Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of services.

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

But what makes the SOC suite different is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, or the Association of International Certified Professional Accountants.

Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accountants need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher level. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)

Have You Been Falsely Accused of NPE Use? You May Be Entitled To Compensation.

(From imgflip)

Yes, I broke a cardinal rule by placing an undefined acronym in the blog post title.

99% of all readers probably concluded that the “NPE” in the title was some kind of dangerous drug.

And there actually is something called Norpseudoephedrine that uses the acronym NPE. It was discussed in a 1998 study shared by the National Library of Medicine within the National Institutes of Health. (TL;DR: NPE “enhances the analgesic and rate decreasing effects of morphine, but inhibits its discriminative properties.”)

From the National Library of Medicine.

But I wasn’t talking about THAT NPE.

I was talking about the NPEs that are non-person entities. 

But not in the context of attribute-based access control or rivers or robo-docs.

I was speaking of using generative artificial intelligence to write text.

My feelings on this have been expressed before, including my belief that generative AI should NEVER write the first draft of any published piece.

A false accusation

A particular freelance copywriter holds similar beliefs, so she was shocked when she received a rejection notice from a company that included the following:

“We try to avoid employing people who use AI for their writing.

“Although you answered ‘No’ to our screening question, the text of your proposal is AI-generated.”

There’s only one teeny problem: the copywriter wrote her proposal herself.

(This post doesn’t name the company who made the false accusation, so if you DON’T want to know who the company is, don’t click on this link.)

Face it. (Yes, I used that word intentionally; I’ve got a business to run.) Some experts—well, self-appointed “experts”—who delve into the paragraph you’re reading right now will conclude that its use of proper grammar, em dashes, the word “delve,” and the Oxford comma PROVE that I didn’t write it. Maybe I’ll add a rocket emoji to help them perpetuate their misinformation. 🚀

Heck, I’ve used the word “delve” for years before ChatGPT became a verb. And now I use it on purpose just to irritate the “experts.”

The ramifications of a false accusation

And the company’s claim about the copywriter’s authorship is not only misinformation.

It’s libel.

I have some questions for the company that falsely accused the copywriter of using generative AI to write her proposal.

  • How did the company conclude that the copywriter did not write her proposal, but used a generative AI tool to write it?
  • What is the measured accuracy of the method employed by the company?
  • Has the copywriter been placed on a blocklist by the company based upon this false accusation?
  • Has the company shared this false accusation with other companies, thus endangering the copywriter’s ability to make a living?

If this rises to the level of personal injury, perhaps an attorney should get involved.

From imgflip.

A final thought

Seriously: if you’re accused of something you didn’t do, push back.

After all, humans who claim to detect AI have not been independently measured regarding their AI detection accuracy.

And AI-powered AI detectors can hallucinate.

So be safe, and take care of yourself, and each other.


Jerry Springer. By Justin Hoch, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=16673259.

Determined Perpetrator of Healthcare Violence

I don’t know that Oosto or even Evolv could have prevented this determined hospital attack in York, Pennsylvania.

“A man carrying a handgun and zip ties took hostages inside a Pennsylvania hospital on Saturday, fatally shooting a responding police officer and wounding five others before he was killed by police, officials said.

“The gunman entered UPMC Memorial hospital in York, Pennsylvania, on Saturday morning and went directly to the intensive care unit, where he took staff members hostage…”

https://www.reuters.com/world/us/gunman-takes-hostages-pennsylvania-hospital-one-officer-killed-2025-02-22/

An Apple a Day Keeps the Doctor Busy

(Imagen 3)

Like Google Glass before it, Apple Vision Pro truly shines in vertical niche applications—not the mass market. Take healthcare:

“Apple Vision Pro’s price and weight are of no concern to doctors in the operating room, as the spatial computing platform helps replace expensive monitors and stiff necks.”

From “300 doctors attended a summit on Apple Vision Pro’s applications in surgery”

https://appleinsider.com/articles/25/01/31/300-doctors-attended-a-summit-on-apple-vision-pros-applications-in-surgery

Clean, the Cleanest I’ve Been (EtO)

There’s a critical difference between biometrics for identification and biometrics for health. Well, MOST biometrics for identification; what I’m about to say doesn’t apply to DNA.

When you capture biometrics from people, you don’t really care about cleanliness. If the person’s fingernails are dirty, you capture the fingerprints anyway. If the eye is infected, you capture the irises anyway.

But when you get into the healthcare arena, cleanliness is next to you-know-what.

And there are technologies for that.

Ethylene Oxide (EtO) gas is one of the most common ways to sterilize medical devices, a safe, tightly controlled, highly regulated process which is critical for preventing infections and ensuring patients have safe surgeries and medical treatments.

And in some cases, EtO is the ONLY way to sterilize some medical devices.

So great! Use it all the time! There’s just one teeny problem.

EtO is a human carcinogen. It causes cancer in humans. Scientific evidence in humans indicates that regular exposure to EtO over many years increases the risk of cancers of the white blood cells, including non-Hodgkin lymphoma, myeloma, and lymphocytic leukemia. Studies also show that long-term exposure to EtO increases the risk of breast cancer in women.

Workers who use EtO as a part of their jobs and people who work, live, or go to school or daycare near facilities that use EtO may breathe in EtO at levels that can increase cancer risk.

So there are companies (I won’t name them here, but you can find them) who specialize in mitigating EtO risk to humans.

And these companies need content, proposal, and analysis services.

But let’s get on to the important part: the song I quoted in the title of this post.

From https://www.youtube.com/watch?v=h1mD-_DKHc0.

Can an AI Bot Decipher Medicare?

(Imagen 3) 

I’m not the only person interested in AI applications in health. Kerry Langstaff is exploring various AI applications in a series of LinkedIn articles, and her recent article is entitled “How AI Became My Caregiving Superpower: Managing Medical Tests, Doctor Visits, and More.”

Langstaff explores six possible applications. I’m not going to delve into all of them; read her article to find out about her success in using generative AI to understand medical tests, take appointment notes (with consent), understand terminology, organize medications, and figure out how to fold a wheelchair to fit in a car.

Understanding a health insurance plan

But I will look at her fourth application: navigating Medicare and medical equipment.

Medicare, or any U.S. health insurance plan (I can’t speak to other countries), definitely needs navigation assistance. Deductibles, copays, preventive, diagnostic, tiers, or the basic question of what is covered and what isn’t. Or, as Langstaff put it, it’s like solving a Rubik’s Cube blindfolded.

Such as trying to answer this question:

“How do I get approval for a portable oxygen concentrator?”

The old way

Now if I had tried to answer this question before reading the article, I would have found a searchable version of the health plan (perhaps from the government), searched for “portable oxygen concentrator,” not found it, finally figured out the relevant synonym, then confirmed that it is (or is not) covered.

But that still wouldn’t tell me how to get it approved.

Langstaff was warned that the whole process would be a “nightmare.”

The new way

But generative AI tools (for example, NotebookLM) are getting better and better at taking disparate information and organizing it in response to whatever prompt you give it.

So what happened to Langstaff when she entered her query?

“AI walked me through the entire process, from working with her doctor to dealing with suppliers.”

But we all know that generative AI hallucinates, right? Weren’t those instructions useless?

Not for Kerry.

“I got it approved on the first try. Take that, bureaucracy.”

But wait

But I should add a caution here. Many of us use general purpose generative AI tools, in which all the data we provide is used to train the algorithm.

Including any Protected Health Information (PHI) that we feed into the tool.

Imagine if Langstaff had inadvertently included some PHI in her prompt:

“Here is the complete prescription for Jane Jones, including her diagnosis, date of birth, Social Security Number, home address, and billing credit card. The prescription is for a portable oxygen concentrator. How do I get it approved?”

Oh boy.

Most medical providers freak out if you include PHI in an email. What happens when you submit it to Stargate?

Be careful out there.
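As an added example (not from the original post), here is the kind of pre-submission check a practitioner could run on a prompt like the constructed one above before it leaves the machine for a general-purpose tool: it flags the structured identifiers (SSN, date of birth, and a card number confirmed with a Luhn check) and returns a redacted version that still asks the question. The “Jane Jones” values, the sample prompt text, and the pattern set are assumptions; names, diagnoses, and addresses are PHI too but need more than a regex.

```python
import re

# Constructed sample prompt, modelled on the post's "Jane Jones" example.
# Every value is made up (the card number is a well-known test number).
SAMPLE_PROMPT = (
    "Here is the complete prescription for Jane Jones, including her diagnosis (COPD), "
    "date of birth 03/14/1952, Social Security Number 123-45-6789, home address "
    "12 Oak St, Springfield, and billing credit card 4111 1111 1111 1111. "
    "The prescription is for a portable oxygen concentrator. How do I get it approved?"
)

# Structured identifiers that a regex can catch before a prompt is submitted.
# (Assumed pattern set; extend it to match the plan or organisation you work with.)
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random run of digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_phi(text: str) -> dict:
    """Return {label: [matched strings]} for every structured identifier found."""
    hits = {}
    for label, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue
            hits.setdefault(label, []).append(m.group(0))
    return hits

def redact(text: str) -> str:
    """Replace each identifier with a bracketed label so the question still reads."""
    for label, pat in PATTERNS.items():
        def sub(m, label=label):
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)  # digits that fail Luhn are left alone
            return f"[{label}]"
        text = pat.sub(sub, text)
    return text

def safe_to_send(text: str) -> bool:
    """Gate: only hand the prompt to an external tool when nothing structured was found."""
    return not find_phi(text)
```

Run `redact(SAMPLE_PROMPT)` and the approval question survives while the SSN, date of birth, and card number are replaced by labels; `safe_to_send` then passes.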

Apple Watch is a Passive Verb

(Imagen 3)

When Woz was building computers 50 years ago, he didn’t realize his successors would build medical devices that would receive FDA approval.

I touched on this earlier in my Thursday post about H.R. 238 and its proposal to use AI tools to write prescriptions.

But just in passing. Here’s a deeper, um, dive from May 2024.

“The FDA created the Medical Device Development Tools (MDDT) program to reduce uncertainty in device development.…Through MDDT, the FDA has created a portfolio of qualified tools that sponsors know the agency will accept without needing to reconfirm their suitability for use in a study.”

And now the Apple Watch is one of those qualified tools.

“Apple applied to get its AFib history feature qualified as a MDDT in December (2023). It is the first digital health technology qualified under the program.”

The advantage of using an Apple Watch to gather this data?

“Officials said the wearable can help address the challenges ‘by allowing for passive, opportunistic AFib burden estimation in a wearable form that is already familiar to Apple Watch users.’”

Medical measurements are often skewed by stress from the health experience itself. But if you’re already wearing an Apple Watch, and you always wear an Apple Watch, the passive nature of AFib data collection means you don’t even know you’re being measured.

Your LMM Pharmacy

On Threads, Dr. Jen Gunter called our attention to the newly-introduced H.R. 238, “To amend the Federal Food, Drug, and Cosmetic Act to clarify that artificial intelligence and machine learning technologies can qualify as a practitioner eligible to prescribe drugs if authorized by the State involved and approved, cleared, or authorized by the Food and Drug Administration, and for other purposes.”

Ultra-modern healthcare?

Presumably these non-person entities would not be your run-of-the-mill consumer generative AI packages, but rather specially trained Large Medical Models (LMMs).

Kinda like my “Dr. Jones, NPE.”

Even so, don’t count on this becoming law in the next two years. For one, Rep. David Schweikert introduced a similar bill in 2023 which never made it out of committee.

Why is Rep. Schweikert so interested in this and related topics? Because medical bills are too damn high:

“‘How do I make sure we’re embracing technology and using it to bring disruptive cures to market, or other opportunities to market?’ Schweikert asked. ‘And does that also now help lower drug pricing?’”

Before you reject this idea entirely, Rep. Schweikert cited one example of technology decision-making:

“Schweikert noted that the FDA last month approved Apple Watch’s atrial fibrillation feature for use in clinical trials — the first such digital health tool approved for inclusion in the agency’s Medical Device Development Tools program.”

But before anything like this will ever happen with prescriptions, the FDA will insist on extremely rigorous testing, including double-blind tests in which some prescriptions are written by currently-authorized medical professionals, while other prescriptions are written by LMMs.

And even when the ethical questions surrounding this are overcome, this won’t happen overnight.

On Animal Health Privacy

(All images Imagen 3)

I’ve discussed identity and privacy regarding people.

I’ve discussed identity and privacy regarding non-person entities.

But I missed something in between.

Earlier this week I was discussing a particular veterinary software use case with an undisclosed person when I found myself asking how the data processing aspects of the use case complied with HIPAA, the U.S. Health Insurance Portability and Accountability Act.

Then I caught myself, realizing that HIPAA (previously discussed here) does not apply to dogs, cats, cows, or other animals. They are considered property, and we all know how U.S. laws have treated property in the past.

So you can violate an animal’s privacy all you want and not run afoul of HIPAA. 

But you could run afoul of some other law. As Barb Rand noted back in 2013, 35 states (at the time) had “statutes that address the confidentiality of veterinary patient records.”

And when animal records are commingled with human records—for example, for emotional support animals—protected health information rules do kick in.

Unless the animal is intelligent enough to manage their own prescriptions without human assistance.

Bredemarket’s Three (So Far) Industry Pillar Pages

Since I started creating (sort of) pillar pages in April 2022, I’ve built more, including three devoted to particular industries.