The frightening truth about the security of our healthcare data

Is your healthcare data safe? That’s not something most people think about on a regular basis. We take for granted that our medical records, family histories, insurance coverage and the rest of the data associated with our health is protected carefully by those who create and store it.

But the truth is that we are struggling right now as a society to figure out how to secure digital information–both legally and against the threat of data hacking, theft or loss.

The United States’ recent adoption of new healthcare laws and procedures includes requirements for hospitals and other care providers to digitize medical records. Digitization of health data is cost-effective, efficient and offers a wealth of benefits. Eventually, patients will be able to log in and access their entire medical history in one place, helping them become more informed consumers of healthcare. Some states, like Massachusetts, have already taken major steps in this direction.

But having our healthcare data readily available for positive purposes online means it’s also readily available for those who are interested in exploiting or misusing the information.

Recent technological advances have made medical data both richer and more valuable–and thus more dangerous in the wrong hands.

For example, the mapping of the human genome and resultant medical advances like genetic testing have made it so that patient information will remain highly sensitive even beyond a patient’s lifetime. While Obamacare has made it illegal for U.S. insurers to deny coverage due to preexisting conditions, it’s entirely possible that people could be discriminated against in the hiring process if employers were able to learn about their genetic predispositions. Genetic discrimination is technically illegal in the U.S. and some other countries, but it is very difficult to enforce these regulations and to prevent misuse of data.

Additionally, if our healthcare data isn’t well-protected, biological crime could become a serious problem. Criminals could target patients with specific conditions, leak sensitive information to the press or tamper with medical devices like pacemakers (famously dramatized in a recent season of “Homeland”), for example.

We also need to consider who we are giving our health data to and why. Today it’s not just hospitals or doctors who can access our health data; we readily hand it over to many other organizations. Wearable technologies that measure, transmit and analyze data about our health are on the rise today, and while they offer a host of benefits, they have also opened the door to a whole new set of medical security issues.

Moreover, genetic testing companies like 23andme and other bioinformatics startups collect some of the most personal health information that exists. Before you sign up for a health monitoring app, purchase a fitness tracking device or send in your saliva sample, it’s important to find out how these companies secure their data and what assurances you have that your information will be kept safe and private–both now and in the future.

In both the United States and Europe, there are now strong penalties for loss of customer personal and medical data by companies or organizations. At a minimum, they must comply with HIPAA privacy and security regulations, train all employees on how to protect sensitive information and notify customers — and in some cases local media — of any data breaches. Providers have a strong incentive to prevent breaches, moreover, since they cost an average of $130 to $136 per lost record according to the 2013 Ponemon Data Breach Report.

However, one thing that many people–including lawmakers–may not realize is that medical records do not just need to be protected today. Cyber criminals will soon be able to hack messages that were sent in the past, rendering even years-old data vulnerable. Information could even be intercepted today and then stored until a computing device is available that can decrypt that data. And new computers are being developed today that will render many of the mathematics-based security protocols that we rely on obsolete. All organizations that collect, store or analyze consumer healthcare data need to consider how they will respond to this imminent sea change in data security.

The best way to protect our data is to be honest about where security vulnerabilities lie and to begin implementing failsafe protocols that will protect us against the technology of the future. We also need comprehensive legislation that addresses these concerns and establishes common data protection standards, and we need consumers to educate themselves and make careful decisions about how and when they share their health information. If we don’t take action to protect our healthcare data now, it may soon be too late.

Grégoire Ribordy is the co-founder and CEO of network encryption company ID Quantique, which is based in Geneva, Switzerland. 

11 Responses to “The frightening truth about the security of our healthcare data”

  1. Hillary

    My mother and my husband are both nurses and this is something we often discuss. It’s definitely something to be concerned about.

  2. tld systemsny

    HIPPA Security Solutions

    In Indiana a woman’s privacy was violated by Walgreen’s pharmacy when her prescription records were given to her ex-boyfriend. The jury awarded the customer, Abigail Hinchy, $1.44 million. Indianapolis Star reported this story.

  3. Bob Hobson

    One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags ( let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.

  4. civil westman

    The author’s concerns regarding misuse of medical information all pale in comparison to the one abusive entity he omits completely: the government. New legislation simply exempts itself from HIPAA whenever the feds want your health information. None of the entities the author fears has bayonets, assault rifles, drones & hellfire missiles. Guess who does and guess who will have unfettered access to your most intimate information – everywhere & all the time?

  5. Gordito Mojito

    To me it begs the question; Who owns our records and who’s responsible for protecting them?

    I personally think that I should own them and grant temporary access to others. I should also be allowed to share them on a single or multiple user basis much like a software license.

  6. Dorothy Myers

    Asserting that computerized medical records save money is just that — an assertion. The costs of developing the software, installing it, upgrading equipment and other related costs make computerized records very expensive. Protecting the records from unauthorized access is difficult, as is known widely. It’s not only doctors and hospitals who have access; it’s clerks, nurses, physical therapists, ancillary personnel. Think all those people change their passwords regularly? How about counting the cost of requiring the provider to enter the data on the EMR? Used to be that providers would dictate a report, which takes a lot less time than entering the data unless the doctor is a fast typist. Doctor time is more valuable than a transcriptionist’s time, last time I looked. But, many hospitals are penny wise and pound foolish and require doctors to enter their own data or use voice recognition which requires them to edit their own work because transcription was a loss — but doctor time is a more expensive loss.

    This author thinks that magically the records generated in various venues will be readily available. Right now, that’s not happening. Hospitals don’t necessarily have the capability to access another hospital’s records. The use of the fax machine is still necessary. Doctors don’t necessarily have the capacity to access the hospital’s system and review records while the patient is in the office. Sometimes, even computerized machines don’t talk to each other, such as different manufacturers of CT scanners and MRI machines.

    It’s not necessarily just the content of the record that has to be protected, it’s the whole system. Hackers just love to bring down systems. The black hat guys haven’t retired. What if your whole system goes down with data being destroyed through a black hat attack? What if you can’t recover the data (unless you back it up offsite, which in itself is very expensive)? Obama has magical thinking because he thinks if he dictates a deadline for something to be done, that it will automatically be done. So, he dictated that the EMR would be implemented by 2015. Sebelius suffers from the same disease; she dictated that the implementation of ICD-10 will occur on October 1, whether people are ready or not. Just because some executive dictates some order doesn’t mean it will happen. We see the result of dictating that the ACA website would be running last October 1. It still isn’t running right. Does anybody trust that the EMR will be implemented in 2015? I don’t.

  7. Healthcare professionals should not be storing “our” data, just accessing as necessary and as permitted by the patient. Distributed data managed by the individual–any standard short of this is ripe for corruption.

  8. Can someone please explain to me what this article is about? “We have data in digital form”, yeah, we know that. “That data must be protected”, yeah, we know that. “Hackers can steal the data”, we, we’ve been around this barbecue a few times. “Let’s be honest and have legislature” – mutually exclusive paragraphs detected.
    Okay, so what was the point, again?