March 26, 2021 6 min read

Opinions expressed by Entrepreneur contributors are their own.

If the 2020 hack on IT giant SolarWinds offered anything of substance to the business world, it should be an unquenchable desire to protect their employees. The hack, which trojanized an update to SolarWinds’ Orion network management tool, affected thousands of customers, ranging from Fortune 500 companies to several government agencies. Unfortunately, the effects will be felt for years.

Early this year, American intelligence agencies pinned the attack on Russia; researchers had also found several similarities between the backdoor used in the attack (the intrusion activity is tracked as UNC2452) and older malware attributed to the Russian group Turla. The extent of the infiltration is still unknown, but the scale is already staggering. More than 18,000 customers downloaded the infected update, including national agencies like the U.S. Treasury and the Department of State.

The ramifications of this attack are sobering: a nation-state can infect a top-rated IT company’s software and ride it into thousands of organizations the moment they patch their systems. Such an attack, known as a supply-chain attack, is insidious because patches and updates are considered a must for maintaining a defensive cybersecurity posture. When the patch itself is compromised, the very habit that keeps organizations safe becomes the delivery mechanism, and the results can be devastating.


Tech-savvy users are more conscious about data-sharing

With such risks out there, enterprises should be doing everything in their power to protect their employees and data. When the resources of a hostile nation-state are stacked against you, you can’t afford to miss out on easy victories. Cue the recent controversy with WhatsApp, a messaging platform that Facebook owns. It started bleeding customers when it began sharing data with its parent company. With data an ever-present concern, enterprises should shy away from apps that allow data to be shared with any outside party.

If the thought of sharing company data with one of the biggest data-harvesters in the world scares you, it should. By being among the first mainstream messengers to make end-to-end (E2E) encryption the default for ordinary chats, WhatsApp quickly built a huge customer base among people worried about their privacy on Facebook Messenger and on notoriously insecure SMS messaging.

That customer base is now leaving as WhatsApp becomes that which it swore to destroy, requiring users to consent to sharing their data with Facebook. Suddenly there is little reason to keep using WhatsApp, so users are flocking to alternatives like Signal and Telegram.

As of January 12, Signal reported 50 million downloads on Android devices alone. In January, Telegram hit 500 million users, with 25 million of the new users joining within a 72-hour period. For reference, it took Telegram about six months to add 100 million users across 2019 and 2020. Clearly, the exodus from WhatsApp shows that secure messaging is still something most people want and need.

These apps are also using clever ways to get more people on board, like letting users migrate an entire group chat from WhatsApp to Signal with a simple link. With this feature, Signal can grow its user base exponentially without asking people for their contact lists. Signal had around 20 million active users in December 2020. While the company hasn’t disclosed how many users it has added since WhatsApp started hemorrhaging them, it was downloaded 7.5 million times in a five-day period in January 2021 after Elon Musk tweeted about it.


Finding a Secure Alternative for Business

As more people join these secure messaging apps, they’re becoming a viable alternative for other users. A messaging app is only as good as its customer base, after all. If you can’t find a user on it, why use it? But are these apps suitable for widespread enterprise use? 

Truthfully, Signal is a fairly bare-bones app without a lot of features, and it can be clunky to use. Many consider it useful primarily for messaging, but enterprises need more robust features from an internal-communication app. Privacy advocates also have concerns: it requires a phone number to be associated with the account, and existing users get a notification when one of their contacts signs up for Signal, which strikes many as a privacy issue. Enterprises simply can’t afford that kind of exposure of employee identities in their communications.

Similarly, using WhatsApp across devices is awkward. It may be cloud-based, but all data must first be sent to your phone; other devices then sync from that.

Telegram is not end-to-end encrypted by default: you get E2E encryption only by starting a one-to-one “secret chat,” and group chats never have it. Everything else is encrypted only between your device and Telegram’s servers, which hold the keys. Even so, Telegram is somewhat better suited to businesses because it allows customization and lets users access their group chats and messages from any device simultaneously. It also allows direct-to-consumer marketing, similar to email, by letting companies send one-way messages to people who sign up for notifications.

It’s worth noting, though, that as these free, widely adopted apps expand their customer base, they become more of a target. For example, a collection of 13 different vulnerabilities was recently discovered in the Telegram apps for both Android and iOS. The vulnerabilities were in a library Telegram uses to parse and render animated stickers in chats, and they created an attack surface for potential remote code execution. A parser for rich content that anyone who can message you can reach is exactly the kind of code a motivated attacker goes looking for.

Also, these apps are still in their nascent stages and lack the server capacity to absorb a huge migration by a large enterprise or government organization. Apps like Teams, already in widespread use across many government agencies, offer far more robust enterprise options, such as file storage, two-factor authentication and voice/video chat. Teams still lags in the security arena, however: its messages are encrypted in transit and at rest but not end to end, so the provider holds the keys. All in all, many of these solutions are not viable for securing employee communications, leaving message content exposed to whoever controls, or compromises, the servers. The best solution is a secure messaging app that is end-to-end encrypted.

Companies looking to secure their employees’ online activity, devices and messaging need to seek out innovative solutions. Research is critical for enterprises to understand whether their communications and data are as secure as they think. With threats lurking everywhere online, they can’t afford to leave anything to chance. While not the only solution, using encrypted messaging platforms is an important way to secure vital communications and keep employees safe, especially in an era when more and more professionals work remotely. The SolarWinds hack should be a wake-up call that organizations can never stop innovating.


An upcoming Apple iOS update for the iPhone, iPad and Apple TV will give users the power to decide whether or not an app can access their data across sites and other apps.

The iOS 14 (iPhone), iPadOS 14 and tvOS 14 beta updates will ramp up privacy measures with an opt-in requirement Apple is calling App Tracking Transparency. The feature will ensure companies and developers have to ask for a user’s permission before they can collect and use data for advertising and tracking purposes.

The update is expected to go out in the Northern Hemisphere spring, which is autumn in Australia. Apple had originally planned to ship the feature in September 2020 but delayed it to give developers more time to prepare for the new requirements.


The iPhone’s settings already let users disable tracking, but this is the first time users will be prompted with the option, and developers risk being removed from the App Store if they fail to comply.

Image credit: Apple

As for the kinds of tracking we may be experiencing now if we haven’t dug into our settings, here are four examples from Apple’s developer page:

  • Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.
  • Sharing device location data or email lists with a data broker.
  • Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users.
  • Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

However, there are exceptions to what data access Apple considers “tracking.” User permission will not be required when data “is linked to third-party data solely on the user’s device and is not sent off the device in a way that can identify the user or device”, and when data is shared with a data broker “solely for fraud detection, fraud prevention, or security purposes, and solely on your behalf.”

Facebook: Not happy, Jan.

The transparency-focused move from Apple has, of course, caused concern for certain companies, namely Facebook. The social media giant has been arguing, even taking out full-page ads in American newspapers to do so, that removing personalised advertising will cost small businesses attention and cost websites ad revenue, driving the latter to implement more subscription-style fees and reduce high-quality content.

“These changes will directly affect their ability to use their advertising budgets efficiently and effectively,” read the company’s stance, published on Facebook for Business. “Our studies show, without personalised ads powered by their own data, small businesses could see a cut of over 60% of website sales from ads.” 

Apple Chief Executive Officer Tim Cook responded to Facebook’s concerns with a tweet in December.

“Facebook can continue to track users across apps and websites as before,” Mr. Cook posted. “App Tracking Transparency in iOS 14 will just require that they ask for your permission first.”

Keep up to date with Dynamic Business on LinkedIn, Twitter, Facebook and Instagram.



Next year is poised to be a banner year for people accessing their health information. In April, the Department of Health and Human Services (HHS) will implement its long-awaited interoperability and information blocking rules.

Though providers were already giving patients access to their data to some extent, the new rules widen the scope of the information to be provided. As a result, providers are retooling their policies and processes around data access and working to iron out potential hurdles that could hurt the patient experience. EHR vendors, on the other hand, are focusing on shoring up the technology infrastructure that will enable expanded patient access and on educating their provider clients. Both groups received a breather when HHS pushed the compliance date of the final rule from the Office of the National Coordinator for Health IT (ONC) back to April 5 from Nov. 2.

What’s in the ONC’s final rule?
Together, the ONC rule and the rule from the Centers for Medicare & Medicaid Services (CMS) implement the interoperability and patient access provisions of the 21st Century Cures Act and support the MyHealthEData initiative, which aims to give patients control over their healthcare data so they can decide how it will be used.

The ONC’s final rule specifically establishes new regulations to prevent information blocking by healthcare providers, health IT developers, health information exchanges and health information networks. According to Leah Voigt, Spectrum Health’s chief compliance officer, information blocking happens for two main reasons. First, complex privacy laws and regulations overlap at the federal and state levels, so these laws can be “over interpreted” to prevent the sharing of health information even when it is actually allowed, she said in an email. Second, the cost and complexity of making health information available can deter data sharing.

“This is compounded by the first reason — it’s hard to know which law or regulation applies when, under what circumstances; and designing processes and technology solutions to make health information available in ways that comply with these laws and rules is not easy,” she said. “Often the more complex or nuanced the rules, the more costly the solution.”

The ONC’s final rule requires healthcare entities to give patients complete access to their personal health information, including clinician notes. It also establishes standards-based application programming interface (API) requirements. APIs are how smartphone apps talk to back-end systems, and the new requirements will support a patient’s ability to securely obtain their health information from their provider’s EHR using an app of their choice.

“One of the goals of the 21st Century Cures Act is to make sure that health information is interoperable and computable, giving patients more control of their medical record,” said an ONC official in an email who declined to be publicly identified. “That seamless exchange of electronic health information and patient use of smartphone apps have the potential of delivering affordability and quality through transparency and competition.”

The law states that certified health IT developers and HIEs/HINs would be subject to penalties of up to $1 million per violation for information blocking, the ONC spokesperson said. Healthcare providers will be treated differently: HHS is reviewing feedback on the appropriate deterrents for situations where a provider is found to have engaged in information blocking.

By April, healthcare providers have to make a subset of health data available to patients. That subset, the United States Core Data for Interoperability (USCDI), includes a dozen or so data classes, including allergies, medications and clinical notes. By October 2022, providers have to make all of a patient’s electronic health information available.

How health systems are preparing
Boston-based Mass General Brigham, which includes Brigham and Women’s Hospital and Massachusetts General Hospital, is one of many systems that need to comply. It set up a working group to discuss the process ahead, said Deborah Adair, executive director of enterprise health information management at the health system, in a phone interview.

The health system was already in compliance with some of the regulations. For example, Mass General Brigham patients received their medical records on request. But to ensure compliance with the new rule, the health system now makes records immediately available via the patient portal. This includes inpatient information, as well as information related to ambulatory visits.

Other elements of the new rule, however, placed the health system in a quandary. What should they do when test results contain sensitive information? Up until now, these results were delayed to give clinicians enough time to review the results and personally contact the patient, with whom they have a relationship, to explain what the results mean and answer questions and concerns, Adair said.

But the new regulations stipulate that all test results be made available immediately and easily to patients, so the health system needed to decide how to comply while also considering how to deliver unwelcome health news to patients via the portal. 

“That was one of the biggest things we grappled with because the law requires you to share everything with the patient and we weren’t used to that, and our doctors were concerned it would cause [the patient] emotional harm if they get a cancer diagnosis without getting a call from them first,” Adair said. “And the regulation requires that you can only block a note if it’s going to cause significant physical harm or life-threatening injury. The law specifically excludes emotional harm.”

To ensure patients were not left feeling like they had to deal with traumatic diagnoses on their own, the health system decided to put a note on test results containing sensitive health news. That lets patients know that their provider would call them to discuss the results.

“It’s gone [over] pretty well,” Adair said. “I think people were nervous that there was going to be a lot of reactions from patients and phone calls and concerns and so forth. But it hasn’t proven to be that way. So, I think it’s good that patients have access to their information any time they want it.”

The information sharing is, of course, not limited to the patient portal. Under the new rule, health systems have to make provisions for patients to authorize third-party apps, like Apple Health, to access their health information. Mass General Brigham, however, was already prepared for this.

The health system uses Epic’s EHR, which provides an industry-standard set of Fast Healthcare Interoperability Resources (FHIR) APIs that third-party apps can use to access the medical records it manages. Mass General Brigham also has a security protocol that lets third-party apps request access to patient information in a secure way, Adair said. The standard the ONC rule adopts for that step is the SMART App Launch framework, in which an app receives an OAuth 2.0 access token only after the patient has authorized it.
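As an added example (this is not code from Mass General Brigham, Epic or Cerner), here is the check a FHIR resource server performs before handing a record to a patient-authorized app; it also illustrates the vendor onboarding discussion later in this article. It assumes the SMART App Launch flow the ONC rule adopts for this step: the app holds an OAuth 2.0 access token that carries SMART scopes such as "patient/Observation.read" and that the authorization server bound to the one patient who approved the app. The token shape, resource records and ids below are constructed for illustration.

```python
"""Added example, not the code of any health system or EHR vendor named in the article.

Assumptions (not stated in the article): the app presents an OAuth 2.0 access
token obtained through the SMART App Launch flow; the token carries SMART scopes
such as "patient/Observation.read"; and the authorization server bound the token
to a single patient when that patient approved the app. Records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessToken:
    """Claims the resource server trusts after validating the token (hypothetical shape)."""
    patient_id: str          # patient the token is bound to (SMART "patient" context)
    scopes: frozenset[str]   # SMART scopes the patient granted


# Constructed sample FHIR resources, trimmed to the fields needed here.
# Observation and DocumentReference name the patient in "subject";
# AllergyIntolerance names the patient in "patient".
RESOURCES: list[dict] = [
    {"resourceType": "Observation", "id": "obs-1",
     "subject": {"reference": "Patient/123"}, "code": {"text": "Hemoglobin A1c"}},
    {"resourceType": "Observation", "id": "obs-2",
     "subject": {"reference": "Patient/456"}, "code": {"text": "Hemoglobin A1c"}},
    {"resourceType": "AllergyIntolerance", "id": "al-1",
     "patient": {"reference": "Patient/123"}, "code": {"text": "Penicillin"}},
    {"resourceType": "DocumentReference", "id": "note-1",
     "subject": {"reference": "Patient/123"}, "description": "Clinic note"},
]


def parse_scope(scope: str) -> tuple[str, str]:
    """Split a patient-level SMART scope 'patient/<Type>.<access>' into (Type, access).

    Only patient-context scopes are accepted: a patient-authorized app never
    gets "user/" or "system/" scopes in this example. Malformed scopes raise.
    """
    context, _, rest = scope.partition("/")
    rtype, _, access = rest.partition(".")
    if context != "patient" or not rtype or access not in ("read", "write", "*"):
        raise ValueError(f"unsupported scope: {scope!r}")
    return rtype, access


def scope_permits(token: AccessToken, resource_type: str, access: str = "read") -> bool:
    """True if any granted scope covers this resource type and access mode."""
    for scope in token.scopes:
        rtype, acc = parse_scope(scope)
        if rtype in (resource_type, "*") and acc in (access, "*"):
            return True
    return False


def subject_of(resource: dict) -> Optional[str]:
    """Return the 'Patient/<id>' reference a resource belongs to, or None."""
    ref = resource.get("subject") or resource.get("patient") or {}
    return ref.get("reference")


def authorize_read(token: AccessToken, resource_type: str, resource_id: str) -> tuple[int, dict]:
    """Decide a GET /<Type>/<id> request. Returns (HTTP status, simplified body).

    The scope check runs first and answers 403. A record that exists but belongs
    to another patient answers 404, the same as a missing id, so an app cannot
    use the status code to probe for other patients' record ids.
    """
    if not scope_permits(token, resource_type, "read"):
        return 403, {"resourceType": "OperationOutcome", "issue": "insufficient_scope"}
    for resource in RESOURCES:
        if resource["resourceType"] == resource_type and resource["id"] == resource_id:
            if subject_of(resource) == f"Patient/{token.patient_id}":
                return 200, resource
            break  # exists, but outside this token's patient compartment
    return 404, {"resourceType": "OperationOutcome", "issue": "not-found"}


if __name__ == "__main__":
    # Token bound to patient 123 with read access to observations and notes only.
    token = AccessToken("123", frozenset({"patient/Observation.read",
                                          "patient/DocumentReference.read"}))
    for rtype, rid in [("Observation", "obs-1"), ("Observation", "obs-2"),
                       ("AllergyIntolerance", "al-1"), ("DocumentReference", "note-1")]:
        status, _ = authorize_read(token, rtype, rid)
        print(f"GET /{rtype}/{rid} -> {status}")
```

Two choices in the check are deliberate: the scope test answers 403 before any lookup, and a record that exists but belongs to a different patient answers 404 rather than 403, so the error code cannot be used to enumerate other patients’ record ids. A production server validates the token’s signature, issuer, audience and expiry before any of this runs; that step is omitted here.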

Getting to compliance wasn’t just a matter of IT tweaks and allaying physicians’ concerns. It required internal education as well. Mass General Brigham worked with its clinicians, educating them on the rule, how it affects them and what they need to do to remain in compliance, she added.

Like Mass General Brigham, Spectrum Health, based in Grand Rapids, Michigan, has also started sharing clinician notes for all types of visits with its patients, Voigt, the system’s compliance chief, said in a phone interview. Though it already had an initiative in place to share notes from ambulatory visits, it has spent the last few months providing notes from inpatient visits as well to patients via Spectrum Health’s online portal.

“Use of our EMR and an app for a portal to grant patient access is not something new to us,” Voigt said. “We’ve just expanded the scope of the information we are giving patients access to.”

Over the next few months, Spectrum Health plans to monitor the new processes and understand whether any tweaks need to be made. For example, as noted above, clinicians can hold back information if they feel it may cause the patient physical harm, but that is at the clinician’s discretion. The health system will monitor EHRs and disclosures to apps to see how often clinicians are holding back information and what their reasons are, Voigt said.

Spectrum Health will also examine other trends, such as whether the withholding of information is occurring more often in a certain specialty area or among a certain set of clinicians. This is important “so we can go back and look at those patterns to determine whether or not we need to have focused education for providers on the information blocking [regulations].” Further, it can help to determine “if there is something we need to change in our process of providing those open notes that will further help ensure compliance. So, we are really taking advantage of this time,” before compliance is required, she added.   

The EHR vendor perspective
Both Cerner and Epic, the two biggest EHR vendors in the country, make APIs available to third-party app developers so that the health information on their respective systems can be shared with patients. To ensure compliance with the new rule, both companies are making changes to their ongoing efforts.

“In response to the ONC’s 21st Century Cures Act final rule, we are pursuing development efforts to upgrade those APIs to the latest version of FHIR adopted as a standard by ONC,” said Dick Flanigan, senior vice president at Cerner, in an email. “We will also be overhauling our app registration and onboarding processes to ensure that apps used by patients to access their health information can connect as seamlessly and effortlessly as possible. Incorporated into these processes are industry standard privacy and security capabilities to ensure that a patient’s health information is securely transmitted and only made accessible to an app when authorized by the patient.”

In addition, the company is making enhancements to Consolidated Clinical Document Architecture (C-CDA) documents, which are “used by providers to exchange information for referrals and other critical technologies,” he said.

Epic already makes several APIs available to share data elements in the United States Core Data for Interoperability set, including data on medications, allergies and other information, said Stirling Martin, senior vice president and chief security officer at Epic, in a phone interview. More recently, the company added clinical notes to the set of APIs available.

For both Epic and Cerner, educating customers, the health systems that use their EHRs, is a must.

“Where a lot of our time and energy has gone [in the last six to nine months] is into educating the customer community on what the rule really requires and the scope of what it applies to,” Martin said. “[The rule] certainly applies to the data in their Epic system but it also applies to the lab system, dietary system, heck it even applies — if they exchange health information by email, it applies to that as well. As organizations get [data] requests, they need to think about what’s their workflow, what’s their process for managing those requests.”

Cerner’s Flanigan said that his company is providing education and resources to customers on how they can use the company’s software to exchange health information in different scenarios.

While health systems and EHR vendors alike accelerate efforts to comply with the new rule, it’s worth noting that it’ll likely be years before the regulations become fully integrated with the healthcare ecosystem.

It will be a “multi-year journey,” Voigt of Spectrum Health said. Industry stakeholders can expect updates and changes along the way.

Voigt believes the “journey” will likely mimic other major policy changes that have been instituted.

“The one thing I would say, from a compliance officer and a privacy officer standpoint, is similar to what the healthcare industry experienced when the HIPAA rules were created…it took several years for the healthcare industry as well as the government agency that enforced the HIPAA rules, in that case the ONC, to really understand how those rules would be implemented and where those regulations weren’t so clear, or where the agency needed to provide guidance,” she said. “We know a lot more about how to comply with HIPAA now, about 20 years in, than we did [initially], and I think it’s going to take similarly that time for the healthcare industry, and ONC and CMS to understand how these regulations really work in practice.”

Photo credit: ipopba, Getty Images
