Yes, it's different
If you've ever discussed technology, business strategy, or your own experience with a friend who works in healthcare, you are probably familiar with this motif:
"With healthcare, it's different."
It is a remarkably tenable statement when you take into account the numerous challenges specific to the industry, or the lofty expectations of patients (a matter of life and death, anyone?). The technological and organizational demands of the healthcare industry are unique, and they are now being brought to the forefront as the industry enters an exciting period of growth and faces spectacular challenges.
Consider the stringent legal and regulatory requirements, the tumultuous business environment, and the delicate task of maintaining a trusting, fair and comfortable setting throughout a patient's care. This combination of variables is found only in healthcare, and it demands that we use a special lens to examine the problems the industry faces today.
Security made (not) easy
This perspective carries over directly to data privacy and security in healthcare. Our health information is now spread across numerous companies and is rapidly becoming one of our most valuable forms of data. Beyond the data itself, the medical devices on which we stake our lives and well-being are more digitally connected than ever, which puts them squarely in the crosshairs of attackers.
In the world of commerce, a stolen identity can inconvenience someone for months and cost them thousands of dollars, but how does that compare to the potential damage caused by a compromised medical device? The stakes are far higher when a patient's well-being depends on a heart-rate monitor functioning properly. The devices used to treat and diagnose patients carry an enormous and unique risk once an attacker identifies them as an attack surface and compromises them.
Beyond life and limb, a patient's relationship with healthcare services has another sensitive component: Protected Health Information (PHI). Exchanged between patient, provider and payer, PHI is the personal medical information generated over the course of a patient's trajectory through the healthcare landscape. Generally, this data is handled by the medical companies involved in our care, which puts the onus on them to keep it confidential, available and unaltered (the confidentiality, integrity and availability that the HIPAA Security Rule requires covered entities to ensure for electronic PHI).
This is easier said than done, but the time for saying and not doing is over. As patients, health companies and regulators are finding out, breaches that expose PHI cost the most, in cash as well as in heartache.
Side note: The issue of medical device security is one that federal regulators are beginning to address. Recently, the FDA announced their effort to strengthen medical device cybersecurity:
Link to U.S. Food and Drug Administration press announcement
Technical revolution, kind of
In the past decade, we have seen a rapid and ubiquitous migration of data and services from the analog technologies of the late twentieth century to the connected infrastructure of the present. This revolution has reached every part of our lives and, more to the point, the healthcare industry that underpins our well-being.
In particular, the digitization of healthcare has manifested in the adoption of robust electronic medical record (EMR) systems for cataloging health records and tracking patient care. Web-based patient portals are now industry standard for connecting patients to their medical information, diagnostic reports, prescription fulfillment services and, of course, payments.
The most cutting-edge examples integrate with telehealth systems, which let patients consult their care providers over video, eliminating the trip to the doctor's office entirely.
Impressive as this advancement has been, it has not been comprehensive across the industry, where faxing patient data remains common practice and doctors are still reinforcing handwriting stereotypes. As a result, most healthcare organizations' PHI exists in a mixture of electronic and paper states.
All of this grows the volume of PHI in circulation: records passed through numerous different health systems with varying degrees of privacy and security assurance.
Unsurprisingly, managing and securing PHI can be a huge challenge. In addition to the obvious cyber-centric concerns (hackers, data leaks, ransomware), the physical security of health information has to be considered carefully. Many practitioners' offices don't rely on electronic record-keeping as much as they should, so hundreds to thousands of medical records can be found piled on desks, shoved into filing cabinets, or dropped in waste bins rather than shredders.
EMR systems have seen widespread adoption but are not being used to their full potential. This publication details a "ceiling effect" observed in three Canadian medical practices: Link to Ceiling effect in EMR system assimilation: a multiple case study in primary care family practices, published April 20th, 2017.
Precious Cargo
Readers are probably already familiar with the numerous security incidents that have affected consumers in recent years. The Equifax breach disclosed in September 2017 exposed the personal information of well over 140 million people, who found themselves scrambling to lock down their identities and lines of credit in the aftermath.
At first glance, it is easy to think of financial information as being our most precious. This may have been true in the past, but as we generate more PHI through our relationships with healthcare companies and providers, the balance is certain to shift.
In fact, the true value of PHI is already being exemplified by the financial cost to healthcare companies after a security breach:
"For the 8th year in a row, healthcare organizations had the highest costs associated with data breaches, costing them $408 per lost or stolen record, nearly three times higher than the cross-industry average ($148)."
Link to IBM study: Hidden Costs of Data Breaches…, published July 11th, 2018
Interestingly, hackers and data thieves share this valuation when compared to cross-industry alternatives. This article details the asking prices of three stolen medical record databases offered on a dark-net marketplace. I can save you the trip: one of the three databases, containing 396,458 medical records, was listed at a $405,000 asking price.
What makes these records so valuable on illicit marketplaces? For starters, medical records can be used to commit insurance fraud, and when they are used this way they are often altered while in the identity thief's possession.
Those inaccurate alterations can gravely affect the rightful owner of the record. Receiving inaccurate care in an emergency is one of the more dire outcomes; losing eligibility for health insurance is a more "innocuous" example.
Another factor that adds to their black-market value is that medical records often contain other private information such as Social Security numbers and contact details. And because healthcare comes with a cost, financial information tends to come in the package deal as well.
Finding all of this in one place saves an enterprising attacker a good deal of time and effort, and if the healthcare industry's current security posture isn't up to the task, well, that's just another bonus.
Gulp, government
Presently, there is some security doctrine that speaks to the information security needs of a healthcare organization, specifically HIPAA and HITECH: two federal laws that protect patients' private information and well-being by imposing regulatory standards on covered entities (providers, health plans and clearinghouses) and on the business associates that handle PHI on their behalf.
These federal standards, though written specifically for healthcare, are not being updated fast enough to keep pace with innovation. At the same time, the more current security frameworks, such as those published by NIST, are broad and general in scope and do not speak prescriptively to healthcare information security departments (NIST SP 800-66, which maps the HIPAA Security Rule onto NIST's controls, is the notable exception).
That being said, the pace of the healthcare industry's own innovation on privacy and security is not impressive either, especially compared to its adoption of robotic arms, which hopefully won't be hacked and commanded to strangle you on the operating table…
Fortunately for patients, federal enforcement targets companies that fail to secure patient data. HIPAA civil penalties are not a flat rate per exposed record: they are assessed per violation in tiers that scale with culpability, from an unknowing violation up to uncorrected willful neglect, with annual caps per provision, and repeat or willfully negligent offenders face the harshest tiers. The Office for Civil Rights (OCR) publishes its resolution agreements and civil money penalties on the HHS website. Here is one such example:
From the U.S. Department of Health & Human Services website
Obviously, the security of patient data is a massive operational and financial liability for healthcare organizations. They have every incentive to keep improving the privacy and security of the environments they offer to the people they serve. After all, patients, providers and payer networks all share in the cost of a data breach.
Thanks for the diagnosis, but what's the cure?
Evidently, there is still work to be done to improve the patient data privacy situation. It is very possible that the leaps and bounds of healthcare technology could end up leaving security by the wayside. With PHI fast resembling digital gold, the attention on information privacy is only set to increase in the coming years. The question remains: are we doing enough to keep up?
Efforts by federal and private healthcare institutions are improving, so data security practices will likely continue to advance in tandem. Importantly, organizations should engage employees, as well as patients, in adopting a culture of attention to security.
Of course, it is everyone's responsibility to become educated on healthcare security. When we seek and receive care, we should be mindful of how our data will be used, or potentially abused, and turn a critical eye to our care providers' security behavior as well as our own. By bringing privacy into the discussion, we can cultivate a holistic respect for our data, ensuring healthcare can offer trust along with care.
In short, there is good news: the prognosis is not terminal.
Data Privacy & Security in Healthcare was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.