Given the ubiquity and utility of analytics in all facets of the modern health-care delivery system, it is not surprising that many organizations would be tempted to use these tools as marketing aids on their websites. Recent articles by privacy researchers at Princeton University’s Center for Information Technology Policy (CITP) underscore the need, however, to be careful when deploying analytics software in this manner.
In particular, thought leaders at Princeton’s CITP detailed how “session replay” scripts possess the capacity to record a consumer’s entire use of a website and to pass that information to third-party servers as if “someone is looking over [the consumer’s] shoulder.” Session replay script software, as its name implies, permits website owners to “replay” user interactions with their website. It is used on many of the Internet’s most visited websites including, as detailed by the CIPT, on the consumer-facing website for one of the country’s largest retail pharmacy chains, in ways that should alert health care providers to the need to ensure compliance with HIPAA and other privacy and data security requirements.
What is a Session Replay Script?
Most commercial websites employ third-party analytics tools to record basic user behavior – such as a consumer’s searches and pages viewed (e.g., Google analytics). Session replay script software goes farther and records keystrokes, mouse movements and scrolling behavior along with the entire contents of the pages visited. Session replay scripts are provided by numerous technology companies, such as Yandex, HotJar, FullStory or SessionCam. Consumer usage data is transferred from the site to the script providers’ servers, where individual user sessions can then be replayed by the website owner. The intended purpose of these tools is to gather more detailed intelligence regarding how users interact with websites, discover broken or confusing pages, and, perhaps, learn when a consumer abandons the sales process.
In multiple articles published in recent months, the Princeton authors identified two major failings of these session replay script services – (1) the services’ failure to thoroughly and automatically redact sensitive personal information; and (2) the disconnect between website owners and the providers of these technologies.
Session replay script services ostensibly allow for sensitive personal information to not be collected from the consumer through instructions to the software to redact particular fields from the recording. This redaction can occur both manually, through the website development team instructing the software to not collect certain fields, and automatically, as a feature of the session replay script software. While sensitive information can be excluded from the recordings manually, for this redaction to work, the website owner would need to carefully check each page of the site and designate by hand the fields to be redacted. In addition, the process may need to be repeated each time the site is updated. The services are also, in theory, designed to automatically redact certain information, such as credit card numbers. However, unless all fields entered by a consumer are redacted, the Princeton authors found that automatic redaction would frequently fail due to the website not being structured to be compatible with the services’ finicky redaction settings.
In addition, the authors note that website owners may be unaware of the full scope of information collected by these services on their own websites. In some instances, the website owners may not even have a direct relationship with the script provider. Instead, the website owner may use an ad network or other third-party vendor who, in turn, employs the session replay script on their site.
Consumer Pharmacy Site
The Princeton researchers specifically described the collection of information from the pharmacy section of a popular consumer-retail website, which embedded the FullStory session replay script. While this website apparently used manual redaction, the authors found that sensitive personal information including medical conditions and prescriptions were still leaked to FullStory along with the names of users.
Time to Check is Now
Given how common these scripts are in commercial websites, we expect that numerous health care organizations are being advised by their marketing consultants to employ these technologies on their own websites. Session replay scripts can drive insights about how websites are being used to enhance the consumer’s experience. The findings of Princeton’s researchers, however, underscore the need to use these technologies with proper controls in place.
© Copyright 2018, American Health Lawyers Association, Washington, DC. Reprint permission granted.