What healthcare can learn from Facebook’s privacy-focused vision
Mark Zuckerberg recently wrote a blog post detailing Facebook’s future plans around privacy and product direction. In his post, Zuckerberg drops some keywords that also show up in healthcare, especially in the new ONC and CMS rules—interoperability, security, and safety.
I previously used Facebook as an example of what we should not do in healthcare. I thought Zuckerberg’s post was a good opportunity to contrast social media and healthcare, since we aspire to the same principles.
Zuckerberg lays out six principles from which the future of Facebook, Instagram and Whatsapp will be driven. Three of these principles don’t really apply to healthcare—secure data storage is already highly regulated in healthcare; reducing permanence doesn’t really apply (you don’t want your lab results to disappear); and private interactions are typically the default (but I’m sure we could dig into that more). Right now, I want to focus on encryption, interoperability and safety.
End-to-end encryption (E2EE) is not as widely deployed in healthcare as it should be. The idea is at the core of the Direct Project. Essentially, each person who can share or consume healthcare information should have a set of keys that allows them to either read messages only intended for them or send messages only intended for others.
Direct was included as part of Meaningful Use, and with the time restrictions and distributed nature of healthcare in America, organizations called HISPs moved in to help providers meet regulatory requirements. HISPs are not necessarily good or bad, but it does mean that we are falling short of true E2EE. At best, we can describe it is a HISP-to-HISP encryption. What would a future look like that enables E2EE?
Social networks and healthcare have some key infrastructure differences that make E2EE in healthcare a challenging prospect. Whatsapp already has E2EE. What makes this possible is that Whatsapp has control over the application used to send data on both sides. This isn’t strictly necessary, but it makes the user experience so much better.
Many Redox developers use GPG to sign our Github commits. It’s fun and cool for developers to do cryptography, but asking doctors and patients to go through the same rigmarole is impractical. The simplicity of downloading Whatsapp (or just using iMessage) is what we’re missing. This is all theoretically possible if enough people buy in. One way to think about this buy-in is interoperability.
Interoperability to Zuckerberg is different from the healthcare interoperability we talk about frequently. For one thing, there are varying definitions of interoperability in healthcare—see the recent HIMSS definition. Zuckerberg is talking about intra-Facebook interoperability—in other words, the ability to do E2EE from Whatsapp to Instagram. There are two key differences in healthcare—the fragmentation of the market (there are way more than three messaging apps), and the nature of data being exchanged.
Fragmentation is a huge problem that is unlikely to go away soon. In the Facebook case, all three systems are controlled by Facebook and can, in all likelihood, use the existing Whatsapp infrastructure. In healthcare, we have rival vendors trying to connect through multiple middlemen. The equivalent for Facebook would be trying to join a “network” where Twitter, iMessage, Line, for example, could all do E2EE with the Facebook products.
The scale is much different in healthcare as well–instead of 10 messaging platforms, we have hundreds of diverse products. Getting them all on board, even with the current government carrots and sticks, naturally takes more time.
Data is another dimension in which healthcare is vastly different from the problem that Facebook has to solve. Pictures and text are primary what is exchanged on social media networks. These are well-defined standards that are primarily human readable. Healthcare has the opposite type of content—flexible standards like HL7 FHIR® which are expected to be machine-readable. In my opinion, this inversion has led us down a path where we’re intensely focused on making the data interoperable when we don’t really have the infrastructure in place to move it.
Safety is the final principle, and it offers perhaps the starkest contrast with healthcare. To Zuckerberg, safety is about the misuse of the platform for “truly terrible things.”
In healthcare, we need to worry about misuse, but we also need to worry about patient safety. For example, if a patient shows up to an emergency department unconscious, we need ways to get potentially life-saving data about them into the hands of caregivers.
At some point, we may be able to learn from Facebook. Keeping bad actors off messaging platforms is not dissimilar to the problem of allowing good actors access to data they normally wouldn’t have access to. As Zuckerberg points out, Facebook has a lot to figure out as they roll out E2EE across their platform.
Encryption, interoperability and safety are issues that healthcare must think about differently than Facebook. There are many more players in our ecosystem, and we fundamentally deal with different kinds of data. There are also modes of communication (such as queries) we need to support to enhance patient care. Despite those differences, however, we aspire to the same goals, and we should look to learn from Facebook as they go about working towards these principles.