Tag: health data security

The Perils of Making Your Health Data Available Online


It’s easier than ever to put health data on the Internet. Fitness trackers, health apps and other connected devices can give people a lot of insight into their health. Unfortunately, that’s not the only way that their health data ends up getting used. Health insurance companies are particularly interested in getting their hands on all of the data they possibly can about people. They end up adjusting their risk pools based on the added insight, as well as looking at individual subscribers and choosing to increase their rates or possibly deny service entirely based on it.

Insurers are in the Business of Data

The entire business model of health insurance revolves around data. They use information to establish risk pools to determine which medical conditions and characteristics result in more claims or higher claims. Because of this, they try to gather as much information as possible about the population on a group and individual level.

Where Do Insurers Get Health Data

Insurers can get health data from multiple sources, some of which are freely offered up, and others that are purchased through third parties or gathered from publicly available online sources.

First-party Data

First-party data is the information that the health insurance company has access to and generates directly. They have information about the claims filed through their company, data from the partnering medical providers and other records. The sheer amount of information that an insurer handles on a daily basis is overwhelming to think about, and it’s only going to expand as more ways of generating health information become possible.

Voluntary Disclosure

Some health insurance companies offer incentives for people to provide additional information about themselves. This process could involve entering in activity levels, going to get an annual physical, and disclosing information on smoking, drinking and substance use. Since the subscriber is providing this information directly to the insurance company, it’s considered part of their first-party data.

Social Media

Social media profiles can show a lot of health information, even when a person doesn’t mean to. If they’re engaging in high-risk activities, such as extreme sports, or they go into detail about their health conditions and other issues, the insurer would be able to see this information if the profile isn’t locked down. Of course, given data privacy concerns from many social networks, even a private account could still be at risk of having that information sold or otherwise misused.

Shopping Records

Another unexpected source of health information is shopping records. If someone is buying cigarettes, cigars, or pipe tobacco online, it’s a strong indication that they have a smoking habit. The same goes for ordering alcohol. Medical devices that indicate pre-existing conditions could also show up on these records, which could become problematic when it comes to making insurance claims in the future.

Wearable Devices

Fitness trackers and other wearable devices are able to track sleep patterns, heart rates and other information about the person. They may also share their height, weight, diet and habit data with these services.

Third-party Databases

Many third-party companies have databases available with information that’s relevant to health information or that the insurance company can use to add more context to the data they already have. This data is not always sold with the consent of the user that it’s collected from.

Connected Medical Devices

More medical devices are able to connect to the Internet, which means that there are more opportunities for this health data to end up in the hands of people other than a doctor or another authorized party. CPAP machines are a commonly impacted device in this situation. Read more about that in this article.

What Health Insurance Companies Can Do With This Data

AI technology helps health insurance companies derive actionable insights from this information. In some cases, that can be beneficial to healthcare overall when it comes to predicting whether someone is at more risk for developing a certain type of medical condition and being able to recommend preventative healthcare in advance of that. Unfortunately, where it’s likely to come into play for health insurance companies is whether they will raise someone’s rates or deny them coverage based on the likelihood of developing expensive health conditions, even if they don’t currently have them, or declaring something a pre-existing condition.

What Happens If Health Data Is Stolen?

The healthcare industry is one of the most common targets for hackers, due to how valuable their data is. When the insurance company is pulling together all of this information without someone’s knowledge or consent, they are putting it at risk of being stolen if they’re ever subject to an attack that accesses their databases.

A few ways that a subscriber is affected in the event of stolen health data include:

How to Respond To Stolen Health Data

People have a few ways to respond that prevent further data from being stolen and protect them against the negative consequences of this situation. The first step is to get all current medical records and keep a close eye on them to see whether unexplained or unexpected claims show up. Do the same for credit reports in case the thieves also use this information for identity theft. Freeze the credit reports so the thieves are unable to open accounts in that name, as they could try to get a Care Credit account at a healthcare provider or a similar medical account.

Let the insurance company and medical providers involved know if anything unusual appears during this time frame. Stay on top of reporting this information.

It’s difficult to keep health data safe when health insurance providers are collecting it from so many sources. It’s impossible for the typical layperson to know how much of their information is out there and how it’s being used. However, they’re the ones bearing the most risk in the event of a data breach. Protecting online activities by using an encrypted virtual private network service, locking down social media accounts, and limiting the health information shared online are all good steps going forward.

Health IT’s Most Pressing Issues

Healthcare is not without its issues. Seemingly, for each source asked what the biggest problem the sector faces, there is a differing opinion on what’s most important. I’m often perplexed by the lack of cohesiveness shown toward the industry’s leading issues, too, and sometimes wonder how many of us could name the most pressing threats to the industry, as agreed upon by the community. There are clear problems – interoperability, lack of transparency, disparate systems working against each other — to name a few. So, in the following series, I’ve asked some insiders for their opinions on health IT’s greatest problems, and as you’ll see, the responses received vary greatly.

Scott Friedman, executive vice president, Sherpa Software

Healthcare IT struggles mightily with patient information that is not in the medical record system, but has leaked into other locations in the healthcare organization (cell phone emails, USB drives, employee desks, etc.). Healthcare organizations have moved Protected Health Information (PHI) into HIPAA-compliant electronic health record (EHR) systems; patients maintain electronic copies of their health information, which they give to their different providers as they move between appointments. This “patient distributed information” becomes PHI, with all its associated compliance and legal burdens for the health care organization.

There is liability associated with this, and information governance strategies available that reduce the associated risks. Patient distributed information is present on smartphones, tablets, laptops, and the like that are not sanctioned EHR (such as email, file directories, etc.). These devices are not part of the organization’s HIPAA-compliant system, and never can be. Most healthcare providers ignore the problem, which eventually leads to catastrophic security failures resulting in patient privacy breaches, and career-damaging incidents for the healthcare IT department.

To eliminate the problem, IT needs to look to integrate an information governance framework that can:

Acknowledge the increasing presence of patient distributed information on your digital systems, and have a plan for how to address it. Look to information governance to establish a strategy and program to address patient distributed information. With the proper policies, procedures, training, and systems in place your organization will be able to effectively handle and mitigate the risks.


Could Privacy and Security Concerns Cloud the Future for EHR and HIE?


By Stephen Cobb, senior researcher, ESET North America.

The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?

Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.

During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent, said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes, versus 50 percent No, a statistical tie.
