October 12, 2015

Privacy and Security

On Thursday, January 6, 2011, the Dossia Service Corporation announced that its Board of Directors had elected me as the new CEO. I am thrilled for this opportunity, but it has also reminded me that I have a more hands-on responsibility to insure the security and privacy of the individuals and families who have entrusted us with their health information.

Fortunately, Dossia is not only in compliance with all applicable laws and regulations, but, having had to market our personal health record system through large employers, we have had to meet much more challenging security and privacy standards than our competitors, who market directly to consumers. I am very familiar with exacting security and privacy standards from working inside a company that had to manage sensitive financial information for postal services and their customers because of our postage meter business.

In the last decade, my immersion in security and privacy issues increased exponentially for a variety of reasons:

  • Pitney Bowes Management Services took on more large financial services and health services customers, and managed major functions like print and mail, which caused us to be exposed to a considerable amount of personally identifiable information. Not surprisingly, our customers demanded security and privacy protection far in excess of what the law required.
  • Pitney Bowes Management Services also became a major provider of mail and print services to more government agencies like the FBI, the U.S. House of Representatives, and the Justice Department, which had their own security standards. After the 9/11 and anthrax bioterrorism events, these security standards became even more exacting.
  • As Pitney Bowes expanded its reach into the consumer and small business customer space this past decade, we began accepting credit cards, which meant that we had to withstand the audits and scrutiny of the major credit card auditors for American Express, Mastercard, and Visa.

I learned a great deal about security and privacy. Some of the most important insights that I take with me into my new assignment are the following:

  • A system dependent on privacy and security is only as strong as its weakest link. Therefore, every system needs to be stress-tested at multiple points at all times, to make sure that there is not even a single point of weakness. Moreover, a system that is large, expensive, and highly secure in many places, but has more potential points of failure than a less expensive system in which there are fewer points of failure can actually be less safe. There is an optimal level of spending on security at any given time.
  • The most frequent and, often, most serious security breaches do not occur because of technological flaws in a system, but because of human failures. A private investigator and security Kevin Mitnick wrote a very insightful book some years ago called The Art of Deception, in which he made the point that he could find the most sensitive information about anyone from even the most secure system. For example, when he was retained by a party to a divorce proceeding to learn about the other party’s salary and benefits from an employer, he would pretend to represent the employer’s CEO and would demand payroll information on an individual from someone who should not have surrendered it. He would play upon an employee’s fear of upsetting the CEO and that employee’s desire to be helpful and would get access to information that should not have been available to him.
  • Closely related to the previous point, security and privacy systems have to be compatible with how individuals function within various processes. If the process is made too cumbersome because of security protections, people who need to function more efficiently will find a way to work around or even disable security and privacy systems. The ultimate goal is to maximize security and privacy, based on how people will use a system, not to achieve a theoretical maximum level that will not get achieved because people compromise a system.
  • Maximizing security and privacy is not a one-time effort. Those seeking to compromise systems keep improving their skills, so those protecting the systems have to keep improving their vigilance and the effectiveness of their efforts.
  • Among members of the public, there are differences among people in their attitudes toward privacy. There are also differences for a single individual in terms of privacy concerns relative to different categories of information. A privacy policy and system needs to recognize that individuals will care differently about whether information is disclosed, to whom it is disclosed, when it is disclosed, and how the disclosure will take place. To the degree that we secure informed consent from individuals, we also need to understand that individuals have diverse ways of locking in on the data that is relevant to them giving informed consent. We also need to be as upfront with people every time there is potential for their data to be shared, and to have a dialogue with them that gives them a reasonable opportunity to give an informed consent. They should be aware of the risks of disclosure, but also the benefits to them, and should make a knowledgeable decision.
  • There are cultural norms that privacy policies and procedures have to respect. One example of this was the absurdly legalistic view that individuals could not be identified by their last name in a doctor’s office waiting room because of HIPPA privacy rules. The theory was that other people would know who they were, and that having strangers hear their last name violated their privacy. One day, I listened to a receptionist adhere to this rule by calling a black adult patient by his first name. Many adult black people from an older generation feel that being called by their first name is insulting and disrespectful. To many adults, including me, having a stranger address me by my first name is disrespectful and condescending. Requiring doctor’s office employees to deal with strangers on a first name basis without getting their prior permission is stupid.
  • No security system is ever invulnerable to breach as long as human beings have something to do with it. The goal is to strive to have zero breaches, to minimize their seriousness, and to learn from them when they happen, so that they never happen again.

The Dossia team has done a superb job building an exceptionally secure personal health records platform. I plan to improve it continuously.