Data Privacy & Security: We have reached the point of insanity!

Written by Mary Beth Chalk | Originally Posted on LinkedIn

In a November 6th article in MIT Technology Review entitled, “It’s shockingly easy to buy sensitive data about US military personnel” the author cited that “for as little as $0.12 per record, data brokers in the US are selling sensitive private data about active-duty military members and veterans, including their names, home addresses, geolocation, net worth, . . . religion, and information about their children and health conditions.”

Based on a recently published study by Duke University’s Sanford School of Public Policy, Duke researchers examined the practices of 12 US data brokers and highlighted a chronic issue with data privacy and security practices, finding “inconsistent controls when purchasing sensitive, non-public, individually identified data about active-duty members of the military and veterans, including even when they are selling this information outside of the US.”

While the brokers claim to have strong vetting processes to prevent data from being sold to criminal or other dangerous parties and to ensure that the data is used responsibly, Duke’s research demonstrated that this was the exception and not the rule.

As someone who has worked in a regulated data industry for over 25-years I was stunned at the lack of protections for personally identifiable information (PII) (including protected health information (PHI)), the absence of consideration of the potential harm that is likely to fall on military personnel (including veterans) and their families, and the lack of consideration for the potential impact to our national security.

Sadly, this lack of security diligence appears to be widespread. BeeKeeperAI recently worked on a federal level grant for infrastructure to enable computing on healthcare data. The request from the government lacked any emphasis on the requirement for data security and privacy protection in the proposed solutions. This was surprising given two Executive Orders addressing data security including the “Improving the Nation’s Cybersecurity” and the “Safe, Secure, and Trustworthy Artificial Intelligence”.

In addition, according to research published by the Journal of the American Medical Associationthe number of attacks on US hospitals has more than doubled from 2016 to 2021 and resulted in exposing data from nearly 42M patients.

When is enough, enough?! Why is it that the out-of-date security paradigms including data de-identification (which has been shown to be unreliable protection of privacy) remain acceptable when individual, organizational, and national security are at risk? Bottom line, the status quo is unacceptable.

One part of the solution is privacy enhancing technology (PET), as called out in the Executive Order for Safe, Secure, and Trustworthy Artificial Intelligence. The objectives of PET include:

• Personally identifiable information (PII, including PHI) remains protected and is never exposed.
• Data security policies are enforced in software.
• Policy adherence is audited and reported.

BeeKeeperAI takes PET a couple of steps further:

• In addition to protecting the data, third-party models, including AI (Artificial Intelligence), ML (Machine Learning), and queries, are also protected at rest, in transit, and during use.
• The PII/PHI data never leaves the environment of the organization responsible for its protection, even during use.
• The Trusted Execution Environment (TEE), with confidential computing, ensures that the compute environment is fully encrypted using hardware generated keys and is isolated from root and hypervisor access.
• The blast radius of any malicious code embedded in a third-party application is contained to the confines of the TEE.
• PII/PHI does not leave the TEE.

The use of TEEs with confidential computing as PET delivers the optimal security for privacy-protected data and intellectual property. Given the acceleration of cyber-attacks on individual, organizational, and national data, it is imperative that those responsible for safeguarding protected data adopt a solution that will help to stop the insanity.