October is Cybersecurity Awareness Month, follow the conversation and do your part #BeCyberSmart.
Follow us this month as we engage our health IT community in cybersecurity awareness.
This is week 4 and the theme is Cybersecurity First. We have engaged Cotiviti to share insights on this week’s theme.
The healthcare system represents one of the most significant parts of the United States’ economy—one that is very personal to everyone who engages with it. Yet, the story of the healthcare system is also the story of healthcare data: its creation, sharing, and use to improve health for individuals and populations. Unfortunately, the rapid innovation in healthcare and data use has been matched by organizations looking to exploit that repository of information. Here are three rapidly emerging new healthcare data threats that will require ingenuity and focus in the immediate future and beyond.
1. The Shift from Data Theft to Data Manipulation
The Department of Health and Human Services Office of Inspector General, tasked with oversight for healthcare data breaches, has been busy. Data breaches increased 55% from 2019 to 2020 according to one report, impacting more than 26 million people last year alone.
Healthcare organizations have historically focused on the technical, logistical, and social engineering concerns required to keep intruders out of their health data. While preventing data theft has remained a significant concern, the next major data protection initiative will focus on data manipulation. Increasingly, bad actors may infiltrate organizations’ platforms with the intent of changing available data—and leaving changed data and records intact within the system. This can be a particularly nefarious form of data security risk—for example, it could lead to hospital records being changed so that patients receive incorrect treatments, or clinical trial results being changed and impacting drug approval decisions.
Cases of data manipulation have been increasing, with one recent example reported in January 2021 of hackers leaking manipulated COVID-19 vaccine data. But with this emerging threat has also come more strategies to combat. One approach to counter data manipulation attacks is with file integrity monitoring (FIM) solutions, which can issue alerts when data manipulation occurs and also determine what data in particular was manipulated. Organizations should also have procedures in place to identify “endpoints” or target areas, meaning they can recognize what data a hacker is targeting if they happen to get by the systems in place.
2. Few Privacy Protections for Healthcare Data Shared with Consumer Technology Apps
The Health Insurance Portability and Accountability Act (HIPAA) laid the foundation for protocols, penalties, and reporting related to healthcare data by ensuring that appropriate data use and data sharing agreements exist for entities needing to transfer health data. It is the primary safeguard for data housed within the traditional healthcare system—individual healthcare providers, hospitals and facilities, health plans, pharmacies, and related supporting organizations. But that framework for thinking about health data security was conceived before the widespread adoption of the internet. Its authors did not conceive of the volume of consumer-oriented healthcare apps that would exist two-and-a-half decades later.
The amount of data entrusted to consumer healthcare technology companies has grown exponentially. This information could include diet, exercise, menstrual cycles, mental health concerns, and biometric data, just to name a few. Yet, there is no meaningful security protection for this information: these companies are not subject to HIPAA and so the information they receive, use, transfer, and maintain is not protected by HIPAA. Several oversight organizations may have some responsibilities for certain types of infractions, but it is a patchwork at best.
For example, some states have passed laws such as California’s Consumer Protection Act to protect consumers, giving individuals more control over their information, while others have not. At the federal level, the Federal Trade Commission (FTC) has authority to guard against unfair and deceptive practices and may scrutinize companies for being misleading about how they use consumer data, but not directly for mishandling or reselling data. In short, we need a regulatory framework at the federal level that protects consumers’ data in the extended, consumer technology-enabled healthcare system, as it does in the traditional healthcare system.
3. No Standard for Public Health Data Sharing
The COVID-19 pandemic brought to light the degree of data silos and lack of interoperability that exist in American healthcare. Data is fragmented, oftentimes residing wherever it was created—that could be in a hospital’s electronic health record system, in a physician’s office, or countless other places. The data may be capturable by a retail pharmacy’s systems, or it might only be residing with the home health provider who entered the information into the system. Current legal and regulatory guardrails seek to protect data by locking it down, and only recently have they begun actively encouraging data sharing via the 21st Century Cures Act, which also lays the foundation to give patients control over their data.
Without detailed protocols for when and how information may be shared to improve public health, the healthcare system is forced to rely on ad hoc efforts. Those efforts, built in the midst of a crisis, may not provide the full breadth of data security protections. By continuing to build upon data sharing protocols to benefit public health, we may work towards centralized healthcare data that benefits the public good, even if we do not have a centralized healthcare system. Cloud-based solutions, especially those coupled with advanced AI, are already helping some healthcare organizations break down data silos and curate more unified data ecosystems to support public health initiatives.
A More Secure Digital Future
Data threats have long been present in healthcare, but the relatively recent digital shift is sparking a change in how the industry handles security and privacy concerns while also advancing innovation. While HIPAA has been a core guiding principle in managing patient data, healthcare leaders must ensure that the regulations, technology, and attitudes surrounding data privacy are evolving along with the patient data landscape and consumer expectations for data availability and protection. As more data is generated and made available across healthcare and third-party apps, the industry must remain vigilant about emerging security threats and uphold the delicate balance between protecting and democratizing health data.