This week on DigitaLee, David Shifrin and Lee Aase talk about digital security in two forms. First, the general trend of hackers and scam artists constantly finding new ways to snag your info…and money. These days it’s a cryptocurrency scam on LinkedIn costing people tens of thousands of dollars. The second thing is the recent news that many hospitals have tracking pixels placed not just on their websites but on their patient portals. That’s bad news and a bad look when it comes to healthcare marketing and, most importantly, patient privacy.
Listen and subscribe to the podcast, or read the transcript below.
David Shifrin: All right. So a brand new topic today, Lee, something that nobody has ever talked about before, ever. We were digging under rocks and found this. No, it’s not true. I wish it was true, but it’s not. Conversation today about cybersecurity and protecting our own personal information, and this really started with an article that we found – I think it’s from CNBC – talking about a LinkedIn scam where people are creating fake profiles and then pulling people into cryptocurrency scams while they pose as financial advisors and bilking people out of a lot of money.
So that kind of raised the issue of you always have to be wary about what you’re dealing with online, and then led into sort of a wider conversation about just personal information online in general, which brought up this other new problem that has been revealed recently, where tracking pixels have been placed on not just hospital websites, but in some cases on patient portals. And that is allowing for the transfer, the sale of private health information and other personal information from patients to be sold.
Lee Aase: Yeah. The LinkedIn article – the article about using fraud on LinkedIn, people setting up fake accounts and enticing others into investing in cryptocurrency – and then the story the one person featured was that they had been directed into Crypto.com, a reputable site, and then building that relationship and then over time having it being migrated or being encouraged to migrate into another site owned by the other, by the bad guy. So I think it’s just good for us to know that people who are wanting to do us ill are restless. Restless. They do not rest and they’re very eager to exploit opportunities.
I see it all the time with text messages that I get saying “an AT&T message: your bill has been paid and please accept your gift” with a link to click, there’s all sorts of just shady things like that are happening. And just I guess eternal vigilance is the price of liberty, as the old saying goes, or the price of yeah, economic liberty. Because the person in this particular case had lost $280,000, had been swindled out of that. And I guess what we’re seeing with these digital platforms is just a lot more opportunity for people to have a broader, for the bad guys to have a broader range, broader scope in terms of an audience that they can try to exploit.
DS: What’s interesting about that article too, I thought, was that it highlighted that LinkedIn is a good place to scam people because people look at LinkedIn as a relatively safe professional place to go. And I think your point is exactly right. They just have to be wary and can’t, frankly, can’t trust anything.
LA: Yeah. They also post that they work at a given institution or for a given company. And there isn’t any verification of that. That’s they’re alleging that. And I’ve had that back before, in my days working with Mayo Clinic, somebody would say they were a Mayo Clinic employee, and they were reaching out to me, and I’d look them up in the directory, in our online directory, employee directory to say, so is this even really a…I don’t recognize this person, is this a Mayo person? But it’s so easy to just say, oh this is somebody who works with me. Yeah, I’ll accept them, whatever.
DS: And then I don’t know if you want to talk about this here, Lee, but you had mentioned too that you had a recent experience with some bots and spammers that fits in with this.
LA: Yeah, it was just crazy. It was right along these lines. And speaking of AT&T, I got a call from AT&T that someone was trying to purchase a phone using my phone number and they had, they were calling to confirm that it wasn’t me, or to check that it wasn’t me. And I said, no, that’s not me.
And when I hung up, I opened my email and I had about 200 different email list subscription things that were coming in saying thank you for signing up for the Indiana Department of Labor list and for the US Agency for Economic Development. And so I did a Google search and said, so why am I getting all these emails for subscription lists?
And I guess this is a scam that’s happening now, where people do some kind of a hard, they were trying to get a free phone, and what they’ll do then is use your email address to subscribe to email newsletters that don’t have a captcha on them, you know, prove-that-you’re-human kind of thing, so then the idea is that when that AT&T notification comes it’s swamped by all these other emails that you’re getting as well, and you end up deleting it and not recognizing that it’s happening.
They’ve harvested the lists of all these places where they can push one button and put in your email address and subscribe you to all of them through a bot, and then it’s just a matter of creating chaff, creating countermeasures that prevent you from seeing what’s going on. So yeah, that’s just one new wrinkle about the relentlessness and restlessness of the bad guys in terms of figuring out new ways to cover their tracks.
DS: Lee, let’s flip this then from sort of our responsibility – it’s always our responsibility to be vigilant – but to think about this in terms of what we actually give permission for and our expectations around privacy. Our information, as everybody knows, is out there everywhere; we sign up for Facebook, we sign up for Twitter, we sign up for anything, and with cookies we’ve just signed our whole lives away. And yet at the same time, there’s still an expectation, right, that certain elements of our life should be private, particularly when it comes to health.
And so that is a concern now with these, the exposure of tracking pixels being placed on provider websites and on patient portals. So talk a little bit about how social media is collecting information, how these pixels work and why it is possible.
LA: Yeah. When a pixel gets placed on a website and whether in this case that we’re talking about here, you’re talking about patient portals, I think that’s just amazing to me that someone would think that was an okay thing to do. It’s one thing when it’s a regular hospital website, when you’re into the patient portal, then you’re looking and you do events that trigger capture of information.
And they were talking about that; the name of the patient, the time of the appointment and the doctor…so if it’s a specialist in gynecology or in other, whatever specialist, whatever specialty it is, it can be pretty revealing of what kind of interest or condition that the patient might have.
I think hospitals and health providers that are dealing with pixels at all on their sites are really setting themselves up for a pretty big privacy concern blowback, that there will be some episodes like this that will come in the future where information gets disclosed, that somebody will raise a major issue and people and organizations that are using these within their sites are going to be not in a good spot. They’re going to have reputational risk. And I just don’t think…they have reputational risk now, they will suffer reputational damage and there will be concern about it that’ll be hard to erase.
So I would really recommend that hospitals and other providers be super reluctant to engage in that and maybe be very careful. And I don’t know, there was the old Ronald Reagan saying “trust but verify”, but I don’t know, you know, I don’t think you should trust. I think it’s just, it’s playing with fire to be messing with that.
DS: So it does put a little bit of a crimp on marketing plans, because if you just say, look, we’re not going to mess with this at all, we’re not going to mess with pixels, then that does – and talking on the main website, not talking about patient portals, that should just be a given – but if you say we’re not going to even go near the fire much less play with it, then yeah.
That could have potential implications for how you’re doing retargeting, how you’re setting up your advertising campaigns. But I think that the challenge then is, or the call then is just to find other ways to reach people, use other tools. But don’t put yourself in a situation where you’re unwittingly violating all kinds of patient confidentiality.
LA: If you’re the gateway for information getting out about your patients, and even your prospective patients, getting shared with others and sold to others, that’s just not…marketing is something that’s done in healthcare, obviously needs to be done, but that needs to be put in and it needs to be in a very circumscribed place so it’s not doing harm to the people that we’re trying to serve.
DS: So then Lee, for the tip, I think that kind of is it, but more specifically, what are a couple of things digital teams, after listening to this, should go and check, or that an executive should ask their team to make sure everything’s okay?
LA: Yeah, they should just be definitely finding out what the organization is doing and has done with pixel placement and use of these, and if they’re going to go into it, going with eyes wide open and really understanding in what limited respect they might consider using something like this, but it is playing with fire and likely to get burned.
DS: Okay. And then the other piece of this, again flipping it back towards the patient then, is so often we’ll get emails from different service providers saying whatever, “Xfinity will never call you requesting your password or your social security number,” something like that. And I think that ends up in the material that we get from hospitals or doctors’ offices in that sheaf of papers that we always have to sign in the privacy practices. But I think it’s also important just to, it’s one more responsibility on the providers, but to take the time to explain to your patients how you collect information, how you ask for information, what you’re doing, and to really give them the resources that they need to protect themselves and their personal health information.
LA: And in a way it’s like the survey fatigue that we all have because you get this “American Express wants to know what your experience was like with your most recent person” or Delta Airlines or whoever. And with all these disclosures of privacy practices as the consumer, it is bewildering.
It’s just, it’s a snowball. And so finding ways to, as healthcare providers, to be clear about that and eliminate the jargon and try to be plain-English communication. But mainly don’t do bad things. Use the mom test: what would you want happening with your mom’s information? And golden rule: doing unto others as you’d have them do unto you, that if you wouldn’t want your information used in that way, you probably ought to not be doing it. Especially given that many of our, many if not most, of our healthcare providers are nonprofits, so you’re supposed to have a charitable public service orientation. I think that weighs very heavily on the level of caution that you should be exercising when engaging in any of this kind of stuff.