Will the rise of technology mean the fall of privacy–and what can be done? UK seeks a new National Data Guardian.

Can we have data sharing and interoperability while retaining control by individuals on what they want shared? This keeps surfacing as a concern in the US, UK, Europe, and Australia, especially with COVID testing.

In recent news, last week’s acquisition of Ancestry by Blackstone [TTA 13 August] raised questions in minds other than this Editor’s of how a business model based on the value of genomic data to others is going to serve two masters–investors and its customers who simply want to know their genetic profile and disease predispositions, and may not be clear about or confused about how to limit where their data is going, however de-identified. The consolidation of digital health companies, practices, and payers–Teladoc and Livongo, CVS Health and Aetna, and even Village MD and Walgreens–are also dependent on data. Terms you hear are ‘tracking the patient journey’, ‘improving population health’, and a Big ’80s term, ‘synergy’. This does not include all the platforms that are solely about the data and making it more available in the healthcare universe.

A recent HIMSS virtual session, reported in Healthcare Finance, addressed the issue in a soft and jargony way which is easy to dismiss. From one of the five panelists:  

Dr. Alex Cahana, chief medical officer at ConsenSys Health.”And so if we are in essence our data, then any third party that takes that data – with a partial or even complete agreement of consent from my end, and uses it, abuses it or loses it – takes actually a piece of me as a human.”

Dignity-Preserving Technology: Addressing Global Health Disparities in Vulnerable Populations

But then when you dig into it and the further comments, it’s absolutely true. Most data sharing, most of the time, is helpful. Not having to keep track of everything on paper, or being able to store your data digitally, or your primary care practice or radiologist having it and interpretation accessible, makes life easier. The average person tends to block the possibility of misuse, except if it turns around and bites us. So what is the solution? Quite a bit of this discussion was about improving “literacy” which is a Catch-22 of vulnerability– ‘lacking skill and ability’ to understand how their data is being used versus ‘the system’ actually creating these vulnerable populations. But when the priority, from the government on to private payers, is ‘value-based care’ and saving money, how does this prevent ‘nefarious use’ of sharing data and identifying de-identified data for which you, the vulnerable, have given consent, to that end? 

It’s exhausting. Why avoid the problem in the first place? Having observed the uses and misuses of genomics data, this Editor will harp on again that we should have a Genomic Data Bill of Rights [TTA 29 Aug 18] for consumers to be fully transparent on where their data is going, how it is being used, and to easily keep their data private without jumping through a ridiculous number of hoops. This could be expandable to all health data. While I’d prefer this to be enforced by private entities, I don’t see it having a chance. In the US, we have HIPAA which is enforced by HHS’ Office of Civil Rights (OCR), which also watchdogs and fines for internal data breaches. Data privacy is also a problem of international scope, what with data hacking coming from state-sponsored entities in China and North Korea, as well as Eastern European pirates.

Thus it is encouraging that the UK’s Department of Health and Social Care is seeking a new national data guardian (NDG) to figure out how to safeguard patient data, based on the December 2018 Act. This replaces Dame Fiona Caldicott who was the first NDG starting in 2014 well before the Act. The specs for the job in Public Appointments are here. You’ll be paid £45,000 per annum, for a 2-3 day per week, primarily working remote with some travel to Leeds and London. (But if you’d like it, apply quickly–it closes 3 Sept!). It’s not full time, which is slightly dismaying given the situation’s growing importance. The HealthcareITNews article has a HIMSS interview video with Dame Fiona discussing the role of trust in this process starting with the clinician, and why the Care.data program was scrapped. Of related interest is Public Health England’s inter-mortem of lessons learned in data management from COVID-19, while reportedly Secretary Matt Hancock is replacing it with a new agency with a sole focus on health protection from pandemics. Hmmmmm…..HealthcareITNews.

About time: digital health grows a set of ethical guidelines

Is there a sense of embarrassment in the background? Fortune reports that the Stanford University Libraries are taking the lead in organizing an academic/industry group to establish ethical guidelines to govern digital health. These grew out of two meetings in July and November last year with the participation of over 30 representatives from health care, pharmaceutical, and nonprofit organizations. Proteus Digital Health, the developer of a formerly creepy sensor pill system, is prominently mentioned, but attending were representatives of Aetna CVS, Otsuka Pharmaceuticals (which works with Proteus), Kaiser Permanente, Intermountain Health, Tencent, and HSBC Holdings.

Here are the 10 Guiding Principles, which concentrate on data governance and sharing, as well as the use of the products themselves. They are expanded upon in this summary PDF:

  1. The products of digital health companies should always work in patients’ interests.
  2. Sharing digital health information should always be to improve a patient’s outcomes and those of others.
  3. “Do no harm” should apply to the use and sharing of all digital health information.
  4. Patients should never be forced to use digital health products against their wishes.
  5. Patients should be able to decide whether their information is shared, and to know how a digital health company uses information to generate revenues.
  6. Digital health information should be accurate.
  7. Digital health information should be protected with strong security tools.
  8. Security violations should be reported promptly along with what is being done to fix them.
  9. Digital health products should allow patients to be more connected to their care givers.
  10. Patients should be actively engaged in the community that is shaping digital health products.

We’ve already observed that best practices in design are putting some of these principals into action. Your Editors have long advocated, to the point of tiresomeness, that data security is not notional from the smallest device to the largest health system. Our photo at left may be vintage, but if anything the threat has both grown and expanded. 2018’s ten largest breaches affected almost 7 million US patients and disrupted their organizations’ operations. Social media is also vulnerable. Parts of the US government–Congress and the FTC through a complaint filing–are also coming down hard on Facebook for sharing personal health information with advertisers. This is PHI belonging to members of closed Facebook groups meant to support those with health and mental health conditions. (HIPAA Journal).

But here is where Stanford and the conference participants get all mushy. From their press release:

“We want this first set of ten statements to spur conversations in board rooms, classrooms and community centers around the country and ultimately be refined and adopted widely.” –Michael A. Keller, Stanford’s university librarian and vice provost for teaching and learning

So everyone gets to feel good and take home a trophy? Nowhere are there next steps, corporate statements of adoption, and so on.

Let’s keep in mind that Stanford University was the nexus of the Fraud That Was Theranos, which is discreetly not mentioned. If not a shadow hovering in the background, it should be. Perhaps there is some mea culpa, mea maxima culpa here, but this Editor will wait for more concrete signs of Action.

Babylon Health’s ‘GP at hand’ not at hand for NHS England–yet. When will technology be? Is Carillion’s collapse a spanner in the works?

NHS England won’t be rolling out the Babylon Health ‘GP at hand’ service anytime soon, despite some success in their London test with five GP practices [TTA 12 Jan]. Digital Health cites an October study by Hammersmith and Fulham CCG (Fulham being one of the test practices) that to this Editor expresses both excitement at an innovative approach but with the same easy-to-see drawback:

The GP at Hand service model represents an innovative approach to general practice that poses a number of challenges to existing NHS policy and legislation. The approach to patient registration – where a potentially large volume of patients are encouraged to register at a physical site that could be a significant distance from both their home and work address, arguably represents a distortion of the original intentions of the Choice of GP policy. (Page 12)

There are also concerns about complex needs plus other special needs patients (inequality of service), controlled drug policy, and the capacity of Babylon Health to expand the service. Since the October report, a Babylon spokesperson told Digital Health that “Commissioners have comprehensively signed off our roll-out plan and we look forward to working with them to expand GP at Hand across the country.” 

Re capitation, why ‘GP at hand’ use is tied into a mandatory change of GP practices has left this Editor puzzled. In the US, telemedicine visits, especially the ‘I’ve got the flu and can’t move’ type or to specialists (dermatology) are often (not always) separate from whomever your primary care physician is. Yes, centralizing the records winds up being mostly in the hands of US patients unless the PCP is copied or it is part of a payer/corporate health program, but this may be the only way that virtual visits can be rolled out in any volume. In the UK, is there a workaround where the patient’s electronic record can be accessed by a separate telemedicine doctor?

Another tech head-shaker: 45 percent of GPs want technology-enabled remote working. 48 percent expressed that flexible working and working from home would enable doctors to provide more personalized care. Allowing remote working to support out-of-hours care could not only free up time for thousands of patient appointments but also level out doctor capacity disparities between regions. The survey here of 100 GPs was conducted by a cloud-communications provider, Sesui. Digital Health. This is a special need that isn’t present in the US except in closed systems like the VA, which is finally addressing the problem. The wide use of clinical connectivity apps enables US doctors to split time from hospital to multiple practices–so much so on multiple devices, that app security is a concern. 

Another head-shaker. 48 percent of missed NHS hospital appointments are due to letter-related problems, such as the letter arriving too late (17 percent), not being received (17 percent) or being lost (8 percent). 68 percent prefer to manage their appointments online or via smartphone. This preference has real financial impact as the NHS estimates that 8 million appointments were missed in 2016-2017, at a cost of £1bn. Now this survey of 2,000 adults was sponsored by Healthcare Communications, a provider to 100 NHS trusts with patient communications technology, so there’s a dog in the hunt. However, they developed for Barnsley Hospital NHS Foundation Trust a digital letter technology that is claimed to reduce outpatient postal letters by 40 percent. Considering my dentist sends me three emails plus separate text messages before my twice-yearly exam…. Release (PDF).

Roy Lilley’s daily newsletter today also engages the Tech Question and the “IT desert” present in much of the daily life of the NHS. Trusts are addressing it, junior doctors are WhatsApping, and generally, clinicians are hot-wiring the system in order to get anything done. It is much like the US about five to seven years ago where US HHS had huge HIPAA concerns (more…)

16 or 27 million 2016 breaches, 1 in 4 Americans? Data, IoT insecurity runs wild (US/UK)

What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2017/03/Accenture-Health-2017-Consumer-Survey.jpg” thumb_width=”150″ /]Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were usual, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. Release  PDF of the US Digital Trust Report

So what’s 16 million breaches between friends? Or 4 million? Or 27 million?

  • That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a Federally/privately supported non-profit. Healthcare, no surprise, is far in the lead with 34 percent and 44 percent respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
  • For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
  • HIMSS and Healthcare IT News insist that ransomware is under-reported, (more…)

Summertime, and the health data breaches are easy….

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Cybersecurity is the word, not the bird, from South Korea (see here) to the US.  The week opened with an unusual healthcare plan supplier breach: 3.3 million payer records held by a card issuer, Newkirk Products of Albany, NY. The company issues ID cards for several Blue Cross and Blue Shield plans and provides management services to other commercial payers. Ironically, it was discovered five days after their $410 million acquisition by Broadridge Financial Solutions of Lake Success, Long Island. On July 6, Newkirk discovered ‘unauthorized access’ to a server with records containing the member’s name, mailing address, type of plan, member and group ID number, names of dependents enrolled in the plan, primary care provider, and in some cases, date of birth, premium invoice information and Medicaid ID number. “No health plans’ systems were accessed or affected in any way” according to the release. MedCityNews, Newkirk release on notice

Another supplier breach affected another estimated 3.7 million patients at Arizona’s Banner Health. This one was a bit closer to home, hacking computer systems used in payment processing on debit and credit cards used at their food and beverage outlets in four states between June 23 and July 7.  A week later, the hackers gained unauthorized access to systems containing patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers. MedCityNews, Banner Health release

But what’s secret anymore about your health data anyway? It’s all those apps that are sending data via your Apple Watch and your Fitbit which aren’t necessarily covered by HIPAA or secure. (more…)

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR). 

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)

Seven safeguards for your mHealth app

With cyberattacks from all sources on the rise, and mHealth apps being used by providers in care coordination, telehealth, patient engagement and PHRs, Practice Unite, which has some experience in this area through designing customized app platforms for healthcare organizations’ patient and clinician communications, in its blog notes seven points for developers to keep in mind:

1. Access control– unique IDs assigned to each user, remote wiping of the mHealth app from any user’s device.
2. Audit controls
3. Authentication
4. Integrity controls, such as compartmentalization, to ensure that electronically transmitted PHI is not prematurely altered or corrupted
5. Transmission security: data encryption at rest, in transit, and on independently secured servers protects PHI at each stage of transmission
6. Third party app integration–must fully comply with HIPAA safeguards
7. Proprietary data encryption

But all seven points need backing from the top on down in a healthcare organization. (More in the article above)

“Data moves at the speed of trust”–RWJF report

The report issued today by the influential Robert Wood Johnson Foundation (RWJF), ‘Data for Health: Learning What Works’ advocates a fresh approach to health data through greater education on the value/importance of sharing PHI, improved security and privacy safeguards and investing in community data infrastructure. If the above quote and the first two items sound contradictory, perhaps they are, but current ‘strict’ privacy regulations (that’s you, HIPAA), data siloing and the current state of the art in security aren’t stemming Hackermania (or sheer bad data hygiene and security procedures). Based on three key themes, the RWJF is recommending a suite of actions (see below) to build what they term a ‘Culture of Health. All of which, from the 10,000 foot view, seem achievable. The need–and importantly, the perception of need–to integrate the rising quantity of data from all these devices, pry it out of its silos (elaborated upon earlier this week in ‘Set that disease data free!), analyze it and make it meaningful plus shareable to people and their doctors/clinicians keeps building. (‘Meaningful’ here is not to be confused with the HITECH Act’s Meaningful Use.)

But who will take the lead? Who will do the work? Will the HIT structure, infrastructure and very importantly, the legal framework follow? We wonder if there is enough demand and bandwidth in the current challenged system. Release. RWJF ‘Data for Health’ page with links to study PDF, executive summary which adds details to the recommendations below, more.[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/04/Data-For-Health-Advisory-Committee-RWJF.png” thumb_width=”400″ /]

What happens when a medical app…vanishes?

You have just entered The App Twilight Zone…. Our readers know that concussion and diagnosis have been a focus of this Editor’s, and validating apps a focus of Editor Charles’, who brought this to my attention. The app’s name: The Sport Concussion Assessment Tool 2 (SCAT2). The news report states: “It contains all the essentials you would want in a concussion app: a graded symptoms checklist, cognitive testing, balance testing, Glasgow coma scale, Maddocks score, baseline score ability, serial evaluation, and password protected information-sharing via email.”  The plot: it was deactivated without warning or notice by the developer, Inovapp (link to sketchy CrunchBase profile) yet still listed on the iTunes store.

What happened? There was a modified standard (SCAT3) developed in 2012, which updated SCAT2 with non-critical additions: indications for emergency management, a slightly more extensive background section, a neck exam and more detailed return-to-play instructions. SCAT3 is only available on (inconvenient) paper. No word from Inovapp on why it discontinued the app nor any plans for updating.

The SCAT2 had gained, in a short time, a following among coaches and sports medical professionals because it was the first app based upon the international standard (Zurich, 2008, 3rd International Conference on Concussion in Sport) transferring a paper assessment tool to an easy to use app. In fact, the NHL (National Hockey League) has its own version. The revised 2012 standards  Users have a right to be upset, but moreover, this points to a glaring shortcoming of medical apps–their developers vanishing into the night without a by-your-leave. And read the comments by (mainly) doctors on securing patient information after the app is used (HIPAA standards) and one physician’s criticism of apps such as this as a ‘crutch’.  A Pointer to the Future we don’t want to see. The authors Irfan Husain and Iltifat Husain, MD are to be congratulated. Popular app being used to manage concussions fails, failing patients (iMedicalApps)

Eye feels the pain of Google’s Brin and Page

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2013/02/gimlet-eye.jpg” thumb_width=”150″ /] Oh, the discomfort that Sergey and Larry must be feeling being grilled interviewed by “billionaire venture capitalist Vinod Khosla” (grudgingly respected in TTA 30 May) at one of his eponymous Summits. Here they are with Google Glass in all sorts of adaptations from Parkinson’s to gait improvement to surgery [see multiple TTA articles here], a ‘moonshot on aging and longevity’ dubbed Calico [TTA 19 Sept 13] and even a contact lens to measure blood glucose in tears [TTA 17 Jan]. All good stuff with Big Change potential. Instead they whinge on about how the health field is so regulated, and all the cool stuff you could do with the data but for that privacy thingy (those darn EU, UK regulations and in US, HIPAA). Page to Khosla: “I do worry that we regulate ourselves out of some really great possibilities that are certainly on the data-mining end.” Brin to Khosla: “Generally, health is just so heavily regulated. It’s just a painful business to be in. It’s just not necessarily how I want to spend my time.” Gee. Whiz. What is apparent here is a lack of personal respect for us ‘little folks’ privacy and our everyday, humdrum lives.

Advice straight from The Gimlet Eye: My dear boys, you’ll just have to get people’s data with that old-fashioned thing, permission. (And you’d be surprised that many would be happy to give it to you.) Or if it’s all too painful, Sergey can play with his superyacht, latest girlfriend and follow his estranged wife Anne Wojcicki’s 23andme‘s ongoing dealings with the FDA. At least she’s in the arena. Google leaders think health is ‘a painful business to be in’ (SFGate) Mobihealthnews covers their true confessions, with an interesting veer off in the final third of the article to Mr Khosla’s view of Ginger.io’s surprising pilot with Kaiser and then to WellDoc’s Bluestar diabetes therapy app–the only one that is 510(k)Class II and registered as a pharmaceutical product [TTA 10 Jan].  Also interesting re the Googlers’ mindset is a SFGate blog piece on Larry Page’s attitudes towards leisure and work in a Keynes-redux ‘vision of the future‘. < work + > people may= >leisure, but certainly<<<$£€¥ for even the well-educated and managerial!

BlackBerry’s investment: what’s in it for NantHealth

This week’s news of BlackBerry Ltd’s minority investment in the Dr. Patrick Soon-Shiong eight-company combine called NantHealth has generally focused on BlackBerry. Across the board, BlackBerry is depicted as the party badly needing a raison d’être. Down for the count in both retail and enterprise mobile phone markets it dominated for years, BB’s six-months-in-the-saddle CEO is now going back to those same enterprises singing the wonders of their QNX operating system and upcoming BBM Protected communication platform to highly regulated verticals which need max security: healthcare, finance, law enforcement, government. Although FierceCMO inaccurately reported that BlackBerry was acquiring NantHealth (Reuters/WSJ reports to contrary), it’s generated yawns from former tea-leaf readers such as ZDNet as yet another flail of the Berry as it sinks beneath the waves. Add to this the bewilderingly written CNBC ‘Commentary’ under BlackBerry CEO John Chen’s byline–who should fire the ghostwriter for inept generation of blue smoke and mirrors–and you wonder why the very smart Dr. Soon-Shiong even desires the association with a company most consider the equivalent of silent movies. It is certainly not for the investment money, which the doctor has more than most countries–an expenditure carefully considered at BlackBerry, undoubtedly. 

Cui bono? NantHealth first, BlackBerry second is your Editor’s contrarian bet. Consider these three factors:

  1. Way down the column in most coverage is that BlackBerry and NantHealth are developing a healthcare smartphoneIt will be optimized for 3D images and CT scans but fully usable as a normal smartphone. Release date: late 2014-early 2015 (Reuters). (more…)

Box.com’s odd swerve into healthcare cloud storage and PHRs

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2013/02/gimlet-eye.jpg” thumb_width=”150″ /] Both The Gimlet Eye (filing from a remote island) and Editor Donna have been pleased users of the Box.com file storage site for storing all sorts of files in the ‘cloud’ (a/k/a Somewhere Out There On A Whole Bunch Of Internet Servers), sharing and collaboration. It’s simple to use, it works and, for our needs, actually free. However founders Aaron Levie and Dylan Smith, who look barely old enough to shave (but smartly have A Touch of Grey in their management team), have their eyes set on far bigger prizes than our mediocre needs. Now they have added ‘special advisers’ Aneesh Chopra, first US CTO, and Glen Tullman, former CEO of Allscripts. Mr. Tullman certainly does add major luster (and connections) and Mr. Chopra, despite the Eye’s consideration of him as hyperbolic and politically, not technically, qualified for his previous positions in the Government and the state of Virginia, adds the inevitable political ones. Having them on the roster also adds heft to their imminently rumored IPO (TechCrunch; update, filed 24 March) and ultimately acing out other file sharers Dropbox in the enterprise area. Expectations are high; Box has $414 million in funding from a roster of investors (including Telefónica and Australia’s Telstra) through a Series F (CrunchBase) with a valuation of $2 billion (TechCrunch) and undoubtedly they’d like some of it back. Soon. (The completely overheated Castlight Health IPO only whets the appetite.)

Healthcare one key to a rich IPO. Box’s healthcare moves point in the enterprise direction. (more…)

VA Department data breaches soar (US)

If after the Healthcare.gov debacle, there’s still any confidence that centralized Federal systems are secure and trustworthy, please read this HealthcareITNews tally of the multiple data breaches and HIPAA violations taking place at the US Department of Veterans Affairs (VA).

From 2010 through May 2013, VA department employees or contractors were responsible for 14,215 privacy breaches affecting more than 101,000 veterans across 167 VA facilities, including incidences of identity theft, stealing veteran prescriptions, Facebook posts concerning veterans’ body parts, and failing to encrypt data, a Pittsburgh Tribune-Review investigation revealed.

The two-month investigation by the Pittsburgh Tribune-Review published this weekend found that the VA led the way in HIPAA violations–17 in the past few years–for reasons centering on lack of accountability, shoddy safeguards, sloppiness in handling data and failure to encrypt data even after the 2006 theft of a laptop put records of 26.5 million veterans in danger. There are few firings, disciplinary actions or HHS fines.

This should put telehealth and telemedicine providers on notice that their encryption will have to be ‘stronger than the VA’, as both they and Department of Defense (DOD) are the single largest users of telehealth in the US.