Privacy-Preserving Technologies and Rights-Based Privacy Regulation Compliance


Over the past decade there has been growing interest in what should be done with the expanding volume of digital information collected about individuals, information that may be used or sold by companies and governments. That interest is heightened when health data is involved and when the data might be used in ways contrary to the interests or values of the individuals it describes. In parallel, new data protection laws have been passed in many parts of the world, and increasingly in several U.S. states, that treat control over one's personal data as a human right.

It is commonplace to merge the concepts of data privacy and security, even though each has a distinct role. Data security is the set of measures taken to prevent unauthorized access to data. A common security measure is encryption, which requires a user-specific key to restore the data to its original form. Privacy-preserving technologies, or PPTs, are a newer class of technologies that allow encrypted data to be distributed and then selectively decrypted, revealing some or all of the data that is encapsulated. PPTs are especially promising for sharing genomic data, since only part of the data need be made available to a researcher, which lowers the risk to the individual of subsequent data misuse.

Data privacy, in contrast to data security measures, is a set of policies that are applied to secure data. These policies typically govern the data collected, the purpose for which the data is collected, and the informed consent granted to the researcher to study the data. A common data privacy policy is the right to rescind one’s consent and to have the individual’s data deleted. This is also known as the “right to be forgotten.”

Security-based protections such as PPTs and privacy-based protections differ considerably in how they are implemented. With security-based approaches, data are distributed to researchers who are approved to access them. Once access is granted, control of the data is lost: over time there can be many copies of the data held by multiple researchers, as shown in Figure 1A.

Figure 1A. Once permission is granted, data are distributed to uncontrolled environment(s).

In contrast, privacy-based approaches keep each piece of data within an environment that supports its removal if the individual's consent is withdrawn. Under this approach an individual retains a virtual string on their data and can pull it back at any time, as shown in Figure 1B.

Figure 1B. Permissioned data are used within an environment that enforces privacy policies.

The question of which approach is better rests largely on the regulatory environment in which the research is being performed. In Europe, compliance with the General Data Protection Regulation (GDPR) requires that the data rights of individuals persist after they share sensitive personal data such as health data. In California, the California Privacy Rights Act (CPRA), which took effect in 2023, requires similar protections for individuals. For historic datasets, databases, and biobanks that include genomic data, PPTs have provided a more secure way to distribute such sensitive personal data.


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data—health records, lived experience, disease history, genomics, and more—for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Something Exciting Happened on October 6, 2022, Concerning Your Medical Records


Editor’s note: This article is jointly authored by Luna and Greenlight Health Data Solutions.

The Information Blocking Rule, now in effect, is a new federal regulation we should all celebrate as a big win for control over our health information, a right that we should always have had.

Let's take a step back in time and then fast forward to today. In recognition of the importance of digital health information for advancing precision medicine, the Information Blocking Rule was a provision of the 21st Century Cures Act, which aimed to modernize healthcare data interoperability and update a component of HIPAA that was oriented to paper-based medical records rather than Electronic Health Records (EHRs). Part of the motivation to connect EHRs was to improve the portability of one's health data across multiple healthcare providers and to give direct access to one's health data through online patient portals. The Information Blocking Rule requires that healthcare organizations give patients digital access to their full health records (via a patient portal) without delays or cost.

Why is this important? The new Information Blocking Rule unblocks access to Electronic Health Information (EHI), which the Department of Health and Human Services (HHS) defines in terms of electronic protected health information (ePHI). The significance of this rule has many threads, not least of which is bringing control and rights over the information much closer to the patient, the individual the data is about: you! You can now review and research your own information to be a more informed patient. You can easily share your data with new healthcare providers if you relocate or change your insurance coverage. You can avoid time-consuming and costly duplication of diagnostic tests, which is commonplace whenever one engages with a new medical professional. You can also choose to share your data with a clinical research study or trial that is of interest to you, to advance medical knowledge and health discoveries for society more broadly.

We’ve been advocates for individuals’ rights to access their health information for a long time. Greenlight Health was an early software platform specifically designed to offer patients online access to their health data. Luna has implemented Greenlight’s EHI data-sharing APIs which support connections to more than 90% of the U.S. provider market. This approach allows for the inclusion of EHR data, along with genomic and health survey data, for patient-centered research studies to understand and improve health outcomes. Gathering health information from multiple health systems, and across decades, provides convenience to individuals and their families while simultaneously providing a richness of data to researchers to unlock new insights for health improvements. Such patient-centered studies hold promise to enrich the standard of care more equally for individuals of all ethnic and racial backgrounds.

An essential aspect of inclusive clinical study participation requires that data shared by individuals is done with their informed consent and that the data is not used for other purposes outside the individual’s consent. Luna’s health data sharing and analysis platform uses rights-based data privacy measures to protect access to shared data so that a contributor (you) can remove their data from the platform and/or from any studies they joined with a simple click of a button. By implementing rigorous rights-based data protection and privacy that complies with all current privacy laws (such as GDPR in the EU), Luna provides a path to international clinical studies that can benefit from population diversity globally.

It's no longer in the medical provider's control to decide when to release a patient's information. The Information Blocking Rule is really about information sharing and empowering the patient with ownership of their health data. Under HIPAA, healthcare providers are allowed 30 days to fulfill medical record requests, with one 30-day extension permitted if the provider needs it. With this new rule and direct EHI access methods for patients, a healthcare provider cannot "interfere" with the flow of EHI, and it needs to flow without delay. When there are instances of interference, healthcare providers and EHR vendors are subject to financial penalties (up to $1 million per occurrence and/or reductions in Medicare and Medicaid reimbursement). Healthcare providers and vendors lobbied strongly against this rule (in fact, the rule was held up for six years), and days before it became effective, 10 of the leading healthcare industry trade associations pushed HHS for a delay.

As stated, the rule extends an individual's right to access EHI through a patient portal. As the name implies, patient portals were designed to let individuals connect to their medical records whenever needed. The intent of immediate access to medical records through a patient portal is to provide a mechanism for sharing EHI with other healthcare providers, with family members, and for research.

This rule is one more step toward providing you with a comprehensive understanding of and access to your own healthcare information and, more importantly, control of how your health records are shared.

Taking the power of your health records to the next level, Greenlight Health and Luna combine capabilities to enable you to consolidate your records in one place and safely share your health records and other unique experiences in research studies that are of interest to you. You are in the driver’s seat now. The steps you take next could make a big difference in finding treatments and cures for those who need them most.



Know your Rights Around Health Data Privacy


Evolving privacy regulations, changing legal interpretations, and security breaches make it hard to keep up with our rights and risks these days. People are looking for resources to help them cut through the technical jargon regarding personal health data protection. Many simply want to use the technology they have come to enjoy while keeping their health information safe and secure. 

What are health data rights?

To unpack these questions, it's helpful to review where your health information is first collected and what your rights are today. When individuals in the United States consider their health information, they may be aware that the law regulates how healthcare providers (one kind of "covered entity" under the law, alongside health plans and clearinghouses) use their data. First passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) limits third-party access to identifiable health information held within the healthcare system.

Many people may not be aware that this information is used outside the healthcare system, for research and other purposes beyond medical care. The HIPAA Privacy Rule, finalized in 2000, lists eighteen categories of identifiers, such as names, addresses, and dates, whose removal is the basis of its "safe harbor" de-identification standard, and it treats as protected health information (PHI) any health data linked to these or to "any other unique identifying number, characteristic, or code." However, the Privacy Rule only applies to covered entities and their business associates. HIPAA does not protect the privacy of our data held by app providers, government bodies, biotech companies, and other entities that don't provide healthcare services.

“Health discovery relies on health data. Luna advocates that the most reliable, representative health data comes directly from people. This is why, from Day 1, we’ve built privacy-by-design so that we can protect people and accelerate better health interventions.”

Scott Kahn, Chief Privacy and Information Officer

Since the passage of HIPAA, the amount of information that can be gathered about us has increased exponentially, and data science has advanced significantly. Remember, we had only just started using email in 1996! Today, computational methods can combine non-identifying pieces of information, as few as two or three data points such as a birth date and a postal code, into very accurate assignments of a person's identity. Put differently, the privacy protections HIPAA gave us two decades ago were not designed with today's information and science in mind.

This simple observation has motivated some states and federal legislators to enact data privacy laws that focus on a set of rights for individuals, not institutions.

Scott Kahn, PhD, Chief Information and Privacy Officer, Luna

You have a right to data privacy

Today, as health and tech consumers, we have rights to data privacy. Modern laws define a person's rights with respect to their data and require companies, governments, and organizations to respect those rights when collecting and analyzing data about consumers. We can give permission, known legally as informed consent, for the use of our data, and we have a right to know who is using our data and for what purpose, such as a clearly defined public benefit.

In general, these newer laws require that we are provided the purpose, such as the kind of research being done, for why our data is being collected. One example of these laws in practice is the numerous cookie notifications you receive on practically every website you encounter on the internet. You have the right to change your mind about sharing your data—also known as revoking consent—and the right to confirm that the company destroyed your data. 

We live in a time of astounding data creation. If we can use that data to advance causes that matter to us, we can change the quality and velocity of health interventions.

At Luna, we appreciate the evolution of these consumer data privacy laws and have operated since Day One to exceed their requirements.

Read about Luna’s Data Protection Impact Assessment.

Scott Kahn, Ph.D.

CHIEF INFORMATION + PRIVACY OFFICER

Scott is the former CIO and VP Commercial, Enterprise Informatics at Illumina. At Luna, he’s integrating data privacy and security provisions that keep member data safe, private, and secure.


The Evolution of Data Privacy: A Q&A with Bojil Velinov, Head of DevOps & Automation at Luna 


Bojil Velinov, Head of DevOps & Automation at Luna, talks about the evolution of data privacy and how Luna is addressing privacy and data security at the company.

From your perspective, how has the conversation on data privacy evolved, and how are you addressing it at Luna?

Data privacy is moving more and more into mainstream conversation, from breaches of social media sites and data leaks to ransomware attacks at medical institutions. Some of our utmost personal information is stored in these places, so it becomes very intimate when such information falls outside of our control. 

Bojil Velinov, Head of DevOps & Automation at Luna

On the professional side, at the last Amazon Web Services annual re:Invent conference, the people I met with and the talks I attended combined my interests in healthcare, regulatory compliance, and data governance. The apparent perspective is that the industry is increasingly focusing on protecting the data subject, which is the technical term for whom the collected data is about. I want to see this topic continue to get more attention.

How are you addressing data privacy at Luna?

We address data privacy and security in multiple ways. We operate by embedding “privacy-by-design” as part of our core values, and we recognize that online privacy needs to be built upon a foundation of data security measures. 

For example, one best practice we have is conducting yearly penetration tests, a type of security test that ensures our application stack is well protected against some of the most common attacks on the internet. It’s one of the ways we work to secure our platform. 

We also assess the risk(s) for every software feature, such as a login button, entry for one’s username, file uploads, and such. As part of our development process, we ask ourselves: “How do we prevent this feature from being vulnerable to attack?” Implementing detection, prevention, and recovery pieces into each assessed feature is part of our development life-cycle. By exercising due diligence in our design, development, and release processes, we keep the application stack more secure–and ultimately guard privacy.

How do you operationalize privacy-by-design at Luna?

It’s good to think outside the box, such as what possible future attacks on the software could occur. For example, how do we architect a way to be resilient to future vulnerabilities? One way is to utilize continuous integration and deployment (CI & CD) coupled with monitoring tools, security brainstorming sessions and vulnerability scans. 

We've taken privacy and security very seriously from the inception of the platform. One approach we utilize, for example, is envelope encryption; it's a way to encrypt something in multiple layers. You can envision this as putting a box within a box, but imagine that each box is locked and that separate keys unlock each one.

Another approach we have taken is not storing the data in the same location. We keep data fragmented. This way, if one particular location is compromised, it doesn’t reveal the complete picture of what the data represents. 

People have become increasingly aware of the importance of data security and how it affects data privacy. The volume of personal data people generate on the internet pertains to their privacy and their ownership of that particular data. I think what we often try to do is put ourselves in the user's position. People who contribute to the Luna platform see how their data is utilized and to some degree magnified. That starts with our language and how we talk about it, goes through how we implement the guards of that data, and finishes with the granular controls of the data we give to each individual. All this establishes trust and demonstrates transparency.

Can you share more about the penetration test?

There are various ways of having a good posture from a security perspective. For example, how do we ensure our domain or company email is not used by a third party for spoofing? 

Pretend that a bad actor is phishing, for example. In phishing, a technique for fraudulently obtaining private information, email is the most common medium. Nowadays there are some "geeky" mechanisms at our disposal, such as using specific signatures in the domain name system (DNS) records. Historically, DNS is the system of servers that helps us find things on the internet; it knows where you need to "land" when you type a website name in your browser's address bar. Now, the same system is utilized to protect us from spam and phishing by allowing the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. This is technically known as DomainKeys Identified Mail (DKIM).

Here's how it works: You send an email from lunadna.com to a recipient using Gmail, for example. Upon receiving that email, the Gmail server checks for a setting in the lunadna.com domain system. It says, "I am receiving this from this particular email service/server; can you confirm the server is authorized to send emails on your behalf?" Simple, yet powerful. I highly recommend that any engineer involved with their company's email and DNS set this up.

Many sites today use multi-factor authentication. What are the concepts here?

The concepts in multi-factor authentication are evolving, and so are the tools around them. At Luna, we try to balance the impact of the "extra steps" the member must take against their overall sign-in experience, and at the same time be upfront in explaining why we are putting such controls in place. In short, it's because we really care about your data security, and we want to ensure that the person entering the platform is indeed you.

Take, for example, the case of ransomware attacks. The breaches in most of these security incidents, at various companies or individual accounts, happen because the password was compromised. That’s really the weakest link in the chain. It’s best not to reuse your passwords! Try using password manager technology to be most data safe. If one of your accounts gets compromised, bad actors can try it on other sites. If you did not reuse your password, you’d be less vulnerable. If you did, then you are out of luck.

Multi-factor authentication, in some cases referred to as 2FA, can be leveraged in different ways, such as email verification, text message, etc. It's that additional control you put in place that, to some degree, provides another layer of protection. It also has its vulnerabilities, though.

A practical way to think about multi-factor authentication is to balance the work required for authenticating the user to keep the bad guys out while keeping the process user-friendly. You don’t want to annoy your new participants with a slew of controls before they can see the benefit of your application. A little friction goes a long way, and it’s certainly better than the pain associated with sensitive data loss. 
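The second factor behind authenticator apps, as an added example that is not Luna's code: the time-based one-time password scheme of RFC 6238, with the two server-side details that most often go wrong, namely accepting a neighbouring time step to tolerate clock drift and refusing to accept the same step twice. The secret is the RFC 6238 test key and the account and issuer names are made up.

```python
"""TOTP second factor (RFC 6238) with drift window and replay guard; added example."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6     # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS, digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, digestmod)


class TotpVerifier:
    """Server-side state for one user: tolerate +/- `window` steps of clock drift,
    compare in constant time, and never accept a time step twice."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP, digits: int = DIGITS):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self._last_counter = -1   # highest counter already accepted; persist this per user

    def verify(self, code: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        base = at // self.step
        for offset in range(-self.window, self.window + 1):
            counter = base + offset
            if counter <= self._last_counter:
                continue   # replay (or an older step): a used code must never work again
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self._last_counter = counter
                return True
        return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI as enrolled by authenticator apps; the secret is unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    print(provisioning_uri(secret, "member@example.test", "ExampleIssuer"))
    print(totp(secret, int(time.time())))
```

The replay guard is what separates a usable second factor from a token that merely looks like one: without it, a code phished a few seconds earlier is still valid for the rest of the window. The per-user `_last_counter` has to live in persistent storage shared by every login server, and the shared secret must be stored with the same care as a password hash, since anyone holding it can mint codes.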


The Role of Cybersecurity in the Management of Data Privacy


The focus on data privacy from the general public has surged over the past few years. A large cohort of individuals with little to no experience in informatics now needs to understand the digital environment at a level of detail beyond their expertise or experience.

The intersection between privacy and the much more common issues concerning data security and data breaches has resulted in a digital environment where few can make confident and informed decisions. As a result, most individuals conflate data security with the privacy policies in place.

The differences between data security and data privacy

Data security features are measures that allow an individual or an organization to exert control over a digital asset. Security is typically implemented in overlapping layers to minimize the likelihood that control or access to a digital asset will be lost. End users most obviously experience security through password-mediated access control, possibly with a second level of identity verification such as a code sent to a mobile phone via text for identity confirmation. There are also many security safeguards put in place at the infrastructure level to avoid unauthorized access by programmatic “hacking.” Collectively, all these cybersecurity features provide a foundation for control of a digital asset.

In contrast, data privacy is a set of policies layered on top of controlled digital assets. Data privacy can be expressed as a set of rights guaranteed to an individual to access, correct, share, un-share, restrict, transport, and delete their digital assets. Data privacy equally requires a level of transparency around the processing or use of data so the individual can exercise those rights in an informed manner. Absent data security measures to exert control, data privacy policies cannot be implemented.

Data privacy policies need to persist over the lifetime of a digital asset, whereas data security features act at a point in time. Once a copy is released by satisfying all security safeguards, the owner's control over that copy is lost. Data privacy rights therefore require a persistent environment that provides data security to prevent external access while allowing agreed use of the data asset for approved purposes.

Scott Kahn, PhD, Chief Information and Privacy Officer, Luna

Playing in the sandbox

Securely isolated environments, called "sandboxes", separate the individuals gaining access to digital assets in the sandbox (the data users) from the inclusion of those assets in the sandbox by the data owners. This maintains a level of control over the data asset by the data owner even as the asset is being used or processed within the sandbox by the data users.
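The sandbox just described and the "virtual string" of Figure 1B in the first article above rest on the same mechanism: consent is evaluated at the moment of each read inside a controlled environment, rather than at the moment a copy is handed out. The following is an added illustration, not Luna platform code; the class, field names, key and participant records are all constructed. It shows the three properties a practitioner would check for: consent is consulted on every query so that withdrawal takes effect immediately, withdrawal purges the record rather than hiding it, and researchers see only a keyed pseudonym plus the fields they asked for, with every read written to an audit trail. The `export_copy` helper stands for the Figure 1A model, where the same rows leave the environment and are beyond recall.

```python
"""Consent-enforcing research sandbox; added illustration, not Luna platform code."""
import hashlib
import hmac
from collections import defaultdict

# Constructed key: in practice it lives in a KMS and never leaves the sandbox boundary.
PSEUDONYM_KEY = b"sandbox-pseudonym-key-rotate-me"


def pseudonym(participant_id: str) -> str:
    """Stable research id that cannot be reversed without the key held inside the sandbox."""
    return hmac.new(PSEUDONYM_KEY, participant_id.encode(), hashlib.sha256).hexdigest()[:16]


class ConsentSandbox:
    """Data stays inside; every read is filtered by *current* consent and logged."""

    def __init__(self):
        self._records = {}                 # participant_id -> payload dict
        self._consent = defaultdict(set)   # participant_id -> {study_id, ...}
        self.audit = []                    # (event, actor, study, row_count)

    def contribute(self, participant_id, payload, studies):
        self._records[participant_id] = dict(payload)
        self._consent[participant_id].update(studies)
        self.audit.append(("contribute", participant_id, tuple(sorted(studies)), 1))

    def revoke(self, participant_id, study_id=None):
        """Withdraw consent for one study, or purge everything (right to be forgotten)."""
        if study_id is None:
            self._consent.pop(participant_id, None)
            self._records.pop(participant_id, None)   # delete, not merely hide
        else:
            self._consent[participant_id].discard(study_id)
        self.audit.append(("revoke", participant_id, study_id, 0))

    def query(self, researcher, study_id, fields):
        """Purpose-bound read: only rows consented to this study, only the requested fields."""
        rows = []
        for pid, payload in self._records.items():
            if study_id not in self._consent.get(pid, ()):
                continue   # checked on every read, so a revocation takes effect immediately
            row = {"rid": pseudonym(pid)}
            row.update({f: payload[f] for f in fields if f in payload})
            rows.append(row)
        self.audit.append(("query", researcher, study_id, len(rows)))
        return rows


def export_copy(sandbox, researcher, study_id, fields):
    """The Figure 1A model: the same rows, but once returned they are beyond the sandbox's reach."""
    return list(sandbox.query(researcher, study_id, fields))


def demo():
    """Returns (rows in an exported copy, rows visible in the sandbox) after one withdrawal."""
    sb = ConsentSandbox()
    sb.contribute("p-001", {"age": 41, "variant": "chr17:constructed"}, {"study-A", "study-B"})
    sb.contribute("p-002", {"age": 35, "variant": "none"}, {"study-A"})
    copy_before = export_copy(sb, "dr-x", "study-A", ["variant"])
    sb.revoke("p-001")                                   # participant pulls the virtual string
    live_after = sb.query("dr-x", "study-A", ["variant"])
    return len(copy_before), len(live_after)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that nothing in `query` is cached: the cost of re-checking consent on every read is what buys the guarantee that a withdrawal is honoured the next time anyone looks, and the audit list is what a DPIA reviewer can later reconcile against the consent events.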

There are many new data privacy policies being enacted into law around the world that, to a greater or lesser extent, confer data rights to data owners. The European Union has enacted the General Data Protection Regulation (GDPR), which serves as an exemplar for many countries outside of the EU and for several states within the U.S. But regardless of the data privacy policies in place, all privacy controls are built upon a cybersecurity foundation of data security measures that support control of data assets within a digital environment.

The interplay between security control and an implemented set of privacy policies takes center stage within the Luna platform. 

Security controls are reviewed via SOC 2 protocols that are documented and audited on a regular basis. Data privacy policies are reviewed regularly and assessed with regard to the data rights conferred to individuals and to the potential risks to these individuals incurred by sharing their data. 

Data protection impact assessments (DPIAs) are performed for the Luna platform and for the sandboxes employed by researchers. It's noteworthy that within the Luna platform the full spectrum of research inquiry is supported while simultaneously supporting the data privacy rights of all individuals willing to share their health data to advance medical science.
