All,

(See article link above & below)
https://www.beckershospitalreview.com/cybersecurity/aha-hhs-should-withdraw-health-data-tracking-rule.html

This issue strikes me as a potential emergency. All American health professionals need to be writing our professional associations to demand that they oppose what The American Hospital Association is trying to do here.

I will be writing ACA, and -- time permitting -- will publish more on this later.

The problem in a nutshell is that every time hospitals -- or any other medical source -- make use of 3rd party trackers like Google Analytics, they provide data that can identify a patient. It is a HIPAA violation. They will argue that -- depending upon what is provided -- it does not actually give away enough information to identify the patient, but that is a bogus argument. Google Analytics (and many other outside tech tools) collect databases of information so they can put together profiles over time.

So -- for example -- if a hospital gives Google Analytics a web browser cookie showing that the client logged into their site, the cookie MIGHT just identify the web browser without the client name. BUT -- when that same client goes and logs into their Google account later (for which they have previously given their name), Google can observe the same "anonymous" cookie in the web browser and deduce that this is the same person who logged into the hospital website. If it happens to be an abortion clinic, then Google knows roughly the services provided. If the hospital sends the cookie from psychotherapist John Smith LCPC's telehealth page, then Google knows that the patient sees psychotherapist John Smith.

If hospitals need the tools that Google and other tech companies are providing, they need to buy internal versions of such to run on their own systems. If hospitals need to do marketing, then they need to run the 3rd party trackers only on the most public parts of their websites. therapyappointment.com is a good example of being a good citizen about this -- they run about eight 3rd party trackers on their home page, but only 1 tracker once a therapist has logged in. And that one tracker is for Amazon Cloud Services -- arguably a tracker that is necessary to the operation of their website.

I could see narrow exceptions allowing for 3rd party trackers that might make sense (AHA is making heavy use of these fringe cases in the article). Most of the time its a big problem.

I'm disgusted that the AHA is taking this position. It means they have NO respect for the data privacy they supposedly support!

-- Michael

@rsstosecurity @infosec
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords #telehealth #netneutrality #socialengineering #AHA #americanhospitalassociation #APA #americanpsychologicalassociation #ACA #americancounselingassociation #NASW #nationalassociationofsocialworkers #AMA #americanmedicalassociation #EHR #medicalnotes #progressnotes @psychotherapist @psychotherapists @psychology @socialpsych @socialwork @psychiatry #technology #healthcare #patientportal
#HIPAA #dataprotection #infosec #doctors #hospitals #BAA #businessassociateagreement #congress #senate #lobbying