Google Cloud has been providing Ascension, the second biggest healthcare provider in the US, with cloud infrastructure services since July 2019. Providing software services to healthcare providers to facilitate the secure management of patient data is not uncommon for Google. The services Ascension are taking are similarly commonplace- the migration of data to Google Cloud, utilizing suite productivity tools and providing technological tools to Ascension’s doctors for use. What perhaps is the defining factor is the scale, with this being the largest project of its kind to date – managing data of over 50 million Americans. This was dubbed “Project Nightingale”.
Recently, a whistle-blower sought to raise privacy concerns surrounding the use of sensitive patient data by the technology company. An anonymous whistle-blower posted a video on the Dailymotion video streaming platform containing hundreds of images of confidential files relating to the Project. The whistle-blower later leaked information to the Wall Street Journal and the Guardian. Whilst the reporting of the issues surrounding the leak has been sensationalized, with references to a “secret scheme”, the conduct of the Project does seem to raise legitimate concerns over the fitness of privacy regulation in particular.
The whistle-blower has highlighted that data being transferred to Google is sensitive in nature- containing names and medical history of patients. This is allegedly not de-identified but rather identifiable raw data. The transfer of this data, of over 50 million patients, is said to be slated for completion in March 2020. It is also alleged that patients and doctors have not been made aware of the data transfer.
In an interview with the Guardian the whistle-blower stated as follows:
“Most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place. This is a totally new way of doing things. Do you want your most personal information transferred to Google? I think a lot of people would say no.”
The response
In response Google and Ascension released statements. Google Cloud issued a detailed press release covering the nature of its work with Ascension citing that, despite concerns, the Project “adheres with industry-wide regulations” including the Health Insurance Portability and Accountability Act 1996 (“HIPAA”). The Business Associate Agreement operated to allow Google to utilize data received from Ascension only for the purpose of providing the agreed services.
One area which gives rise to concerns is the allegedly low protective standard set by HIPAA. Which has been criticized for being outdated given the recent development of healthcare data. A federal inquiry into whether the provisions of HIPAA have been followed has been launched.
The nature of the services provided to Ascension have been broadened to cover the optimizing of care for patients through technology. This goes further than the norm, combining Google’s technology to pilot tools that can better provide for patient care. In this field, it will be interesting to see how Google’s extensive data profiling capabilities impact the ability to provide higher quality patient care, though it seems the collaboration (thankfully from a privacy perspective) does not go so far. Patient data and Google profiling data are kept separate. The safeguards in place to ensure the protection of data are of key importance here:
– Data is siloed from Ascension housed within a private space with encrypted keys;
– Patient data is kept in a secure environment and is used only for purpose;
– Access logs are put in place for those areas involving the data; and
– The systems used are included in ISO 27001 certifications and SOC2/3 audits.
Recent events highlight the need for updated and best practice guidelines reinforcing the industry standards in place. Especially in the healthcare space given recent market changes such as Google’s $2.1bn acquisition of Fitbit, giving it access to a wide variance of health-oriented data. The prospects for this being used alongside Google’s data analytics and profiling presents highly innovative and concerning developments in data usage.
The Privacy Perspective 