HIPAA 2023 with a stethoscope

Top 5 HIPAA Changes for 2023

As healthcare providers enter 2023, it’s more important than ever to keep a pulse on the landscape of healthcare regulations, particularly those regarding patient privacy and security. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, continues to change to adapt to new technologies, healthcare practices, and patient needs. In this blog post, we’ll explore some of the changes healthcare providers can expect to see from HIPAA regulations in 2023. 


Increased Penalties for Non-Compliance 

One of the most significant changes that healthcare providers can expect in 2023 is an increase in the penalties for non-compliance with HIPAA regulations. The Office for Civil Rights (OCR), which enforces HIPAA’s national standards, has indicated that it will increase its focus on enforcing the regulations and will be more aggressive in imposing penalties on organizations that fail to comply.  

The exact details of the new penalties are not yet announced, but it’s crucial for healthcare providers to take note of this change, prevent unauthorized access, and take steps to ensure that they comply with HIPAA regulations. Currently, penalties for non-compliance can be $100 to $50,000 per violation (or per record), with a maximum fine of $1.5 million per year for violations of an identical provision.  

New penalties will be adjusted for inflation in 2023 and likely impose additional costs for organizations that do not comply. Additionally, covered entities must adopt corrective action plans to ensure policies and procedures are up to standard. 


Expansion of Patient Rights 

Another change healthcare providers can expect to see in 2023 is an expansion of patient rights to data privacy under HIPAA. The OCR has proposed several changes to the regulations that would give patients more control over their health information.  

For example, patients would have the right to access their health information in a timely and electronic manner and have the right to direct that their information be shared with designated third parties. Healthcare providers will need to be aware of these critical changes and ensure that their policies and procedures comply: 

  • Reduction in the maximum time to provide access to PHI to a patient from 30 days to 15 days 
  • Stating when covered entities should provide individuals with ePHI without charge 
  • Requiring covered entities to inform individuals of their right to obtain or direct copies of their PHI to third parties when a summary of PHI is offered instead of a copy. 


Increased Emphasis on Cybersecurity 

In recent years, healthcare providers have been increasingly targeted by cybercriminals looking to steal sensitive patient information. In response to this threat, HIPAA regulations will likely place a greater emphasis on cybersecurity in 2023. Healthcare providers will need to take steps to ensure that they have adequate security measures in place to protect patient information from cyberattacks and data breaches. These include: 

  • Conducting annual risk analysis to keep information secure
  • Strengthening workforce cybersecurity awareness training 
  • Enforcing patient right of access rules 
  • Prioritizing resources for IT staff 
  • Reviewing existing business associate agreements (BAAs) or subcontractor BAAs 


Updates to the Privacy Rule 

The HIPAA Privacy Rule was last updated in 2013, and the OCR has indicated that it plans to update the rule again in 2023. The exact changes to the Privacy Rule have not yet been announced, but the updates will likely reflect changes in technology and healthcare practices since the last update. Healthcare providers must be prepared to update their policies and procedures to reflect any changes to the Privacy Rule. Expected changes include:  

  • Precise definitions of a patient’s right to data access, as well as a covered entity’s responsibility to respond to requests 
  • Allowing patients to inspect their PHI in person and document their PHI through notes or photographs 
  • Identity verification procedures for parties requesting access to PHI 
  • The expanded ability for covered entities to avert threats or health to safety when harm is “seriously and reasonably forseeable,” as opposed to “serious and imminent.” 


Updates to Permissive Use of PHI 

HIPAA’s Privacy Rule previously allowed covered entities to make specific uses or disclosures of PHI according to their “professional judgment.” In 2023, HIPAA’s new standard will permit specific uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of an individual.  

This is good news for using PHI in research and development, as good-faith disclosures can lead to advancing medical treatments and technologies to cure complex diseases. However, evidence of bad faith disclosures will still prove non-compliance with HIPAA regulations. 

In conclusion, healthcare providers can expect several changes to HIPAA regulations in 2023. These changes will likely focus on increasing penalties for non-compliance, expanding patient rights, emphasizing cybersecurity, and updating the Privacy Rule. Healthcare providers will need to stay informed of these changes and take steps to ensure that they comply with the regulations to avoid penalties and protect patient privacy and security. 


About TripleBlind 

At TripleBlind, we understand the struggles of maintaining HIPAA compliance in an evolving digital environment. We’ve built the TripleBlind Privacy Suite to solve real-world healthcare data challenges and enable fast, secure access to diverse patient data. Our HIPAA-tested and compliant products accelerate research and development, catalyze collaborative healthcare, and unilaterally protect sensitive information.  

Join us in delivering tomorrow’s healthcare solutions using today’s automated data deidentification technology. Receive your copy of our Healthcare Whitepaper to learn how. 

Diagnostic AI hero image

Data To Diagnosis: Top 10 Ways Artificial Intelligence Will Impact Healthcare

Science fiction often touts that artificial intelligence will be the end of humankind –– but what if AI could improve our quality of living or extend human lifespans instead? In the past decade, researchers, developers, and doctors have worked to turn fictional fantasies into the healthcare industry’s new reality. Now, artificial intelligence in healthcare enables the accelerated development of life-saving treatments, increased operational efficiency in clinical settings, and improved patient outcomes across the board. As more hospitals and research organizations adopt AI/ML into diagnostic and treatment processes, technologies are bound to improve and expand.

The future of artificial intelligence in healthcare is expected to unlock more medical insights we can’t even begin to anticipate, deliver better patient care, and enable a more proactive, results-based approach to medicine. Consider the following ways experts envision the role of AI in the future of healthcare.

1. Addressing Neurological Challenges with Brain-Computer Interfaces

Powered by artificial intelligence, brain-computer interfaces are a promising technology that could improve communication skills and mobility in patients with neurological conditions.

A brain-computer interface uses artificial intelligence to analyze neural signals associated with intended movement. The interface could then activate artificial limbs, mobility-related medical devices, or communication technology to dramatically improve the quality of life for individuals coping with traumatic brain injury, spinal cord injury, ALS, stroke, or other neurological conditions.

2. Less Invasive Biopsies

One particularly promising way AI will change healthcare is through so-called “virtual biopsies”. This promising technology involves the use of image-based artificial intelligence to categorize the phenotypes and genetic qualities of cancerous tumors.

Currently, it will require significant refinement in order for virtual biopsies to become a reality. If the technology does sufficiently develop, clinicians will be able to gain a more comprehensive understanding of how tumors function, as opposed to understanding the properties of a small segment of tumors. This will allow for a better diagnosis of individual cancers and more targeted treatments for patients.

3. More Efficient Administration

Over the past two decades, electronic health records have been transformative, but there are still significant challenges associated with the use of electronic health records, particularly when it comes to overwhelming documentation requirements. Another way that AI will change healthcare is the creation of more intuitive interfaces for documentation and the automation of routine processes related to record keeping.

Artificial intelligence will also increasingly be used to process routine administrative activities, such as providing refills on medication and notifications for test results. AI technology for healthcare administration can also help prioritize tasks for doctors, nurses, clinicians, and other important personnel, optimizing their time management.

4. Another Weapon in the War Against Superbugs

So-called superbugs like antibiotic-resistant strains of Clostridioides difficile are appearing in healthcare settings and becoming a major concern. Artificial intelligence is already being used to track patterns of infection for “C. diff,” and this information is being used to protect at-risk patients. The future of artificial intelligence in healthcare will likely see an expansion of this approach.

5. Better Patient Monitoring

Connected devices are increasingly found in healthcare settings to monitor patients. Aggregating data from all of these devices inside and outside the healthcare system is a Herculean task.

Artificial intelligence systems are capable of handling this, allowing the industry to extract more insights from the multitude of smart devices currently in operation. The use of artificial intelligence in this area can also enable a more proactive approach to patient monitoring. For example, a system could notify doctors when a patient starts to develop sepsis or other negative complications.

6. Improving Immunotherapy to Treat Cancer

By activating the body’s immune system to attack malignant cancers, immunotherapy is emerging as a promising approach to treating cancer. However, current immunotherapy options are only effective on a small number of patients, and researchers currently do not have a reliable method for determining which patients will benefit the most from this treatment option.

Many expect the future of AI in healthcare will involve the analysis of complex datasets related to immunotherapy, allowing for better targeting of patients with this treatment option. Through the analysis of disease pathology, artificial intelligence will also be able to identify new immunotherapy therapy treatment pathways.

7. More Insights from Electronic Health Records

Electronic health records hold a massive amount of readily-accessible patient data, but extracting insights from that data is a major challenge.

In addition to the administrative hurdles that come with aggregating such a massive, widespread dataset, there are also challenges related to record keeping. For example, an algorithm designed to predict stroke based on billing records could actually only be predicting the likelihood of a billing code for stroke, which is very different from predicting the actual medical condition.

Artificial intelligence can help researchers analyze electronic health records with more precision and specificity. Deep Learning technology will be able to locate novel connections within datasets, allowing for the development of new methods of care.

8. Better Use of Wearables

Smartwatches and other digital devices may be taking over the commercial marketplace, but the healthcare industry has yet to fully embrace the treatment possibilities that these devices could be offering. Artificial intelligence is expected to play a major role in making the most out of healthcare data collected from these personal devices. One of the major stumbling blocks to realizing this potential use of artificial intelligence and healthcare is having people get comfortable with sharing their personal data. If the healthcare industry is able to show patients that they can provide adequate privacy protections, it will likely be another way that AI will change healthcare.

9. Smile-Friendly Diagnostics

We know facial recognition software as the technology we use to unlock our iPhones, but the same type of technology, powered by artificial intelligence, could be used to diagnose diseases associated with facial abnormalities. According to a study published in Nature Genetics, a team of German researchers launched a new technology capable of detecting rare diseases based on facial features. The study team said their technology and genetic data could accelerate therapies for patients with rare disorders that manifest in facial abnormalities.

10. Enabling a Fee-for-Results Model

In the United States, there is a massive disparity between the amount of money spent on healthcare and positive outcomes. This disparity has triggered conversations around a fee-for-results model that involves health care providers being paid based on outcomes, not by the number of tests or treatments they provide.

Through prediction and risk analysis, artificial intelligence is able to provide the foundation for a fee-for-results model. Providers can deliver superior results based on more informed, evidence-based decision-making.

Realize the Future of Healthcare with TripleBlind

Data is at the heart of every AI project. Without good, representative data, healthcare AI is at risk for poor performance and bias.

Through our innovative privacy-enhancing solution, TripleBlind has been enabling all manner of artificial intelligence, especially AI in healthcare — which depends on sensitive medical information. If your healthcare organization is looking to unlock more insights from this sensitive data, schedule a demo to see how TripleBlind can unlock the potential of AI.

Pharmaceutical Clinical Trials and Data Analytics

Pharmaceutical companies and other organizations that rely on clinical trials are increasingly pushing for greater informational transparency and sharing of patient data.

The rise of sophisticated analytics has allowed for more insights than ever to be extracted from clinical data. In addition to aiding research and development, clinical data can be used to benefit patients, years or even decades after they have participated in a trial.

Unfortunately, pharmaceutical companies and research institutions do not have unfettered access to clinical trial data, especially down to the level of the individual patient. Trial participants understandably want to retain their privacy and many regulations prohibit the improper disclosure or use of personal information, such as patient ages or specific medical conditions.

Where Access to Clinical Trial Data Provides Value

Patient-Level Data

Datasets from most clinical trials contain detailed information on individual participants. Access to patient-level data can not only allow for more granular analyses, but patient-level data is also valuable when it comes to quality checks. If unexpected side effects suddenly become associated with a certain medication, going back through the trial data and performing analytics at the patient level can reveal insights into the development.

Access to patient-level trial data also helps to optimize the value of that information through secondary analysis. For example, both Pfizer and Moderna have massive amounts of clinical trial data related to the development of their individual COVID-19 vaccines. A secondary analysis involving trial data from both companies could theoretically provide many new insights about the novel coronavirus.

International Data Collaboration

Access to more data can also facilitate pharmaceutical research on an international scale. The United States, Europe, China, India, and other jurisdictions all have agencies that oversee the approval of new medications based on established guidelines. For a new drug to get approval by the FDA, for instance, the clinical trials for the drug must be run at U.S. institutions. If regulations can be effectively navigated, such as through clinical data anonymization techniques, it opens up broader possibilities for both research and drug approval.

A New Perspective on Existing Data

Access can also facilitate subsequent analyses of a clinical dataset with objectives that differ from that of the original analysis. Follow-up analyses can help researchers gain a deeper understanding of the original trial and possibly unlock additional insights.

Integrating Trial Data with Real-World Data

Access to clinical trial data can also facilitate more representative datasets. Clinical trial populations tend to be very unique cohorts that do not always reflect the broader population. With access, clinical trial data can be compared with subsequent real-world data.

Data Anonymization in Clinical Trials and Analytics

Access to clinical trial data must also be balanced with protections for the privacy of individual participants.

This can be done with data anonymization techniques that obfuscate or eliminate identifying aspects of patient records. Data anonymization in clinical trials should be calibrated such that the utility of data is maintained. Additionally, data anonymization techniques should maintain the integrity of the original dataset. If the integrity of pharmaceutical trial data is corrupted by poorly calibrated anonymization, it could pose a significant public health threat.

In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) outlines two approaches for anonymization. The Expert Determination approach involves a clinical trials data anonymization analyst applying statistical techniques to make the possibility of identifying individuals incredibly difficult or impossible. 

The Safe Harbor approach involves the removal of 18 specific types of identifying information from individual records, including name, Social Security number, telephone number, IP addresses, and license plate numbers. Many of these identifiers are not typically collected in the course of a pharmaceutical trial.

Accessing More Clinical Trial Data with Blind Query from TripleBlind

To address the challenges associated with sharing clinical data, TripleBlind has developed a unique set of data tools called Blind Query.

This innovative suite of data tools allows users to perform remote data queries while keeping privacy intact. Users can search datasets, join data sets, perform analyses, and create reports — all without needing to obtain direct access to sensitive data. With Blind Query tools, data operations are always performed remotely and can even be in multiple geographical or organizational silos.

The Blind Query suite of data tools can perform three main functions:

  • Blind join. Users can apply SQL-like methods to private tabular datasets to identify specific values, then extract those values to join with their own dataset. Data providers control access to specific data columns, and non-matched data is never revealed by Blind Join operations. Blind Join can perform operations on millions of records and identify non-exact (fuzzy) matches.
  • Blind string search. Users can conduct standard searches of text data without gaining access to non-matched text. Data providers are protected, and users can extract only the essential information they need.
  • Blind stats. Users can generate a report of descriptive statistics on private datasets, which is an essential function for understanding the demographics of clinical trial populations. Blind Stats also enables multi-party data collaborations by allowing participants to understand the qualities of a dataset, without compromising privacy.

TripleBlind offers a wide range of privacy-preserving data tools, including the Blind Query suite. If you would like to learn more about how TripleBlind can facilitate data access and collaborations, please contact us today.

Craig Gentry - CTO of TripleBlind

Meet Craig Gentry: CTO at TripleBlind

Last month, TripleBlind appointed encryption, privacy and blockchain expert Craig Gentry as Chief Technology Officer. Craig brings a wealth of knowledge and experience to the TripleBlind team and will take the lead executing on TripleBlind’s vision for continuously improving the most complete, scalable and comprehensive privacy-enhancing technology (PET) in the industry.

Craig has been recognized globally and has received numerous accolades for his research and advancements, most notably inventing the first fully homomorphic encryption scheme as part of earning his Ph.D. Prior to TripleBlind, he worked as a research fellow at Algorand Foundation and in the Cryptography Research Group at the IBM Thomas J. Watson Research Center. 

Most recently, Craig was awarded the prestigious 2022 Godel Prize for his outstanding paper on fully homomorphic encryption. In his new research, Craig and coauthors present entirely new constructions of fully homomorphic encryption that have the potential to unlock a vast array of applications, according to the Godel Prize Committee.

We sat down for a chat with Craig to learn more about his background and what he’s looking forward to in his new role as CTO.


Where did you get your start in technology? What sparked your interest?

I’ve always been good at math. That’s what I majored in during my undergrad years. There’s something creative and artistic about the way the pieces of an equation or algorithm fit and work together perfectly – it has a beauty to it. 

But, I went to law school after undergrad because I felt like that made more sense than spending my career working on math problems. I only practiced Intellectual Property Law for about two years before I realized I wanted to get back to my mathematical and computer science roots. 

I started applying to a bunch of math and computer science jobs online – anything I could find –  and finally, I got one response from DoCoMo USA Labs. They just launched a research lab and had a list of ideas that they were planning to research.

I started researching cryptography with them, and that’s how I got my start in the tech world. 


What enticed you about TripleBlind?

I have spent my career thus far researching and creating frameworks of thinking and practice, which has been fulfilling. Now, at my current stage, I want to move beyond ideas and into practice to improve the world in some way. The vision and promise that the TripleBlind solution holds will lead to accelerated collaboration around the world that in turn can solve some of the world’s most challenging problems.

I was also drawn to the TripleBlind team. Everyone, from the C-level execs to the engineers, is extremely knowledgeable and shares my focus on providing businesses the best PET solution. 


You’ve spent a significant part of your career working on homomorphic encryption, what potential do you see in the TripleBlind solution?

While I have a strong background in homomorphic encryption, I’m not tied to it or any one particular technology. What is more important to me rather is to see the technologies be used to provide some benefit for society. 

Unlike some other cryptography-based companies, TripleBlind and I share a common core goal to solve privacy problems regardless of the technology that is used. We’re both technology-agnostic in that way.

TripleBlind’s main priority is the solution, and that’s the potential I see in the company.

And who knows? If the problem calls for it, I think TripleBlind would even be willing to implement some homomorphic encryption schemes.


What do you look forward to most in your new role?

I’m looking forward to connecting with CTOs and data scientists that are dipping their toes into PET. This is still an unknown and new space for many enterprises, and I’ll be able to give a deeper dive into these technologies for TripleBlind’s current and future customers.

And, as I mentioned before, I’m looking forward to seeing how technologies that I come up with get deployed in the real world.


What is one recent development in data privacy that should be on every CTO’s radar?

Everybody, including regulators and enterprises, are becoming more serious about actually enforcing privacy rather than taking ad hoc approaches and accepting breaches. In general, privacy regulations are becoming more stringent. 

Just last year, there were more than 15 consumer data privacy bills enacted in the U.S. alone. Industry-specific data regulations are being more widely adopted. Big companies like Apple are taking action to protect their customers’ privacy. These things in combination will provide the impetus for various companies to implement serious privacy solutions in coming months.

It is more essential than ever for CTOs and data handlers to be laser-focused on compliance.

AICPA SOC 2 Type 1

TripleBlind Completes SOC 2 Type 1 Examination

Today, TripleBlind announced that we have completed our SOC 2® Type 1 examination! 

Data Practitioners at TripleBlind worked closely with compliance-as-a-service platform Laika to earn this certification. Laika helps companies manage information security and privacy compliance, obtain security certifications and build trust with customers.


What is SOC 2?

SOC 2 Type 1 is an auditing procedure established by the American Institute of Certified Public Accountants (AICPA). The audit examines an organization’s privacy and infosec controls, assessing compliance at a specific point in time. 

SOC 2 applies to any business that transmits or stores sensitive data in the cloud, which applies to TripleBlind’s solution. Achieving SOC 2 compliance indicates that TripleBlind’s solution meets the common Trust Services Criteria maintained by the AICPA Auditing Standards Board.

TripleBlind has already begun work with Laika on our SOC 2 Type 2 examination and we are expected to complete Type 2 testing later this year.

“The team at TripleBlind is taking all the right steps to ensure their data is secure and privacy standards are upheld. We’re thrilled they earned their SOC 2 Type 1! And as they pursue their Type 2 attestation and ISO 27001 certification, TripleBlind further demonstrates their commitment to security and privacy,” said Olivia Trieu, Customer Success Manager at Laika.


What does a SOC 2 certification mean for TripleBlind?

As the creator of the most complete and scalable solution for privacy enhancing computation (PEC), TripleBlind’s top priority has been to facilitate private and compliant data collaboration to allow for innovation that only comes from analyzing real, sensitive data. By achieving SOC 2 Compliance, TripleBlind customers in the financial services and healthcare industries will benefit from added layers of trust including security, availability, processing, integrity, confidentiality and privacy.  

Our innovation radically improves the practical use of PEC by adding true scalability and faster processing with support for all data and algorithm types, and ensuring compliance with all data privacy laws like HIPAA and GDPR.

“SOC 2 certification is important to show that TripleBlind has the correct policies and procedures in place to ensure that our customer’s data is protected. Our customers in all industries are held to the highest privacy standards, and these certifications verify that our solution can unlock the intellectual property value of data while ensuring compliance for them,” said Gary Moore, Senior Vice President of Engineering at TripleBlind. 

TripleBlind’s SOC 2 Type 1 report is available under NDA to existing and potential customers. To receive a copy of the report, or to learn more about how TripleBlind can unlock compliant data collaboration for your company, contact us today


Real World Data Use in Pharmaceutical Innovation

Real-World Data Fueling Innovation in Pharma

Over the past few decades, R&D divisions in the pharmaceutical industry have had to grapple with increasing costs. One increasingly prevalent way to reduce costs in R&D is to extract more from the post-commercial value chain via real-world data.

Unlike data collected in clinical trials, which is extremely focused and limited by design, the real-world data pharma companies seek out is highly varied in nature and collected by many different kinds of healthcare entities, such as private practices, insurance providers, mobile data, and other sources. Real-world data may be both structured and unstructured and sometimes data records are missing key elements. However, real-world data can expand upon clinical trial data by bringing in data from both normal clinical practice and everyday life.

Real-world data has been around as long as the healthcare industry itself, but advances in digital and analytics technologies are allowing for it to be used more than ever before. This kind of data can help pharmaceutical researchers better understand how unique patient attributes and behaviors impact the outcomes of medical treatments. Real-world data combined with modern analytic approaches can allow for the better prediction of disease progression, patient reactions to a medication, or adverse effects. From a business point of view, real-world data can extract more value from R&D investments and accelerate the time to market for new medications.

To access real-world data, pharma companies require direct access to data silos throughout the healthcare industry. Access to real-world data is still considered quite limited, and one of the greatest opportunities for the pharma industry is broader access to many data partners for analyses. Greater access would be of particular benefit to the artificial intelligence and machine learning technologies commonly used in modern R&D.


Turning Real-World Data into Real-World Evidence

When pharmaceutical companies can access real-world data and analyze it, they translate it into what is called real-world evidence.

While real-world data is a tool used in research, real-world evidence is the currency of analysis, and it is closely tied to implementation. Using real-world evidence, pharma companies can make more informed decisions. This information is derived from real-world data but not exclusively, as it may include information from clinical trials and other sources. In recent years, real-world data has become an increasingly viable source of real-world evidence in pharma thanks to advances in healthcare analytics.

Previous approaches in healthcare analytics used descriptive analysis to sort patients and conventional matching strategies to compare patient groups with similar qualities. More recent approaches use machine learning, predictive models, and unsupervised algorithms to unlock deeper insights from complex datasets. 

These more modern approaches allow pharmaceutical companies to leverage thousands of patient attributes to better understand outcomes and extract insights on drug performance at a more granular level. Companies can also use these techniques to develop predictive models and formulate hypotheses at scale for multiple therapies.

Real-world evidence is already being used to fuel innovations in large pharmaceutical companies. For example, Pfizer was able to use data from electronic medical records to get approval for a new breast cancer drug called Ibrance. Another example is AstraZeneca using real-world evidence data to illustrate the real-world effectiveness of Farxiga, a medication used to treat diabetes. Other use cases include predicting outcomes of an ongoing phase IV trial for a cardiovascular treatment and modeling the development of non-Hodgkin’s lymphoma to develop a progressive treatment regimen.

In addition to improving development and unlocking more insights, real-world evidence has been a major cost-cutting tool for pharmaceutical companies. In a 2020 report, McKinsey & Company said the typical top-20 pharma business that implements real-world evidence across its value chains for products in the market and in development could realize more than $300 million in value over 3-5 years. 

The research company said pharma businesses could save $100 million in R&D spending by using analytics to capture more insights from real-world data rather than from clinical trials — as well as using it to optimize clinical trial design and implement synthetic trial arms. Additional value could be realized by identifying more potential therapeutics, speeding up time to market, improving payer negotiations, and producing stronger proof of differentiation for products in the market. Additionally, real-world evidence is enabling a more proactive response to adverse treatment events, saving lives and potentially avoiding costly litigation.

McKinsey went on to say that emerging artificial intelligence technologies promise to realize even more value and open up more business possibilities. Technologies like generative adversarial networks (GANs) are poised to cultivate even more insights from the ongoing expansion of medical data found in electronic health records, insurance claims, wearables, consumer records, social media, and patient-reported outcomes.


Fueling Pharma Innovation with TripleBlind

Extracting more value from all of this data is well within our grasp, but access limitations are proving to be a major obstacle. The TripleBlind Solution helps companies unlock siloed sensitive and non-sensitive data to provide added value across the entire pharma value chain.

Because TripleBlind allows organizations to access data directly from data providers and maintain pharma data integrity, it enables all kinds of possible actions, such as the identification of top-performing analytics entities and subject matter experts. Our technology also enables more secure collaboration between pharma companies and data providers.

By enabling secure access to data, continuous real-time secure operationalization of data, and improved consistency with regulatory needs during post-market monitoring, the TripleBlind Solution facilitates the transition of real-world data to real-world evidence, unlocking untold value in the process.

If you would like to learn more about how TripleBlind can fuel pharma innovation, please contact us today.

Unlocking Research with HIPAA Compliant Data Encryption

The Health Insurance Portability and Accountability Act (HIPAA) plays an essential role in protecting patients. When you’re following HIPAA-compliant data encryption standards, however, it becomes difficult to get the most out of your data. There are strict rules around how data can be used (or who can use it), and making a data set usable often means stripping away its most useful components. 

In most industries today, Big Data is redrawing the limits of human knowledge and capability. Unfortunately, highly regulated industries like healthcare have a harder time maximizing these benefits. While HIPAA is paramount to safeguarding patient privacy, regulations prevent researchers from exploring the full potential of their patient data.

A single hospital’s internal data might be enough to draw conclusions about common diagnoses, but meta studies have found this approach to building datasets for research can result in too small (and too biased) a sample size to provide reliable conclusions. Larger data sets are necessary, but researchers within healthcare organizations don’t always know the options available to them.

Embracing the spirit of the growing legal requirements for individual privacy, new privacy enhancing technologies are fundamentally changing the way healthcare organizations can unlock patient data, especially for collaboration.

But how might these solutions be better than current practices? To start, let’s take a quick look at some issues with the current ways healthcare organizations handle data.


The Limitations to Current HIPAA-Compliant Data Use Practices

Using Institutional Review Boards (IRBs) for decrypted data use: slow, costly, constrained

Institutional Review Boards (IRBs) offer a way for organizations to collectively use data, but this has multiple issues. 

Firstly, the level of bureaucracy in an IRB isn’t conducive to novel research. Taking representatives from each organization, deciding who’s getting what data, what they can do with the data (and why), and dealing with all the compliance and checkpoints along the way — all this red tape makes research slow, limited, and expensive.

Additionally, since setting up an IRB involves legal review (which is expensive in both dollars and time), the scope of research has to be carefully understood beforehand. If you wish to dive deeper into any novel findings you uncover, this can require an entirely new legal review and IRB.  Thus the process inhibits the effectiveness and potential of research by discouraging researchers from doing what they are supposed to do.

Even after all this, you’re still responsible for the data you’ve allowed other organizations to access, so you still have to trust that other IRB participants won’t make human mistakes when handling data you are responsible for protecting.


Deidentified Data: A False Sense of Security

While you can always deidentify your patient data before taking part in collective research, even certified deidentification standards can’t fully free you from concern.

It might be tempting to think deidentified data is anonymized, but being “deidentified” is very different from being “unidentifiable.” Researchers have been demonstrating for years that they can reidentify data by pairing it with other data sources, which wouldn’t be possible if it were truly anonymized.

Similarly, artificial intelligence models have gotten so sophisticated that they can identify this kind of data with ease, so solely using deidentification is akin to setting your password as “password.”


Ignoring Data That Can’t Be De-identified: Large Opportunity Costs

In many cases, you can’t simply strip off identifying data without rendering it useless for research. Say you’re studying the human eye — eye veins are as unique as fingerprints, so you can’t simply distort the data, at least not without making your research useless. Similarly, genetic data and electrocardiograms are so unique to each person that they could always be used to identify the individual in question.


A Better Solution: One-Way Encryption for Safe Collaboration and Data Use

Normally, using encrypted data means  the user of the data needs to decrypt it first, but decryption is what introduces the risks (and incomplete solutions) mentioned above. So what if you never had to decrypt data, but you could still get full usage of it?

The TripleBlind Solution allows data users to perform the same operations on data as they normally would, without having to “see”, copy, or store any data. This involves using one-way encryption, which is like locking up the data and throwing away the key: mathematically impossible to reverse. Due to the way these operations are carried out on one-way encrypted data, our solution allows data owners full Digital Rights Management (DRM) over how their data is used on a granular, per-use level.

Since any AI or analytic code can be run on this one-way encrypted data, the output is identical to running code on raw data, without putting privacy at risk. This is possible because of the innovations by TripleBlind on best-in-class, privacy-enhancing computation techniques.

Our aim with this technology is to provide tools for organizations to stop wasting valuable time worrying about security or compliance issues around research, freeing you to pursue more creative or ambitious investigations.

Since our solution ensures the safe handling of sensitive data, researchers can use data much more freely. This means you can start analyzing unconventional data points like credit card statements or driving patterns, rather than just MRIs and blood tests.

This adds a new wealth of data into diagnostics, enabling research that could vastly improve quality and effectiveness of patient care, all while maintaining their anonymity. Even though it’s sensitive data, it remains private.


Blind to Data, Blind to Processing, and Blind to the Result

TripleBlind allows your data to remain behind your firewall while it is made discoverable and computable by third parties for analysis and ML training.

These innovations build on well-understood principles, such as federated learning and multiparty compute. Our solution unlocks the intellectual property value of data, while preserving privacy and ensuring compliance with HIPAA and GDPR and all data localization laws. Data owners never sacrifice control over sensitive assets.

Want to see how it works? Learn more about our technology.

The Present and Future of Healthcare – Webinar Recap with Dr. Suraj Kapa (MD)

Curious about the landscape of privacy in healthcare, now and in the future? Following the 2022 HIMSS Global Health Conference and Exhibition, TripleBlind’s SVP of Healthcare Dr. Suraj Kapa (M.D.) discussed how to collaborate with sensitive healthcare data, without compromising privacy, speed, or fidelity.

Dr. Suraj Kapa, M.D., is a board-certified cardiologist with subspecialty certification in cardiac electrophysiology at Mayo Clinic. Dr. Kapa has published over 200 peer-reviewed articles and book chapters, given hundreds of guest lectures, and filed over 30 patents that serve as the foundation for healthcare startups. During this webinar, he shared his highly-sought after views on the future of digital health and healthcare delivery. Here’s our recap:


Key Discussion Questions:

  • Privacy-enhancing computation facilitates rapid innovation in healthcare. By enabling AI development using high-quality global data, how can new and effective products and services can hit the healthcare market?
  • Specific challenges for the use of healthcare data include HIPAA regulations, third-party contracts and audits, de-identification tasks, and residency rules. How might we address these challenges in the future of healthcare?
  • Technical and legal barriers prevent healthcare institutions from unlocking data in safe and compliant ways. How can innovations in privacy-enhancing technologies satisfy compliance requirements and drive future developments with data.


What is data in medicine or healthcare?

As a medical student, a resident, a fellow, and as a practicing cardiac electrophysiologist, the things we always think about when we think about learning in medicine is the traditional large textbooks that each weigh about 30 pounds…But that’s not where medicine limits itself. It’s not just reading a Wikipedia page. It’s not just reading a textbook, because really where the context of medicine comes into play is at the forefront of when you’re interacting with the patients.” – Dr. Suraj Kapa

Data in medicine or healthcare is any and all information derived from interactions with patients. From a patient’s current symptoms to their entire family’s medical history, diagnostic information contributes to large swaths of healthcare data that medical professionals use to provide high-quality care.


What are the benefits of data scalability?

Data scalability can be thought of as the opportunity to operationalize patient data at the individual, organizational, and collective levels. According to Dr. Kapa,

“Ideally, you would want to take these insights and these understandings and deploy them globally –– so that a clinician who is only one year out of practice can get the same value from a patient’s interaction history as somebody who’s been in the practice for over 30, 35 years. That’s a large part of what we talk about when we talk about digital insight development and digital platform development. Part of it is leveraging this extraordinary cohort of data as we take care of patients.”


What are the challenges healthcare faces for data scalability?

  • Increasing provider level costs – Human touch-points are still required to engage patients, even as technologies and diagnostic modalities improve. Investments into human-centered logistics and improved technologies are bound to increase costs for hospitals and patients –– especially if data actualization requires providers to jump through hoops to be able to use valuable information.
  • Regulations create implementation barriers – While privacy regulations in healthcare seek to secure patient data, regulatory requirements add additional hurdles for data owners and providers to collaborate. If a research institution has an algorithm that can determine the likelihood of a rare disease for patients at another hospital, the research institution cannot simply receive raw data from the hospital. Legal departments must draft contracts for terms of use, compliance reviews must take place, and specialized legal teams must ensure that no regulatory violations take place. Each step increases the amount of time and overall cost spent on healthcare innovation.
  • Data discovery and pre-processing are often resource intensive – Efficiency in digital healthcare relies on an understanding of what data sets are available, as well as interoperability between data users and providers. Data prep must account for legal compliance, be transmitted with appropriate encryption/decryption standards, and prevent unintended uses of the original data. These processes are also time and resource intensive, adding further complexity to scalable digital healthcare.
  • Varying global standards for data collaboration can hinder progress – Data sharing across borders requires adherence to many different requirements for collaboration. If a US-based healthcare provider wanted to work with a satellite clinic in Dubai, strict yet mismatched laws can prevent valuable information from being shared between parties. Regulations limit the flow of data between regions, increase fines in the event of violations, and increase the cost of collaboration between healthcare institutions.


 What are current solutions and their drawbacks?

A variety of privacy-enhancing technologies (also known as privacy-preserving technologies) have been developed to enable data interactions while abiding by data regulations, such as HIPAA and others. Dr. Kapa lists and analyzes the following solutions in the context of healthcare:

  1. Tokenization – This approach masks sensitive data, but also takes it out of use. Masking eliminates the ability or possibility of data operationalization. If you tokenize half of a genomic data set, that half of a genome is no longer usable –– preventing whole genomic evaluations.
  2. Synthetic data – By using quantitative statistical approaches on real data, synthetic data can be generated to solve critical data issues. However, since synthetic data is representative of how an individual’s health should look according to statistics, results will only be as accurate as initial approximations. This can create errors within algorithms or limit the accuracy of what would occur if one had access to true, raw data.
  3. Differential privacy – This approach applies noise to a data set with the intention of limiting individual identification within the set. Differential privacy can limit accuracy and does not meet standards for regulatory compliance.
  4. Homomorphic encryption – This method allows for operations on encrypted data, but it is often computationally inefficient at scale. Homomorphic encryption works well for small data sets or genomes, but falls apart operationally when faced with hundreds, thousands, or millions of data points.
  5. Secure enclaves and confidential computing – These mechanisms enable interaction with data, but are inherently hardware-dependent –– increasing costs. Secure enclaves require both the data and the algorithm to be stored in one place, which silos data behind data residency and regulatory fences. 
  6. Federated learning – This approach distributes the process of training a machine learning model across different data providers, but keeps data in place. However, federated learning isn’t always accurate –– and often increases computational speed for individual data owners. It’s also possible to reconstruct portions of training data when building a neural or federated network, leaving holes in terms of privacy and security.


What are six key considerations to improve privacy technology in healthcare?

Solutions that can address the drawbacks of previously-listed privacy enhancing technologies are bound to drive innovation in healthcare. These are considerations that Dr. Kapa recommends PET-centered organizations focus on:

  1. Ensuring speed and accuracy to encourage interoperability in healthcare
  2. Real-time, de-identified computation
  3. One-way encryption 
  4. Hardware agnosticism 
  5. Cloud-based compatibility and API-driven exchanges
  6. Compliance with existing and overlapping data regulations


How does the TripleBlind Solution meet these considerations?

The TripleBlind Solution is an API-driven virtual exchange that reduces risk, effort, and cost without restricting data’s utility or value. TripleBlind applies one-way encryption to data and algorithms so that they can be used for authorized purposes only. Data stays resident, yet is also operationalizable. TripleBlind meets standards for the future of digital healthcare by being non-hardware dependent, facilitating secure and trustworthy multi-party interactions, and ensuring compliance with HIPAA, HITECH, and other data regulations. What benefits does this afford? In the words of Dr. Kapa, 

“Imagine if our ability to rapidly understand health information in real-time was more efficient. We wouldn’t be reactive. We can be proactive. In the midst of all this, we need to be able to deliver effectively and scalably.”

Healthcare organizations could use insights from data to increase our age by 20 years from where we are now, or promote optimal human health at age 90. Solutions and treatments could be devised for once-terminal illnesses, and costs for developing such treatments could drop from billions to millions of dollars. The opportunities for digital healthcare is endless –– so long as the right solutions are used in the context of healthcare data.

We’re thankful for Dr. Kapa’s thoughts and perspectives on The Present and Future of Privacy in Healthcare. To watch the full webinar, click on this link. For additional information on how TripleBlind is catalyzing innovation in the context of healthcare, read more about our use cases or download a complimentary copy of our whitepaper!

Big Data Security and Privacy Issues in Healthcare hero image

Big Data Security and Privacy Issues in Healthcare

The mass digitization of medical data expanded the possibility of improving healthcare through the application of big data analytics. However, personal medical issues are considered private matters and as a result, the use of patient data is highly regulated by privacy laws such as HIPAA and HITECH. On top of that, any data with value is a target for criminals, and thus, healthcare data must be kept secure. While striving to meet security and privacy challenges, the medical community is trying to get the most out of its valuable data. 

Technical capabilities in healthcare also led to an increased focus and evidence-based decisions. Health care researchers and professionals are seeing data as the key to improving care, informing clinical decisions, tracking disease, and monitoring adverse effects of drugs or medical devices.

None of these improvements are possible if healthcare data cannot be shared or operationalized without ensuring both security and privacy. This means that leveraging big data requires systems that not only unlock new insights, but also protect the privacy of patients.

Since threats to privacy and security keep evolving, stakeholders must also actively refine their protective methods. With the COVID-19 pandemic leading to a pronounced reliance on digital technology, hackers leveraged cyber crime opportunities According to a report from Critical Insights, data breaches reached an all-time high in 2021, exposing a record amount of sensitive data.

In trying to combat the threat of cyberattacks, organizations have been finding that relying on a bottom-up, reactive, and technically focused protection strategy is not enough to address big data security and privacy issues in healthcare. Instead, experts are recommending a proactive, top-down approach that includes proper training of employees and other non-technical methods.


The Differences Between Big Data Security and Privacy

Security and privacy may seem like very similar concepts, but in the context of healthcare data, there are important distinctions between them.

  • Security of healthcare data. Healthcare security measures are designed to prevent unauthorized access, data theft and cyberattacks that could expose data.
  • Privacy of healthcare data. Privacy measures are designed to prevent  connections between personal medical information and specific individuals. While security measures may be focused on shielding data from intentional attacks and theft, privacy measures are focused on the ways for data to be handled and used safely. Privacy measures outline the ways in which patient data can be collected, transferred, and used with respect to both privacy regulations and ethical behavior.


The distinctions between these two concepts are particularly relevant when trying to address big data security and privacy in healthcare. Security measures must be designed to ensure the integrity and confidentiality of data. Measures like firewalls and encryption prevent data from corruption and unauthorized access. In some ways, security measures for protecting healthcare data also support privacy. Administrative structures and techniques like anonymization are designed to prevent organizations that handle patient data from using that data against patients’ wishes.

It is important to note that a patient can waive some degree of privacy by giving consent to an individual or organization. For instance, a patient could authorize their provider to share the results of a medical test with clinical researchers. If you’re interested in learning more about what disclosures are permitted for personal health information, check out this Ultimate Guide to Healthcare Data Security.


Securing the Entire Data Lifecycle

Companies that handle healthcare data must use security methods that protect both their assets and satisfy compliance concerns. Experts recommend that organizations consider the entire lifecycle of the data when applying security measures. The typical life cycle of healthcare data contains four phases: collection, storage, processing, and knowledge creation.

Data collection can involve gathering data in various formats from multiple sources. From a security standpoint, this should mean collecting data from reliable sources in a secure manner. Importantly, healthcare data may not come directly from patients, and companies receiving healthcare data must have systems in place to ensure their data collaboration is secure. Security measures for this part of the data lifecycle should prevent improper access, corruption, unauthorized disclosure, duplication, erasure, misuse, loss, and theft.

The first step of the storage phase involves filtering and characterizing the data according to predefined qualities. Some data may require preprocessing to facilitate future analysis. Preprocess steps like removing duplicate data or statistical noise are meant to improve the quality of collected data prior to any processing. This step could involve some security-related preprocessing, such as anonymization methods or data partitioning. The secure storage of data typically involves keeping it isolated and applying access control measures.

After data has been collected, preprocessed and stored securely, it is ready for the analysis phase. This stage involves the use of robust data mining techniques to generate useful knowledge and insights. The data mining process should be configured in a way that prevents mining-based attacks or breaches of this part of an organization’s network. Access control measures should also be in place to ensure that only authorized personnel can access data analysis processes.

The ideal result of a processing phase is the creation of valuable insights. These insights themselves are also regarded as valuable data that must be protected, just as the data used to create these insights must be protected by security measures.

The entire life cycle of big data in healthcare requires the ability to securely store and maintain integrity via access control. Securing the entire lifecycle becomes more complicated as more touchpoints are added by different organizations. Data providers, collectors, analyzers, and any other stakeholders must all play their responsible part in keeping healthcare data secure. Some collaborations use business associate agreements (BAAs) to hold parties accountable for unauthorized use, but these agreements only establish a reactive mechanism for addressing security malpractice.


Privacy Issues with Big Data in Healthcare

Any discussion about maintaining patient privacy in the United States must include the Health Insurance Portability and Accountability Act (HIPAA). Enacted into U.S. law in 1996, HIPPA established national standards for ensuring patient privacy. In Europe, the General Data Protection Regulation (GDPR) has established a strict standard for ensuring patient privacy.   

HIPAA and GDPR have made it compulsory for healthcare organizations to address privacy concerns with big data in healthcare by establishing a robust privacy policy. In addition to addressing security concerns, employee training and access control systems can go a long way to addressing the privacy risks of big data in healthcare.

As you are well aware, organizations that handle healthcare data should be using HIPAA-compliant software and IT solutions. Any systems or applications developed by a company must prioritize privacy, compliance, and any privacy agreements. When there is significant overlapping privacy protection provided by technical security measures, companies should use anonymization techniques, which aim to remove any identifying information that could be traced back to a specific individual. However, removing potentially identifying information from patient records can result in a significant loss of value. For example, a cancer diagnosis for a female patient in a certain hospital could be traced back to identify a specific person but removing that diagnosis from the record results in a loss of value for cancer research purposes. Other anonymization efforts add statistical noise to data to obfuscate any attempts at identification, but the addition of noise too can diminish the value of the original dataset. There are other approaches to big data security and protection of privacy in healthcare, until now, all have had disadvantages along with their advantages.


Addressing Big Data Security and Privacy Issues in Healthcare with TripleBlind

Ensuring the security and privacy of big data in healthcare is a complicated undertaking, and one that gets even more complicated as more entities get involved. However, for organizations in healthcare, not making use of big data simply isn’t an option anymore.

The innovative TripleBlind Solution is designed to simplify both the security and privacy of big data analytics for data collaborations. Our privacy-enhancing approach allows data collaborators to protect both valuable data and algorithms used to process that data, avoiding the need for addressing security concerns with BAAs. TripleBlind’s innovations build on well understood principles, such as federated learning and multi-party compute. Our innovations radically improve the practical use of privacy preserving technology, by adding true scalability and faster processing, with support for all data and algorithm types, including such as medical imaging or genomic data. 

In addition to preserving security and privacy, our one-way encryption approach helps to retain a high level of data utility, unlike anonymization techniques. 

If you would like to learn more about how the TripleBlind Solution can address your big data security and privacy issues in healthcare, please contact us today.

Ultimate Guide to Healthcare Hero image of Dr. reviewing Guide and taking notes

The Ultimate Guide to Healthcare Data Security


What opportunities remain for the future of a healthcare industry that has faced decades of change in two short years? Countless –– as long as organizations remain dynamic and leverage digital opportunities. From optimizing telehealth offerings to catalyzing medical innovation, robust and reliable data is the backbone for healthcare’s advancement in 2022. In the same vein, data security is integral to ensuring the protection of confidential patient information and compliance with federal and state-level regulations. Interested in learning more about the intersection between data security and healthcare? Here’s our Ultimate Guide!


What is considered “healthcare data?”

Healthcare data, sometimes known as medical or clinical data, is any data related to health conditions, reproductive outcomes, causes of death, and quality of life for an individual or a population. Sources for this data include surveys, claims data, administrative and medical records, disease registries, and more.


What are the two federal laws that have been enacted to protect personal health information?

Numerous laws protect the privacy of health data. In the United States, The Health Insurance Portability and Accountability Act (HIPAA) and The Health Information Technology for Economic and Clinical Health (HITECH) Act create standards that qualify and protect the privacy of identifiable health information.

HIPAA was enacted in 1996. Before its passage, hospitals, medical practices, and insurance companies complied with a variety of laws at state and federal levels. Oftentimes, patient information could be easily distributed without the patient’s authorization and for purposes unrelated to medical care. For example, lenders and employers could access an individual’s health record –– and subsequently deny a mortgage or job application based on medical history. 

To prevent these outcomes and protect patient privacy, legislators drafted HIPAA’s privacy rule and security rule. The privacy rule allows patients to decide who has access to their medical records, such as a primary care provider or a team of specialists. It also places specific limits on how a provider can access, use, or store patient data. The security rule ensures that electronically transmitted patient data is protected through appropriate administrative, physical, and technical safeguards.

In 2009, HITECH was also passed to ensure the confidentiality, integrity, and security of electronic health information. HITECH promoted and expanded the adoption of electronic health records (EHRs), clarified language in HIPAA to close potential loopholes, and created tougher penalties for HIPAA violations to incentivize compliance with privacy and security rules. Prior to HITECH, only 10% of hospitals adopted EHRs –– leaving healthcare out of the digital age. HITECH encouraged digital transformation through financial incentives, ultimately improving healthcare efficiency and coordination. 


What is Protected Health Information (PHI)?

Any health information that includes individual identifiers is considered PHI, including demographic information. Under HIPAA, the 18 identifiers of PHI are:

  1. Names 
  2. Dates, with exception to year
  3. Telephone numbers
  4. FAX numbers
  5. Geographic information
  6. Social Security numbers
  7. Email addresses
  8. Medical record numbers
  9. Account numbers
  10. Health plan beneficiary numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Web URLs
  14. Device identifiers and serial numbers
  15. Internet protocol addresses
  16. Full face photos and comparable images
  17. Biometric identifiers (i.e. retinal scans and fingerprints)
  18. Any unique identifying number or code


What distinguishes Protected Health Information (PHI) from healthcare data?

All PHI is healthcare data, but not all healthcare data is PHI. PHI refers to any past, present, or future identifiable health information that is used, maintained, or stored by a HIPAA-covered entity. Physical records, electronic records, and spoken information regarding a patient’s medical conditions, provisions of care, or payment of care are all considered PHI. Examples of PHI include:

  • Phone records between an individual and a healthcare provider
  • Billing information from a doctor
  • Diagnosis of a medical condition
  • Results from a blood test


What isn’t considered PHI? 

Two conditions determine what qualifies as PHI: who records the information, and whether or not the information is stripped of all identifiers that could tie the information to an individual. HIPAA applies to HIPAA-covered entities and their business associates. This does not pertain to education or employment records, which may retain certain information about an individual’s health, such as allergies or blood type. Information is only considered PHI if the information was recorded by a healthcare provider or used by a health plan. Additionally, if the 18 identifiers of PHI are stripped from the health information, HIPAA does not apply. The data is then considered de-identified PHI. It is important to note that certain characteristics that could uniquely identify an individual cannot be reasonably stripped from data, as context clues and introducing additional publicly available information can lead to re-identification of an individual. This highlights how HIPAA typically does apply when using patient information, and how healthcare institutions should take appropriate and proactive measures to ensure compliance.


When are disclosures permitted for PHI?

There are, of course, instances where disclosure of PHI is required by law. Typically, these types of disclosures handle circumstances that involve public policy, safety, or other legal concerns that compete with a patients’ need for medical confidentiality. HIPAA permits disclosures under the following provisions:

  • Public health activities, such as those involving disease control, product recalls, or work-related illnesses
  • Suspected abuse, neglect, or domestic violence
  • Health oversight activities of the healthcare system, government benefit programs, or civil rights law;
  • Judicial or administrative proceedings in response to a court order or subpoena;
  • Law enforcement purposes when the PHI is relevant and material to a criminal investigation;
  • Deceased patients (to coroners, medical examiners, or funeral directors);
  • Organ donation;
  • Research, provided specific requirements are met; and
  • Government functions such as national security or intelligence activities

With such a specific and limited list of permitted reasons for disclosure, sharing data for medical research or other industry-related developments requires a careful, privacy-by-design approach. So how do organizations collaborate with data? First, let’s start by exploring why data collaboration is important in the first place.


What are the benefits of data collaboration in healthcare?

Data collaboration is critical for healthcare institutions. Interoperability –– the ability of two or more systems to exchange and use health information –– allows for increased clinic/hospital efficiency, reduced visits and admissions, improved diagnostic accuracy, and more. This host of potential benefits for patients’ health and well-being depends on private, secure, and streamlined sharing between healthcare providers. 

One key example of the benefits of data collaboration in healthcare is this study, conducted by researchers at Stanford University and the Houston Methodist Research Institute in 2016. By examining more than 16 million electronic health records of 2.9 million people to probe the link between common gastroesophageal reflux disease treatments and heart attacks, they found that individuals taking proton pump inhibitors (Nexium, Prilosec, and Prevacid) were 16 percent more likely to have a heart attack than those who did not take these drugs. While the study does not establish that these drugs cause heart attacks, the findings catalyze a closer examination of a potential cause-and-effect relationship between proton pump inhibitors and future heart attacks.

This example highlights how collaboration and secure information sharing can also vastly improve wider-level medical research, in addition to population health management and epidemiology/disease tracking. Access to transparent and informative data can improve the accuracy of research, provide a backbone for risk/benefit analysis of treatment options, and strengthen clinical research collaborations between healthcare providers. 


What is the biggest threat to the security of healthcare data?

Healthcare organizations are continually at risk for cyberthreats due to their possession of information that is of high monetary and intelligence value to hackers, cyber-thieves, and other bad actors. Protected health information, financial information such as credit card and bank account numbers, Social Security numbers, and intellectual property are all forms of targeted data. Ransomware, credential harvesting, and device theft are top mechanisms for stealing patient health information.

Immediate patient outcomes are often impacted by cyber crimes. In May of 2017, the “WannaCry” ransomware attack targeted computer systems in 150 countries, hitting over 230,000 computers globally. American hospitals and healthcare systems faced diverted ambulances, canceled surgeries, and disrupted operations –– consequences that could have been avoided through updated software and education on data security. In 2021, a Critical Insights report found that cybersecurity breaches hit an all-time high, with over 45 million individuals impacted by healthcare attacks. This number has tripled in the past three years, partially resulting from the unprecedented stress hospital and health systems faced during COVID-19. As healthcare systems continue to shore up defenses, the U.S. Department of Health & Human Services Office of Civil Rights (OCR) recommends vigilance around these top cybersecurity threats:


What types of data security does the healthcare industry currently implement?

Protecting data in the healthcare industry is a serious challenge, and as regulatory requirements for data protections increase, healthcare organizations must take a proactive approach to implement best-practices for data security. Currently, these are steps healthcare organizations take to remain compliant and lower the risk of data breaches:

  • Educating healthcare staff
    Human error can lead to catastrophic and costly consequences. Through robust security awareness training, healthcare employees can independently make critical and careful decisions when handling sensitive patient data.
  • Implementing access and usage controls
    Data controls allow healthcare organizations to restrict access to patient information and applications to users who require access to perform their roles, or block specific actions (such as web uploads, copying to external drives, or unauthorized email sends) altogether. Data discovery and classification can also ensure that sensitive data is identified and tagged according to the level of protection necessary for the information.
  • Logging and monitoring the use of data
    An audit trail allows healthcare providers to identify which users are accessing patient information, pinpoint areas of concern in security, and strengthen protective measures. 
  • Encrypting data at-rest and in-transit
    Encryption makes deciphering patient information more difficult for attackers. By encoding data so that only authorized parties can receive and understand information, healthcare providers can prevent unauthorized persons or applications from gaining access to PHI.
  • Securing mobile devices and applications
    Smartphones and other devices are commonplace in 21st-century healthcare, with patients, physicians, and insurance providers inputting and receiving information to increase operational efficiency. Mobile device security requires a range of measures, such as encryption of application data, installation of mobile security software, and enablement of remote-wipe or lock applications for lost or stolen devices. 
  • Conduct Frequent and Thorough Risk Assessments
    Regular risk assessments encourage proactive measures against potential data breaches and cyber attacks. Locating vulnerabilities in security, growth points in employee education, and other areas of concern can reduce the risk of costly penalties from regulatory agencies and the reputational damage associated with a breach.


How can we improve data security in healthcare?

Scaling digital transformations, increasing cyberattacks, and rapidly changing technologies in healthcare all reinforce the need for innovative and reliable data security solutions. Ideally, these solutions should also promote interoperability between hospitals, research institutions, and other healthcare providers to maximize value derived from healthcare data –– without compromising patient privacy or incurring severe penalties after a breach.

According to the American Hospital Association, “the key to leveraging health data’s full potential for improving patient care is the establishment of a framework for compatible technical and linguistic (semantic) standards adopted by all parties that leads us to a generic, vendor-neutral data exchange program. We currently lack universally agreed upon ways of sharing and using information.”

TripleBlind is a software-only solution that can unlock the intellectual property of health data without compromising PHI or violating HIPAA. By keeping data private and in place while allowing authorized operations on the data, healthcare providers can collaborate around sensitive information and ensure compliance with regional and national privacy regulations.

Take, for example, this use case in hospital and pharmacy analytics. A critical pain point for hospital and life science researchers is the need for detailed information about patient drug purchases and usage. While these researchers often know what drugs have been prescribed to patients, they have little information about actual purchase or use rates –– information that pharmacies possess, but struggle to or cannot share due to interoperability challenges or legal barriers. 

Using TripleBlind, the hospital can run a “fuzzy match” (or exact) to identify the intersection of their customers and the pharmacy’s customers. The pharmacy can also set permissions on what data the hospital is able to see on their shared patients’ customers, allowing the pharmacy to have full access and usage controls. Through this data collaboration, the hospital can then gain insights into what medications patients are actually purchasing and taking after receiving a prescription, then incorporate their findings into future research and models.

With our privacy enhancing computation solution, no exchange of raw data ever takes place. Permissions on how data is used can be set to per-use authorization, ongoing permissions, or anything in-between –– giving data owners full autonomy over data and algorithms, while allowing data collaboration and innovation to take place. The TripleBlind Solution offers the following additional advantages:

  • Streamlined interoperability between healthcare organizations –– Using or combining PHI and PII is often a compliance migraine for healthcare professionals. The TripleBlind Solution reduces time and resource cost, allowing organizations to extract insight from data without compromising or relinquishing control over proprietary information.
  • Exceptional AI/ML modeling and analysis toolset –– TripleBlind enables all data operations to occur on any type of data, without adding speed penalties or requiring additional storage. Train AI models and find healthcare solutions faster than and with greater accuracy than ever before.
  • Aggregation of granular-level patient data while ensuring HIPAA/HITECH compliance –– Since PHI is protected by design and never moved, shared, or seen by any parties, critical information can be included in every research process –– including early indication clinical trial reporting, pharmaceuticals, and more.

Are you ready to learn more about how TripleBlind can support your organization in joining the future of healthcare data security? Check out our use cases or contact us for a demo of our next-generation product.