On March 18, Lindsey Holden, a reporter for the San Luis Obispo Tribune, reported that “A state employee improperly accessed more than 2,000 Atascadero State Hospital [ASH, in the town of Atascadero] patient and employee records in a data breach identified in late February, [the California] Department of State Hospitals said. The breach occurred when the DSH employee accessed names, COVID-19 test results, and health information necessary for tracking coronavirus for 1,415 ASH patients and former patients and 617 employees, a DSH news release said. The employee had access to ASH data servers through their information technology job duties. The employee had been improperly accessing the information for about 10 months before DSH found out about the data breach, an FAQ about the incident said.”
Holden quoted the FAQ as stating that “It appears that the employee used the access they were provided in order to perform their normal job duties to go directly into the server, copy files containing patient, former patient, and employee names, COVID-19 test results, and related health information without any apparent connection to their job duties, indicating a high probability of unauthorized access.” And she wrote that “DSH identified the breach on Feb. 25 as part of an annual review of employee access to data folders, the release said. The agency is investigating the improper access, and the employee is on administrative leave. It’s currently unclear why the employee accessed the information, the FAQ said.”
That attack highlights some of the challenges related to the current public health information reporting issues during the ongoing COVID-19 pandemic, says Caleb Barlow, CEO of the Austin, Texas-based CynergisTek consulting firm, which is currently partnered with over 1,000 patient care organizations around their cybersecurity efforts. Barlow spoke recently with Healthcare Innovation Editor-in-Chief Mark Hagland regarding the situation Below are excerpts from that interview.
What should people be thinking about, regarding that unusual breach at Atascadero State Hospital in Atascadero, California?
What gets so interesting about this is that we all already operate in a world where our mobile devices are gathering all sorts of information on us, from web search through to other types of information. Companies want to know where you go locally and where you travel. Do you go to the gym? Do you go to certain places for vacation? And we’ve all kind of gotten used to that, knowing that our data, our personally identifiable information, PII, is shared and sold.
Now, here’s where contact tracing data adds a whole new element. When you do contact tracing, you find out who an individual is and where they’re traveling, and you also find out whom they’re with. The most common way to do it is through phone-based apps. And so now we have information about where you’ve been but also people you’ve encountered, i.e., a person who might have been in the restaurant when you did your take-out. But it could also identify people who work in the office next to you or who are fellow students. But there’s information you may not want people to know—your frequent locations, your lovers, your drug dealers, your doctors, your psychologist—all of this other data is in there about whom you associate with, that tell us about you.
And the point we’re trying to raise around this issue is that no one has thought about the potential uses of contact-tracing data. What happens when the pandemic is over? Does that data get used? Sold? Used for research? Nobody had any expectations about it. That’s in contrast to the fact that Google is collecting my search data; I know that and am OK with it.
So what will happen once that contact-tracing data is no longer needed?
We don’t really know. If I spin this to the good side, a lot of that data will simply be deleted. If it’s sitting inside a company, much of it will be gotten rid of. I’m more concerned about data sets in applications. There will be a desire to use data for other things like research. And that’s where we’ve got to have some really tough questions. And in many cases, contact-tracing was not optional for people; for example, many universities required compliance. More importantly, even in the short term, now that this is something that we can track, that we have the formulas, the math, the APIs for, there will be a lot of reasons we might be able to use contract-tracing data beyond disease.
Public health departments aren’t going to sell this data, correct?
I wouldn’t think so. But it depends: sometimes, the data set is held in a public health department; sometimes in a private company; sometimes in an app. I suspect that we don’t really even know all the places where this is being held. The logical places are at work, in college campuses and universities and in mobile apps. I would like to think that in most cases, this stuff gets deleted. But now that we’ve opened the door to a new data set, you know that people might apply this data and track this data in the future for both positive and negative purposes. Think about the value for law enforcement: let’s say I have a criminal actor; I can now figure out whom you’re associating with. And a repressive government regime could use this in very bad way. On the other hand, I could also imagine legitimate research, such as looking at adolescents, etc., and we could also be in a situation where a well-intentioned prosecutor subpoenas the contact-tracing data of a suspected criminal. And that opens the door to a whole new discussion.
How much of this data is out there?
I think that we honestly have no idea. And our business really focuses on helping hospitals and healthcare providers deal with various types of highly regulated data. There are a lot of regulations in that space. One of the things that got interesting for us as the pandemic emerged was that we started getting phone calls from public health departments saying, I’ve got mountains of data and don’t know what to do with it. Suddenly, public health departments suddenly have all this data they’d never had. And universities were a huge area. And universities were doing amazing things like tracking sewage streams and overlaying contact-tracing data, and quarantining populations in order to protect them. It’s pretty amazing, in a positive way, what some of these schools have been able to do to stay open, through leveraging data to figure out where this virus was spreading. And in the vast majority of cases, they’ve done this with the best of intentions.
At the same time, we now need to look at what’s now a new-player asset. Are you going to delete it? Or do something with it? And how are you going to be transparent about what you’re doing? In most cases, they’re simply going to delete it. But that won’t be the case in 100 percent of the cases. And as a society, we’ve never thought about this data set and what the implications are.
Do you have any specific thoughts on the Atascadero breach itself?
The thing is, we don’t even know whether that breach involved malicious intent or not. That being said, one of the things we have seen historically, and this is the case with medical records, as well as hotel records, employees who have access to that data will get curious, and they do. And it’s a huge problem in hospitals, whether to check up on their favorite celebrity, or to find out about their kids’ soccer coach. And there are a huge number of tools to guard against that. The same kind of thing happens in hotels, employees checking into what the celebrity bought, watched, etc. So the thing is that there’s real potential here for abuse. So you have to pay attention to the intent of the person looking at the data. And that’s a tough thing for people to wrestle with. There are a lot of people in the world who have access to data sets for their jobs. But what’s their intent? Someone in a police department has access to a lot of personal data. And if I’m speeding down the highway at 90 miles an hour, their search based on my license makes sense. But if someone employed by a police department wants to look at someone’s record for personal reasons, that’s a different situation.
Broadening out the discussion, in terms of overall cybersecurity, what is the present state of the adoption of behavioral monitoring—are most hospitals and health systems doing it yet?
The tooling is very good, and the efficacy of the results from the tooling, is very good. The problem is that it’s very easy to overwhelm an organization with everything you’ve found. And what we’ve found is that the number of incidents can be so overwhelming, that you can overwhelm the HR department. So what’s happening is that people go back to re-tune the tools to focus on the most egregious actions. And what we really want to do is to identify as many incidents as possible. So in a lot of ways, the state of the art is very high in terms of the tooling, but we’re still in a very early phase of HR and employee relations teams recognizing what’s important.
Are CISOs getting the resources they’re needing right now? And how are they faring in the current environment?
They’re doing a much better job, because they’re focused on determining the risk posture of individuals, to determine whether to initiate an investigation. They’re looking at unusual access attempts, unusual numbers of access attempts, unusual locations. And it’s very easy to identify an individual who’s about to quit the company. The tooling there is very good. Are CISOs staffing this to the level they need to? Probably not yet.
So, as far as you know, what percentage of hospitals and health systems are using behavioral monitoring right now?
We don’t have current data, and I’d question the validity of it in any case. Most are doing something. The question is, what percentage of cases are they driving to ground, versus ignoring, and that’s something that nobody’s going to admit to, at least not publicly. And unfortunately, some of the tools vendors have responded, saying, we can help you to drive down the reporting so you only find the most egregious cases.
What’s the solution over time?
Over time, I have absolutely optimism that over time, that this gap will get closed. Remember, this is a new set of tools that people are still getting used to using. And the reason I’m optimistic about this over time is that, if something goes sideways because of a medical record, that’s going to end up in a lawsuit. We’re definitely in the early stages of managing this. Now, remember that many other industries outside healthcare that have these data sets, aren’t as regulated. So will we see movement against an individual who has access to this data in an environment that’s not regulated in the way that healthcare is? And that’s not certain.
And, per contact tracing, we haven’t seen any lawsuits yet. And all it takes is a good divorce attorney, who normally would subpoena the Facebook records of the spouse, but if they had access to contact-tracing data, they could use that. And then we’ve got a whole can of worms to deal with.
So we’ll just have to wait to see what happens?
Well, I think the reason to have conversations like the one we’re having is to say, let’s look at this. This might not be the only pandemic we’re going to go through, so, how do we manage this and make sure we have systems in place to make this work properly. Because, God forbid we have another pandemic, and no one’s willing to use these tools.
