Most patients think of hospitals as fairly safe places. While nobody looks forward to a stay in a medical facility (with a few possible exceptions), hospitals aren’t a place to worry about privacy. Physicians carefully control patient information, and laws like the Health Insurance Portability and Accountability Act (HIPAA) protect against unwarranted disclosures.
That’s the conventional wisdom, anyway. The truth, unfortunately, is a bit more complicated.
“In terms of privacy risk in a digital health ecosystem, there is no question that it exists,” Pam Dixon, executive director of the World Privacy Forum, tells HealthyWay. The World Privacy Forum is a non-profit public interest group that analyzes privacy issues, including medical identity theft. In fact, Dixon coined the term “medical identity theft” when testifying before the National Committee on Vital and Health Statistics (NCVHS) in 2005.
As we discovered, health care providers are struggling with new threats—and in many instances, they’re woefully under-prepared. For instance…
1. Smartphones have opened up new vulnerabilities.
In 2015, former nursing assistant Taylor Waller pleaded guilty to voyeurism after she took a photo of a patient’s backside and sent it through Snapchat. While disturbing, it wasn’t an isolated incident; ProPublica collected 47 incidents since 2012 in which healthcare workers at nursing homes and assisted-living centers shared inappropriate photos of residents via social media.
These types of incidents probably aren’t widespread, but they do expose a problem: While illegal, many of the events weren’t technically violations of HIPAA, since the patients couldn’t be identified from the photos alone.
“There are new ways that health data are escaping the boundaries of HIPAA, which is a major complication for the privacy of health data, for example, non-HIPAA covered health apps, social media health groups, etc.,” Dixon says. “This movement is related to the larger issues of how our culture is moving toward large digital ecosystems, and is a question that goes far beyond the issues of HIPAA.”
Some hospitals have responded by banning smartphones, but that can create issues, too, since healthcare professionals might use their smartphones for scheduling and other essential tasks. Ultimately, healthcare professionals may need to install special technical controls on their phones.
That’s easier said than done, since…
2. Many hospitals’ IT systems are extremely underprepared for modern threats.
You’d be forgiven for assuming that hospitals have complex computer networks safeguarded against computer hackers and identity thieves. Unfortunately, that’s rarely the case.
“Many hospitals don’t have big IT departments,” says Ben Carmitchel of Datarecovery.com, a company that specializes in data privacy testing for healthcare providers. “They’re just like any other small business; they might think they’re treating data safely, but they simply don’t have the resources to recognize that they’re making mistakes.”
Carmitchel has helped a number of hospitals recover after crippling ransomware attacks. As he explains, ransomware is a growing threat for all businesses, but healthcare providers are particularly at risk.
“A hospital employee will click on a link in a very official-looking email, maybe from a vendor or other trusted source,” Carmitchel tells us. “That will download a payload, which will infect the hospital’s entire computer network very quickly. Then, all of the computers will be unusable, and the hospital will have to pay a ransom to restore access to the data.”
“These malicious users target hospitals, because they know that the healthcare providers will have to pay,” Carmitchel says. “It could be a life-or-death situation.”
Dixon says that healthcare providers are taking the threat seriously, but she also notes that the scale of the problem is difficult to estimate.
“We don’t track ransomware, as we discovered early on that many ransomware incidents are not made public,” Dixon says. “I have personally spoken to HCPs who are actively working to prevent ransomware attacks, and my perception is that this threat is being taken very seriously. My guess is that the trend is going to continue, but HCPs will be increasingly hardened against this kind of attack.”
Carmitchel is more pessimistic. He notes that ransomware isn’t the only threat, and without proper security controls, healthcare providers will remain susceptible.
That’s a real problem. In June 2017, a global cyberattack infected hospitals in Pennsylvania, causing the postponement of at least one surgery. One month earlier, a crippling cyberattack took down systems at the U.K.’s National Health Service. Carmitchel says that many attacks don’t make the news.
“[Hospital administrators] don’t want to expose their security vulnerabilities, so if they’re not legally required to report these incidents, they typically won’t,” Carmitchel says.
3. Some states are pushing biometric systems, which might cause more problems than they solve.
Biometric controls—like fingerprint, iris, or palm vein scanners—might seem like improved security measures.
“One of the major risks there is biometric spoofing, a well-known security risk in the industry, but one that many HCPs appear to be unprepared for,” Dixon says. “Spoofing can create what is called ‘biometric template takeover,’ a very sophisticated problem for a patient to try to find and correct. A false sense of security can arise if risk assessments are not thorough and frequent.”
In other words, patients and physicians might see the biometric controls as sufficiently protective, and as a result, they may neglect other threats. If a patient gives biometric information to a healthcare provider, they could risk exposing that data to unauthorized sources.
“I urge caution before a person gives a biometric to a health care provider, for a lot of reasons,” Dixon says. She also notes that some healthcare providers require mandatory biometric scans or driver’s license scans for patients, which create ethical issues that will need to be addressed.
Carmitchel notes that biometric systems don’t solve fundamental problems with hospital computer systems. He notes, for example, that many healthcare providers run computers with Remote Desktop Protocol (RDP) enabled, which allows remote control of those systems. By leaving the RDP port open, they leave key systems exposed.
“The standard of yesterday was to leave all ports open,” Carmitchel says. “That’s no longer necessary. By blocking some ports, you can greatly limit your vulnerabilities. But every healthcare provider runs their IT a different way, and there aren’t really standards.”
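As an added illustration of the open-RDP-port problem Carmitchel describes (example code written for this article, not anything from Datarecovery.com or the providers mentioned), the Python below audits a constructed, simplified firewall ruleset for RDP (TCP 3389) reachable from non-private addresses, then rewrites it so RDP is allowed only from an assumed management subnet, 10.20.0.0/24, with an explicit deny after it.

```python
import ipaddress

RDP_PORT = 3389
# RFC 1918 ranges; any source outside these is treated as "outside the hospital"
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample ruleset in the "leave all ports open" style: each rule is
# action / protocol / destination port / source CIDR, evaluated first match wins.
WEAK_RULESET = [
    {"action": "allow", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"action": "allow", "proto": "tcp", "port": RDP_PORT, "src": "0.0.0.0/0"},
]

def is_internal(cidr):
    """True if every address in cidr lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)

def exposed_rdp_sources(rules):
    """Return the source CIDRs from which an allow rule reaches TCP/3389
    and that are not wholly private, i.e. RDP reachable from outside."""
    return [r["src"] for r in rules
            if r["action"] == "allow" and r["proto"] == "tcp"
            and r["port"] == RDP_PORT and not is_internal(r["src"])]

def restrict_rdp(rules, mgmt_subnet):
    """Narrow every externally reachable RDP allow to mgmt_subnet and append a
    catch-all deny so no later rule can quietly widen RDP again."""
    hardened = []
    for r in rules:
        if (r["action"] == "allow" and r["proto"] == "tcp"
                and r["port"] == RDP_PORT and not is_internal(r["src"])):
            hardened.append({**r, "src": mgmt_subnet})
        else:
            hardened.append(r)
    hardened.append({"action": "deny", "proto": "tcp", "port": RDP_PORT,
                     "src": "0.0.0.0/0"})
    return hardened

if __name__ == "__main__":
    MGMT_SUBNET = "10.20.0.0/24"  # assumed internal management network
    print("exposed RDP sources:", exposed_rdp_sources(WEAK_RULESET))
    fixed = restrict_rdp(WEAK_RULESET, MGMT_SUBNET)
    print("after hardening:", exposed_rdp_sources(fixed))
    for rule in fixed:
        print(rule)
```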
4. Politicians are pushing hospitals toward digitization, so the problem’s not going away.
That trend started with an executive order issued by President George W. Bush, according to Dixon. His 2004 order released funding for “digitization and other modernization” projects, which led some healthcare providers to digitize potentially sensitive records. The Affordable Care Act continued the trend, compelling digitization without establishing security standards.
“Digitization was going to happen, but the key is that it needed to happen with much more attention to patient data protection and privacy, and that needed to begin in the early 2000s,” Dixon says.
Granted, hospitals aren’t operating in a free-for-all. Under HIPAA’s Security Rule, health care providers must implement “reasonable and appropriate safeguards for electronic protected health information (ePHI).” However, what counts as “reasonable and appropriate” can vary quite a bit depending on a hospital’s size and capabilities. The rule doesn’t dictate any specific technical security measures; it merely establishes guidelines for risk assessments and penalties for rule violations.
Still, Dixon doesn’t see more legislation as the answer.
“I am reluctant to recommend legislation that would standardize actual technical controls in a field as highly diverse as health care is, and as fast-moving as information security is,” she says.
“That being said, I would like to see even more data protection and privacy enforcement by the HHS Office of Civil Rights, which does HIPAA enforcement, and I would like to see requirements for higher-level and higher quality risk assessments,” Dixon continues. “I would also like to see a version of enhanced privacy impact assessments, ones that include ethical data uses, be practiced.”
5. You can protect some of your information, but it’s not easy.
Given these potential threats, can patients do anything to protect their personal data? Yes, but it requires a bit of research.
“Patients should check to see if their information is being shared in a Health Information Exchange,” Dixon suggests. “Some exchanges are mandatory, some allow opt out. Some patients may want to opt out.”
“Patients who have sensitive genetic tests to conduct may want to pay cash—there is a new right under ACA that allows for restriction of disclosure. It is complicated, but it is an option,” Dixon says. She provided this link for patients interested in taking that approach.
“It is always important for people to get regular copies of their health care file,” she adds. “This is one of the few things we can all do to help find identity theft affecting us in the healthcare system. Even for people who are not affected, it is important to have baseline copies for all sorts of reasons.”
Carmitchel says that healthcare providers are ultimately responsible for security issues, and they should establish active firewalls on all computer systems that control sensitive data. Mandatory training can help to limit risks from hackers and ransomware.
“Digitizing health records has certainly created new risks for both data protection and patient privacy, with those risks increasing beginning in the early 2000s,” Dixon says. “Can the risks be mitigated? Yes. But it will take a lot of effort from all parties.”