Think US health data is automatically kept private? Think again.
Health care systems do their best to safeguard against breaches. But all of us could be doing more to protect our confidential health data. That starts with understanding when this data is most at risk.
When a patient called to ask if she could email me a CT report and imaging, I wanted to help. But I heard the loud whirring of a smoothie or espresso machine and figured she was at a public café. She confirmed that she was calling from a coffee shop.
I asked her to use our hospital portal from home to protect her privacy. She said she wasn’t sure she remembered her login details and didn’t want to wait. She also didn’t understand why her records wouldn’t be protected under the Health Insurance Portability and Accountability Act of 1996.
“I’m not surprised,” says Nichole Sweeney, general counsel and chief privacy officer for Chesapeake Regional Information System for Patients, a nonprofit health information exchange for several US states.
“The public may not realize that consumer-generated data is not protected. What she does with her own information is not secure. The federal government doesn’t regulate the health data itself. It’s the actual facility, medical office, or hospital—under HIPAA, a covered entity under that designation.”
Many of us also have devices at home that collect and store personal data about our health. I asked Sweeney if that data is covered if my doctor asked me to use the device.
She explains, “If I get my blood pressure taken at a clinic or any medical office, that is covered, and your personal data is protected. But if you take readings at home, this is not HIPAA. It’s not regulated. Those new wearable trackers? Those are not covered either. You’re on your own.”
So what else is not regulated? People. Any person using their own data is not covered under HIPAA.
Matt Fisher worked as a health care corporate and regulatory attorney. He is now general counsel for Carium, a virtual care platform. He believes people need more education about HIPAA and its limitations.
“It works effectively for what it was designed to do within the traditional health care industry. The issue is the assumption that it protects all information regardless of setting,” he says. “The fact is, as an individual who holds their own information, HIPAA does not apply at all.”
Beyond hospitals and private medical offices, who is actually covered? Subcontractors. These include third-party associates, health plans, insurance companies, and individual physician providers. Labs, clinics, and any other medical offices that bill for their services are also expected to be HIPAA-compliant. Notably, this does not include social media businesses.
Even doctors, notoriously busy and working long hours, don’t always have the luxury of using patient portals to communicate effectively. They’re more likely to text or email colleagues with potentially sensitive information, all on personal devices that may or may not be locked down. But their goal is fast and efficient patient care, not necessarily data security.
Zubin Damania, who is a doctor and goes by ZDoggMD on social media, uses satire on his YouTube channel to educate viewers and poke fun at the health care system. His more than 488,000 YouTube subscribers no doubt include health care employees, but you don’t have to be one to appreciate parodies like “EHR State of Mind” (EHR is short for electronic health records), which is set to Alicia Keys’ hit “Empire State of Mind,” or “Readmission,” a play on R. Kelly’s “Ignition.” Damania hopes to inspire change in the health care tech sector so, as he puts it, “doctors can just be doctors.” Another target of his satire? Massive health data portals like Epic. He and other physicians believe the design of these systems can actually hinder security if medical personnel find it more restrictive than care-focused.
“Epic and others like it were not designed for use by clinicians on the front line trying to help patients,” he says. “These systems are giant billing platforms. It’s varying fields of data to be walled off.”
Sadly, Epic and others like it are all we have when it comes to storing patient data safely, and despite their flaws, these portals are still the safest available option for doctors and patients. Health care facilities are strictly regulated to receive federal government funding, and they must pass safety certifications, including security protections for patient data. They also seek to maintain industry recognition in order to stay credible and competitive. Want to make a hospital exec nervous? Tell them the Joint Commission is coming by for a visit. They need those gold star approval ratings.
Some patients are under the misconception that these systems are not really that secure. But in the past few years, data breaches have been rare (though they do happen). Hackers frequently target hospitals and health care systems for ransomware attacks, but it doesn’t pay for hackers to demand money when robust backups exist. While the industry has made some progress, the problem of individuals taking personal risks continues.
A former Department of Homeland Security adviser and a doctor, Chris Pierson is CEO of BlackCloak, a company that specializes in personal digital protection from financial fraud, cybercrime, reputational damage, and identity theft. He believes vigilance is key for doctors and patients alike.
Protect Your Entire Family
“I don’t think people realize that once someone is able to get just one piece of information, that can lead to opening others’ private data,” Pierson says. “It’s no longer the original individual on their computer, but additional family members’ identity that can be compromised.”
He explains that even if one organization keeps your data safe, another associated one may not, and that’s where criminals will strike.
“It’s not just medical offices. It’s your pharmacy, labs, insurance company, anyone who keeps personal information. That has real value, and selling it is the priority.”
Victims of identity theft can be revictimized when personal information gets into multiple hands. A street address and verified phone number can go far, especially if the phone contains many contacts, who then become vulnerable to attack themselves.
“If you get Mom’s info, you can get the child’s as well. An ID card, social security, all of it, and then they have the ability to collect false medical claims or just extortion. It’s a two for one.”
Two-Factor Authentication Is Worth the Effort
Pierson mentions how critically important it is to use a multistep authentication system. Your level of protection goes up considerably just by using secure passwords and one-time authentication codes.
Thankfully, setting all this up is easier than it sounds. Apps on your phone or tablet can help. Google Authenticator, when paired with a service that supports authenticator apps, provides a six-digit number that changes every few seconds and can keep people out of your data even if they have your username and password. Other companies ask users to enter an SMS code as the second authentication factor, in addition to a password, although SMS codes are less secure than authenticator apps. Either approach is better than none—unless a hacker is in physical possession of your phone, they are not getting access.
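To make concrete what an authenticator app is doing when it shows that six-digit number, here is an added example (not code from the article or from any of the companies it mentions) implementing the standard time-based one-time password algorithm, TOTP from RFC 6238, on top of HOTP from RFC 4226. The phone and the service share one secret at enrollment; each side then derives the code from that secret and the current 30-second time slot, so a code is useless to anyone who does not hold the secret, and it expires on its own. The verification function shows the server side: it accepts one slot of clock drift either way and compares codes in constant time. The secret used in the test is the published RFC test-vector key, not a real account secret; the demo secret in the block is constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret for illustration only. In practice the service
# generates this at enrollment and hands it to the phone via a QR code.
DEMO_SECRET_BASE32 = "JBSWY3DPEHPK3PXP"

# Base32 encoding of the ASCII key "12345678901234567890" used as the
# test-vector secret in RFC 4226 and RFC 6238.
RFC_TEST_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_base32: str) -> bytes:
    """Decode the shared secret, restoring any '=' padding QR codes usually omit."""
    padded = secret_base32.upper() + "=" * (-len(secret_base32) % 8)
    return base64.b32decode(padded)


def hotp(secret_base32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced modulo 10^digits."""
    key = _decode_secret(secret_base32)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks a window
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_base32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time slot.
    Both the phone and the service compute this independently from the shared secret."""
    return hotp(secret_base32, unix_time // step, digits)


def verify_totp(secret_base32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Tolerates `window` slots of clock skew either side,
    and uses a constant-time comparison so response timing does not reveal
    how many digits of a guess were correct."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_base32, counter + delta, len(submitted)), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_BASE32, now)
    print(f"current code: {code}, valid for {30 - now % 30} more seconds")
    print("server accepts it:", verify_totp(DEMO_SECRET_BASE32, code, now))
```

Two things the code makes visible: a stolen code is only good for the current slot (plus whatever skew window the service allows), and the whole scheme rests on keeping the enrollment secret off any device other than the phone, which is why a leaked QR-code screenshot is as bad as a leaked password.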
Social Media and Tracking
Social media is becoming a popular way for health care providers and entrepreneurs to connect with the public—and often to sell them treatments or advice. These Instagram or TikTok accounts may offer tips from someone in the medical industry, which can appeal to those facing rising health care costs and difficulties accessing care. But an internet doctor’s background or popularity does not ensure that they observe strong privacy guidelines or secure their transactions.
My Instagram is flooded with offers promising everything from better sleep to improved sexual health. It’s nice to have options, but that help and any information you receive from those accounts or send to them isn’t covered under HIPAA. Any time you pay out of your own pocket for health-related items or services, or on a direct-to-consumer health app, there is no recourse if someone steals your personal information or shares it.
Along with social media and direct-to-consumer health options comes large-scale data tracking. Outside of official medical practices, you should view surveillance as an expectation, rather than an exception.
When you sign up for any service, whether through a new doctor’s patient portal or an online supplement shop, ask how your data is stored and where it goes. Read the privacy policies and settings, even briefly, to find out what options you have to restrict the sale or reuse of your data. Check the default settings to make sure you’re not giving away too much information. Find out if the service or platform offers two-factor authentication and set that up if it’s available. Know that it’s rare for anyone to need your social security number, no matter what a customer service agent says. A birth date and address are usually enough.
Pierson and others agree that we all need to consider security from several angles and do our best to protect ourselves and our loved ones. “The sophistication of identity attacks will always evolve and change. Remember, they only have to get it right once, but we have to guess right all of the time.”