Is your healthcare data safe? That’s not something most people think about on a regular basis. We take for granted that our medical records, family histories, insurance coverage and the rest of the data associated with our health is protected carefully by those who create and store it.
But the truth is that we are struggling right now as a society to figure out how to secure digital information–both legally and against the threat of data hacking, theft or loss.
The United States’ recent adoption of new healthcare laws and procedures includes requirements for hospitals and other care providers to digitize medical records. Digitization of health data is cost-effective, efficient and offers a wealth of benefits. Eventually, patients will be able to log in and access their entire medical history in one place, helping them become more informed consumers of healthcare. Some states, like Massachusetts, have already taken major steps in this direction.
But having our healthcare data readily available for positive purposes online means it’s also readily available for those who are interested in exploiting or misusing the information.
Recent technological advances have made medical data both richer and more valuable–and thus more dangerous in the wrong hands.
For example, the mapping of the human genome and resultant medical advances like genetic testing have made it so that patient information will remain highly sensitive even beyond a patient’s lifetime. While Obamacare has made it illegal for U.S. insurers to deny coverage due to preexisting conditions, it’s entirely possible that people could be discriminated against in the hiring process if employers were able to learn about their genetic predispositions. Genetic discrimination is technically illegal in the U.S. and some other countries, but it is very difficult to enforce these regulations and to prevent misuse of data.
Additionally, if our healthcare data isn’t well-protected, biological crime could become a serious problem. Criminals could target patients with specific conditions, leak sensitive information to the press or tamper with medical devices like pacemakers (famously dramatized in a recent season of “Homeland”), for example.
We also need to consider who we are giving our health data to and why. Today it’s not just hospitals or doctors who can access our health data; we readily hand it over to many other organizations. Wearable technologies that measure, transmit and analyze data about our health are on the rise today, and while they offer a host of benefits, they have also opened the door to a whole new set of medical security issues.
Moreover, genetic testing companies like 23andme and other bioinformatics startups collect some of the most personal health information that exists. Before you sign up for a health monitoring app, purchase a fitness tracking device or send in your saliva sample, it’s important to find out how these companies secure their data and what assurances you have that your information will be kept safe and private–both now and in the future.
In both the United States and Europe, there are now strong penalties for loss of customer personal and medical data by companies or organizations. At a minimum, they must comply with HIPAA privacy and security regulations, train all employees on how to protect sensitive information and notify customers — and in some cases local media — of any data breaches. Providers have a strong incentive to prevent breaches, moreover, since they cost an average of $130 to $136 per lost record according to the 2013 Ponemon Data Breach Report.
However, one thing that many people–including lawmakers–may not realize is that medical records do not just need to be protected today. Cyber criminals will soon be able to hack messages that were sent in the past, rendering even years-old data vulnerable. Information could even be intercepted today and then stored until a computing device is available that can decrypt that data. And new computers are being developed today that will render many of the mathematics-based security protocols that we rely on obsolete. All organizations that collect, store or analyze consumer healthcare data need to consider how they will respond to this imminent sea change in data security.
The best way to protect our data is to be honest about where security vulnerabilities lie and to begin implementing failsafe protocols that will protect us against the technology of the future. We also need comprehensive legislation that addresses these concerns and establishes common data protection standards, and we need consumers to educate themselves and make careful decisions about how and when they share their health information. If we don’t take action to protect our healthcare data now, it may soon be too late.
Grégoire Ribordy is the co-founder and CEO of network encryption company ID Quantique, which is based in Geneva, Switzerland.