were really services that were delivered to you. In a lot of cases, especially with seniors who receive care, if their identity and their insurance information gets stolen, they could be fraudulently used. And there are cases where patients were billed thousands and thousands of dollars in a fraudulent manner, but they never checked because they said, well, the insurance company paid. So I didn't personally have any responsibility for it. It could also be used in a manner to blackmail you, to embarrass you, to cause you harm in your job applications, all kinds of information, especially around mental health, personal disease management, things that you might have that might limit your opportunities for employment. These are all just some of the things that people worry about.

Justin Steinman:
Wow. So it's not so much that someone cares that I have high cholesterol. But if I was going to see a therapist, for example, they might say, Hey, I'm going to tell your boss that you're getting mental health treatment.

David Ting:
Exactly. So in a criminal sense, Department of Homeland Security used to say, your stolen social security number that's worth about a dollar on the block market. A stolen credit card, it's maybe $4, $5. A good medical record that's stolen is worth about $260. So that's the scale of relevance or importance on the black market. And there's something called the shelf life of PII. The younger you are, the more important, the longer it's good for until you get to your teenager years and then your value goes down and then it goes back up again when you're a senior citizen and your Medicare is paying for everything because you don't really care, nobody pays attention to it. So the shelf life and the age all determine the marketability and the value to a criminal.

Justin Steinman:
Wow. So $260, that seems highly specific. How did we calculate that it's worth $260 for a medical record?

David Ting:
This is determined by the Homeland Security people who check the value on the dark web where this stuff is stolen and sold. And so the important thing to note is in 2014, 120 million patient records were stolen. They were lost, and that was the record of the year of record breaches. And today, even today, we lose records at an incredible rate, especially as healthcare gets decentralized.

Justin Steinman:
So it's almost like there's an eBay on the dark web for PHI data and PII data?

David Ting:
Unfortunately, PHI data, and combined, often combined with PII. So if you lose your credit card or it gets stolen, the credit card company invalidates it right away. So it's basically useless. Credit card companies will reimburse you for any loss. You can't take back your medical history.

Justin Steinman:
There are days that I wish I could, but yes, I got you. So you mentioned this 120 million patient records stole in 2014. I actually found some data on my own as I was prepping for today. So, according to the hipaajournal.com in 2018, healthcare data breaches of 500 or more records were reported at a rate pf about one per day. Fast forward four years, and the rate has doubled, in 2021, an average of 1.95 healthcare breaches were reported each day. So in my world, one breach a year is too many. Forget an average of two a day. And 500 records, well, that's a substantial breach, right? So why is PHI data so difficult to secure? What's causing all these breaches?

David Ting:
So let's touch on that 500 number. 500 number was what is required of an organization to publicly disclose that they've lost that many records. The numbers that are below 500 are not on the so-called wall of shame. And so what happens when you have 500 is you have to basically prove to the OCR, Office of Civil Rights that you took care in protecting your information, but guess what? A cyber incident occurred and now you have to publicly disclose it. There are numerous more that are below 500 that were deemed not significant enough to be publicly revealed. And so the 500 number, you say, well, why do we have a 500 record count? And so you think about it, in '96 when the rules were written, 2000, most of the stuff was still on paper. So medical records, if you look at the average medical jackets about four ounces.
So it was four records per pound. 500 records is about 125 pounds. So you'd have to basically walk out, either be really carrying a really big box or walk out with a cart to get 500 records. But as we get to digital age, 500 is nothing when you could steal a 100 or 80 million records flowed out of one organization and nobody noticed. And so electronic records, as we digitize, much easier to transport, much harder to control the access and it gets created faster than it used to be. So in the old days you wrote your medical records, you wrote it on a piece of paper, you filed it, you had a medical records department, everything was localized, you sent a fax, maybe, maybe you took out a jacket for somebody. Now today, a doctor or somebody creates a electronic record, EPHI, the moment they put your name, your medical condition, and they send it out whether it's going internally or externally, that's all EPHI.
So you have incidental EPHI and you have true medical records that sit in your medical record system that presumably you have better tracking for. But as EPHI proliferates in this decentralized world, we move it everywhere. We create it on the fly, we create it contemporaneously. I have a conversation with you in the hallway and you say, gee, I need a consult note. You write it up, patient's records, identifiers and their certain condition, it gets sent out, and all of a sudden you have a piece of EPHI and that generates more and more data, more and more loose leads that you had to follow through. Medical research is also on the uptake. And so the importance of medical records for investigations, for research also causes the whole proliferation of EPHI that moves all over the place with researchers, with researchers getting data sets. Many of them should be de-identified, some of them are not if you sign the right agreement. So EPHI is everywhere.

Justin Steinman:
Yeah, that actually does fit. I went to the doctor recently and there's this new thing, a medical scribe. It was this 22-year-old kid and his whole job was sit there and type up as a doctor was, which I appreciated, a doctor was sitting and talking to me. So a good job on my doctor having personal patient interaction. But the medical scribe has typed all that up. And even me, the past five years, I now go on to my patient portal and I'm like, I read my doctor's notes and the follow-up and what they wrote. 10 years ago, I didn't know the doctor was writing a chart. I had no idea what they said about me. Now I read it and I second guess him, right? Like, oh, he's wrong on that or I don't disagree, but you're right. That's all that PHI data that is out there. And so how do we start to secure all this? What do we need to do to lock this down?

David Ting:
So the traditional way for securing healthcare systems is start with the technical infrastructure. So start with the technical infrastructure. You start with a network, you start with the endpoints, you start with the connected systems, and then you make sure that you know what's going on. At the same time, the new paradigm is, how to secure the data? And there's data everywhere. You might have millions of patients for a hospital. So every patient's record now has to be considered an entity for which you have to know where is it? Who does it belong to? How is it secured from a privacy perspective? How do you ensure that you know it's auditability? Where does it go? Where is it created? And what is its lineage? How does it create children, and where do those children end up? So having that auditability is really important. One of the things I realized when I was on the cybersecurity task force was even as we get better at securing the technical infrastructure, we have to have a better approach to securing the patient records.
And that means the sensors that are out there that are designed today to detect attacks, vulnerabilities, and threats, you have to now also be content aware. You have to be aware, this is EPHI data, this is billing data, this is claim data, this is prescription, this is a referral. You have to be PHI aware and you have to be able to do that right on the fly as opposed to in some data lake or data center, that you have all the data. Because, frankly, as work at home becomes more relevant in this new day and age of post-COVID, doctors are working more from their office, far away from the hospital. They're working from home, they're working on the road, they are taking the data. And the data expansion is far greater than it was even three years ago, when more of it was confined inside the firewall.

Justin Steinman:
So how do you identify all these different types of data? Is there metadata that says this is a PHI record, this is a claim. How does that get identified?

David Ting:
So you identify data, you classify data based on the shape of the data, which is what does it look like? So if you were looking at a document, you'd say, that's a claim data, that's a prescription, that's a referral, that's a consult, that's a history. You as a human being have that built-in intelligence to recognize these categories. We've done the same thing with a neural net and natural language processing by embedding that into an algorithm that can be deployed right at the edge. So it's using neural nets, advanced technology that you can run right on the endpoints to basically look at the content, whether you've stored it, whether you've created it on the fly, whether you cut and paste it between one application and another, whether you've moved it out over the web or to an email server or to the cloud server.
So all of a sudden you can start to not only identify, one, you're creating moving PHI, you are storing PHI, you are creating derivatives of that same information. The linkages now can be tied together. So you can track what happens across all your endpoints. So we have a ILT sensor technology that once you deploy it at the endpoint, we will send all that metadata back to a cloud-hosted analytics platform where we can track all this stuff.
So that means I can tell you, gee, you have patient records on this machine that should be encrypted, but they're not encrypted, violation of the HIPAA rule. Two, you're moving it to places where the recipients are not BAA, have not signed BAAs. You're business associates, but you may not have known them to be a business associate with a tight agreement. It can also know that you are moving the data into private clouds, which is, again, a no-no because you should have full auditability and full awareness of the security that you have placed around the data. So principles of data security is that you need to protect the confidentiality, the integrity, and the availability of the data, that's mandated by the HIPAA security role. And so you need to make sure that every piece of data that you have out there, you have a way to prove to your internal compliance team as well as the OCR that you've met the CIA requirements.

Justin Steinman:
Wow.

David Ting:
That should all happen underneath the covers without the clinician saying, gee, should I be able to do this? Should I not be able to do this? Should I send this data out? Do I need to worry about the data that I keep on my machine? And that really gets to how do you make sure that the technologies and the approach that you take doesn't interfere with clinical access?

Justin Steinman:
Right. And that's actually a really interesting point, clinical access, because one of the key problems here is that Justin isn't sharing my PHI data, my clinician is, right? And at the same time, if my clinician causes a cybersecurity leak, he's not going to get fired. That's not his job. Cybersecurity is the job of the IT department, not him; versus in another organization, if I expose all the Definitive Healthcare's data for some reason, not even if I have access to do that. But imagine I figured out how to do that, I'd lose my job. So how do we leverage digitization without the fear of being out of compliance or, even worse, trying to lock these clinicians down. It's not their job.

David Ting:
I think one of the key benefits of digitization is improving the speed and the velocity by which information can be securely shared. Clinicians want to take care of their patients and they'll take whatever resources they can get their hands on to improve patient care. They'll send it to a consult to somebody to say, hey, can you take a look at this? And that's what you, as a patient, will want. And that's what you, as a provider organization, will want to encourage, but you also have to have policies that they can adhere to, which hopefully will be transparent to them. So you're not stopping them every other email that they want to send out, but you should have the system take care of it for them.
One CIO I talked to said, "It's more important for me to allow the doctors to do what they need to do, but I need to make sure I know what they're trying to do to make sure I have mitigations for everything they need to do." That means if they're transferring information to their home machine so they can get access to it, I need to make sure that that workflow is covered. So a lot of clinical workflows start with understanding the intent of the clinician. Doctors aren't out there trying to steal their information. They're out there to get the job done, to take care of the patient and so if they work at home, make sure that they can securely do it.

Justin Steinman:
Right. I mean, they're obviously operating from a place of good intent. And the question is, how do we prevent them from making an accidental mistake? Nobody again wakes up in the morning and says, Hey, I want to share all this PHI data with everybody. Where can I publish it? But they are trying to say, I know this doctor out in Los Angeles and I'm here in Boston and she's an expert in this disease, that I'm trying to treat somebody. Can I just flip her the record and get a consult? And we want to make sure they can get that record fast and get that counsel quickly as time is often of the essence in this.

David Ting:
That's exactly right.

Justin Steinman:
So let's talk a little bit about digitization. I mean, we all know healthcare is kind of a "different" industry and I could use the word different in air quotes. I think everybody would get it. I like to joke, it's the only industry where if you have a bad experience or bad outcome, you're probably going back to the same place to get more of it. You have a bad deal at a restaurant, you're not going back to that restaurant. If your surgeon leaves a scalpel inside you, you're probably going back to the hospital to get the scalpel out. So we're one of the last industries, in healthcare, if not the last large industry to digitize. Why do you think we were so late as an industry to digitize?

David Ting:
I think the technology for digitizing the information has lagged all the other fields. I mean, EMR started out as a extension, as billing systems where you can now glom onto it the patient records. I've watched digitization in my career for, I think, six verticals. I've participated in that transition. Healthcare was the last one. And from a physician's perspective, most of them will tell you they preferred it when it was a paper record. Once they made the transition that they're starting to get the benefits of, gee, you could do decision support, I could transfer information, I can have a better exchange of medical information with my patients. And now, even as patients bring in their own data, I can now integrate some of that into my diagnoses and my maintenance of that patient's health. It's a transition. I've watched it in the early 80s and with computer data design, when engineers used to do everything on a drafting table. They would describe, they would say, here's what I would like you to do.
And the draftsmen would draw it on a blueprint, erase what they couldn't do, or for revisions. When CAD came in, the engineers revolted and they said, we are never going to be able to do this on our own. The draftsmen said, it'd be so much slower without us, and yet we know it happened. And engineers design everything on a computer these days without even thinking about it. Why? Because now you can simulate that part. You can look at it in different dimensions. You can quickly make modifications. You can have design support, does that sound familiar?
You could share designs with your manufacturing counterpart in China who will make that part for you. You could make revisions on the fly. That's what healthcare's going to have to evolve to as it embraces digitization. And that's the promise of speeding up the interactions that we can have once the records are electronic and can be secure. Now, healthcare is also more difficult because it's an alliance of healthcare services that are all participating for the patients. So unlike manufacturing a part which is an alliance of multiple manufacturers and sub-manufacturers, you have patients that go to multiple places for care. The thing that you want to do is to make sure that the design for what you want the patient to undergo is electronically shared. No different than a well-coordinated manufacturing process.

Justin Steinman:
Yeah. Except the difference is a manufacturing process, the car doesn't have independent action or independent thought, right? I could choose to go get a second opinion; the car's not going to get a second opinion. If I go get that second opinion, I'm going to expect my data to follow me. And you can't control me. You can't control where I'm going to go. So how do you secure my data when I'm out as an independent actor just doing things?

David Ting:
That's the new frontier that really is going to be a problem as patient records become more available through the portal. And like you say, that's a great analogy, that you have the choice to take your data and basically plop it on another physician's desk and say, I want a second, third opinion. That information gets even more distributed. So those are the new challenges. I'm not sure we know how to solve that one yet, especially from a privacy perspective where one day you say to that second opinion doctor, I want to retract all of the data I gave you. I no longer want you to have it. How do you do that? That's going to be the challenge as privacy rules start to overlap with securing your privacy.

Justin Steinman:
I think Epic is trying to solve this. So I'm part of the Mass General system, my doctor practices there, and I think when I log onto the patient portal, there's a big button that says, click here to share your data and tell us where to send it to.

David Ting:
Correct.

Justin Steinman:
Right. But when I do that, I don't recall who I sent it to a year ago. I have no idea. It's still probably floating out there somewhere.

David Ting:
It's like what you put on the internet stays on the internet. I think there's going to be a little bit of the awakening at some point to say, where have I put all my information?

Justin Steinman:
Yeah, that's pretty frightening. So your website talks about this phrase that I saw, situational PHI awareness. What is that?

David Ting:
So today, if you were to ask most CIOs, can you account for where all your EPHI is, and what's happening to it? We used to wake up and people used to say, "They get created wherever the doctors write a note. So how am I ever going to know where all my PHI is?" And so what you really want to know is how do I know from a situational awareness perspective, where's my PHI, and what's happening to and can I account for it? Can I account for what EPHI is on that researcher's laptop that was reported stolen out of her car? How can I report the EPHI that's on a removable drive that we gave somebody and lost it? Or where's all my EPHI that's moving into some personal cloud that we didn't know they had? So situational awareness is understanding exactly what goes on across your system to those critical assets.

Justin Steinman:
This is a frightening conversation. I'm going to be honest with you. I'm walking out of here going back. I think I want my data back on a piece of paper again, I feel like it's going all over the place.

David Ting:
There's some truth to that.

Justin Steinman:
So let's talk a little bit about telemedicine, right? So we've seen a significant increase in telemedicine over the past two years. Our data shows that telemedicine utilization grew 6000%. That's 6000%, for listeners out there, during the pandemic, and some experts estimate that the pandemic drove roughly 10 years worth of innovation in telemedicine in roughly 12 months, what's been the impact of telemedicine on PHI?

David Ting:
So I've asked a lot of CIOs and CISOs that, and their immediate reaction is that information is now everywhere, right down to the machine at home, that the physician might have been using to carry out telemedicine tele-visits. That increases the surface area for compromise. And once CIO said, "I can expect several years of remediation that I will have to undertake because of the rapid nature of decentralization of care." There are going to be new technologies that will have to be introduced to help understand what that exposure needs to look like. Because, frankly, the FBI had a stat which frightened me, which said, "The average laptop that's sold, one in 12 will be stolen that year." So you can imagine what's the fan out of loss of information from those machines.

Justin Steinman:
So you said that CIO's going to have remediation, years of remediation. What's the cost of that? Do you have any idea of sizing the cost of that remediation?

David Ting:
I do not. To be honest, I think it's substantial. You got to go back to every place where potentially the clinician have accessed EPHI in that rapid, if we remember that rapid transition from visits in the office to we'll do a tele-visit with you. I remember helping my physician go through his first setup so that he could do a remote visit. I'm on the phone with him, walking him through how to set it up and he said, "IT hasn't caught up yet to what we're needing to do." And so you can understand that, all the security, all the compliance, and all the auditing will not have been put in.

Justin Steinman:
We got a real problem out there. So, I mean, this has been great. Mildly alarming, but great today. Thank you for coming in. Love having you actually in the offices here with me today, looking face-to-face. But before I let you go, I have to ask one last question for you, right? So one of the hallmarks of this podcast is what I would call listener empowerment. We talk about some pretty heavy topics on this podcast. We talked about mental health, chronic disease management, and one of the things that we always try to do is empower our listeners to do something about it. Don't just sit there and put your head in your hands and go, oh, no, woe is me, right? So it's pretty clear that securing PHI is a challenge and something that we as an industry haven't fully solved yet. But what can our listeners do? The average Joe or Josephine listening to our podcast, what can he or she do to help secure their own PHI data?

David Ting:
So if you're a clinician, make sure you're doing things that are compliant or following the policies that your organization has prescribed. It may seem awkward, it may seem counterintuitive, but there's probably a reason. And if it doesn't make sense, go talk to the IT person and say, look, I'm trying to do this. Is it compliant? Can you help me make it more fluent in terms of what I need to do in getting this information distributed? Always be aware that the first things you want to make sure are; check with your IT team, check your machine, if you're bringing a new machine in, make sure it's encrypted.
Make sure you know that the access to it is secured. Use your multifactor anytime you're outside the organizational boundaries. These are just basic hygiene things that you need to follow to protect the data. And think twice about printing was one suggestion. One CIO always used to say, "I find PHI everywhere, whether it's at home, whether it's in the printer." I was in one office, we're waiting for a discharge summary, and the nurse said, "Oh, machine's out of paper." So she goes and fills it up. And when you know it, mine was the 20th patient record to print out. So printing is another area where PHI totally is exposed as soon as you print it.

Justin Steinman:
So that's good for what a clinician can do. What can a hospital executive do or an IDN executive, what can he or she do to help?

David Ting:
I think awareness of the dangers of not being able to secure your PHI, not knowing where all your EPHI is and what's happening to it. Understanding the concerns. You brought up the fact that breaches are occurring at an incredible rate. Most boards are aware of it. They need to think, gee, are we going to have to go into the media and explain ourselves? One CSIO used to tell me, "My job here is to protect and prevent a CEO from having to explain to the public why they lost the record."
Now, you brought up a point earlier on that even with a bad encounter, you still go back to the hospital. A lot of CIOs will tell you that post-breach, their patients had less trust in the organization and many of them would say, "I'm not coming back. If you can't protect my records, can you actually take care of me?" And so one CIO said, "Some of them, they did notice a loss." Some of the patients never came back. They went to a competing hospital. So there is a downside to not being able to protect those records that will reflect itself in a patient's loss of trust.

Justin Steinman:
That's unbelievable. It's really interesting. That's another criteria almost in shopping for hospitals. It used to be only about the quality of the doctor. Now privacy is an issue, interesting. And then last but not least, what can I as a consumer or a patient do to protect my PHI data?

David Ting:
Well, I always look at the EOBs first, just to make sure that my billings, my insurance billings, are actually from places where I've been so that somebody isn't scamming my records. I also shred all that stuff, but that's paranoia on my part. But I think just being aware of the consequences. If your medical records, if your insurance records are gone, what does that mean to you?

Justin Steinman:
Well, David, thanks for coming on to Definitively Speaking today. A lot of really good insights. Appreciate taking the time to talk with me.

David Ting:
No, pleasure. Thank you for having me.

Justin Steinman:
And for all listeners out there, thank you for listening to Definitively Speaking, a Definitive Healthcare Podcast. Please join me next time for a conversation with Mark Claremont, the CEO of Cecilia Health. Cecilia Health is a virtual first provider organization delivering integrated care to patients across all chronic disease risk profiles. CDM is one of the most expensive and pressing problems facing our country as we've explored in some previous podcasts. And I'm curious to hear Mark's perspective of unique approaches Cecilia Health is taking. Please be sure to join us. If you like what you've heard today, please remember to review, rate and subscribe to the show on Apple Podcast, Google Podcast, Spotify, or wherever you get your podcast. To learn more about how healthcare commercial intelligence can support your business, please follow us on Twitter at Definitive HC or visit us at definitivehc.com. Until next time, take care. Please stay healthy, and remember to check those EOBs.