Data security is one of the most sensitive issues of our time. Especially when it comes to healthcare. Who is responsible for keeping a patient’s medical information safe these days?
If you’ve ever discussed technology, business strategies or your own experiences with a friend who works in health care, you’ve probably heard the phrase, “It’s different with health care.”
And that’s a perfectly reasonable statement, given the many challenges inherent in the industry and the high expectations of patients (a matter of life and death, after all). The technological and organizational demands of health care are special. They now come to the forefront as the healthcare industry enters an exciting period of growth – and inevitably faces serious challenges.
Strict regulatory requirements, a turbulent business environment, the sensitive nature of management, and the exercise of humanity during patient care: all of these extraordinary variables are found only in the healthcare context. They require that we use a special lens to examine the various challenges the industry faces today.
Safety is (not) easy
This perspective redirects us to the topic of privacy and data security in healthcare. Patient medical data is now spread among numerous companies and is quickly becoming one of the most valuable forms of data. Beyond the data itself, the medical devices we entrust our lives and health to are becoming increasingly digital and are consequently exposed to threats in the form of hackers and malware.
In the world of commerce, identity theft can cause great inconvenience and cost thousands of dollars, but what is that compared to the potential damage caused by a compromised medical device? The stakes go up when a patient’s well-being depends on a properly functioning heart rate monitor. Medical devices used to treat and diagnose patients carry a huge risk because they can become a target for attack by malicious hackers.
In addition to life and health, there is another important component of the patient’s relationship with the healthcare system: Protected Health Information (PHI). Transmitted between patient, provider and payer, PHI consists of the personal health information that is generated throughout a patient’s interaction with the healthcare system. Generally, this data is handled by the health care companies with which our care is associated. Thus, the onus is on these companies to keep the patient’s health information confidential, available, and unchanged.
Of course, it’s easier said than done, but the time for “saying but not acting” is over. As patients, medical companies and government regulators have already learned, breaches that occur in PHI can not only be costly, but also cause tremendous inconvenience.
A technical revolution, in a sense
Over the past decade, we’ve seen a rapid and ubiquitous migration of data and services from late twentieth century analog technology to over-the-air, tech-enabled “connected now” infrastructures. This revolution has permeated all areas of our lives and, indeed, the health care industry, which is at the core of everyone’s health and well-being.
In particular, the digitization of health care has manifested itself in the adoption of a robust Electronic Medical Record (EMR) system, which enables the recording of medical records and the monitoring of the patient. Internet-accessible patient platforms are now the industry standard for connecting patients to their medical information, diagnostic reports, prescription services and, of course, payments.
The most advanced examples include integration with telehealth systems that allow patients to consult with their health care providers via camera, eliminating the need to visit a doctor’s office altogether.
While this technological advancement has been impressive, it has not reached the whole healthcare industry. There are still plenty of organizations where patient data is transmitted via fax and paperwork is filled out manually. As a result, much of the protected information exists in both electronic and paper form. All of this contributes to the increased circulation of private information – records pass through many different healthcare systems with varying degrees of privacy and security mechanisms.
In light of this, it’s no wonder that PHI security can be a headache. In addition to the obvious cyber-centric security concerns (e.g., hackers, data breaches, advanced attacks, etc.), the physical security of health information must be carefully considered. Many practitioners do not rely on electronic medical record systems as much as they should. As a result, one can find hundreds or thousands of medical records chaotically stacked on desks, stuffed in file cabinets, or mistakenly thrown in trash cans.
The electronic medical record system has been widely used, but not fully utilized.
At first glance, it is financial information that seems to be the most important and “precious.” That may have been the case in the past, but as we generate more and more PHI through our relationships with medical companies and providers, the balance will undoubtedly change.
By the way, the true cost of medical data has already been illustrated by the financial losses that companies have suffered after security issues.
It is also interesting that hackers and data thieves are recognizing this value relative to data from other industries. This article details the asking price for the 3 stolen databases available for purchase on the darknet marketplace.
What makes these records so valuable on illegal black markets? To begin with, medical records can be used to commit insurance fraud. And when they are used in this way, it is very easy for thieves to modify them.
These improper alterations seriously affect the real owner of the medical records. Receiving inappropriate or delayed medical care in an emergency is one of the most severe hypothetical consequences – the impact on health insurance eligibility is a more “harmless” example.
Thanks for the diagnosis, but what’s the cure?
Of course, there is work to be done to improve patient data privacy. It’s entirely possible that the rapid evolution of health care technology will eventually leave security somewhere by the wayside. With PHI slowly becoming “digital gold,” the focus on information privacy will only increase in the coming years. One question remains: are we doing enough to keep up?
Efforts by federal and private health care institutions are paying off, so it’s likely that data security practices will continue to evolve and improve. It’s important to note that organizations should be trying to reach not only employees, but patients as well – it matters for all parties.
Remember that we all have a responsibility to be educated about health care security. As we receive services, we must understand how our data will be used (and what might happen to it if it is leaked) and we must critically and carefully evaluate health care providers. By touching on the topic of privacy, we begin to cultivate respect for our data and make sure that healthcare is not just about care, but also about trust.