Big data is making big promises to improve our health. But should consumers believe them? The rise in healthcare provider data breaches, not to mention the sale of medical data to third-party brokers, suggests consumers aren’t wrong to be skeptical. But is there anything they can do to protect themselves and their data? The Stroke Recovery Foundation shares what you need to know to be a security-conscious consumer.
Medical Data Breaches and Ransomware Attacks Multiplying Rapidly
- “New research estimates, after all the breach data is tallied, that by the end of 2019, healthcare-related data breaches will cost the industry $4 billion, and respondents to a recent survey expect those numbers to only increase in the year ahead,” notes Security Boulevard.
- The Center for Internet Security explains that “breaches are widely observed in the healthcare sector and can be caused by many different types of incidents, including credential-stealing malware, an insider who either purposefully or accidentally discloses patient data, or lost laptops or other devices. Personal Health Information (PHI) is more valuable on the black market than credit card credentials or regular Personally Identifiable Information (PII). Therefore, there is a higher incentive for cyber criminals to target medical databases, so they can sell the PHI or use it for their own personal gain.”
Which Companies Have Access to My Personal Health Information?
- Search Health IT Tech Target explains that “under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and revisions to HIPAA made in 2009’s Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities — which include healthcare providers, insurers and their business associates — are limited in the types of PHI they can collect from individuals, share with other organizations or use in marketing. In addition, organizations must provide protected health information to patients if requested — preferably in an electronic PHI format.”
- Even Google is getting in on the action with its recently revealed Project Nightingale: “The project, which reportedly began last year, includes sharing the personal health data of tens of millions of unsuspecting patients … Google says it is operating as a business associate of Ascension, an arrangement that can grant it identifiable health information, but with legal limitations.”
- On the other side of the coin, if you own or manage a business, you should be just as concerned about cyber security, if not more so, because you’re responsible for protecting others’ private information. As ZenBusiness notes, one security breach that affects the personal information or records of employees, patients or clients can bring your company down fast.
How Can I Protect Myself? What Can I Do if My Medical Records Are Stolen?
- Dark Reading: Connie Schweyen, managing principal of healthcare at Verizon, suggests that you “provide insurance identification only to those who offer medical services, and don’t let anyone borrow your insurance identification or Medicare card … There’s an increase in the number of people approaching Medicare individuals or others, asking to use their medical information so they can go out and purchase medical services. It’s an emerging scheme, she said, that follows an old pattern.”
- ProPublica recommends: “If you have had a medical imaging scan (e.g., X-ray, CT scan, MRI, ultrasound, etc.) ask the health care provider that did the scan — or your doctor — if access to your images requires a login and password. Ask your doctor if their office or the medical imaging provider to which they refer patients conducts a regular security assessment as required by HIPAA.”
- “If you find that you’re a victim of medical identity theft, there are several steps you need to take. They include asking for copies of your medical records from any provider where your identity may have been fraudulently used and, because you’re the victim of a crime, filing a police report where you live,” according to LifeLock.
What Medical Practices Are Doing to Protect Patient Health Information
- “A constant evaluation of security practices has become imperative for healthcare organizations hoping to avoid the possibility of a breach. Introducing practices such as application control and privileged access management can help organizations take a step in the right direction, protecting their data in ways where basic encryption might fall short,” asserts Health Tech Magazine.
- Health IT Outcomes explains that “although the prevalence of HIPAA has created a certain standard degree of security to protect the amount of confidential patient data that is in the cloud today, HIPAA compliance alone is no longer enough to protect that data long term. Today, the best way to ensure patient data in the cloud is secure is through HITRUST certification.”
When it comes to businesses storing and sharing medical data, consumers aren’t wrong to be wary. Unfortunately, there’s little the individual consumer can do to protect their medical data beyond monitoring their records and choosing their providers carefully. As such, it’s incumbent upon medical providers, insurance companies, and the organizations they do business with to step up to modern security challenges and place patient privacy at the top of their priority lists.