How Headspace Built a Privacy Operations Center

The issue of privacy is of critical importance to every enterprise when considering brand reputation and financial loss, but it threatens some industries more than others. As Shobhit Mehta, security and compliance director of Headspace puts it, “We truly believe privacy is an existential risk to healthcare companies.” Speaking last month at the RSA Conference in San Francisco, Mehta and former Headspace CISO Puneet Thapliyal described the work the company has done to improve data privacy, including establishing a privacy operations center.

Headspace started simply as a mobile app offering guided meditation exercises. Now it has expanded to offer “Headspace Care”-- a platform for mental health coaching, therapy, and psychiatric services. The service even works with businesses’ EAP programs and medical insurers.

Therefore, Headspace must comply with the Health Insurance Portability and Accountability Act (HIPAA) in addition to the increasingly rigorous privacy regulations demanded by app stores, and other global laws. (The company operates in 190 countries.) Further, the HIPAA Privacy Rule treats mental health clinical notes somewhat differently than other medical data, which adds extra complexity to Headspace's challenges.

The FTC fines companies for malpractice regarding secure data, with the largest being Anthem’s $16 million payout to settle a case involving violations of the HIPAA Security Rule.

Related:Repeat Offenders: Black Basta’s Latest Healthcare Cyberattack

Legal and regulatory requirements are another layer for enterprises to consider for staying California Privacy Rights Act (CPRA), GDPR, and HIPAA compliant. Being available in 190 countries, Headspace needs to comply with various requirements in these countries.

Compliance is only part of the challenge, though. “We can have all the amazing controls and privacy requirements within the application,” said Mehta, “but if we don’t build the trust with our members and consumers, it will erode all the financial incentives.”

The Four Pillars of a Privacy Operations Center

Though Headspace took several measures to ensure compliance, this wasn’t enough to achieve their ultimate security goals. The company struggled to eliminate silos between privacy, security, legal, compliance, and product engineering teams.

This led Headspace to come up with a Privacy Operations Center (POC) with a single goal to bring all privacy, security, and compliance initiatives together. Data classification is incomplete without inventory, but complete data inventory is extremely difficult to have, explained Mehta.

Related:Tracking Pixels and Another Big Health Care Breach

“A [security operations center (SOC)] provides dashboard alerts, where you may need to check an application’s status. We have a similar dashboard that provides data retention alerts within our POC,” he said.

Through the POC, Mehta said, they have made it more efficient and cheaper to respond to data subject access requests (DSAR), which could typically cost thousands of dollars apiece.

The company has also embedded privacy into their secure development lifecycle, and conducts privacy impact risk assessments before products are developed. “We spend a lot of time shifting security left,” said Mehta. “What about shifting privacy left?”

According to Mehta, these are the four pillars of Headspace’s POC: Governance and management; partnerships across different teams; tools and processes; and both an internal and external awareness of privacy practices.

Understanding Vault Architecture

Underpinning the POC is Headspace's privacy-focused data storage “vault” architecture. Thapliyal said as part of Headspace’s privacy initiatives, the company realized that the data stored in its databases is extremely sensitive, more so than most organizations.

“For example, we store psychotherapy notes, which are very sensitive. We had to do something special to protect that. There are extreme privacy requirements for mental healthcare data because it’s not meant to be shared; because it’s for clinician’s eyes only.”

Related:RSAC 2024: Lighting Dark Places, Ted Lasso Lessons, and Alicia Keys Closer

Vault architecture is critical when mitigating malicious insider threats. This helps prevent curious peeking and poking by privileged users inside the enterprise such as DevOps, system admins, and developers with SQL access – especially as it pertains to high-profile and celebrity clients.

“If a celebrity started tweeting about using Headspace for therapy, this would lead to heightened curiosity within the organization. From a security and privacy standpoint, we want to prevent the possibility of peeking into sensitive data. We don’t want to be reactive by using monitoring to find out what happened, we would rather prevent it from happening,” he said.

Thapliyal made it clear that vault architecture is not for everyone. While it is a boon to security and privacy, it does require investment and it does limit some functionality that might be essential to your organization. According to Thapliyal, before considering designing a Headspace-like vault architecture, IT leaders must ask themselves whether their use case meets these requirements:

These concepts, he said, are critical for mental healthcare use cases but may not be required in all applications.

Building an Architecture to Prevent Mass Exfiltration of Psychotherapy Notes

On the front end, clinicians interact with Headspace’s homegrown EHR web app. As they record their session notes, and as that data is saved, their work is uploaded into an app server which is then stored in a vault database on the backend.

First, Thapliyal said Headspace’s priority was to build capabilities to do encryption and decryption on the browser site as the clinicians work on their laptops. To do that, they needed the encryption keys to be generated on the browser site as well.

Most importantly, Headspace trained its clinicians to use a password manager. (“Believe me, that was the hardest part,” Thapliyal said.) The key would be used to encrypt any data put into the application.

“That encrypted data would go into the backend and eventually be stored in the database in an encrypted manner. Any of the internal privileged users do not get to see that data because it’s encrypted by the keys, which are held by the clinicians. Once encrypted data reaches the browser, it gets decrypted and shown. It’s very transparent to the clinician on the frontend but is completely protected on the backend.”

However, this is not enough, according to Thapliyal. If you put on your InfoSec hat, you’ll start finding all the corner cases that need to be accounted for within the process. What if the clinician loses their encryption key or if the authorities come looking for patient records to aid an investigation?

“We can’t say that it’s encrypted, and we don’t have it because we must provide it. How do we handle disaster recovery? As we built the vault architecture, we also had to account for these situations and build a secure enclave,” he said.

Secure Enclave is a separate macro-segmentation to store a copy of the sensitive data in an off-line database. Every time that a clinician saves their data, it also posts it to the secondary system, or secure enclave. You can’t have the vault itself without the secure enclave.

In short, providing lifelong mobile mental health support heavily depends on data privacy.