The following guest post on patient privacy was submitted by Avery Phillips.
In many industries, the proliferation of mobile, cloud, and data collection technology is far outpacing the ability of regulatory bodies to keep up. This is especially true in healthcare, partly due to the sensitive nature of patient records and partly due to widespread adoption of mobile health tracking by both practitioners and the general public.
Consumer-generated data is one significant challenge in legislation and education related to privacy, as it isn’t yet protected. Additionally, the long-term impact of tracking and sharing one’s health data through social networks isn’t fully understood.
Data breaches in the healthcare field have already proven that people’s medical histories, social security numbers, and addresses are vulnerable. Cloud technology paired with monitoring devices is giving healthcare providers access to real-time data, and a lot of it. This improves the quality of care, but comes with severe breach risks. While legal understanding catches up to the reality of big data, healthcare providers need to go above and beyond legal requirements to protect patient privacy.
The risks of consumer-generated data haven’t been fully explored, but what we do know is that sharing health data online is “a digital tattoo.” That data follows users, is unregulated, can be sold to third parties, and used by hackers or identity thieves.
Platforms like Fitbit and Facebook are just the tip of the iceberg for providers. Wearable technology is allowing patients to receive real-time information and communication from professionals and gives providers access to a constant flow of actionable health information. That relationship evolves with each new innovation, but responsibilities concerning its collection and use haven’t been explored.
In September of 2013, Advocate Medical Group suffered one of the largest data breaches in history. Four million records, including names, addresses, and social security numbers were taken by hackers.
As new services are introduced, and hackers develop new ways to subvert security, it can be difficult to keep employees up-to-date. An improperly trained employee might fall for a phishing email, accidentally use an unsecured app or cloud service with their personal mobile device, or share login information that enables access to private records. In 2016, 60 percent of all patient information breaches were due to hacking, but not all hacks are the direct cyber attacks we tend to think of. An employee opening the wrong email and clicking the link is a far easier way for a hacker to gain access than, for example, a brute force password crack.
Refusal to Share
Many patients may not realize it, but one threat to their security can occur if a healthcare provider refuses to share their information. Information blocking can come in many forms, such as prohibitive pricing, contracts that block users from accessing their information, and business practices intended to exclude competitors and prevent referrals.
These alleged practices put additional financial burdens on patients and compromise their privacy by restricting access to their own records. Many of America’s biggest vendors and healthcare providers have signed onto a pledge to combat this practice, but it has yet to be put into law.
The advent of rapidly evolving mobile technology is presenting new possibilities in data collection and improving the quality of patient care. On the other hand, the sparks of innovation are vulnerable to attack and mismanagement by unscrupulous business practices. It’s important for healthcare providers to invest in data security and breach recovery contingencies, as well as develop best practices to prevent misuse.
Avery Phillips is a freelance human who loves all things nature (especially humans!). Comment down below or tweet her @a_taylorian with any questions or comments.