
This is why hospitals need to be cautious about working with startups

Orion Hindawi, the CEO and cofounder of cybersecurity startup Tanium, acknowledged that it should have done more to anonymize El Camino Hospital’s data after a story published by The Wall Street Journal reported that sensitive data from the hospital was used in Tanium’s demos.


The revelation by The Wall Street Journal that cybersecurity startup Tanium allegedly used sensitive data from El Camino Hospital as part of a demo the company showed repeatedly to would-be customers is the kind of thing that keeps health systems’ IT staff up at night. But it’s also a wake-up call for health IT entrepreneurs to be vigilant and overcautious with respect to their collaboration partners’ data or risk undermining the value of their business.

The WSJ article said El Camino Hospital didn’t give Tanium permission to use its data to run those demos.

For its part, Tanium responded to the article in an open letter from Orion Hindawi, the CEO and cofounder, posted on its website. Although he took issue with parts of the story, he also apologized.

In the letter, Hindawi said that because Tanium is an “on-premises deployed platform,” it would not have access to its customers’ on-premises installations unless a customer explicitly granted that access.

Since 2015, we’ve insisted that before a customer is willing to let us demo from their environment, regardless of the access they offer us, we document that in writing and agree on what data we can show to ensure there isn’t any confusion. Other than the few customers who have signed those documents and provided us remote access to their Tanium platforms, we do not — and in fact cannot — demonstrate customer environments with Tanium.

That said, we take responsibility for mistakes in the use of this particular customer’s demo environment. We should have done better anonymizing that customer’s data. While viewers didn’t connect the demo environment to that customer for years, and we do not believe we ever put our customer at risk with the data we showed, looking at those demos, we see there are easy things we should have done to obscure and anonymize further.

Hospitals tend to keep startups at arm’s length because of the need to conform to HIPAA requirements and the risk of a data breach putting their patient data at risk. But in recent years they’ve collaborated a lot more closely and frequently, often through the help of accelerators and incubators cultivating networks of startups and healthcare partners.


The fallout from this news will likely be significant. This is a company whose value comes from being better than other businesses at protecting a client’s data. To then be discovered to have exposed a hospital’s data multiple times is a serious breach of trust.

Steve Barsh, Chief Innovation Officer for Philadelphia-based accelerator Dreamit, shared his perspective on the impact of the Tanium-El Camino Hospital news in an email.

“My guess is that with publicity like this, CIOs and CISOs (chief information security officers) will be a bit more buttoned up on working with any vendors (not just startups) and include in their vendor agreements that the vendor contractually agrees to not disclose sensitive information about the hospital to outsiders. In today’s HIPAA business associate agreements, vendors already have to agree to be compliant with how they handle patient personal health information. But that’s about patients. Now I would not be surprised to see that hospitals make sure that they include language and have closer scrutiny to make sure the vendor is not disclosing information that’s sensitive to the hospital itself, not just patient information.”

Photo: Epoxydude, Getty Images