Medical “Right to be forgotten,” GDPR-Ready, Clinical AI

TLP White: In this edition of Hacking Healthcare, we explore a recent ruling in a “right to be forgotten” case that has a connection to the healthcare sector. Then, we examine evidence of the cybersecurity benefits of being GDPR-ready.  Finally, we detail a report on the issues affecting integration of AI into clinical decision support that parallels other technology use cases in healthcare.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC.

Welcome back to Hacking Healthcare.

Hot Links –

1. A Landmark Ruling in Prominent “Right to be Forgotten” Case.

Google has been compelled to remove search results for a Dutch surgeon previously disciplined for medical negligence in a ruling by Amsterdam’s district court. The surgeon had been found negligent in her postoperative care, but upon appeal, she was given a conditional suspension and allowed to continue to practice. Even though she had been cleared, a Google search of the doctor’s name continued to display links to a website described as an unofficial blacklist of suspended doctors. This prompted a legal challenge under the EU’s “right to be forgotten.”

 

This outcome is significant as it is considered the first time that “right to be forgotten” will be used to remove search results relating to medical negligence.[1] Willem van Lynden, the surgeon’s lawyer, has subsequently attempted to remove details of 15 more doctors on the blacklist and believes that this is just the beginning of an effort to clear maligned medical practitioners.[2]

 

The EU’s “right to be forgotten” stems from a 2014 Spanish case, which ruled that EU citizens may appeal to remove inaccurate, embarrassing, or out of date information from internet search results.[3] Controversy over “right to be forgotten” has existed since its inception. EU Advocate General Maciej Szpunar voiced concerns two weeks ago, stating that he did not believe that search results outside of the EU should be impacted. He believes that other “fundamental rights, such as the right to data protection and the right to privacy, as well as the legitimate public interest in accessing the information sought”[4] should also be considered.

 

2. GDPR-Ready Firms Suffered Fewer Data Breaches Last Year.

If Google’s recent €50 million fine wasn’t enough to convince companies to prioritize GDPR compliance, perhaps Cisco’s January release of their Data Privacy Benchmark Study might. Cisco’s study found that, of 3,200 respondent companies, those that were GDPR-ready were 15 percentage points less likely to suffer a breach than their peers who estimated being over a year from compliance.[5] Additionally, GDPR-ready compliance correlated to more than just reducing the likelihood of a breach. GDPR-ready companies also enjoyed a significant drop in records impacted in a breach, with fully compliant companies averaging only 79,000 records to the 212,000 records averaged by companies who estimate being over a year from completion.[6] Finally, the report also found a substantial reduction in system downtime as a result of a breach between GDPR-ready companies who averaged 6.4 weeks and companies at least a year removed from GDPR-ready status at 9.4 weeks.[7]

 

While correlation among these breach indicators does not necessarily imply that GDPR is responsible for these apparent benefits, it does add additional impetus for companies to move toward compliance. Furthermore, aside from the cybersecurity aspect, Cisco’s study noted that respondents claimed they saw additional benefits from full GDPR compliance, including gaining a competitive advantage over peers, achieving operational efficiency, and winning appeal with investors.[8]

 

3. Report Details Pros and Cons of Integration of AI Into Clinical Decision Software.

A report from the Duke-Margolis Center for Health Policy has outlined the challenges and potential benefits of AI and machine learning in clinical decision support (“CDS”) software.[9] The report cites priorities for the near future regarding the implementation of these technologies, including the need for regulatory clarification from the Food and Drug Administration. In addition, it addresses evidentiary needs for increased adoption of these technologies, examines the difficulties of effective risk assessment for these products, and recommends that AI systems are ethically trained and flexible.[10]

 

Greg Daniel, deputy director for policy at Duke-Margolis, says he recognizes the potential for AI to “improve patient outcomes, reduce costs, and enhance work-life balance for health care providers,” but he notes that a clear policy process is needed to safely integrate these emerging technologies into pre-existing systems.[11] While the report focuses on AI as it relates to CDS, the need for in-depth assessment and forward thinking policy solutions applies to numerous other cases in the healthcare industry. As integration of emerging technologies in the healthcare field continues to quicken, it has become increasingly important that new use cases are clearly articulated and their effects studied.

 

Congress –

 

Tuesday, January 29:

— Hearings to examine access to care, focusing on health centers and providers in underserved communities (Senate Committee on Health, Education, Labor, and Pensions)[12]

 

Wednesday, January 30:

–No relevant hearings.

 

Thursday, January 31:

–No relevant hearings.

 

International Hearings/Meetings –

 

            EU – No relevant hearings.

 

 

Conferences, Webinars, and Summits –

–H-ISAC EU Council Meeting and Workshop – London, UK (2/5/2019)

<https://h-isac.org/hisacevents/h-isac-cyberrx-biotech-pharma-workshop-london/>

–HCIP Fireside Chat Series (Webinar) (2/6/2019)

<https://meetingserver.hhs.gov/orion/joinmeeting.do?MTID=d301763a303e7c88b6b172892968afe9>

–HCIP Fireside Chat Series (Webinar) (2/8/2019)

<https://meetingserver.hhs.gov/orion/joinmeeting.do?MTID=d301763a303e7c88b6b172892968afe9>

–H-ISAC Radio Show, members discuss software security – (2/5/2019) link will send in member listserver

–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)

<https://nhisac.org/events/nhisac-events/first-symposium-2019/>

–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)

<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>

–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)

<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>

–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19– 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>

–H-ISAC Israel Showcase & Innovation – Tel Aviv, Israel (4/8/19-4/13/19)

<https://www.regonline.com/registration/Checkin.aspx?EventID=2551847>

–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)

<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>

–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)

<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>

–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)

<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>

–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>

–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)

<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>

–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)

<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>

–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)

<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)

<https://h-isac.org/hisacevents/health-it-summit-northeast/>

–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)

<https://www.loewshotels.com/coronado-bay-resort>

 

 

Sundries –

 

—DHS releases emergency order to prevent DNS hijacking

<https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/>

—How sloppy OPSEC gave researchers an inside look at the exploit industry

<https://www.cyberscoop.com/mobile-zero-days-lookout-shmoocon-2019-android-barracuda-ios-stonefish/>

—‘Gold mine’ of customer loan, tax and other records exposed on open server

<https://www.cyberscoop.com/data-exposure-ascension-bob-diachenko-zack-whittaker/>

—From the NSA to Silicon Valley, a new kind of encryption is going commercial

<https://www.cyberscoop.com/homomorphic-encryption-nsa-silicon-valley-commercial/>

—AI, cross-industry collaboration will continue to reshape healthcare in 2019, Optum says

<https://www.healthcareitnews.com/news/ai-cross-industry-collaboration-will-continue-reshape-healthcare-2019-optum-says>

—New Phishing Campaign Packs Triple Threat

<https://www.darkreading.com/attacks-breaches/new-phishing-campaign-packs-triple-threat/d/d-id/1333726>

—Cloud Customers Faced 681M Cyberattacks in 2018

<https://www.darkreading.com/attacks-breaches/cloud-customers-faced-681m-cyberattacks-in-2018/d/d-id/1333721>

—GOOGLE’S PROPOSED CHANGES TO CHROME COULD WEAKEN AD BLOCKERS

<https://www.wired.com/story/googles-proposed-changes-chrome-could-weaken-ad-blockers/>

—NEST CAMS HIJACKED IN THE NAME OF PEWDIEPIE AND NORTH KOREA PRANKS

<https://www.wired.com/story/nest-cameras-pew-die-pie-north-korea-passwords/>

—SECURITY NEWS THIS WEEK: DID RUSSIA TAKE ANOTHER SHOT AT HACKING THE DNC?

<https://www.wired.com/story/dnc-russia-spearphishing-aclu-lawsuit-security-roundup/>

—How the government shutdown is flushing away federal cyber-talent

<https://arstechnica.com/information-technology/2019/01/how-the-government-shutdown-is-flushing-away-federal-cyber-talent/>

—Malvertisers target Mac users with steganographic code stashed in images

<https://arstechnica.com/information-technology/2019/01/malvertisers-target-mac-uses-with-stenographic-code-stashed-in-images/>

 

 

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://www.theverge.com/2019/1/22/18192626/eu-right-to-be-forgotten-dutch-surgeon-medical-negligence

[2] Ibid

[3] https://epic.org/privacy/right-to-be-forgotten/

[4] https://www.cnet.com/news/right-to-be-forgotten-by-google-should-only-apply-in-eu-says-court-adviser/

[5] https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf

[6] Ibid

[7] Ibid

[8] Ibid

[9] https://www.healthcareitnews.com/news/policy-process-changes-needed-safely-integrate-ai-clinical-workflows

[10] https://healthpolicy.duke.edu/sites/default/files/atoms/files/dukemargolisaienableddxss.pdf

[11] https://www.healthcareitnews.com/news/policy-process-changes-needed-safely-integrate-ai-clinical-workflows

[12] https://www.senate.gov/committees/hearings_meetings.htm