How well do you think your patient data, wherever it is located, is being secured? How well do you think your healthcare providers (doctors, nurses, hospitals, clinics, etc.) and health insurance companies are securing your patient information?
The fact is, with the increasing occurrences of patient data breaches, and more use of patient data for purposes beyond the provision of healthcare, most people are worried about patient data security.
People care about the security of their patient data
People may seem like they don’t care based upon what is posted to social media sites. But keep in mind that the core concept of privacy is being in control of how your personal information is collected, used, shared, accessed and secured. As shown in Figure 1, most responding recently to a poll I provided throughout October and November indicated they are concerned about the security of their patient information.
Figure 1 – October November 2015 Patient Data Security Poll Results
It was interesting to see that the distribution of answers remained constant from the beginning of the poll to the end; with some interesting results.
- The bulk of those participating, 62 percent being not confident at all, or only slightly confident, that their provider was appropriately securing their patient data.
- A significant portion, 22 percent, don’t trust the business associates (BAs) of their healthcare providers, even though they trust the providers themselves. This will impact the providers; they will share in the liability for anything breaches that occur through the BA. This was demonstrated earlier in November when the Connecticut Attorney General applied a HIPAA fine and penalty to BOTH the BA and the covered entity (CE) that hired them for a breach that was caused by the BA.
- That 7 percent had already experienced a breach of their patient data entrusted to their providers is disturbing but not surprising given 85 percent of healthcare providers allow their physicians and staff to connect their personally owned mobile devices to the hospital network, and two-thirds of hospital workers use mobile apps to view patient data.
Patient data is used for other purposes
Most folks I speak with are amazed at the growing ways in which patient health data that has historically only been used by healthcare providers is now being collected by a very wide number of organizations through the many fitness wearables, medical devices and mobile apps in new ways that were never imaged. Consider just a few of these ways that what has historically been considered to be patient data are now being collected and used for more than treatment purposes:
- A large pharmacy recently launched an app that will give deeper discounts for more health data you share with them. However, they indicate in their terms that they could take that data and share with a variety of others, not specifically named.
- A car insurance company got a patent in June 2015 for a “driving-behavior database that it said might be useful for health insurers, lenders, credit-rating agencies, marketers and potential employers.” The patent specifically mentioned “the recording and evaluation of driver physiological data, such as heart rate, electrocardiograph signals and blood pressure.” For example, “electrocardiograph signals can be recorded from steering wheels with built-in sensors.”
The data is going to continue to proliferate exponentially in the coming years. Just consider fitness tracker wearables. Currently 10.2 percent of the U.S. population (25.1 million) uses them. It is projected that by 2019 over 33 percent of the U.S. population, from newborns to those over 100 years old, will be using them. That is a lot of health data being sucked up on a continuous basis. And most of those fitness wearable vendors will be sending that data to many others beyond the cloud service that the wearers are using to give them their fitness diagnostics.
Patient data breaches are increasing
Concerns about the security of patient data are not unfounded. Consider the following:
- There have been at least 175,924 patient records breached (this number doesn’t include breaches involving less than 500 records, which are not posted on the site) just since Sept. 29, when a snapshot of the Department of Health and Human Services (HHS) breach website showed 1,338 breaches impacting 153.8 million victims.
- The largest of these breaches occurred at a community hospital and involved the breach of patient data records for more than 84,681 individuals.
- But there have been much larger patient data breaches. For example, earlier this year a breach at healthcare insurer involved nearly 80 million individuals.
- And the increasing numbers of medical devices are, for the large part, not sufficiently secured. Medical device security is more than a decade behind the overall security
- Lack of security is putting patients are real physical risk. Case in point: in August of this year the FDA issued a letter warning hospitals and patients that a pump commonly used to ration out proper dosing of medicine in IVs could be vulnerable to attack.
The range of breach sizes illustrates that any size of organization with healthcare data, from a 1-person business to a gigantic healthcare insurer with over one hundred thousand employees, is susceptible to a privacy breach of patient data. And the small to midsize organizations are likely more at risk given 77 percent of them do not have formal, written information security policies for employees to follow, and 41 percent do not have necessary security technologies implemented.
It is no wonder considering patient data is much more valuable than other types of personal data. Recent research shows that patient health data is ten times more valuable than credit card numbers.
Improving patient data security
There are many security and privacy concerns for patient health data. Four primary concerns include:
- The organizations collecting the data may decide to sell that data to third parties, such as banks, employers, health insurers, marketers, and others who could then use that information to make decisions detrimental to the lives of those associated.
- Health insurance companies will use the data to raise rates. A study of global health insurance executives earlier this year found that 63 percent of them believed that the data from fitness wearables of their insureds will be a benefit to their business profitability.
- Employers may decide to use such data to make hiring, firing and job advancement decisions. A 2014 Nielsen survey showed 61 percent of employers are aware of wearable technology for tracking and monitoring medical conditions use fitness bands. The concern is that such data could be used by employers to determine employee locations, activities, impending health problems, and what they deem as inappropriate behaviors.
- Criminals want health data. A recent study showed that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of health data breaches. Breaches of such data could lead to criminals using that data to track and commit cyber crimes as well as physical crimes against those seen as most weak and vulnerable.
If your organization collects health and patient data, not only do you need to comply with all applicable legal requirements, such as those within HIPAA CEs and their BAs and subcontractors, but you also need to ensure you have a strong privacy and security program. And always remember, people care about the security of their patient data
For more information about strengthening your privacy and security program to better protect patient data, see the following:
- How businesses can reduce wearables security & privacy risks
- Data Collection Must be Limited for Internet of Things Privacy
- Privacy HIPAA and Hacking Medical Devices
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.