One of the things I like about Twitter is the flexibility it offers as a bi-directional communication channel.  I use it almost every day to communicate with or just read up on what my friends are doing.  Mostly it’s just friends talking to each other and randomly erupting into flame-wars, just like on IRC.  Sometimes after such a heated discussion people would later comment that they missed the brawl and wished they had been able to engage.  This was partially the impetus behind #SecChat.

I really like it when vendors engage the audience instead of just tweeting their own marketing news briefs or re-tweeting other people’s content.  Engaging in actual conversations with actual people somehow breaches the corporate veil and makes large companies more … human.  There are a few companies that have done this well, such as @TripwireInc with their #PCIHugItOut series.  They leveraged the diplomatic skills of @RealGeneKim and the arbitration skills of @McKeay to bring together @JoshCorman and me, with the goal of finding specific solutions to an issue that impacts nearly every company on earth.  @CindyV and @MattHixson were the people behind the veil making everything happen, but it felt very organic and, most of all, constructive.

Recently, @McAfeeBusiness reached out to me about organizing another kind of engaging conversation.  The idea was to harness those flame-wars and schedule them so people who wanted to participate could.  Thus was born #SecChat.  The first #SecChat topic was Personal Health Information (PHI) and garnered more conversation than I honestly expected for a new hashtag event like this.  (The concept is not new; there are also #PrivChat, #FTCpriv, and others, but this was the first – to the best of my knowledge – focusing on security issues.)

The chat itself was interesting, but what happened behind the scenes was even more interesting.  Katherine Nellums (@knellums) and Haley Hebert (@haleyhebert), two of the active voices behind @McAfeeBusiness, reached out to me to discuss who would be good people to invite offline to participate.  We ran through the usual suspects, analysts, and vocal voices, but also added to the list a few people you may not know who have much to say about the industry.

  • Pete Hillier (@DeathwishDuck) presented on “So my Doctor has an EMR; should I worry?” at BSidesOttawa and had some interesting points to make.
  • Nick Lewis (@lewisnic) is an old friend of mine and a former Information Security Manager at a hospital, with direct experience implementing security for health care institutions.

One person I wish had participated was Wes Rishel (@wrishel), the Gartner analyst who has been discussing Electronic Health Records for quite some time.

The topic is sometimes referred to as “E-consonant-R” because of the naming pattern “Electronic _____ Records” (Medical, Health, etc.).

My overall take is not to try to solve the problem of health care data security directly, but to compare the approach to that taken for other data types.  My first concern is that people should understand the use cases for data before they espouse ways of protecting it.

Use Cases

Unlike payment-card data, which has very limited uses (authorization, clearing/settlement, chargebacks, recurring transactions, etc.), personal health information (PHI) has a plethora of use cases and a mile-long list of individuals who need access to it.  At a basic level, PHI has the following characteristics:

  • Static: Unlike payment-card data, which should only be needed for one-time use, PHI by necessity must remain in place for reference at multiple points during the treatment and after-care of a patient.  I’d like to know that on each visit to a hospital the doctor would not start from square one; instead, I want them to easily reference my medical history.  This requires health information to exist in a static environment, which increases the exposure: the data is stored for years rather than seconds, and every copy is a target for that whole time.
  • Multi-access: The more people who require access to data, the harder it is to protect.  With medical data the hospital needs access, so does the doctor on call, and the Emergency Room needs emergency access as well.  The use case rules for medical data are so complex because, unlike other data, a failure of access to PHI may mean people die.  This emphasis on data access over data security puts a strain on those who try to wrap their arms around the problem set.
  • Mashable: Sites like Google Health, Microsoft HealthVault, and other Health Information Exchanges (HIE) enable individuals to aggregate, mix, and mash up their various health records.  This could mean big money for the HIE provider in ad revenue, but who owns this new aggregate data?  It is certainly of value to insurance companies, who are already joining social networks like Twitter.  Hopefully these organizations are following HITECH security requirements.
  • Error Correction: Nick made a valuable point: “Correcting medical history errors everywhere PHI is stored is harder than fixing issues with CC statements.”  True, in that it’s relatively simple to replace a compromised credit card number but virtually impossible to reinstate the security of compromised medical records.
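The multi-access tension above (access must never fail in an emergency, yet every read of PHI has to be accountable) is the kind of thing a practitioner wants to see expressed as policy rather than slogan.  The usual engineering answer is a “break-glass” rule: ordinary reads require a documented care relationship, emergency reads by eligible roles are allowed without one but demand a stated reason and are flagged for after-the-fact review, and every decision, including denials, is written to an audit log.  The following is an added example written for this post; it is not code from the original article or from any product mentioned in it, and the role names, patient IDs, and audit-record fields are assumptions made for the illustration.

```python
"""Break-glass access policy for PHI records (illustrative example, not from
the original post). Role names, patient IDs and the audit-record layout are
assumptions made for this demonstration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles that may read a record in the ordinary course of care, provided the
# user is on the patient's care team. (Assumed role names.)
CARE_ROLES = {"attending", "on_call", "nurse"}
# Roles permitted to invoke emergency ("break-glass") access without a
# pre-existing care relationship. (Assumed role names.)
BREAK_GLASS_ROLES = {"er_clinician", "on_call"}


@dataclass
class Request:
    user: str
    role: str
    patient_id: str
    emergency: bool = False  # caller asserts this is a break-glass read
    reason: str = ""         # mandatory justification when emergency=True


@dataclass
class Decision:
    allowed: bool
    flagged: bool  # True when the privacy office must review this access later
    why: str


@dataclass
class PhiAccessPolicy:
    # patient_id -> set of user IDs currently assigned to that patient
    care_team: dict
    audit_log: list = field(default_factory=list)

    def decide(self, req: Request) -> Decision:
        """Evaluate one read request and record it in the audit log.

        Ordinary access needs both a care role and a care-team relationship.
        Emergency access by an eligible role is not refused for lack of a
        relationship (a refusal could delay treatment), but it must carry a
        reason and is always flagged, so the access-over-security trade-off
        leaves a trail instead of a blind spot.
        """
        on_team = req.user in self.care_team.get(req.patient_id, set())
        if req.role in CARE_ROLES and on_team:
            decision = Decision(True, False, "care-team relationship")
        elif req.emergency:
            if req.role not in BREAK_GLASS_ROLES:
                decision = Decision(False, True, "role may not break glass")
            elif not req.reason.strip():
                decision = Decision(False, True, "break-glass requires a reason")
            else:
                decision = Decision(True, True, "break-glass: " + req.reason.strip())
        else:
            decision = Decision(False, False, "no care relationship")

        # Every decision is logged, denials included: a burst of denied or
        # break-glass reads against one patient is itself a detection signal.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "role": req.role,
            "patient": req.patient_id,
            "allowed": decision.allowed,
            "flagged": decision.flagged,
            "why": decision.why,
        })
        return decision

    def pending_reviews(self) -> list:
        """Audit entries the privacy office still has to look at."""
        return [e for e in self.audit_log if e["flagged"]]


def build_sample_policy() -> PhiAccessPolicy:
    # Constructed sample data: one patient with two assigned clinicians.
    return PhiAccessPolicy(care_team={"P-1001": {"dr_lee", "nurse_kim"}})


if __name__ == "__main__":
    policy = build_sample_policy()
    for req in (
        Request("dr_lee", "attending", "P-1001"),
        Request("dr_park", "attending", "P-1001"),
        Request("dr_park", "er_clinician", "P-1001", emergency=True,
                reason="unconscious on arrival"),
        Request("dr_park", "er_clinician", "P-1001", emergency=True),
        Request("nurse_kim", "nurse", "P-2002", emergency=True, reason="code blue"),
    ):
        d = policy.decide(req)
        print(f"{req.user:10} {req.role:13} {req.patient_id} "
              f"allowed={d.allowed} flagged={d.flagged} ({d.why})")
    print("pending reviews:", len(policy.pending_reviews()))
```

Two design points worth noting: the break-glass path never consults the care-team table, so an outage or stale sync in the relationship data cannot block an emergency read, and the nurse's emergency request in the sample is refused because eligibility to break glass is a property of the role, not of the urgency claimed by the caller.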

Overall, I like the idea of #SecChat and enjoyed the long-tail conversation.  Although I focused on the comments of core participants, there were others who would suggest a new take on the topic or share their personal experience, which I really appreciated.  It’s like having a personal conversation with close friends that enables bi-directional communication and input from thousands of others.

I like it and look forward to many more.