Patient Privacy within a Complex Eco-System

By ISBuzz Team | March 11, 2016 | Updated: July 8, 2024 | 7 Mins Read

The planets are aligning against the privacy of every individual who uses a healthcare system; those planets being complexity and new technologies.

Modern medicine has to deal with massive numbers of patients, and the routes taken by patient data are often highly convoluted, complex and open to error. As the system currently stands, patient information is shared between what amounts to a small eco-system of associated actors. These include employers, lawyers, insurance companies, general practitioners, pharmacies and hospitals. The image below shows some work carried out to quantify the complexity of the data sharing eco-system: the pathway of data when a simple blood test was ordered by a general practitioner.

This study, Communication Systems in Healthcare, was carried out back in 2006 by Enrico Coiera and since then the complexity has increased as new technologies such as Cloud systems and mobile devices have entered the arena.

The types of data flowing through the healthcare eco-system are also highly varied. Often the data capture mechanisms used vary across the system, resulting in data that is difficult to aggregate and analyze. This non-standardization is compounded by the era of big data. Healthcare data is now, on the whole, digitized and the volumes of digitized data are massive. This has both positive and negative connotations for the healthcare industry. On the plus side, it is expected that the use of big data can save the industry billions, with McKinsey & Company predicting a $100 billion increase in annual profits with the use of big data.

On a more negative note, the complexity of the healthcare data eco-system may well be one of the reasons healthcare is a prime target for cyber-crime. In 2014 one of the biggest security breaches ever involving personally identifying information (PII) occurred against healthcare insurer Anthem. This breach resulted in the theft of almost 80 million records containing personal details, including social security numbers. In addition, cyber-crime against healthcare providers is not surprising when you consider that a healthcare record is worth more than any other data record on the black market, with figures from the Ponemon Institute setting the price of the average stolen healthcare record at $363.

But it's not just the big breaches that are a worry for patient data privacy; even small breaches can result in loss of privacy. The HIPAA Breach Notification Rule requires that any healthcare industry member has to reveal a breach that affects more than 500 individuals. The resultant notification list can be seen on the website of the U.S. Department of Health and Human Services. If you generate a report for January 1st 2015 to 22nd September 2015, it pulls up 190 incidents, ranging from laptop thefts to unauthorized access of electronic healthcare records, and spans the range of the extended family of healthcare provision.

HIPAA should never be used as a coverall for privacy protection. HIPAA is a set of guidelines for security best practice. Healthcare privacy is a much more diffuse concept that cannot be achieved simply by applying encryption to a database, as exemplified by one of the widely publicized Target privacy breaches, where the company sent out baby coupons to a teenage girl, identifying her, to her parents, as being pregnant.

Making a complex system even more so

New technologies, which are adding new routes of data vulnerability, do bring patient benefit. The use of electronic healthcare records (EHR) within an integrated platform brings greater efficiency, allowing disparate units, such as consultancy, documentation and pharmacy to more easily share information on a given patient. A 2013 study by RAND showed that the USA could save around $78 billion by moving to a fully EHR system. However, the advent of ‘data driven medicine’, which is enabled by the use of EHR and Cloud based platforms, will open up new challenges for data protection and privacy of information.

Mobile devices, or mHealth, which offer advanced data collection and sharing opportunities, are also becoming ubiquitous in healthcare, with an estimated 87% of physicians using a mobile device for work and 50% of those using an iPad in their practice. The use of mobile devices to generate and share data is not, of course, confined to the professional. Patients are starting to use mobile apps. A June 2014 report by mobile analyst Flurry Insights saw a 62% increase in the use of health apps by the public, and there is a move for the data generated using these apps to be shared with doctors, so much so that the FDA are currently exploring how to regulate these apps.

Then there is the advent of the Internet of Things (IoT). The benefits of IoT in healthcare can be substantial: research in a report by McAfee, The HealthCare of the Internet of Things, shows the use of IoT in healthcare provides a saving of $63 billion in the next 15 years. However, as an extended family of Internet-connected devices enters the patient data eco-system, we will see even more complexity and more pathway extensions that open up areas where privacy and security are at risk. The same report also stated that privacy violations are one of the expected downsides of the use of IoT in healthcare and that the use of encrypted data transmissions between devices is crucial to remediate this issue.

Where do we go from here?

Efficient data sharing is a vital part of modern medicine. Add to this the need to share these data across different device types, often using Cloud technologies, within a context of an increasingly sophisticated cybercrime landscape and you create a can of worms as far as ensuring that patient data privacy is upheld.

Organizations such as the U.S. Health IT Policy Committee provide standards and certifications that provide a framework for health record privacy, particularly EHR. They have embedded the HIPAA privacy and security requirements into the U.S. Medicare and Medicaid EHR incentive programs, requiring providers to reach certain levels of attainment in the use of EHRs.

The Center for Democracy and Technology (CDT), in partnership with the California Healthcare Foundation, has developed a set of privacy principles for healthcare use of data that cover the main areas of consent, notice, security and choice. The bottom-line outcome of the review is that patients should have more choice in how their information is collected and used; the fundamental principle being that patients have rights to their own data. The CDT recognizes that patient data is needed for research, for example, but it should be used in an environment of transparency and user choice. The CDT is currently running a series of consultative workshops with stakeholders looking at the impact of big data on patient privacy and how to resolve these issues. One of the areas they wish to focus on is how to interpret the Fair Information Practice Principles, or FIPPs-based HIPAA rules. The outcome they are hoping for is to create privacy principles that will encompass both traditional and emerging healthcare applications.

But principles and guidelines are not enough; you need technical innovation that can apply these principles. There are a number of groups working in the technology area of healthcare data sharing, including the Kantara Initiative. Here a working group, known as User Managed Access or UMA, is working on an open standard Internet protocol that will allow users to manage their consent to share data within a healthcare context. It is technologies like the UMA protocol that will enable wide-scale EHR platforms, with an extended IoT/mHealth framework, to be utilized in a more transparent, consented and privacy-enhanced manner.

About Avani Desai

About Jeanmarie Loria
