The state of health care data privacy


Data privacy is a serious concern for health care providers, insurers, and their business partners. Each year, new data breach incidents add to the number of individuals whose health care data may have been exposed. To better understand the causes of these breaches, Center for Technology Innovation fellow Niam Yaraghi compiled a report based on his interviews with data privacy professionals in the health care industry. Niam recently sat down with Fred Dews, host of the Brookings Cafeteria Podcast, to discuss the findings of his report.

How did we get here?

Health records make attractive targets for hackers for a number of reasons. For identity thieves, health records are valuable because, unlike financial records, much of the personal information they contain cannot be easily changed. Credit cards are easily disabled and replaced, while information like Social Security numbers and addresses is much harder to modify. Hackers also target electronic health records because they are poorly secured. In their rush to digitize health records, most hospitals did not have time to develop information security protocols. The combination of valuable information and weak security leads hackers to target electronic health records.

Recently, a wave of “ransomware” attacks has denied access to computer systems at hospitals until they pay hackers in bitcoin. Now that most hospitals have digitized their records, they rely on computer systems to store and retrieve patient information. In contrast to the time and effort of selling stolen data piece by piece, ransomware attacks offer hackers a quick payout. Meanwhile, hospitals have little choice but to pay hackers so they can continue treating patients. In a previous blog post, Niam described the cybersecurity at hospitals as “small rubber dinghies in a sea of hacker sharks.”

Where do we go from here?

In his report, Niam makes several recommendations for both avoiding data breaches in the future and reducing the damage when they occur. Data breaches are reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), which sends auditors to affected organizations to ensure that corrective measures are taken. However, the information in these audits is not shared widely enough for other organizations to learn lessons from previous breaches. OCR should be transparent about the breaches that its auditors investigate.

Finally, Niam advocates for giving full control of medical information to patients themselves. While patients might receive treatment from multiple doctors, it is difficult for their records to move between separate computer systems that cannot easily communicate with each other. Patient control could begin to make electronic records more portable. Additionally, notifying patients each time their information is accessed could catch potential fraud in real time. Patients could also opt in to sharing their data with pharmaceutical companies and other researchers. Besides a small financial benefit from selling their data, patients might also gain access to trials of life-saving drugs and treatments. If done properly, digitized medical records can offer better security and control for patients.

You can read the full report