In November 2019, Google acquired the wearable device company Fitbit—its third major healthcare-related headline in just a year. With Google now in partnership with both the Mayo Clinic and St. Louis-based Ascension Health, the tech company is leaving many healthcare industry observers feeling concerned regarding the future of patient data privacy.
Google and the healthcare industry
Google has been forming healthcare industry partnerships for some time now (e.g., with the American Cancer Society), but these deals have largely gone undiscussed, at least relative to news of its recent Ascension deal, code-named “Project Nightingale.” This additional media attention is likely due, at least in part, to the massive scale of patient data Google will now be storing on internal servers as a result.
Ultimately, Ascension is just another client for Google, paying for access to expansive cloud storage capabilities and advanced intelligence tools. Ascension and other organizations like it are using Google and its cloud platform to manage massive infrastructure demands in scalable, private, and secure environments. In return, Google gains a foothold in a market ripe for technological innovation.
The Fitbit acquisition and data privacy
Regarding the Fitbit deal specifically, Google is gaining not only the technology surrounding Fitbit's flagship activewear device, but also the surplus of health data Fitbit users have consented to sharing over the years. This has left long-time Fitbit customers skeptical of Google’s intentions. Disapproving users took to social media to share their concerns, declaring plans to cut ties altogether and take their business to Apple, believing the Apple Watch to be a more secure and private, albeit more expensive, alternative.
The question on everyone's mind: what does Google plan to do with all its newly obtained information regarding heart rates, breathing patterns, sleep quality, and menstrual cycles? In response, the technology kingpin has promised total transparency regarding user data, stating it will never sell personal information to anyone or use this data for advertising. Users will also have the choice to review, move, or delete their data going forward.
Savvy tech industry observers might argue this is only a jumping-off point for Google: a quicker means to dive into the smartwatch game and compete with current industry leaders, Apple and Samsung. Google used a similar strategy in early 2018 when it acquired a chunk of HTC in order to produce the debut model of its Pixel smartphone. This could be seen as a reassurance to those Fitbit users wary of what will come from their personal health data shifting ownership.
Cybersecurity in healthcare is a growing problem
Combine this Fitbit acquisition with an increasing number of major healthcare system partnerships, and suddenly Google has control of huge volumes of sensitive, personal data and a foot planted deep in an industry currently ranked the number one victim of data breaches.
Figures are not yet finalized for this past year — but, so far, 494 data breaches of more than 500 records have been reported to the HHS’ Office for Civil Rights, and more than 41.11 million records were exposed, stolen, or impermissibly disclosed. The healthcare industry now accounts for approximately four out of every five data breaches in the U.S., and 2020 is projected to be another record-breaking year with the total cost from breaches expected to reach $4 billion.
Google has stated that any patient data shared with them has been used exclusively for the purpose of helping providers support patient care — suggesting total HIPAA compliance. Google promises that it does not utilize any of this data for itself in any way.
Each healthcare partner utilizing Google’s cloud service has its own heavily siloed and encrypted virtual cloud partition. With these safeguards in place, patient data is in no way accessible between unique stores.
There also appears to be no significant record of cloud breaches on Google’s side of operations (excluding the Google+ scandal of 2018, which was unrelated to their cloud offering). It is important to note, however, that Google claims responsibility only for the security of partner cloud data internally. Partners, like Ascension, are still responsible for securing all data access and use within their own organization.
This poses a curious dilemma for the tech company to consider. Since Google does not have any say in hospital or healthcare system security or IT investments, data breaches through malicious email schemes (the current leading cause of healthcare data breaches), for example, can still bring into question Google's responsibility over the matter.
As Google Cloud becomes an increasingly appealing option for managing and analyzing healthcare data volumes, it’s possible as well that it will become a greater target for cyberattacks.
Who is securing the other end of Google’s patient data?
Data pulled from Definitive Healthcare’s Technology Insights platform shows that the majority of security technologies within healthcare facilities are currently provided by Symantec, McAfee, and Microsoft, meaning that while Google can protect the data on its own end (where it claims sole responsibility), it is at least in part relying on these major security companies (and proper security practices within partner organizations) to keep data as secure as possible.
Current healthcare security market share metrics
Fig 1: Data taken from the Definitive Healthcare Technology Insights Search (LOGIC) platform in January 2020.
It will be interesting to see how Google approaches data privacy vs. third-party security systems as more eyes begin watching how its patient data and healthcare analytics are secured. Will we start to see Google encryption and security software being pushed into the healthcare market?