Privacy Laws Being Passed in 2022 hero image

Privacy Laws Being Passed in 2022

In 2020, California passed the California Consumer Privacy Act (CCPA), paving the way for other states to pass similar laws that enhance privacy rights and consumer protection. To date, Virginia and Colorado have enacted their own privacy laws and, just last month, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (Utah Law). Although these new laws are more business-friendly than CCPA, executive leaders need to strategize and pivot to new practices that will comply with new data privacy laws. 

According to Reuters, additional states are expected to pass their own comprehensive privacy laws in 2022 and into 2023. Last month, there were data privacy bills pending in Connecticut, Hawaii, Massachusetts, Minnesota, Oklahoma, and Wisconsin. Overall, there are 22 states with consumer privacy legislation pending. Some of these bills were first introduced in carried over 2021, but many are new and remarkably similar to the California Consumer Privacy Act.

CPO Magazine reported that “[CPRA].. will introduce some other changes for companies that could contribute to added labor and costs. It creates a new category of “sensitive personal information” that covers things like unique identification numbers, financial account information, geolocation, biometric information and health information. This comes with new opt-in and opt-out requirements as well as purpose limitation and disclosure rules, and potentially bigger penalties for not keeping pace with the new standards.”

Business leaders in states where data privacy bills are being enacted should be prepared for how these new laws will affect their risk profile, IT processes and operations burden. And if the U.S. is successful at passing a comprehensive federal privacy law, all business sectors will have to keep pace with both Federal and state regulations.

 

How can businesses prepare?

With substantial amounts of data being collected and managed, businesses will always have to contend and comply with data privacy laws. As new laws are being developed, a business can prepare by ensuring privacy best practices for their industry and compliance with state and federal laws. One way to preserve privacy and ensure compliance is with TripleBlind.

TripleBlind has created the most complete and scalable solution for privacy enhancing computation. The TripleBlind Solution helps mitigate the risks of sharing data for computation by providing capabilities for protecting data in-use.

TripleBlind allows data users to compute on data as they normally would, without having to “see”, copy, or store any data. Our solution allows data owners full Digital Rights Management (DRM) over how their data is used on a granular, per-use level.

We support all cloud platforms and unlock the intellectual property value of data, while preserving privacy and ensuring compliance with all known data privacy and data residency standards, such as HIPAA and GDPR.

If your company is looking to remain compliant with data privacy laws, schedule a personalized demo with us.

Healthcare Data Privacy Laws hero image

Healthcare Data Privacy Laws

In healthcare, electronic records make it easier to coordinate care, deliver better treatments, and conduct medical research. However, digital records can be abused or accessed without proper authorization, both of which are serious breaches of patient privacy.

As a way to protect patient privacy, governments around the world have enacted healthcare data privacy laws that regulate the ways in which people and organizations handle patient data. In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most prominent law related to protecting the privacy of patients. In the European Union, the most prominent healthcare data privacy law is the General Data Protection Regulation (GDPR).

 

Understanding HIPAA

Healthcare data is extremely valuable and while privacy concerns must be taken seriously, it is also important for organizations to use this data in responsible ways, such as the pursuit of better healthcare or drug development.

The main section of HIPAA related to healthcare data privacy regulations is called the Privacy Rule. This section is designed to protect privacy while still permitting the responsible use of healthcare data.

The Privacy Rule covers the following entities:

  • Health Insurance Plans. These plans can be for individuals or groups.
  • Healthcare Providers. Any organization that administers care or medical procedures is considered a provider.
  • Healthcare Clearinghouses. These organizations process insurance claims and act as middlemen between providers and health insurance payers.
  • Business Associate. These individuals or organizations perform functions on behalf of or provide services to one of the above covered entities.

In an attempt to balance privacy and legitimate use of healthcare data, the Privacy Rule was written to be flexible. The need for responsible disclosure and a range of potential use cases were considered and these considerations were incorporated into the rule.

In trying to strike the right balance, the Privacy Rule prioritizes patient privacy and gives individual patients some rights related to their personal health information, such as the right to: 

  • obtain a copy of their health record
  • authorize their provider to send information to a third party
  • ask for corrections to their record.

The rule also says people and organizations that handle healthcare data must take all appropriate steps to safeguard the privacy of personal health information.

On the other side of the ledger, a covered entity is allowed to use and disclose healthcare data. It can do so without authorization from an individual if the purpose is: 

  • providing treatment
  • processing payment 
  • offering the opportunity to agree or object to use or to benefit a greater public good

Covered entities can also provide a limited set of healthcare data for research, public health, or healthcare purposes.

If a covered entity plans to use protected health information that isn’t related to treatment, payment, or other purposes permitted by the Privacy Rule, it must obtain written permission from the individual(s). Covered entities cannot condition treatment, enrollment, payment, or benefits eligibility based on an individual giving authorization, except in some limited situations.

The core tenet of the Privacy Rule is the notion of minimal use and disclosure. Covered entities looking to use or disclose healthcare data must develop a healthcare data privacy policy that ensures the only information released is that which is needed to achieve the stated purpose behind use or disclosure.

Under President Donald Trump, two key HIPAA-related privacy regulations were enacted. The CARES Act gave healthcare providers more latitude for the sharing of  records related to treatment of substance abuse disorders, more closely aligning existing regulations with HIPAA. The Safe Harbor Act gave the Department of Health and Human Services permission to refrain from handing out penalties for data breaches if a covered entity could show it had a recognized security framework. These evolving frameworks highlight the need for more advanced solutions to enable collaboration on data to ensure alignment with existing and future regulatory requirements.

 

Understanding GDPR

GDPR is much broader in scope than HIPAA, as it covers the protection of personal data collected outside the healthcare industry.

GDPR also has a much broader scope of data considered to be private information. Therefore, the European standard is generally considered to be much higher than the one established by HIPAA.

This healthcare privacy regulation singles out three specific types of information for protection:

  • Health Data. This data is related to the mental or physical health of an individual, including any administered healthcare services that may indicate a health condition.
  • Genetic Data. This data is related to inherited or acquired genetics of an individual that translates to their distinct physiology, including the results of a genetic analysis conducted on a biological sample provided by an individual.
  • Biometric Data. This is data created by specific technical analysis of an individual’s physical, physiological, or behavioral qualities — such as a fingerprint scan — that can then be used to confirm their unique identification.

GDPR also outlines how protected data is allowed to be processed. Sensitive data can be processed for medical diagnosis, medical treatment, or the management of healthcare systems and services. The European regulation also says that sensitive data may be processed in serious situations related to public health, such as preventing the spread of disease across borders or assessing the safety of medical products.

 

Data Collaboration and Compliance

Both HIPAA and GDPR were written with the good intentions of protecting patient privacy, but both sets of healthcare data privacy regulations do present several obstacles when it comes to the handling and legitimate use of healthcare data. Covered entities looking to use healthcare data in a collaboration with another party must have a healthcare data privacy policy focused on remaining compliant.

For instance, a covered entity looking to have its healthcare data processed by a third-party analytics provider must enter into a business associate agreement with the provider and take several other steps to ensure HIPAA compliance. Furthermore, the data provider should take steps to ensure the data is only used for authorized purposes, while the analytics provider should take steps to ensure its proprietary algorithms are not disclosed.

While the challenges presented by compliance can be significant, data collaborations can be incredibly beneficial to individuals, organizations, and society. For example, healthcare data could be used to help discover new drugs or uncover new indications for existing drugs. Data collaborations can also improve research processes. For example, machine learning algorithms are capable of driving the next generation of medical developments, but these sophisticated systems must be trained on massive amounts of healthcare data.

The results of healthcare data collaboration can range from improved patient outcomes to reduced healthcare costs all the way to saved lives. So despite the challenges of compliance, it is worth the extra effort to ensure data privacy by adhering carefully to healthcare data policies like HIPAA and GDPR.

 

How the TripleBlind Solution Can Help

TripleBlind’s complete and scalable solution for privacy-enhancing computation makes HIPAA and GDPR compliance much less expensive, simpler, and more reliable. 

Our one-way encryption technology allows both healthcare data collectors and data processors to keep their valuable assets behind respective firewalls. This solves for many compliance issues associated with data collaboration while attenuating risk. TripleBlind natively supports major cloud platforms, including availability for download and purchase via cloud marketplaces, and unlocks the intellectual property value of data.

If you would like to learn more about how our technology can simplify data partnerships, please contact us today.

Big Data Security and Privacy Issues in Healthcare hero image

Big Data Security and Privacy Issues in Healthcare

The mass digitization of medical data expanded the possibility of improving healthcare through the application of big data analytics. However, personal medical issues are considered private matters and as a result, the use of patient data is highly regulated by privacy laws such as HIPAA and HITECH. On top of that, any data with value is a target for criminals, and thus, healthcare data must be kept secure. While striving to meet security and privacy challenges, the medical community is trying to get the most out of its valuable data. 

Technical capabilities in healthcare also led to an increased focus and evidence-based decisions. Health care researchers and professionals are seeing data as the key to improving care, informing clinical decisions, tracking disease, and monitoring adverse effects of drugs or medical devices.

None of these improvements are possible if healthcare data cannot be shared or operationalized without ensuring both security and privacy. This means that leveraging big data requires systems that not only unlock new insights, but also protect the privacy of patients.

Since threats to privacy and security keep evolving, stakeholders must also actively refine their protective methods. With the COVID-19 pandemic leading to a pronounced reliance on digital technology, hackers leveraged cyber crime opportunities According to a report from Critical Insights, data breaches reached an all-time high in 2021, exposing a record amount of sensitive data.

In trying to combat the threat of cyberattacks, organizations have been finding that relying on a bottom-up, reactive, and technically focused protection strategy is not enough to address big data security and privacy issues in healthcare. Instead, experts are recommending a proactive, top-down approach that includes proper training of employees and other non-technical methods.

 

The Differences Between Big Data Security and Privacy

Security and privacy may seem like very similar concepts, but in the context of healthcare data, there are important distinctions between them.

  • Security of healthcare data. Healthcare security measures are designed to prevent unauthorized access, data theft and cyberattacks that could expose data.
  • Privacy of healthcare data. Privacy measures are designed to prevent  connections between personal medical information and specific individuals. While security measures may be focused on shielding data from intentional attacks and theft, privacy measures are focused on the ways for data to be handled and used safely. Privacy measures outline the ways in which patient data can be collected, transferred, and used with respect to both privacy regulations and ethical behavior.

 

The distinctions between these two concepts are particularly relevant when trying to address big data security and privacy in healthcare. Security measures must be designed to ensure the integrity and confidentiality of data. Measures like firewalls and encryption prevent data from corruption and unauthorized access. In some ways, security measures for protecting healthcare data also support privacy. Administrative structures and techniques like anonymization are designed to prevent organizations that handle patient data from using that data against patients’ wishes.

It is important to note that a patient can waive some degree of privacy by giving consent to an individual or organization. For instance, a patient could authorize their provider to share the results of a medical test with clinical researchers. If you’re interested in learning more about what disclosures are permitted for personal health information, check out this Ultimate Guide to Healthcare Data Security.

 

Securing the Entire Data Lifecycle

Companies that handle healthcare data must use security methods that protect both their assets and satisfy compliance concerns. Experts recommend that organizations consider the entire lifecycle of the data when applying security measures. The typical life cycle of healthcare data contains four phases: collection, storage, processing, and knowledge creation.

Data collection can involve gathering data in various formats from multiple sources. From a security standpoint, this should mean collecting data from reliable sources in a secure manner. Importantly, healthcare data may not come directly from patients, and companies receiving healthcare data must have systems in place to ensure their data collaboration is secure. Security measures for this part of the data lifecycle should prevent improper access, corruption, unauthorized disclosure, duplication, erasure, misuse, loss, and theft.

The first step of the storage phase involves filtering and characterizing the data according to predefined qualities. Some data may require preprocessing to facilitate future analysis. Preprocess steps like removing duplicate data or statistical noise are meant to improve the quality of collected data prior to any processing. This step could involve some security-related preprocessing, such as anonymization methods or data partitioning. The secure storage of data typically involves keeping it isolated and applying access control measures.

After data has been collected, preprocessed and stored securely, it is ready for the analysis phase. This stage involves the use of robust data mining techniques to generate useful knowledge and insights. The data mining process should be configured in a way that prevents mining-based attacks or breaches of this part of an organization’s network. Access control measures should also be in place to ensure that only authorized personnel can access data analysis processes.

The ideal result of a processing phase is the creation of valuable insights. These insights themselves are also regarded as valuable data that must be protected, just as the data used to create these insights must be protected by security measures.

The entire life cycle of big data in healthcare requires the ability to securely store and maintain integrity via access control. Securing the entire lifecycle becomes more complicated as more touchpoints are added by different organizations. Data providers, collectors, analyzers, and any other stakeholders must all play their responsible part in keeping healthcare data secure. Some collaborations use business associate agreements (BAAs) to hold parties accountable for unauthorized use, but these agreements only establish a reactive mechanism for addressing security malpractice.

 

Privacy Issues with Big Data in Healthcare

Any discussion about maintaining patient privacy in the United States must include the Health Insurance Portability and Accountability Act (HIPAA). Enacted into U.S. law in 1996, HIPPA established national standards for ensuring patient privacy. In Europe, the General Data Protection Regulation (GDPR) has established a strict standard for ensuring patient privacy.   

HIPAA and GDPR have made it compulsory for healthcare organizations to address privacy concerns with big data in healthcare by establishing a robust privacy policy. In addition to addressing security concerns, employee training and access control systems can go a long way to addressing the privacy risks of big data in healthcare.

As you are well aware, organizations that handle healthcare data should be using HIPAA-compliant software and IT solutions. Any systems or applications developed by a company must prioritize privacy, compliance, and any privacy agreements. When there is significant overlapping privacy protection provided by technical security measures, companies should use anonymization techniques, which aim to remove any identifying information that could be traced back to a specific individual. However, removing potentially identifying information from patient records can result in a significant loss of value. For example, a cancer diagnosis for a female patient in a certain hospital could be traced back to identify a specific person but removing that diagnosis from the record results in a loss of value for cancer research purposes. Other anonymization efforts add statistical noise to data to obfuscate any attempts at identification, but the addition of noise too can diminish the value of the original dataset. There are other approaches to big data security and protection of privacy in healthcare, until now, all have had disadvantages along with their advantages.

 

Addressing Big Data Security and Privacy Issues in Healthcare with TripleBlind

Ensuring the security and privacy of big data in healthcare is a complicated undertaking, and one that gets even more complicated as more entities get involved. However, for organizations in healthcare, not making use of big data simply isn’t an option anymore.

The innovative TripleBlind Solution is designed to simplify both the security and privacy of big data analytics for data collaborations. Our privacy-enhancing approach allows data collaborators to protect both valuable data and algorithms used to process that data, avoiding the need for addressing security concerns with BAAs. TripleBlind’s innovations build on well understood principles, such as federated learning and multi-party compute. Our innovations radically improve the practical use of privacy preserving technology, by adding true scalability and faster processing, with support for all data and algorithm types, including such as medical imaging or genomic data. 

In addition to preserving security and privacy, our one-way encryption approach helps to retain a high level of data utility, unlike anonymization techniques. 

If you would like to learn more about how the TripleBlind Solution can address your big data security and privacy issues in healthcare, please contact us today.

Privacy Enhancing Technology Summit Hero

Privacy Enhancing Technology Summit, May 18-19, Hilton Boston Back Bay, USA

Privacy Enhancing Technology Summit, May 18-19, Hilton Boston Back Bay, USA

TripleBlind is honored to be speaking and exhibiting at Privacy Enhancing Technology Summit North America. We couldn’t imagine a better location to discuss unleashing the power of sensitive data and mitigating risks.

TripleBlind Founder and COO Greg Storm will take part in The PET Category: Trends, Trajectory, and Predictions as he discusses, “How and Why Adoption Could 100x over the Next 18 Months.” Most everyone is already aligned on the importance of privacy and the potential of PET. Greg will highlight how the healthcare, financial services and other industries are getting past mere POCs and deploying commercially, by making the business case and demonstrating ROI for privacy enhancing technology. He will also briefly touch on TripleBlind’s unique solution which makes previously unfeasible projects that involve sensitive data possible!

Are you attending PETS? Set up a meeting with us here.

Ultimate Guide to Healthcare Hero image of Dr. reviewing Guide and taking notes

The Ultimate Guide to Healthcare Data Security

Introduction

What opportunities remain for the future of a healthcare industry that has faced decades of change in two short years? Countless –– as long as organizations remain dynamic and leverage digital opportunities. From optimizing telehealth offerings to catalyzing medical innovation, robust and reliable data is the backbone for healthcare’s advancement in 2022. In the same vein, data security is integral to ensuring the protection of confidential patient information and compliance with federal and state-level regulations. Interested in learning more about the intersection between data security and healthcare? Here’s our Ultimate Guide!

 

What is considered “healthcare data?”

Healthcare data, sometimes known as medical or clinical data, is any data related to health conditions, reproductive outcomes, causes of death, and quality of life for an individual or a population. Sources for this data include surveys, claims data, administrative and medical records, disease registries, and more.

 

What are the two federal laws that have been enacted to protect personal health information?

Numerous laws protect the privacy of health data. In the United States, The Health Insurance Portability and Accountability Act (HIPAA) and The Health Information Technology for Economic and Clinical Health (HITECH) Act create standards that qualify and protect the privacy of identifiable health information.

HIPAA was enacted in 1996. Before its passage, hospitals, medical practices, and insurance companies complied with a variety of laws at state and federal levels. Oftentimes, patient information could be easily distributed without the patient’s authorization and for purposes unrelated to medical care. For example, lenders and employers could access an individual’s health record –– and subsequently deny a mortgage or job application based on medical history. 

To prevent these outcomes and protect patient privacy, legislators drafted HIPAA’s privacy rule and security rule. The privacy rule allows patients to decide who has access to their medical records, such as a primary care provider or a team of specialists. It also places specific limits on how a provider can access, use, or store patient data. The security rule ensures that electronically transmitted patient data is protected through appropriate administrative, physical, and technical safeguards.

In 2009, HITECH was also passed to ensure the confidentiality, integrity, and security of electronic health information. HITECH promoted and expanded the adoption of electronic health records (EHRs), clarified language in HIPAA to close potential loopholes, and created tougher penalties for HIPAA violations to incentivize compliance with privacy and security rules. Prior to HITECH, only 10% of hospitals adopted EHRs –– leaving healthcare out of the digital age. HITECH encouraged digital transformation through financial incentives, ultimately improving healthcare efficiency and coordination. 

 

What is Protected Health Information (PHI)?

Any health information that includes individual identifiers is considered PHI, including demographic information. Under HIPAA, the 18 identifiers of PHI are:

  1. Names 
  2. Dates, with exception to year
  3. Telephone numbers
  4. FAX numbers
  5. Geographic information
  6. Social Security numbers
  7. Email addresses
  8. Medical record numbers
  9. Account numbers
  10. Health plan beneficiary numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Web URLs
  14. Device identifiers and serial numbers
  15. Internet protocol addresses
  16. Full face photos and comparable images
  17. Biometric identifiers (i.e. retinal scans and fingerprints)
  18. Any unique identifying number or code

 

What distinguishes Protected Health Information (PHI) from healthcare data?

All PHI is healthcare data, but not all healthcare data is PHI. PHI refers to any past, present, or future identifiable health information that is used, maintained, or stored by a HIPAA-covered entity. Physical records, electronic records, and spoken information regarding a patient’s medical conditions, provisions of care, or payment of care are all considered PHI. Examples of PHI include:

  • Phone records between an individual and a healthcare provider
  • Billing information from a doctor
  • Diagnosis of a medical condition
  • Results from a blood test

 

What isn’t considered PHI? 

Two conditions determine what qualifies as PHI: who records the information, and whether or not the information is stripped of all identifiers that could tie the information to an individual. HIPAA applies to HIPAA-covered entities and their business associates. This does not pertain to education or employment records, which may retain certain information about an individual’s health, such as allergies or blood type. Information is only considered PHI if the information was recorded by a healthcare provider or used by a health plan. Additionally, if the 18 identifiers of PHI are stripped from the health information, HIPAA does not apply. The data is then considered de-identified PHI. It is important to note that certain characteristics that could uniquely identify an individual cannot be reasonably stripped from data, as context clues and introducing additional publicly available information can lead to re-identification of an individual. This highlights how HIPAA typically does apply when using patient information, and how healthcare institutions should take appropriate and proactive measures to ensure compliance.

 

When are disclosures permitted for PHI?

There are, of course, instances where disclosure of PHI is required by law. Typically, these types of disclosures handle circumstances that involve public policy, safety, or other legal concerns that compete with a patients’ need for medical confidentiality. HIPAA permits disclosures under the following provisions:

  • Public health activities, such as those involving disease control, product recalls, or work-related illnesses
  • Suspected abuse, neglect, or domestic violence
  • Health oversight activities of the healthcare system, government benefit programs, or civil rights law;
  • Judicial or administrative proceedings in response to a court order or subpoena;
  • Law enforcement purposes when the PHI is relevant and material to a criminal investigation;
  • Deceased patients (to coroners, medical examiners, or funeral directors);
  • Organ donation;
  • Research, provided specific requirements are met; and
  • Government functions such as national security or intelligence activities

With such a specific and limited list of permitted reasons for disclosure, sharing data for medical research or other industry-related developments requires a careful, privacy-by-design approach. So how do organizations collaborate with data? First, let’s start by exploring why data collaboration is important in the first place.

 

What are the benefits of data collaboration in healthcare?

Data collaboration is critical for healthcare institutions. Interoperability –– the ability of two or more systems to exchange and use health information –– allows for increased clinic/hospital efficiency, reduced visits and admissions, improved diagnostic accuracy, and more. This host of potential benefits for patients’ health and well-being depends on private, secure, and streamlined sharing between healthcare providers. 

One key example of the benefits of data collaboration in healthcare is this study, conducted by researchers at Stanford University and the Houston Methodist Research Institute in 2016. By examining more than 16 million electronic health records of 2.9 million people to probe the link between common gastroesophageal reflux disease treatments and heart attacks, they found that individuals taking proton pump inhibitors (Nexium, Prilosec, and Prevacid) were 16 percent more likely to have a heart attack than those who did not take these drugs. While the study does not establish that these drugs cause heart attacks, the findings catalyze a closer examination of a potential cause-and-effect relationship between proton pump inhibitors and future heart attacks.

This example highlights how collaboration and secure information sharing can also vastly improve wider-level medical research, in addition to population health management and epidemiology/disease tracking. Access to transparent and informative data can improve the accuracy of research, provide a backbone for risk/benefit analysis of treatment options, and strengthen clinical research collaborations between healthcare providers. 

 

What is the biggest threat to the security of healthcare data?

Healthcare organizations are continually at risk for cyberthreats due to their possession of information that is of high monetary and intelligence value to hackers, cyber-thieves, and other bad actors. Protected health information, financial information such as credit card and bank account numbers, Social Security numbers, and intellectual property are all forms of targeted data. Ransomware, credential harvesting, and device theft are top mechanisms for stealing patient health information.

Immediate patient outcomes are often impacted by cyber crimes. In May of 2017, the “WannaCry” ransomware attack targeted computer systems in 150 countries, hitting over 230,000 computers globally. American hospitals and healthcare systems faced diverted ambulances, canceled surgeries, and disrupted operations –– consequences that could have been avoided through updated software and education on data security. In 2021, a Critical Insights report found that cybersecurity breaches hit an all-time high, with over 45 million individuals impacted by healthcare attacks. This number has tripled in the past three years, partially resulting from the unprecedented stress hospital and health systems faced during COVID-19. As healthcare systems continue to shore up defenses, the U.S. Department of Health & Human Services Office of Civil Rights (OCR) recommends vigilance around these top cybersecurity threats:

 

What types of data security does the healthcare industry currently implement?

Protecting data in the healthcare industry is a serious challenge, and as regulatory requirements for data protections increase, healthcare organizations must take a proactive approach to implement best-practices for data security. Currently, these are steps healthcare organizations take to remain compliant and lower the risk of data breaches:

  • Educating healthcare staff
    Human error can lead to catastrophic and costly consequences. Through robust security awareness training, healthcare employees can independently make critical and careful decisions when handling sensitive patient data.
  • Implementing access and usage controls
    Data controls allow healthcare organizations to restrict access to patient information and applications to users who require access to perform their roles, or block specific actions (such as web uploads, copying to external drives, or unauthorized email sends) altogether. Data discovery and classification can also ensure that sensitive data is identified and tagged according to the level of protection necessary for the information.
  • Logging and monitoring the use of data
    An audit trail allows healthcare providers to identify which users are accessing patient information, pinpoint areas of concern in security, and strengthen protective measures. 
  • Encrypting data at-rest and in-transit
    Encryption makes deciphering patient information more difficult for attackers. By encoding data so that only authorized parties can receive and understand information, healthcare providers can prevent unauthorized persons or applications from gaining access to PHI.
  • Securing mobile devices and applications
    Smartphones and other devices are commonplace in 21st-century healthcare, with patients, physicians, and insurance providers inputting and receiving information to increase operational efficiency. Mobile device security requires a range of measures, such as encryption of application data, installation of mobile security software, and enablement of remote-wipe or lock applications for lost or stolen devices. 
  • Conduct Frequent and Thorough Risk Assessments
    Regular risk assessments encourage proactive measures against potential data breaches and cyber attacks. Locating vulnerabilities in security, growth points in employee education, and other areas of concern can reduce the risk of costly penalties from regulatory agencies and the reputational damage associated with a breach.

 

How can we improve data security in healthcare?

Scaling digital transformations, increasing cyberattacks, and rapidly changing technologies in healthcare all reinforce the need for innovative and reliable data security solutions. Ideally, these solutions should also promote interoperability between hospitals, research institutions, and other healthcare providers to maximize value derived from healthcare data –– without compromising patient privacy or incurring severe penalties after a breach.

According to the American Hospital Association, “the key to leveraging health data’s full potential for improving patient care is the establishment of a framework for compatible technical and linguistic (semantic) standards adopted by all parties that leads us to a generic, vendor-neutral data exchange program. We currently lack universally agreed upon ways of sharing and using information.”

TripleBlind is a software-only solution that can unlock the intellectual property of health data without compromising PHI or violating HIPAA. By keeping data private and in place while allowing authorized operations on the data, healthcare providers can collaborate around sensitive information and ensure compliance with regional and national privacy regulations.

Take, for example, this use case in hospital and pharmacy analytics. A critical pain point for hospital and life science researchers is the need for detailed information about patient drug purchases and usage. While these researchers often know what drugs have been prescribed to patients, they have little information about actual purchase or use rates –– information that pharmacies possess, but struggle to or cannot share due to interoperability challenges or legal barriers. 

Using TripleBlind, the hospital can run a “fuzzy match” (or exact) to identify the intersection of their customers and the pharmacy’s customers. The pharmacy can also set permissions on what data the hospital is able to see on their shared patients’ customers, allowing the pharmacy to have full access and usage controls. Through this data collaboration, the hospital can then gain insights into what medications patients are actually purchasing and taking after receiving a prescription, then incorporate their findings into future research and models.

With our privacy enhancing computation solution, no exchange of raw data ever takes place. Permissions on how data is used can be set to per-use authorization, ongoing permissions, or anything in-between –– giving data owners full autonomy over data and algorithms, while allowing data collaboration and innovation to take place. The TripleBlind Solution offers the following additional advantages:

  • Streamlined interoperability between healthcare organizations –– Using or combining PHI and PII is often a compliance migraine for healthcare professionals. The TripleBlind Solution reduces time and resource cost, allowing organizations to extract insight from data without compromising or relinquishing control over proprietary information.
  • Exceptional AI/ML modeling and analysis toolset –– TripleBlind enables all data operations to occur on any type of data, without adding speed penalties or requiring additional storage. Train AI models and find healthcare solutions faster than and with greater accuracy than ever before.
  • Aggregation of granular-level patient data while ensuring HIPAA/HITECH compliance –– Since PHI is protected by design and never moved, shared, or seen by any parties, critical information can be included in every research process –– including early indication clinical trial reporting, pharmaceuticals, and more.

Are you ready to learn more about how TripleBlind can support your organization in joining the future of healthcare data security? Check out our use cases or contact us for a demo of our next-generation product.

How is Federated Learning Used in Healthcare Hero

How Is Federated Learning Used in Healthcare?

Machine learning is gradually becoming a valuable tool which augments research and discovery in many industries, including healthcare. Machine learning models require massive amounts of unbiased, diverse, and easily accessible data to be effective. 

Too often, however, datasets remain confined to silos within their respective healthcare organizations because of privacy concerns, keeping valuable potential insights from being realized through collaboration. In healthcare, the prospect of sharing data for machine learning is made more challenging by strict regulations related to patient privacy.

 

Understanding Federated Learning

Federated learning is a solution designed to facilitate distributed machine learning by addressing issues related to data governance and privacy. With federated learning, the development of a machine learning model is fragmented, with decentralized training of individual model copies at participating healthcare institutions using these institutions’ own proprietary data. The individual models can then be aggregated to produce a global model. Therefore, federated learning allows healthcare institutions to safely train shared models on their joint, private data without having to exchange it with one another. 

Research has shown that this approach can produce models comparable to those trained on a single, centrally hosted set of original raw data. Thus, federated learning holds promise for the development of machine learning models that produce granular insights and unlock new insights — such as on effective treatments — while considering patient privacy and regulatory compliance.

 

Current Uses of Federated Learning in Healthcare

Federated learning is already being used in healthcare for a wide range of applications. In medical imaging and analysis, federated learning is being applied for whole-brain and tumor segmentation. Federated learning has also enabled models in the ABIDE project to operate on sensitive fMRI imaging data for the identification of disease biomarkers.

Several efforts are underway to amplify this approach by connecting multiple healthcare institutions. In France, the HealthChain project is focused on establishing a massive dataset for federated learning in healthcare that includes four different hospitals. The goal is to predict treatment responses for melanoma and breast cancer patients. By analyzing dermoscopy images and histology slides, federated learning can provide oncologists with additional information so they can determine the most effective course of treatment for individual patients.

Federated learning is also being applied to industrial healthcare research, often with competing companies in collaboration with one another. The Melloddy project is focused on establishing a federated learning framework for datasets from 10 different pharmaceutical companies. The goal is to create a shared predictive model that can infer how proteins will bind to chemical compounds. This promises to optimize drug discovery processes at each participating company without sacrificing extremely valuable in-house data.

As a valuable tool enabling data privacy protection, federated learning has massive implications for patients. If a federated learning framework could be established on a broad international scale, it would support high-quality clinical decisions regardless of location. Patients located in developing countries and remote areas would have access to the same high level of healthcare decision-making as patients in world-renowned hospitals. Federated learning could also help doctors address rare diseases and combat emerging viruses before they become global pandemics.

Concurrently, the ability to ensure patient privacy lowers the bar for people considering participation in clinical trials. While federated learning holds much promise for healthcare applications, it’s also important to understand its limitations. 

 

Limitations of Federated Learning

While there are many benefits to federated learning, it does not address all potential issues related to privacy. To be clear, there is some inherent privacy risk associated with the use of machine learning algorithms, because the use of machine learning may involve trade-offs between privacy and performance. And while federated learning offers a level of privacy that standard machine learning models do not, the critical need for complete protection when it comes to handling personally identifiable information means that privacy risk must be carefully evaluated.

With federated learning, participants never provide direct access to their own raw data. Participants only exchange model parameters for aggregation. However, all machine learning models are capable of incorporating private data. Because of this, participants need to use privacy-enhancing measures.

When organizations enter into a federated learning framework, they must agree to the scope and goals of the project, as well as the technologies to use. If a participant were to vary from these agreements, the entire project could be compromised.

For obvious reasons, organizations usually aim to partner with other organizations they deem trustworthy. There are also times when organizations will enter into large-scale federated learning systems. These large initiatives can be more vulnerable to bad actors who may intentionally try to degrade performance or extract sensitive information from other participants. Organizations that enter into large federated learning systems must therefore have a security strategy in place that can mitigate associated risks.

 

The TripleBlind Solution Facilitates Collaboration between Healthcare Organizations

TripleBlind’s novel privacy-enhancing technology can supplement the privacy afforded by federated learning, ensuring compliance with HIPAA and the secure operationalization of data.

The TripleBlind solution addresses many of the inefficiencies and inherent vulnerabilities associated with federated learning and can also be used as a stand-alone privacy technology for training machine learning models. For example, the distributed learning algorithm of TripleBlind is baked with a specialized privacy function that mitigates membership inference attacks, while reducing the computational requirements by more than 60% at the client side.  After all, TripleBlind’s innovations are built on well-understood principles, including federated learning and multi-party compute, but radically improve the practical use of privacy-preserving technologies with faster processing and scalability. TripleBlind requires less computational resources and it avoids a partial network inadvertently passing private data into a composite model. In other words, TripleBlind can help healthcare organizations more easily unlock the intellectual property value of their data through collaboration. 

To learn more about our scalable privacy-enhancing technology, schedule a demo today.

State of Financial Crime Hero, lock, keyboard and credit card

The State of Financial Crime in 2022 and What That Means For Your Business

In the State of Financial Crime 2022 report, Comply Advantage provides a look into the top concerns of C-suite and compliance decision-makers across North America, Europe and Asia-Pacific. Comply Advantage surveyed 800 respondents from enterprise banking, investments, cryptocurrency, insurance organizations and fintech companies to identify insights that will shape the industry this year. Eighty percent of firms included in Comply Advantage’s report said they filed more suspicious activity reports (SARs) in 2021 than the previous year – up 10 percentage points from the 2020 report.

As financial crimes rise, the report found that issues pertaining to COVID-19, supply chain disruptions, fraud and cybercrime, and cryptocurrencies and NFTs are the major pain points posing security threats. A common explanation is the accelerating pace of data creation and the sheer volume of data that exists today. Another contributing factor is remote work. Data now resides on peoples’ mobile devices and cloud networks an organization’s IT and security teams may not even be aware of. This creates an ideal situation for bad actors to breach networks. As more data is created, and companies’ infrastructures are expanding to accommodate remote work worldwide, enterprises are more vulnerable to bad actors interfering during data collaboration.

IDC predicts that by 2025, 463ZB of data will be created every day. Our past blogs have delved extensively into how the financial services industry greatly benefits from innovation that is only possible via analysis of large amounts of real, sensitive data. So, how can banking and fintech companies capitalize on and realize this benefit amid the heightened crime risks?

Privacy-enhancing computation (PEC) solves a broad range of data challenges, especially in financial services and healthcare. TripleBlind’s work with partners like Accenture has mathematically proven that PEC allows financial institutions to collaborate and innovate without giving up proprietary data.

 

Here are four examples of how PEC benefits the financial sector as financial crime rates rise:

  1. Using aggregated customer data from credit card companies and banks, including point-of-sale, customer transaction, geolocation and online retail activity data, financial institutions can more easily and quickly identify fraudulent activity.
  2. Without the risk of misuse or redistribution of their IP during collaboration, credit bureaus can develop better algorithms for bureau management using one-way encryption.
  3. Using data from large retail banks and other financial institutions with customers-in-common, financial institutions will better know their customers and be able to accurately identify money laundering faster.
  4. Without the need for human intervention while processing sensitive data from financial  institutions, alternative data providers can provide better insights to investment firms and hedge funds while reducing risk or liability for all parties involved.

 

TripleBlind’s innovations build on well understood principles of data protection, such as federated learning and multi-party compute, and radically improve the practical use of PEC by adding true scalability and faster processing. TripleBlind’s software-only solution is delivered via a simple API with support for all data and algorithm types.

To learn more about how privacy-enhancing computation can benefit your business and increase collaboration opportunities, please contact us today to schedule a personalized demo of our innovative technology.

TripleBlind Now Available in AWS Marketplace

TripleBlind is Now Available in the AWS Marketplace

We are delighted to announce that TripleBlind is now available in the AWS Marketplace, a digital catalog that makes it easy for organizations to discover, procure, entitle, provision, and govern third-party software.

Through the AWS Marketplace, IT teams now have access to TripleBlind’s solution and can avoid some common barriers that inhibit utilization of their data: 

  • Legal Agreements: IT teams can utilize their existing pass through Amazon legal agreement. Because legal teams would have already approved the existing pass, the need for supplemental reviews is eliminated.
  • Budget: Many enterprises already using AWS cloud solutions have existing budgets in place for the Marketplace, so no incremental budget requests are necessary to include TripleBlind’s solution.
  • Time: The AWS Marketplace enables enterprises to be up and running with TripleBlind in a matter of hours, using a process that is familiar to them.

When choosing TripleBlind through AWS, customers have three plan options:

  1. 30 Day Evaluation – Limited time evaluation license. Valid for thirty days.
  2. Annual Enterprise License – Unlimited number of users and counter parties for your organization. Valid for one year.
  3. Hourly Software Cost – Hourly pricing plan for customers preferring a pay-as-you-use model. Includes a free trial to start.

Once a plan is selected, a TripleBlind account manager will:

  1. provide the proper documentation and user guides to get started with our software
  2. set up a kick-off call to walk through the basics
  3. schedule optional recurring communication channels and/or regular standing meetings to help you get the most out of your plan

TripleBlind’s inclusion in the AWS Marketplace will accelerate collaborative data initiatives among organizations around the world by enabling more institutions to tap into the benefits of the powerful, opportunity-expanding technology. This will directly benefit heavily regulated industries, like financial services and healthcare, that rely on the exchange of intellectual property.

AWS Overview About TripleBlind Marketplace Offering

 

TripleBlind has created the most complete and scalable solution for privacy enhancing computation.

The TripleBlind solution is software-only and delivered via a simple API and supports all cloud platforms. It solves for a broad range of use cases, with current focus on addressing the demand in healthcare and financial services.

TripleBlind’s innovations build on well understood principles, such as federated learning and multi-party compute. Our innovations radically improve the practical use of privacy preserving technology, by adding true scalability and faster processing, with support for all data and algorithm types. TripleBlind unlocks the intellectual property value of data, while preserving privacy and ensuring compliance with HIPAA and GDPR. 

TripleBlind compares favorably with other privacy preserving technologies, such as homomorphic encryption, synthetic data, and tokenization and has documented use cases for more than two dozen mission critical business problems.

 

To learn more about the solution or how to get started, reach out to contact@tripleblind.ai.

TripleBlind Now Available in AWS Marketplace

The TripleBlind Solution Now Available in AWS Marketplace

KANSAS CITY, MO — April 20, 2022 TripleBlind, creator of the most complete and scalable solution for privacy enhancing computation, is now available in AWS Marketplace. The launch allows enterprises worldwide to leverage TripleBlind’s solution which unlocks the intellectual property value of data while preserving privacy and ensuring compliance with HIPAA and GDPR.

AWS Marketplace is a curated digital catalog that makes it easy for customers to find, buy, deploy and manage third-party software, data and services to build solutions and run their businesses on Amazon Web Services (AWS). TripleBlind is available to AWS customers today.

TripleBlind offers users three pricing plans based on their organization’s budgets and needs: 30-Day Evaluation License, Annual Enterprise License, or Hourly Software Cost with a Free Trial. TripleBlind’s software-only solution is delivered via a simple API, allowing enterprises to get started through AWS Marketplace in a matter of hours versus weeks or months. AWS ensures seamless cloud delivery and integration and facilitates payment directly through users’ annual AWS commitment.

“Launching TripleBlind in AWS Marketplace is a pivotal step in accelerating data collaboration and unlocking the untapped intellectual property value of data around the world,” said Chris Barnett, Vice President, Marketing & Partnerships at TripleBlind. “The TripleBlind Solution has been mathematically proven to solve data use cases across many industries, especially healthcare and financial services, and this launch will make it easier for more organizations to realize that potential.”

TripleBlind’s innovations build on well understood principles of data protection, such as federated learning and multi-party compute. Its innovations radically improve the practical use of privacy preserving technologies by adding true scalability and faster processing, with support for all data and algorithm types. TripleBlind deploys on all cloud platforms and compares favorably with all existing privacy preserving technology, including homomorphic encryption, synthetic data, and tokenization.

 

Additional Resources:

 

 

About TripleBlind

Combining Data and Algorithms while Preserving Privacy and Ensuring Compliance

TripleBlind has created the most complete and scalable solution for privacy enhancing computation.

The TripleBlind solution is software-only and delivered via a simple API. It solves for a broad range of use cases, with current focus on healthcare and financial services. The company is backed by Accenture, General Catalyst, and The Mayo Clinic.

TripleBlind’s innovations build on well understood principles, such as federated learning and multi-party compute. Our innovations radically improve the practical use of privacy preserving technologies, by adding true scalability and faster processing, with support for all data and algorithm types. We support all cloud platforms and unlock the intellectual property value of data, while preserving privacy and ensuring compliance with all known data privacy and data residency standards, such as HIPAA and GDPR.

TripleBlind compares favorably with existing methods of privacy preserving technology, such as homomorphic encryption, synthetic data, and tokenization and has documented use cases for more than two dozen mission critical business problems.

For an overview, a live demo, or a one-hour hands-on workshop, contact@tripleblind.ai.

 

Contact

Madi Olivé / Valeria Carrillo
UPRAISE Marketing + Public Relations for TripleBlind
tripleblind@upraisepr.com
415.397.7600