On the latest episode of Cracking the Code, ClearDATA Founder and Chief Information Security Officer Chris Bowen discusses the implications of the bipartisan draft of comprehensive national data privacy legislation.
The draft would establish national data privacy rights and protections for Americans, replace the current fragmented patchwork of state data privacy laws with a single federal standard, and add enforcement measures to ensure accountability, including a private right of action that lets individuals sue. It is still a draft working its way through Congress, not enacted law.
But how does it affect healthcare and patient privacy?
Watch and find out.
Transcript
0:05: Hello everybody and welcome to episode 22 of Cracking the Code.
0:09: I’m here with Chris Bowen to pick his brain on some healthcare cybersecurity topics.
0:13: In this episode, we will be discussing committee chairs Rogers and Cantwell, who unveiled a historic draft of national, comprehensive data privacy legislation.
0:22: So Chris Bowen, you started out in politics.
0:26: I know you have a lot of thoughts on this topic, so I’m gonna go ahead and just dive right in with some questions to pick your brain if that’s OK.
0:33: We’ve been trying for a long time to get some kind of holistic privacy bill, some kind of legislation that makes it contiguous among different states, so that there’s not this confusion as to what happens if data is breached in one state versus another state.
0:51: It’s been kind of a pain in the butt, if you will, for consumers, for patients, for those who are safeguarding data.
1:04: You know, I think there are 15 different laws right now on the books in different states, and they’re different in every state.
1:15: And there are more laws coming.
1:18: You’ve got some of the notorious ones in California, you’ve got the Texas bill, House Bill 300, I believe, I’m just going from memory.
1:28: Massachusetts had a big one.
1:31: And it was very stringent.
1:33: And so how do you navigate all of this?
1:35: And the European Union, not that we hang our hats on everything they do, but they came across with a great proposal in GDPR, which was, let’s just make a uniform code of conduct for how we handle personal data, even special categories of personal data.
1:55: So we’ve been taking our sweet time
1:59: to try to figure this out.
2:01: HIPAA was written in 1996 by Bill Freston’s team.
2:05: They did a great job.
2:06: Since then, we’ve had to go to different law firm websites to understand which state has which law and how you act within each jurisdiction.
2:18: I think it’s great that it’s a bipartisan effort.
2:21: And I, I’m hopeful that it gets some traction.
2:25: So with that, how do you think the regulatory landscape will change now, and how are health systems and health plans supposed to respond to this?
2:35: Well, it’s still slugging its way through Congress. If you recall, “I’m just a bill, still just a bill.”
2:43: And it’s gonna be an interesting ride.
2:47: We’re starting to see some of the states protest a bit.
2:51: Some of them legitimately so. Some of them have protections around things like biometrics, and how do you govern that, how do you govern, you know, some of these, you know, TGen is here in Phoenix, genetic
3:07: data, all kinds of information flows back and forth, and they’ve kind of figured out how to skirt the patchwork of laws, not skirt them but really navigate them.
3:19: And so you’re starting to see some of the states,
3:22: I don’t know if they’re protesting per se, but raising the red flag that says, hey, caution here, don’t throw the baby out with the bathwater, to use that old coined political phrase, if you will.
3:35: It’s a tricky one.
3:38: We’re hopeful that we see some continuity around the 50 states of the United States.
3:44: Right, it seems like it’s high time for that, and you’ve spent a lot of your career advocating for patient safety.
3:50: That’s why you founded ClearDATA, and it’s why you focus cybersecurity efforts within healthcare.
3:55: So, you touched on it a little bit at the beginning, but can you provide an overview, you know, of how this is going to set the stage
4:01: now for consumer and patient safety? Because as we know, this doesn’t just impact, you know, hospitals; this can impact digital health companies, as we discussed last week, any type of way that we provide our data on a wearable device, so to speak.
4:16: So how is this impacting the patient?
4:19: Yeah. The word consent is a thing, and it’s always been a thing, and some of the big platforms, I won’t name names, but we probably look at them on social media a lot.
4:34: Some of them just ignore that.
4:35: Some of them ignore the preferences.
4:38: If you look at your terms of use, before you can even say hello to your neighbor online, you have to agree to 17 volumes of terms of service.
4:51: At this point, nobody really takes any of that seriously until there’s a lawsuit, and then it’s like, oh, page 1448, you’ve got this one provision that you agreed to, so do that.
5:03: I think you’re gonna see a lot more explicit consent be required, and not just the “yeah, we’ll just assume that you consent,” but actually explicit: you opt in instead of having to opt out, which is how it is most of the time today.
5:22: So we’re gonna see some of that, we’re gonna see some of the data flows change a bit.
5:28: I predict we’re gonna start to see
5:32: some of the flows
5:34: take a little bit more of a direct path and make it a little bit more transparent, so you actually know where your data is going.
5:41: That’s the hope.
5:43: Right, absolutely the hope.
5:44: So, you mentioned some pushback from states.
5:47: What are some of the specific ways that you anticipate states pushing back, and maybe some steps for them to take, you know, in their business practices to overcome those challenges if this does become a national effort?
6:01: You know, I’m a states’ rights guy.
6:04: I believe the states usually are better prepared to tackle local issues than, say, the federal government.
6:14: However, I used to work for the Speaker of the House in Arizona, and every state is a big crybaby about “this is our right,” you know.
6:25: I won’t pick on Texas.
6:27: Texas is the biggest baby in my opinion.
6:29: I don’t know if I can actually say that, but, you know, we’re Texas, or we’re Massachusetts, live free or die in Delaware, whatever it is, every state seems to have this protest that if it’s not their idea, it’s not a good idea.
6:44: And I’ve seen this over my career in the past.
6:46: I continue to see it.
6:48: The lobbyists are involved, the special interests are involved.
6:52: There is an organization, I think they’re still in Chicago.
6:56: I think it’s called the Uniform State Laws Commission,
7:00: which is a commission I applaud.
7:02: I actually ran into this when I wrote the Anatomical Gift Act back in ’96.
7:07: I just dated myself.
7:08: I’m really old now.
7:10: And when I wrote that bill, what I ended up having to do was take it to the Uniform State Laws Commission and have it become congruent with other state laws.
7:22: What a novel concept.
7:24: Well, now we’ve got a bunch of states being babies about it and saying, oh well, you’re gonna destroy my sacred cow, and you know what they say, sacred cows make the best burgers, right?
7:36: So it’s time for us to change.
7:39: We gotta continue to evolve.
7:42: All of Europe did it, and it seems to be working.
7:45: California, which is kind of a subset of Europe,
7:50: seems to be working.
7:51: So, if I can push back there, what if we have a state that has more stringent data privacy laws than a national effort?
7:59: Give me more details.
8:00: How so?
8:02: How, how stringent?
8:05: Well, in terms of data flow, data privacy, and, like you were mentioning, some of those life sciences companies, if they have different regulations in those areas, you know, they would be a little bit of a micro category there, but, you know, is there a way to navigate that?
8:18: I think in the legislative process, what you’re going to see with the two chairmen who are pushing this legislation is that they’re going to be very careful about how to incorporate some of the good stuff into this bill.
8:35: That’s gonna take some time.
8:37: That’s gonna take some stakeholder input.
8:40: You’re certainly gonna have, you know, different privacy groups, the IAPP I’m sure is already involved.
8:46: You’ve probably got other privacy-centered organizations involved.
8:51: And then, of course, you’ve got Facebook, you’ve got, you know, Meta, you’ve got Google, you’ve got all these other stakeholders who are trying to preserve their own revenue streams, if you will, and I think it’s probably a bad idea.
9:05: But I think you’re gonna see some deliberate,
9:10: focused legislation that’s gonna take into account those great bills.
9:15: Some of these states have some great bills, some great legislation.
9:19: Some of them don’t, some of them are just confusing, and some of them are just check the box kind of legislation.
9:25: I think they’re gonna come out with something really important.
9:28: Excellent, thank you there.
9:29: So what advice would you maybe give to your colleagues, the CIOs, the other healthcare CISOs out there, you know, in response to this draft, in terms of maybe preparing different organizations, you know, at the business, at the organizational level?
9:45: I mean, the CISOs need to continue to do their job of protecting the data.
9:49: The privacy officials, they’re the ones that are gonna make this magic happen.
9:54: They’re the ones that are going to make sure that the policies, the procedures are focused on the proper consent.
10:02: They’re the ones that are going to help navigate the laws.
10:05: The CISOs don’t necessarily do that.
10:07: They’re there as guardians of the gate,
10:10: to protect that data from ransomware, from misconfigurations, from leakage, or whatever.
10:15: This is the privacy officials’ time to shine, if you will, because they’re going to be helping to implement some of these legislative actions, assuming that it gets through the House and Senate.
10:32: Well, thank you.
10:33: And we always kind of end our episodes with this.
10:37: What advice would you provide to the consumer, the patient, going into the doctor’s office, checking boxes, downloading digital apps?
10:46: What can they do, from a digital footprint stance and an in-person stance, to protect their data and protect their privacy? Because we obviously play an active role as well.
10:56: I mean, there’s some basic ones.
10:58: You know, with your email address, for example, why put your entire name?
11:03: Chris, blank blank blank, you know, last name.
11:07: Why give the bad guys an opportunity to see your middle name?
11:11: Even in just those kinds of things, your handles on social media, make them private.
11:18: Unless you’re an influencer and that’s your way of living, you don’t need to share it with everybody in the world, because there are bad people in the world that are gonna use that information against you or against others.
11:32: So be careful about what you download.
11:35: Even on LinkedIn, especially on LinkedIn, there are many.
11:39: Right, we’re seeing a lot of that now.
11:41: Yeah, let’s just throw out some kind of, hey, here’s my resume, take a look.
11:44: Oh, let me take a look, and now you’ve just been infected with ransomware or some kind of vulnerability.
11:49: Be very careful about bank fraud.
11:52: They’re getting very sophisticated.
11:54: They’re starting to do things that most people don’t even think about.
12:01: And if you think about AI, and you think about voice recognition, and you think about impersonating celebrities, it’s easy to impersonate anybody at this point.
12:13: So limit what you’re putting out there.
12:18: Absolutely, thank you.
12:20: And your eyeballs, right? Even your eyeballs, we are saying that now.
12:23: Yes, absolutely.
12:24: It is insane what’s happening.
12:26: It’s, it’s.
12:27: But thank you so much, Chris, as always, for your insights.
12:30: We’ll be back with episode 23.
12:32: If you haven’t seen episode number 22 yet, on the finalization of the Health Breach Notification Rule, some great insights from Chris there.
12:40: We’ll link below to our 2023 healthcare threat report as well, referencing some of the types of attacks Chris just mentioned, but as always, Chris, thank you so much for your insights, and we’ll talk again soon.
12:51: Thanks, Natalie.