Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Are You Investing Enough in IT Security?

Posted on July 20, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Would you put a $ 10 fence around a $ 100 horse?

Does it make sense to put a $ 100 fence around a $ 10 horse?

For the right security, you need to know what your horse is worth.

The same concepts apply to protecting your data. What is your data worth?

Ask Cottage Health , which had two data breaches, totaling 55,000 records., and settled a $ 4.1 million lawsuit with patients, then paid a $ 2 million California penalty. They were sued by their insurer, which wanted the $ 4.1 million settlement money back, after it discovered Cottage Health had not consistently implemented the security controls it claimed on its insurance application. The $ 6.1 million in the settlement and penalty does not include its costs for legal fees, credit monitoring, notifying patients, public relations, or recovering the business lost from patients who moved to another provider.

One of our clients was audited for HIPAA compliance by the venture capital firm that wanted to invest in their company. Another client had us do a compliance assessment on a healthcare company they wanted to purchase. In both cases, HIPAA compliance was worth millions of dollars.

We asked a client how much the financial impact would be on their business if they lost the sensitive personal data they collected about business partners, and had to notify everyone. The owner said they would be out of business, costing millions of dollars.

Breaches result in lawsuits, with settlements in the millions. If you are a licensed or certified professional, you can lose your license or certification if you are breached.

Federal HIPAA penalties in 2014 – 2015 were $ 14 million. In 2016 – 2017 they tripled to $ 42 million. In 2018, they have already reached $ 7.9 million.

Data is worth more than gold.

Instead of words and images in a computer, think of your data as a pile of gold bars that is worth protecting.

When we work with our clients, we help you identify the types of data you have, where it is located, and how it is protected. We recently worked with a client that came to us for help protecting their patient information. They were shocked when we showed them that they had bigger risks related to the data they stored about workforce members, and job applicants they did not hire, than the people they served.

  • What data do you have that is regulated, that you must protect to comply with laws and other regulations?
  • What fines and lawsuit judgments might you face if your data is breached?
  • Beyond HIPAA that protects patient information, do you know your state data breach laws that apply to employee data?
  • Do you know the regulations that protect credit card data?
  • Do you have enough of the right type of insurance to protect your finances if you are breached?

Everyone has unregulated data that is sensitive or proprietary, that could hurt your business if it is lost, stolen, or accessed by a competitor or someone who wants to hurt you? Salaries, trade secrets, employment records, pricing models, merger and acquisition plans, lawsuit files, have all been stolen.

As part of our assessments, we search the Dark Web (the criminal side of the Internet) to see if our clients have employee passwords for sale by hackers. Over 90% have had at least one employee’s credentials stolen and offered for sale.

Most of our clients start out not knowing the value of their risks. They hadn’t approved IT security purchases, because the costs were high, and they didn’t know if security was worth the investment.

So, how much should you invest in protecting your data?

The recently-released 2018 Cost of a Data Breach report shows, through research of actual breaches, that in 2017 the average cost to a breached organization for a single lost healthcare record was $408. Across all industries the cost was $ 233 per record. Only a third of the cost was for the direct response to the breach – notifying patients, hiring lawyers and IT security experts, and paying for credit monitoring. Two-thirds of the $ 408/record was the financial effect on the healthcare organizations, by losing patients after violating their trust.

Here is a calculation you can use to estimate the value of protecting your patient data.

Number of Patient Records x $ 408 (cost per record of a breach) = $ ________________ in risk.

Example: 25,000 records x $ 408 = $ 10.2 million. (If this number startles you, imagine if your costs were only 25% of the total, which is still $ 2.5 million.)

Other ways to put a dollar value on your risk

  • How much would a breach affect the market value of your business?
  • How much investment capital do you need for expansion?
  • Personally, what will your retirement look like if you had to pay $ 1 million, $ 2 million, or more, to cover the costs of a breach?
  • What would your life be like if you went out of business?

Know the value of your cyber security risk. Do the math.

Ask your IT department, or an outsourced independent IT security consultant, to assess your risks, and recommend what you need to be fully protected. Our assessments calculate your risks based on dollars, and provide ‘under the skin’ data about the current status of your security. Don’t settle for guesses.

Base your security investment on the value of your risks, not just the general idea that your data needs to be protected.

And, if you own a $ 100 horse, upgrade your $ 10 fence.

Is Amazon Ready To Protect Patient Data?

Posted on July 6, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Late last month, a Connecticut woman found out that a third-party Amazon vendor she had done business with had exposed her personal medical data to the world, including her medical conditions, along with her name, birthdate and emergency contact information.

The story suggests that Amazon engaged in a bit of bureaucratic foot shuffling when called on the privacy lapse. According to the woman, an Amazon call center rep told her it would investigate the issue, but a further email told her they would not be able to release the outcome of this investigation. It’s little wonder she wasn’t satisfied.

Ultimately, it appears that she was only able to get immediate action once she contacted the third-party seller, which took the photos containing the information down promptly upon her request.

Though no small matter for the woman involved, the episode means little for the future of Amazon, in and of itself. However, it does suggest that the marriage of Amazon technology and healthcare data may pose unexpected problems.

For those who have been sleeping under a rock, in late June Amazon announced that it had acquired online pharmacy PillPack for what reports say was just under $1 billion. PillPack, which competes with services delivered by giants like CVS, lets users buy their meds in pre-made doses. News stories suggest that Amazon beat out fellow retail giant Walmart in making the buy, which should close the second half of this year.

Without a doubt, this was a banner day in the history of Amazon, which has officially stamped into healthcare in 10-ton boots. The deal could not only mark the beginning of new era for the retailer, but also the healthcare industry, which hasn’t yet seen a tech company take a lead in any consumer-facing healthcare business.

That being said, perhaps a more important question for readers of this publication is how it will manage data generated by PillPack, a store likely to grow exponentially as Amazon integrates the online pharmacy into its ecosystem.

While there are obviously many good things its staggering fulfillment and logistics capabilities can bring to PillPack, Amazon’s otherwise amazing systems weren’t built to protect patient health information.

When it comes to most any other company, I’d imagine these problems could be addressed by layering HIPAA-compliant technologies and policies over its existing infrastructure. However, given the widely distributed nature of its retail network, it’s not just a matter of rethinking some architecture. Sealing off health data could require completely transforming its approach to doing business. Just about every retail transaction could prove a chink in its armor.

Since it wasn’t itself required to meet HIPAA standards in this instance, Amazon won’t get any flack from regulators over the recent PHI exposure. Still, issues like this could undercut the trust it needs to integrate PillPack into its core business successfully.

If nothing else, Amazon had better put a strong PHI protection policy in place on its retail side. Otherwise, it could undermine the business it just spent almost $1 billion to buy.

MD Anderson Fined $4.3 Million For HIPAA Violations

Posted on June 21, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

An administrative law judge has ruled that MD Anderson Cancer Center must pay $4.3 million to the HHS Office of Civil Rights due to multiple HIPAA violations. This is the fourth largest penalty ever awarded to OCR.

OCR kicked off an investigation of MD Anderson in the wake of three separate data breach reports in 2012 and 2013. One of the breaches sprung from the theft of an unencrypted laptop from the home of an MD Anderson employee. The other two involved the loss of unencrypted USB thumb drives which held protected health information on over 33,500 patients.

Maybe — just maybe — MD Anderson could’ve gotten away with this or paid a much smaller fine. But given the circumstances, it was not going to get away that easily.

OCR found that while the organization had written encryption policies going back to 2006, it wasn’t following them that closely. What’s more, MD Anderson’s own risk analyses had found that a lack of device-level encryption could threaten the security of ePHI.

Adding insult to injury, MD Anderson didn’t begin to adopt enterprise-wide security technology until 2011. Also, it didn’t take action to encrypt data on its devices containing ePHI during the period between March 2011 and January 2013.

In defending itself, the organization argued that it was not obligated to encrypt data on its devices. It also claimed that the ePHI which was breached was for research, which meant that it was not subject to HIPAA penalties. In addition, its attorneys argued that the penalties accrued to OCR were unreasonable.

The administrative law judge wasn’t buying it. In fact, the judge took an axe to its arguments, saying that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” noting that its leaders “not only recognized, but [also] restated many times.” That’s strong language, the like of which I’ve never seen in HIPAA cases before.

You won’t be surprised to learn that the administrative law judge agreed to OCR’s sanctions, which included penalties for each day of MD Anderson’s lack of HIPAA compliance and for each record of individuals breached.

All I can say is wow. Could the Cancer Center’s leaders possibly have more chutzpah? It’s bad enough to have patient data breached three times. Defending yourself by essentially saying it was no big deal is even worse. If I were the judge I would’ve thrown the book at them too.

Alexa Voice Assistant Centerpiece Of Amazon Health Effort

Posted on June 1, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t know about you, but until recently I had thought of the Amazon Echo is something of a toy. From what I saw, it seemed too cute, too gimmicky and definitely too expensive for my taste. Then I had a chance to try out the Echo my mother kept in her kitchen.

It’s almost embarrassing to say how quickly I was hooked. I didn’t even use many of Alexa’s capabilities. All I had to do was command her to play some music, answer some questions and do a search on the Amazon.com site and I was convinced I needed to have one. Its $99 price suddenly seemed like a bargain.

Of course, being a health IT geek I immediately wondered how the Alexa voice assistant might play a part in applications like telemedicine, but I was spending too much time playing “Name That Song” (I’m an 80s champ) to think things through.

But I had the right instincts. It’s become increasingly clear that Amazon sees Alexa as a key channel for reaching healthcare decision-makers.

According to a story appearing on the CNBC website, Amazon has built a 12-person team within the Alexa voice-assisted division called “health & wellness” whose focus is to make Alexa more useful to healthcare patients and providers. Its first targets include diabetes management, care for mothers and infants and aging, according to people who spoke anonymously with CNBC.

Of course, this effort would involve working through HIPAA rules, but it’s hard to imagine that a company like Amazon couldn’t buy and/or cultivate that expertise.

In the piece, writers Eugene Kim and Christina Farr argue that the mere existence of the health & wellness group is a clear sign that Amazon plans to bring Alexa to healthcare. As long as the Echo can share and upload data in a secure, HIPAA-compliant fashion, the possibilities are almost endless. In addition to sharing data with patients and clinicians, this would make it possible to integrate the data with secure third-party apps.

Of course, a 12-person unit is microscopic in size within a company like Amazon, and from that standpoint, the group might seem like a one-off experiment. On the other hand, its work seems more important when you consider the steps Amazon has already taken in the healthcare space.

The most conspicuous move Amazon has made in healthcare came in early 2018, when it announced a joint initiative with Berkshire Hathaway and J.P. Morgan focused on improving healthcare services. To date, the partnership hasn’t said much about its plans, but it’s hard to argue that something huge could emerge from bringing together players of this size.

In another, less conspicuous move, Alexa took a step towards competing in the diabetes care market. In the summer of 2017, working with Merck, Amazon offered a prize to developers building Alexa “skills” which could help people with diabetes manage all aspects of their care. One might argue that this kind of project could be more important than something big and splashy.

It’s worth noting at this point that even a monster like Google still hasn’t made bold moves in healthcare (though it does have extraordinarily ambitious plans). Amazon may not find it easy to compete. Still, it will certainly do some interesting things, and I’m eager to see them play out. In fact, I’m on the edge of my seat – aren’t you?

The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to be compliant with security regs, and often, not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

The State Of Healthcare Cybersecurity (Part 1)

Posted on May 21, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare data has never been under more outside threats than it is today. For a number of reasons, this data has become more attractive to cybercriminals and can be sold on the dark web for a pretty penny. Not only that, emerging threats like ransomware attacks are hitting home and wreaking havoc with the institutions they target.

Unfortunately, according to a new study by Black Book Market Research, healthcare organizations don’t seem to be adequately prepared for this onslaught.

The survey, which collected responses from more than 2,464 security pros working at 680 provider organizations, found that health IT leaders aren’t confident they can defend themselves against cyberattacks. In fact, 96% of IT professionals who responded said that the attackers are significantly ahead of them and could probably cut through the protection their organizations have in place.

Given that stat, it’s not surprising that over 90% of healthcare organizations have seen a data breach since Q3 2016. Worse, almost 50% reported that they had more than five data breaches during this period. Not only that, more than 180 million records have been stolen since 2015, a staggering haul which affects roughly one in every 12 healthcare consumers.

On the surface, it might seem surprising that healthcare organizations haven’t toughened their defenses given the number of threats they face. Actually, they are, but they’re being outgunned. It’s not that they’re not making cybersecurity investments, but both the level of investment and their strategy for deployment may be inadequate.

In a surprisingly frank set of disclosures, one-third of hospital executives that bought cybersecurity solutions between 2016 and 2018 said they did so blindly without much vision or understanding of what they were getting for their money. Respondents said that 92% of data security product and services buying decisions were made at the C-level, and the process didn’t include any users or affected department managers.

One reason that C-level executives with little relevant knowledge are making security investment decisions because they don’t have anyone senior to consult – and the problem is extremely common.

The survey found that 84% of hospitals responding had no dedicated security executive in place. Most say that it’s difficult to recruit a qualified chief security officer, which is why they’re going bare on data security and stumbling through the buying process as best they can.

Some organizations are responding to the shortage of C-level tech talent by outsourcing the function. Twenty-one percent said they outsource security to partners, consultants or selected security-as-a-service options as a placeholder.

Given this interest in outsourcing, healthcare organizations are signing deals with security services and outsourcing companies five times more often than they’re buying cybersecurity products and software. Vendors, in turn, are responding by diversifying the portfolio of services they offer. Still, that’s unlikely to be enough over the long term.

All of this suggests that the healthcare industry is in a security crisis. I’ll offer more details on the situation in part two of this series.

Why You Shouldn’t Take Calculated Risks with Security

Posted on May 9, 2018 I Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

Calculated risks are often lauded in innovation.  However, with increasing security breaches in the tech industry, it is time to reassess the calculated risks companies take in healthcare.

Time and again, I have advised technology companies and medical practices to invest in security and yet I am often met with resistance, a culture of calculated risk prevails.  To these companies and practices, this risk may make sense to them in the short term. Resources are often limited and so they often believe that they needn’t spend the time and money in security.  However, the notion that a company or a practice can take this chance is ill advised.

As a recent study conducted by HIMSS (and reviewed by Ann Zieger here) warns, “significant security incidents are projected to continue to grow in number, complexity and impact.” Thus in taking the calculated risk not to invest in security, companies and practices are creating greater risk for in the long run, one that comes with severe consequences.

As we have seen outside of healthcare, even “simple” breaches of user names and passwords as happened to Under Armour’s MyFitnessPal app, become relatively important use cases as examples of the impact a security breach can have. While healthcare companies typically think of this in terms of HIPAA compliance and oversight by the Office for Civil Rights (OCR), the consequences reach far wider.  Beyond the fines or even jail time that the OCR can impose, what these current breaches show us is how easy it is for the public to lose trust in an entity.  For a technology company, this means losing valuation which could signal a death knell for a startup. For a practice, this may mean losing patients.  For any entity, it will likely result in substantial legal fees.

Why take the risk not to invest in security? A company may think they are saving time and money up front and the likelihood of a breach or security incident is low. But in the long run, the risk is too great – no company wants to end up with their name splashed across the headlines, spending more money on legal fees, scrambling to notify those whose information has been breached, and rebuilding lost trust.  The short term gain of saving resources is not worth this risk.

The best thing a company or practice can do to get started is to run a detailed risk assessment. This is already required under HIPAA but is not always made a priority.  As the HIMSS report also discussed, there is no one standard for risk assessment and often the OCR is flexible knowing entities may be different sizes and have different resource. While encryption standards and network security should remain a high priority with constant monitoring, there are a few standard aspects of risk assessment including:

  • Identifying information (in either physical or electronic format) that may be at risk including where it is and whether the entity created, received, and/or is storing it;
  • Categorizing the risk of each type of information in terms of high, medium, or low risk and the impact a breach would have on this information;
  • Identifying who has access to the information;
  • Developing backup systems in case information is lost, unavailable, or stolen; and
  • Assessing incidence response plans.

Additionally, it is important to ensure proper training of all staff members on HIPAA policies and procedures including roles and responsibilities, which should be detailed and kept up to date in the office.

This is merely a start and should not be the end of the security measures companies and practices take to ensure they do not become the next use case. When discussing a recent $3.5 million settlement, OCR Director Roger Severino recently emphasized that, “there is no substitute for an enterprise-wide risk analysis for a covered entity.” Further, he stressed that “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Though this may seem rudimentary, healthcare companies and medical practices are still not following simple steps to address security and are taking the calculated risk not to – which will likely be at their own peril.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.

Barriers to Better Healthcare Cybersecurity

Posted on May 4, 2018 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We often say in healthcare that we need to learn from other industries. We try to do that as much as possible on this blog and this is one of those cases. HIPAAEx recently shared this image that illustrates many of the barriers that local governments face to better cybersecurity. Many of them are money issues like paying high prices cybersecurity salaries and hiring and training cybersecurity staff, but the largest barrier is lack of support. See the details below:

Does this sound like some of the same issues that we have when it comes to barriers to effective cybersecurity in healthcare? It does to me.

While healthcare does deal with these same challenges, I have to admit how drastic the change has been when it comes to support for cybersecurity efforts from healthcare leaders. It used to not even be an after thought. That’s still sadly true in many healthcare organizations. However, I’m seeing more and more healthcare organizations that have seen cybersecurity as a strategic priority.

Healthcare organizations know the damage that’s caused when they have a massive breach occur that shouldn’t happen. They’re finally starting to wake up to this fact. Most are taking a two fold approach: how do I prevent a breach from occurring and what’s my process when a breach occurs?

The problem with cybersecurity is that it’s never done. You can’t look at cybersecurity as a project that’s complete and now you can move on to something else. Cybersecurity is always changing and has to become part of the culture of your organization if you want to have any hope of keeping up and avoiding any major cybersecurity disasters.

How does this chart stack up with your experience? What are your barriers to healthcare cybersecurity? Please share your thoughts and experiences in the comments and with us on social media @HealthcareScene.

Privacy Fears May Be Holding Back Digital Therapeutics Adoption

Posted on May 3, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Consumers were already afraid that their providers might not be able to protect the privacy of their health data. Given the daily news coverage of large data breaches and since the Facebook data scandal blew up, consumers may be even less likely try out new digital health approaches.

For example, a new study by innovation consultancy Enspektos has concluded that patients may be afraid to adopt digital therapeutics options. Many fear that the data might be compromised or the technology may subject them to unwanted personal surveillance.

Without a doubt, digital therapeutics could have a great future. Possibilities include technologies such as prescription drugs with embedded sensors tracking medication compliance, as well as mobile apps that could potentially replace drugs. However, consumers’ appetite for such innovations may be diminishing as consumer fears over data privacy grow.

The research, which was done in collaboration with Savvy Cooperative, found that one-third of respondents fear that such devices will be used to track their behavior in invasive ways or that the data might be sold to a third party without the permission. As the research authors note, it’s hard to argue that the Facebook affair has ratcheted up these concerns.

Other research by Enspektos includes some related points:

  • Machine-aided diagnosis is growing as AI, wearables and data analytics are combined to predict and treat diseases
  • The deployment of end-to-end digital services is increasing as healthcare organizations work to create comprehensive platforms that embrace a wide range of conditions

It’s worth noting that It’s not just consumers who are worried about new forms of hacker intrusions. Industry CIOs have been fretting as it’s become more common for cybercriminals to attack healthcare organizations specifically. In fact, just last month Symantec identified a group known as Orangeworm that is breaking into x-ray, MRI and other medical equipment.

If groups like Orangeworm have begun to attack medical devices — something cybersecurity experts have predicted for years — we’re looking at a new phase in the battle to protect hospital devices and data. If one cybercriminal decides to focus on healthcare specifically, it’s likely that others will as well.

It’s bad enough that people are worried about the downsides of digital therapeutics. If they really knew how insecure their overall medical data could be going forward, they might be afraid to even sign in to their portal again.

Is Health Data Privacy On Its Way Out?

Posted on April 30, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As healthcare providers gradually improve their HIPAA data security and privacy compliance, one might think that the odds of a breach occurring are getting lower. Maybe that’s true within the provider organizations themselves, but there are forces outside of healthcare which will make it impossible to protect personal data in the future, according to a post on Axoblog.

The piece argues that the notion of data privacy is dying. “To the extent that emails and other communications meant for designated recipients are analyzed, scraped aggregated and stored it is the opinion of this author that the protection of PHI is illusory,” the article says.

As the piece correctly notes, unscrupulous companies and can learn a great deal about consumers by analyzing their Internet search history. And of course, there are social media stalkers like Facebook, which monitors Internet activity even when the subscriber is logged off. (It’s hard to believe that other Internet companies aren’t doing the same thing in a less public manner.)

By using a rich source like Facebook user data and aggregating it with information from other social media networks, outsiders can pull together a personal profile of users. This database could easily expose medical information that should be protected under HIPAA and HITECH.

And it’s not just Facebook data that is of concern. By buying available data from all the social media networks, then matching that data with commercial databases offering details such as address, phone number and location, it’s possible to develop an astonishingly detail portrait of individuals.

So what should providers do in the age of minimum privacy? Be aware of emerging threats, the author suggests:

  • Be aware that social media outlets aren’t subject to the legal requirements providers are when compiling health information.
  • Keep your eye on data aggregators, which are selling data to everyone you can think of, plus others you wouldn’t even have considered, including marketers, advertisers and researchers.
  • The government has only now begun trying to understand how social media networks handle privacy and how well they explain their practices to consumers
  • In the wake of Facebook scandals, social media giants might develop protocols for managing sensitive data, but they may fail at doing this, in which case the government is likely to step in
  • Though Facebook has been asked by regulators how the company manages and shares data, it seems that no one’s asking about the aggregation of data and how it is stored and protected

Now, I’d like to think the article described above is a bit too pessimistic. If nothing else, I’m not sure that the aggregation of other forms of data means that medical privacy will become impossible to defend. Still, the piece makes it clear that we have a long way to go before we can sure PHI is protected by companies like Facebook.