31.8.09

Follow Up to PHR Access Post and GTUG Campout "Breach": Google Health, Ringful, and the Asthma Journal App Experience

To all who have requested updates on my adventures earlier this month exploring Google Health's architecture, sharing/linking permissions, and access of my PHR by Ringful and the Asthma Journal application (which I thought had granted unauthorized access to my PHR at Google Health via an unknown organization called 'Axial Exchange'), here's a lengthy update. 

My apologies for the delay - as you'll see from the transcript of events it's taken a bit of time to detail what happened and figure out what to do about it (and proffer a solution I hope will help prevent this from happening to anyone else using PHRs).

Please note as you read I'm happy to respond to individual requests for more information, but am working on the final stages of an app for Contagion Health (unrelated to my work with the Google GTUG Student Summer Health Project and Chief Medical Officer Development) so may be a bit slow getting back to you.

First, I want to compliment (again) Roni Zeiger, Google Health Product Manager and Jason Cooper of Google, who was onsite at the GTUG Campout earlier this month.

I also want to complement Michael Yuan, CEO of Ringful (the maker of iPhone app 'Asthma Journal' which is/was connected to Axial Exchange at healthcare-exchange.appspot.com). 

Everyone has responded with alacrity and an appropriate level of concern and proactivity to help clarify my understanding of Google Health profile linking permissions vs. sharing profile permissions to ensure something like this does not happen again.

Background: Now for further details on what I believed to be a breach of my Google Health PHR, but turned out to be a linked profile share enabled via my download and use of the Ringful Asthma Journal iPhone app (prepare yourself for a meaty read)...

Here's what happened:
1. The second night of the GTUG Campout, I read about Ringful, Michael Yuan, and the company's Asthma Journal iPhone app, believed to be the first mHealth app rolled out (ie available in the iTunes store) that built on top of Google Health's PHR. 
2. Since the GTUG Student Group with which I am working is working to develop the open-source Chief Medical Officer app to help users update conditions in Google Health via smartphones, I downloaded the Asthma Journal app to play around with it, and accessed it on my iPhone.
3. In the process of exploring the app, I granted the app permission to access my Google Health profile (see below for more details on the language used...I'm also including some screenshots). 
4. I took a look at the rest of the Asthma Journal app, but since I do not suffer from asthma (thank goodness) I did not add any information via the Asthma Journal application or interact with my Google Health profile via the app. 
5. The next morning at the GTUG Campout I signed into my Contagion Google Health PHR profile, which I created to support the GTUG team's work on the Chief Medical Officer application.
6. I noticed a strange (to me) looking addendum at the bottom of my profile that showed an unknown app/organization linked to my profile. I did not recognize the organization nor the Appspot extension. 

Here's how everyone responded:
1. I freaked, totally and completely. I had never seen this Axial Exchange link, hadn't heard of the company or organization despite significant research into mHealth. When I clicked through (via copy and pasting the Appspot exchange link into my Safari web browser), I found only a very generic description of Axial, which worried me. 
2. I Googled Axial, and didn't like what I saw; a very small online 'footprint' consisting of a website I'd never heard of and a few blog mentions.
3. I immediately went back to my Google Health PHR profile, and checked my "Share this profile" link on the lower left hand menu frame of my Google Health PHR, which showed I had NOT elected to share my profile with any individual or company. 
4. I freaked again, thinking some unauthorized org was accessing my PHR. 
5. I started talking to folks at the GTUG Campout to try and find out if this had happened to anyone else (it hadn't, because no one else was using Ringful's Asthma Exchange app).
6. I tweeted about it using my @jensmccabe handle, and asked if any of the health/medical folks I know using Twitter had experienced a link/access by Axial or 'healthcare-exchange' (no one had, again because no one else had downloaded Ringful's Asthma Journal app).
7. Lawrence Wong, an organizer and leader of the GTUG (Google Technology User Group) heard my frustration (he was onsite at the GTUG Campout) and recognized immediately the potential seriousness of the issue. He found a Google staff member to speak with me personally onsite about the issue (Jason Cooper). Jason of Google sat down with me, talked through my concerns, looked at the app and my profile (with my permission - I used my laptop to show him what I was worried about), and placed a very high level request for assistance.
8. Roni Zieger of Google Health responded, sending me a direct message via Twitter and even calling my mobile phone (from his home, on a Sunday afternoon). 
9. Roni and I talked through my concerns, and I mentioned where I thought the issue occurred; by this time someone on Twitter sent me a screenshot of the Axial Appspot logs, which I used to identify Michael Yuan (thank goodness I recognized his name from reading about Ringful the day prior). 

NOTE: In the Appspot logs it is important here to note that neither the name 'Ringful' (the app maker) nor the app name itself ('Asthma Journal') that was linking to my Google Health profile appeared anywhere on my Google Health PHR page nor on the Appspot description page for Axial. 

In other words, there was no way to discern a connection between the org linking to my Google Health PHR profile, Ringful, nor the Asthma Journal OTHER than Michael Yuan's name appearing on the logs. From corresponding with Michael, I know this was not a malicious effort to 'hide' the connection, but rather a simple oversight that resulted in a great deal of confusion on my end.

How the issue was solved:
1. Through tweets and help onsite at GTUG Campout (Lawrence Wong the GTUG organizer and Jason Cooper of Google), I discovered that Axial, the appspot that linked to my Google Health profile (after I opted to allow a link with the app during the "Asthma Journal" install process) is linked to Ringful, an iPhone application development shop and maker of the "Asthma Journal" app. 
2. Once I could connect Ringful, the Asthma Journal app, Michael Yuan, and Axial, it was just a matter of contacting Michael (via Googling him and looking up his email). Again, Ringful is the maker of iPhone app "Asthma Journal," which I downloaded and installed on my iPhone the night before the Axial 'healthcare-exchange' appspot link appeared on my Google Health profile. 
3. Michael and I corresponded with Roni Zieger of Google Health via email to address the issue, detail exactly what happened, and get the language of the Appspot page for Axial updated to make the link to Axial and the Asthma Journal and Ringful transparent.
4. I became determined to create a recommended 'blueprint' (optional) detailing user-protective best practices for mobile health applications accessing PHRs, ie a "universal terms of service" that organizations and developers could adopt at will.

Before I go into detail about the granular level of access and permissions I'm working on for the Universal mHealth App TOS, I'll detail what happened from a process/UX perspective, and what I saw as a user (excuse me if there's redundancy here):

1. When you download and install Asthma Journal, you have the option to connect to your Google PHR (Google Health).
2. I did this, and was redirected to the web interface for Google Health. This action serves as consent for unlimited access to your entire PHR (ie no granular level sharing permissions, it's 'all or nothing') under the Ringful/Axial/Google Health process. 
3. If you'd like to see the language used, download Asthma Journal from the iTunes store, and click on the "Tools" tab at bottom nav. Next click on Google Health (Connect text will show up as title of tab). NOTE: You must have a Google Health PHR to perform this action. 
4. Here's the consent/permissions language used in Asthma Journal, the version I downloaded, verbatim... 
A screenshot is available here:
http://files.posterous.com/hmrx/rM4EUKDsqXlOTnMhBEpRfoLm7AyPRF3DE0ozwRCz0p7h93KHPGE3dRxVXZLx/2009-08-09_1248_at_12.48pm_PDT.png.scaled.1000.jpg?AWSAccessKeyId=1C9REJR1EMRZ83Q7QRG2&Expires=1250188465&Signature=AgwDpQfrSh95aiNmdTN2Zs5To68%3D (NOTE: At this point Ringful, at the behest of the Google Health group, has made very beneficial language changes on the web interface, so by the time you download the Asthma Journal app, changes have been made to the app permissions language as well.)
5. Here's what I saw: 
"Now, please click on the link below to log into Google and link this iPhone app to your Google Health account. You might be asked to login twice (first for Google and second for Google Health). Once the linking is done, you will see health-exchange.appspot.com as an app with access to your Google profile. Link this iPhone to your Google account Privacy Policy." 
6. As I've blogged about previously here (and detailed above), the next day I noticed a linked appspot account, healthcare-exchange.appspot.com, and incandescent fury ensued. 
7. See screenshots above and my previous Posterous posts to view what the healthcare-exchange.appspot.com language said when I accessed it. 

And, to demonstrate the positive power of patient advocacy and epatient involvement, here's the NEW healthcare-exchange.appspot.com language that Ringful and Google Health now offer (NOTE: GREAT changes Michael!): 

"Ringful Health Information Exchange: The Health Exchange currently provides services to multiple mobile personal health monitoring apps from Ringful. It allows mobile users to propagate their data to any EHR or PHR system of their choice, including Google Health, Microsoft HealthVault, and consumer portals of major hospital EHR systems."

Why did this happen? Egotistically, I wondered how in the h*&^ something like this could happen to me. How could I be so confused by an eHealth and mHealth application and data exchange permission language?

Working in the field of Health 2.0 for over 2 years and and reveiwing TOS's (Terms of Service) at a granular level is an integral part of my work as an analyst, consultant, and blogger. I am *very* careful to read TOS's thoroughly and exhaustively, and often comment on what I like/don't like about them. This is the reason I never blogged for Wellsphere (a story for another time), and why I talk frequently about Patient's Like Me's terms of service. 

The irony here is that there are very simple, rational, non-malicious reasons for what happened, and why I was so confused. I believe now that these are related to the following factors:

1. The field of mHealth's baby-faced newness...standard workflows for mobile health applications accessing web-based PHRs like Google Health have yet to be established.
2. A lack of attention to the UX (user experience) in PHRs design in general (not many people use PHRs and those who do tend to be experienced in the field of healthcare).
3. The inherent bias (by just about everyone - PHR vendors, mHealth application designers working to build on top of PHR APIs, doctors, patients themselves) that users of mobile health and eHealth sites and services will not be able to use nor understand granular permission-based sharing of health and medical data. As such, Google Health and Ringful have adopted an 'all or nothing' sharing policy that provides either 'complete' access to ALL of my PHR for ALL time to Ringful or provides 'no' access to ALL of my PHR for ALL time. 
4. A lack of commitment to 'plain language' terms of service and sharing/data exchange details and explanations in eHealth TOS. 
5. My inability to think very critically that day, which is unusual; The GTUG Campout was my second hackathon in a 10 day period, and I got less than 3 hours of sleep for the duration of the 2.5 day event. Looking back it's amazing I was able to read logs and remember Michael Yuan at all. 

Let's look particularly at the number 2 reason why this happened...

One of the central reasons I was so confused is related to where linked profile information (ie where my Google Health profile was telling me Axial was sharing my profile) is stored in Google Health's interface. 

It is NOT stored in the "Share this Profile" link on the lower left nav tab. 

Now let's look at number 3...

It's important to note that I hadn't SENT or transmitted any user-entered data from Ringful's Asthma Journal app to my Google PHR (I hadn't entered any data because I don't have asthma).

Just opening the Asthma Journal application on my iPhone and opting to share my Google Health PHR profile with Ringful caused the link to occur. 

Why is a detailed understanding of the user experience (UX) and granular permission sharing for PHR data so vital moving forward? 

This is a vital important micro-issue moving forward with mHealth app design when you take into account several factors:

1. The attrition rate for app users - if I don't EVER USE the health app to transmit data (or never update my health app records, or uninstall the app) should an app maker still have access to my personal health records? As a result, I was shocked to see Axial access that did NOT appear under my shared permissions in Google Health (read on: it WAS there, but not where I expected to find it). 
2. Given DHHS's new cooperation with the FTC to compose an 88 page breach notification rule for PHR vendors and associates to communicate details about any breach or unauthorized access with users, the issue of 'how much information' is shared with PHR associates and when this permission expires (currently, it doesn't) takes on new meaning.
NOTE: I'll be blogging for the rest of the week about the FTC breach notification rule in detail. Posts will include business practice recommendations for PHR vendors and associates, including mHealth developers working to exchange data with web-based PHRs.   

Taking off my Health 2.0 analyst and Contagion Health startup founder hats for a moment, my essential concerns are related to these issues, which I'll describe very generally here: 

1. It was challenging for me to connect the Axial appspot access back to Ringful and Asthma Journal. I can only imagine what would have happened if an 'average' PHR user tried to figure out what happened. I would like to see more user-friendly language telling me what company and individual is accessing my health data on Google Health, and for use with which specific app (and I want to be able to give permission for that app info ONLY, not broad access to my entire PHR). For example, I should be able to set my Google Health preferences to allow Asthma Journal (Axial app engine) access ONLY to the condition of relevance in my condition listing - Asthma - unless I choose otherwise. 

2. I couldn't find information about Axial and how it is connected to Ringful and Asthma Journal anywhere on Ringful's homepage. 

3. If it took this much time and effort for me to dig through this information and find out what was going on, the 'average' Middle 80 healthcare consumer doesn't have a snowball's chance in hell of getting this untangled before they call a reporter with news about a PHR breach (our sector's equivalent of Judgement Day). 

It is VITAL to the future health of the integrated PHR, EMR, and EHR ecosystem that application developers think VERY carefully about user-centric language and adopt easy to read opt-in permissions structures that make relationships between organizations and applications crystal clear. We're treading on quicksand here. 

So, I'm going to my Patient Advocate hat back on now.

I don't want to be associated with all talk and no action. 

Policy recommendations (and process criticisms) look great on paper, but if they're never integrated into current practice they're a spectacular waste of time and blog/tweetstream real estate. I don't want to preach about what to change from the pulpit and then not woman-up. 

Moving forward, here's what I plan to do about the issue (other than just blog and tweet), with corresponding timelines and requests for assistance - ie, how YOU can help: 

1. Work with Google, Microsoft, Ringful, and any individual/organization willing to participate to create a template recommended "MY HEALTH DATA - universal user friendly TOS (terms of service) for mHealth (iPhone, Android, Palm, etc.) applications accessing personal health records. Contagion Health apps, and any mobile health apps I participate in building, will adhere to this #myhealthdata TOS as a minimum baseline. 
TIMELINE: 2 months to release of #myhealthdata TOS for mobile health applications to wider health community. 
NEEDS: Help composing if you've got strong feelings on the matter, or a twinkle in your eye, or both. The community's feedback when a draft is ready. 

2. Designing future Contagion Health apps, I'd like to provide users with the option to grant expiring 'test' access of a specified time period to see if they like the app/find it useful, after which they essentially lock the app out of their record. I'd like to see this kind of opt-in protection become sector standard best practice. 
TIMELINE: Concurrent with rollout of apps in which I (and Contagion Health) are involved in bringing to fruition (winter 2009). 
NEEDS: Developer assistance to see if this is possible to add to mHealth data exchange workflows when accessing web-based PHR or other health data stored/accessed online. 

3. We need to find out if there is a way to delink app/PHR integration/link/content sharing *automatically* if a user uninstalls an app. This sounds like a great idea in theory but we're shooting way out from potential practice here. We'd need plenty of permission screens, especially since IF the mobile health app has real-time update functional integration to the PHR, any changes made by the app would be entered and stored in the PHR, even if you uninstall the app. This could be sort of like having your PHR essentially act as the backup server or hard drive for your mHealth app data. 
TIMELINE: Take a look at this issue through fall and winter.
NEEDS: Developer assistance to see if this is possible. 

CHALLENGES RELATED TO THESE GOALS: 

1. Can PHRs currently available on the market handle this amount of granular data flow/input from apps? 
2. Are PHR designed, and are their workflows organized, to take these inputs and return search results in n=1, consumer/patient-friendly ways? (I'd argue not currently - all PHR platforms in my estimation miss the mark with this, which is why our open-source work on Chief Medical Officer and the work Contagion is doing is so important). 
3. How would a user uninstall the app and reflect that uninstall/delink on the PHR interface? 
4. What language would you use to remind users that they are uninstalling a health app and some data may be lost? Tech-wise, how do you try to ensure this data is NOT lost, but rather stored on the PHR?
5. mHealth application building is still a very small, tight field, essentially still wet and squawking in the birth sac. Will these sorts of permissions and programming requirements scare potential developers away from an already difficult to enter field? 

As you can see, I'm doing a major brain dump here. If anyone wants to help sort out these issues, time, feedback, haranguing vigorously welcomed. 

I've learned an extremely valuable lesson here as both an interaction designer and a PHR user. This episode has changed the way I view PHR access and mobile health application integration, and instilled a commitment to KISS design and opt-in sharing. Contagion Health has a significant interest in designing and building user-friendly, safe mHealth applications, so this kind of episode couldn't have arrived at a better time if it was heaven-sent (and I'm not entirely sure it wasn't). 

Now, back to building...to your health - 

Jen S. McCabe
@jensmccabe

CEO/Founder: Contagion Health 
CoFounder: NextHealth (NL)

Consulting/Chief Patient Advocate (social media): 
aaaa

Posted via email from Jen's Posterous

No comments: