Editor’s Desk: Apple’s changing encryption story, patient data access

Apple's Health app icon

A news story at the beginning of the week shows a very changing position for Apple, which has focused for years on customer data access freedom and privacy but appears to have changed its tune when it comes to encryption. There’s also news from the electronic medical records (EMR) industry, which may get shaken up this year thanks to new rules imposed by a federal government agency that oversees how medical records are maintained.

Did Apple bow to government pressure on encryption?

A bombshell report made the rounds early in the week that Apple may have put the brakes on end-to-end encryption in iCloud backups at the behest of the FBI.

End-to-end encryption does exist in various parts of Apple’s cloud services, but not with iCloud backups. And in fairness, Apple has a good customer-forward reason not to do end-to-end encryption: If you, the user, lose the encryption key, Apple would have no way to unlock your backup, meaning you’d lose it forever. This makes it possible for Apple to still unlock it, since it has a copy of the key itself and can unlock it once it’s verified your identity, or if it’s ordered to by law enforcement.

It’s disturbing to think that Apple would have stopped this by government request, especially after saying that it was looking into how to do it. It’s also a bad look for a company that makes customer data security such a central part of its message – one that it’s often willingly to publicly combat the government on when pressed.

The good news is that if you do need encrypted backups of your iPhone or iPad, it’s still possible to connect them to a Mac (or PC) and back it up – either with iTunes, or in the case of iTunes-free Catalina, directly from the Finder.

TIP: How to sync your iPhone with a Mac in macOS Catalina

Patient data access should be sovereign, but isn’t

A new report from CNBC says that Epic Systems, one of the largest makers of electronic health records software, opposes proposed legislation that would make it easier to share medical records more broadly. On the surface it’s easy to roll your eyes and say, “well, no kidding.” But it’s also really important to understand what’s at stake here, because the issue of “information blocking” is something that affects literally everyone in the country touched by the health care system.

The Electronic Medical Records (EMR) industry has been pegging double-digit growth from year to year, with revenues predicted north of $38 billion globally by the end of 2025. Those business are interested in maintaining the status quo. Right now, the businesses managing this technology have little incentive to make it easy to make information interchangeable, thanks to a patchwork of ineffective legislation.

So it’s possible for patients to view records through a web site portal or using an app, but actually using that data is a different story – even exporting it to a tab-delimited file can be impossible. This has been an ongoing issue for years, and this was to be the year that new “information blocking” rules proposed by the U.S. Department of Health and Human Services (HHS) would help.

Under the proposed legislation, healthcare providers and health info system makers have to make their data more portable, to help patients exchange, access, or otherwise use their own medical records. They’d have to use standarded APIs (application programming interfaces) to make that data accessible. Epic Systems’ CEO believes the rules may put patient privacy at risk by potentially making info available without their consent. On the other hand, Cerner – one of Epic’s biggest rivals in the EMR space – has expressed support for the new rules.

I think Epic’s CEO is on the wrong side of this, and I’ve expressed my disappointment with the current state of health care record access before. Ultimately, patient data should be in the hands of patients, to do with as they will. I’m sure that making patient data more portable raises the possibility that Epic’s CEO sees – that people or businesses may unintentionally share information they’d rather keep personal. But I’d still rather be allowed to make that mistake rather than have that option taken away from me altogether.

I know Apple’s worked hard to integrate iOS with medical information systems whenever they can. Apple supports Epic, Cerner, athenahealth and other companies with what little open API support already exists in this realm. But it’s still in its infancy. If Epic’s top concern is making sure that patient data stays as private as they can make it, maybe they should take a page from Apple and do whatever they can to maintain that data privacy and security, while still acknowledging that it’s the patient’s data to do with as they will, not Epic’s.

Are you concerned about access to your own data, either by encrpytion (or lack thereof) or through closed systems like what Epic Systems’ CEO wants to see? Let me know what you think in the comments.