Verily’s Baseline Platform: Investing in Security and Privacy
Verily’s Baseline Platform: Investing in Security and Privacy
The public health crisis
We are in the midst of the most significant health crisis in over a century. COVID-19 has been declared a global pandemic, and we have yet to understand how it will affect us today and in the future. The more we know, the better and sooner we can respond. At Verily, we are doing everything we can to assist in developing smarter COVID-19 testing to inform public health. In March, we launched the Baseline COVID-19 Program to expand availability of COVID-19 screening and testing, beginning in California.
Verily’s Baseline platform has been in development for almost five years and was envisioned as a new approach to bridge clinical research and clinical care. The platform is designed to benefit from the profound improvement in computing and the new digital environment, often referred to as the Fourth Industrial Revolution. A much more interactive approach to discovery is now achievable. Furthermore, a modern health data and clinical research platform can deal with the vast amount of data that must be stored and analyzed to develop new treatments and to understand which medicines, devices, digital tools, and care delivery are best for which people.
Privacy and data minimization
A primary goal of Baseline is to make it easier for people to engage in research so that we can ensure better representation in clinical studies, more comprehensive data collection, and faster evaluation and time-to-market for innovative tools and therapeutics. We understand that privacy and confidentiality of people’s data is critical to building the trust of the community we serve.
Verily has done extensive work over the past few years to develop private and secure platforms, and has published Verily’s privacy commitments. The Baseline platform has been employed in clinical research for years and hardened to protect data and users. Our privacy practices specific to Baseline are informed by the following frameworks:
- FDA: The Baseline platform is Part 11 compliant, a key component of privacy and security in dealing with sensitive research data regulated by the Food and Drug Administration.
- ISO 27001: The Baseline platform is ISO 27001 certified to ensure compliance with leading security standards.
- CCPA: The Baseline platform supports compliance with the California Consumer Privacy Act (CCPA), which enhances privacy rights and consumer protections. Verily is applying the protections of CCPA across our operation of the Baseline COVID-19 Program.
- HIPAA: The Baseline platform supports HIPAA compliance, depending on partner needs. With regard to the Baseline COVID-19 Program, Verily is not acting as a covered entity or business associate within the context of HIPAA. Verily employs security controls that map to the HIPAA Security Rule (for more, please see the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework). Verily strives to go above and beyond the requirements of individual regulatory frameworks to appropriately safeguard user information and to help in this public health emergency.
For the Baseline COVID-19 Program, we have committed to minimizing the data we collect for the purpose of enabling this testing and only collecting what is necessary to enable people to get tested. We are committed to deleting this data once the public health emergency is over, except where individuals provide their explicit consent for additional uses of their data, such as clinical studies. To provide context, current expert projections are that this public health emergency will last at least 18 months; because COVID-19 is a new disease, we expect to retain the data throughout this time period to assist public health.
Authentication with google accounts
As we build products that are used for clinical research or healthcare delivery many people have asked why we require that a person have a Google account. As part of the sign-up flow for all Baseline clinical studies, including the Baseline COVID-19 Program, our platform requires individuals to link to an existing Google Account or to create a new Google Account (which can be done with any email address) for authentication purposes. This is important for two reasons:
Data Security: We need world class authentication to protect people’s information. We are protecting health information, ordering tests, and returning health results. Without a strong authentication procedure, unknown people could send or receive information with serious consequences for health or well-being, and bots or fraudulent attacks could be made on the platform.
Proven Solution: Verily uses Google for cloud services, including data storage, computing infrastructure and authentication services, as do many other organizations. Google provides best-in-class authentication and has a world-class team of security and privacy experts dedicated to building, maintaining and evolving defense for the Google ecosystem. Features such as two-factor authentication, account recovery, fraud/bot detection, and phishing protection are important. This authentication system enables clinicians, researchers and healthcare systems to securely and privately contact individuals and transfer information during the screening, testing and research process. Google’s access to data is strictly limited to the purpose of providing such services. All the data provided by Baseline COVID-19 Program users for screening is stored separately and not linked to a user’s Google Account, which is used for authentication purposes. Data will never be used for advertising purposes.
We are dealing with a crisis in the midst of a pandemic. This will take considerable work in a shorter period of time than “business as usual,” and there are many priorities vital to the public health. Given that the Baseline COVID-19 Program was built on Verily’s pre-existing Baseline platform to secure health information, it enabled us to quickly develop a reliable, secure and authenticated site. We feel fortunate that the Baseline platform was ready to go and fit for this public health purpose.
We appreciate the opportunity to help people, patients, health departments, clinicians, and researchers deal with this pandemic. We take our responsibility to protect data seriously and will continue to explicitly inform people as we take this journey together.