We are all aware of the recent headlines about major data breaches of personal information and similar cyber incidents, from the theft of 145 million records from a major credit reporting agency to reports about ransomware shutting down businesses. But of all the data that is at risk, a breach of our health information is probably the most concerning.
- Health data is very personal and may contain information we wish to keep confidential (e.g., mental health records) or potentially impact employment prospects or insurance coverage (e.g., chronic disease or family health history).
- It is long living – an exposed credit card can be canceled, but your medical history stays with you a lifetime.
- It is very complete and comprehensive – the information health care organizations have about their patients includes not only medical data, but also insurance and financial account information. This could be personal information like Social Security numbers, addresses or even the names of next of kin. Such a wealth of data can be monetized by cyber adversaries in many ways.
- In our digital health care world, the reliable availability of accurate health data to clinicians is critical to care delivery and any disruption in access to that data can delay care or jeopardize diagnosis.
The privacy and security of health information is strictly regulated in the U.S. under federal laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but also through various state laws and laws protecting individuals against discrimination based on genetic data.
Unfortunately, health data breaches are only too common. For 2016, the U.S. Department of Health and Human Services reported a total of 450 health care data breaches affecting more than 27 million patients, with the 10 largest incidents accounting for half of the breached records alone (13 million). And, most concerning, more than half of all breaches were due to external cyberattacks, as opposed to accidental exposure due to human error or loss of devices.
Looking at recent examples of health care security incidents will show a wide spectrum of events and underlying motivation by the cybercriminal. We have seen reports of employees at hospitals browsing through medical records out of curiosity or posting information about patients on social media. There have also been cases in which an individual’s identity, financial or insurance information is stolen for personal gain ‒ for example to take out a mortgage or to receive medical services in somebody else’s name (and on somebody else’s insurance).
The incidents that have broader impact and affect more patients are the theft of medical records and attempts to extort health care organizations by threatening the release of stolen data. Also, health care institutions have been affected by ransomware, with some deciding to pay up and others not, choosing instead to accept the impact on patient services and loss of income.
For health care providers and insurers, there is typically no limitation for patients to disclose information about their health. Just as any patient can (and mostly should) share concerns about their health with family and friends, any patient can now easily share anything they want with the world via social media or join an online support group. Although these are generally positive steps that help an individual with health concerns find support and receive advice, we now need to be much more conscious about what we share and where it ends up.
How large is your social network, and who gets to see what you are sharing? Who is hosting the support group you just joined and what is their commitment to data privacy? Many sites, especially if hosted by reputable organizations, are safe. But how do you know what, or if any, of your information may get shared and analyzed for marketing or other purposes?
By no means should this advice be interpreted against sharing or seeking support online. The more we know, the better prepared we are, and the better health care decisions will we be able to make. The wealth of information we can derive from the internet has led to a more educated patient population that is much more capable of being engaged and part of the healing process.
However, concerns about your health care provider’s ability to protect your data should not lead to patients withholding information. Even in this digital age, the patient-doctor trust relationship is still the most important aspect of our health care system – and that trust goes both ways: patients need to trust their providers with often intimate and personal information, and providers need to know that their patients are not withholding anything due to privacy concerns.
We have entered the new age of digital medicine and almost universal availability of information, leading to better diagnosis and more successful treatments, ultimately reducing suffering and extending lives. However, this great opportunity also comes with new risks and we all – health care providers and patients alike – need to be conscious about how we use this new technology and share information.
The following blogs in this series will discuss these issues in more detail, specifically looking at social media, health apps and personal health and fitness devices, and review how we as patients and consumers can do a better job of protecting ourselves and our information.
About the Authors
The authors are members of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Committee:
Bayardo Alvarez, CPHIMS, is the director of information technology for Boston PainCare Center, an interdisciplinary practice focusing on the treatment and research of chronic pain. His responsibilities include overseeing Boston PainCare’s cybersecurity program and compliance. Bayardo has served in the health care industry for over a decade,and has over 30 years of experience in information technology. He is the current chair of the HIMSS Privacy and Security Committee.
Carrie McGlaughlin, CISM, has worked two decades in health care IT and is the director of information technology and HIPAA security officer at the Buckeye Ranch, a behavior and mental health organization for youth and families.
Axel Wirth, CPHIMS, CISSP, HCISPP, is a distinguished solutions architect for the U.S. health care industry at Symantec Corporation. He provides strategic vision and technical leadership within Symantec’s health care vertical, serving in a consultative role to health care providers, industry partners and health technology professionals. Drawing from over 30 years of international experience in the industry, Mr. Wirth is supporting Symantec’s health care customers to solve their critical security, privacy, compliance and IT management challenges.