Healthcare providers — not hackers — leak more of your data


More than half of personal health information leaks happened because of internal issues with medical providers. (Image: PxHere)

Your personal identity may be at the mercy of sophisticated hackers on many websites, but when it comes to health data breaches, hospitals, doctors’ offices and even insurance companies are often the culprits.

New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers – not because of hackers or external parties.

“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence,” said John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business.

The research, published in JAMA Internal Medicine, follows a joint 2017 study that showed the magnitude of hospital data breaches in the United States. That study revealed nearly 1,800 large breaches of patient information over seven years, with 33 hospitals experiencing more than one substantial breach.

For this paper, Jiang and co-author Ge Bai, associate professor at the Johns Hopkins Carey Business School, dug deeper to identify the triggers of PHI data breaches. They reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients.

“Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause,” Jiang, the Plante Moran Faculty Fellow, said. “These causes fell into six categories: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or ‘other.’”

After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53 percent were the result of internal factors in healthcare entities.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” Jiang said. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

While some of the errors seem to be common sense, Jiang said that the big mistakes can lead to even bigger accidents and that seemingly innocuous errors can compromise patients’ personal data.

“Hospitals, doctors’ offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk,” Jiang said.

Of the external breaches, theft accounted for 33 percent, with hacking credited for just 12 percent.

While some data breaches might have minor consequences, such as exposing patients’ phone numbers, others can have far more invasive effects. For example, when Anthem, Inc. suffered a data breach in 2015, 37.5 million records were compromised. Many of the victims were not notified immediately, so they weren’t aware of the situation until they went to file their taxes, only to discover that a third party had already filed fraudulent returns using the data obtained from Anthem.

While tight software and hardware security can protect against theft and hackers, Jiang and Bai suggest that health care providers adopt internal policies and procedures that tighten processes and prevent internal parties from leaking PHI by following a set of simple protocols. Procedures to mitigate storage-related PHI breaches include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for protected patient information and implementing encryption. Procedures related to PHI communication include mandatory verification of mailing recipients, following a “copy vs. blind copy” protocol (bcc vs cc) and encryption of content.

“Not putting on the whole armor opened health care entities to the enemy’s attacks,” Bai said. “The good news is that the armor is not hard to put on if simple protocols are followed.”

Next, Jiang and Bai plan to look even more closely at the kind of data that is hacked from external sources to learn what exactly digital thieves hope to steal from patient data.


Are you happy for your health data to be shared? Find out how new data protection legislation might affect you

As concerns grow about how our information is being used, especially with the rise of interactive technology such as social media and apps which require the input of personal data, new rules and regulations are being put in place to keep users safe.

Healthcare and technology

• The rise of health apps and wearable tech related to fitness and wellness, and the use of the personal data input into them, will see the EU introduce a law in 2018 which governs how organisations in Europe manage this sensitive data
• The definition of what constitutes health data currently encapsulates the type of information collected by wearables such as Fitbit, Apple Watch and health apps, potentially forcing it to be treated in the same strict manner reserved for medical records
• But there are calls for the EU to rethink the law, with new research showing the majority of us would be happy for health data to be shared if it could be used by health professionals to recommend medication or by apps to alert us if our health is at risk
• Opponents of the law say that at a time when the NHS is predicted to be staring at an annual deficit of £2bn, data-based healthcare could drive huge cost savings and also improve quality of life


Osborne Clarke, a respected technology and life sciences law firm, is calling on EU regulators to rethink the impact of the forthcoming European General Data Protection Regulation on health data generated by wearable devices and apps. As it stands, the EU’s position will stifle innovation and cost national health providers tens of billions of euros.

The call comes after the firm’s new study found that a growing majority of people are happy for data such as heart rate, body temperature and sleep patterns to be used in medication recommendations and virtual consultations.

Set to come into law in 2018, the Regulation governs how organisations in Europe manage sensitive data. The definition of what constitutes health data currently encapsulates the type of information collected by wearables such as Fitbit, Apple Watch and health apps, potentially forcing it to be treated in the same strict manner reserved for medical records.

Osborne Clarke today calls for greater clarity after its new research surveyed more than 4,000 people across Europe on their views on the topic. It found that 55% of people would be happy for things such as heart rate, sleep patterns, exercise regimes and other information about their bodies to be used to recommend medication. In addition, 62% said they would like to be actively alerted if the data predicted a serious health issue.

The study also showed that younger generations are particularly open to the idea of data-based healthcare. When questioned, 68% of 18- to 24-year-olds said they would be happy to be alerted to health issues, and 62% were also happy to be recommended medication by their wearable or health app.

The research also found that nearly 40% of people would prefer a virtual consultation based on such data instead of having to attend a GP surgery. This rises sharply again among younger generations, with over half preferring to see their doctor over the Internet.

At a time when the government is looking to find a £10bn budget surplus over the next 5 years, the NHS is predicted to be staring at an annual deficit of £2bn. This research shows that people are open to the idea of data-based healthcare, which could drive such cost savings while also improving quality of life.

Smart use of health data is far more than just mapping heart rates and running distances; it can save lives if it is allowed to be used correctly. Unfortunately, the forthcoming legislation has the potential to nullify the promise of such technology by being overly restrictive.

Patient Talk interviewed Jon Fell and Dan Sung to find out more.

Patient Talk – So the first question I have here is: what are the legal requirements for medical database collection at present?

Jon Fell – I think that’s a very interesting question, because you have to look at the type of data that’s involved. At the moment all of your health data is sensitive personal data, and the requirement is that you have to get informed consent from each individual to collect that data and use that data. Now, in many respects that doesn’t change with the new data protection legislation that’s coming into force in 2018; the big difference is that it will apply to all data rather than just sensitive personal data. So there is an issue with the data collected by your fitness trackers, because is that medical data, or is that biometric data, or is that just sort of personal data regarding the number of steps you have taken and everything else? But the rules now will be changed so you have to get explicit informed consent from the individual before you can collect that data and use that data.

Patient Talk – OK, and how does the Safe Harbor process impact upon data held in the U.S.?

Jon Fell – I think the whole point with Safe Harbor is that there has been a recent decision in the EU where the Safe Harbor system is no longer to be relied upon, so we are in a state of flux on how that’s going to work. What we do have with the EU is a number of ways in which data can be transferred outside of the EEA. One of those rules is that you have to have a country which has a finding that it has an adequate state of privacy, that safeguards privacy within that country; now that doesn’t apply to the U.S., so the way you would have to deal with it in the U.S. is something that is known as the ‘model clauses’. So it’s not impossible to transfer data to the U.S., but you have to go through certain hoops and steps to deal with that. But the whole position, which was the case that determined Safe Harbor doesn’t work, was a big, big issue for the industry as a whole, and I think it’s something that we just have to watch and see how it’s going to sort itself out.

Patient Talk – OK, and what questions should patients be asking their GPs?

Jon Fell – So what we need to understand is what data, and how it is going to be used. If you go into a clinical trial they get you to sign all sorts of forms that say ‘this is the data we are going to collect, and this is how we are going to use it with other researchers for whom that information is useful to their research, and here’s how it’s going to be anonymised’. Then you need to understand what the data is going to be used for. You shouldn’t be frightened by that, because a lot of this data is actually going to make the whole of healthcare, and the way in which you are treated, much more efficient and much better for you. So it’s a question of being sensible about what is going to be collected, why it is going to be collected and who’s going to have access to it.

Patient Talk – And what access do people have to their own medical records, and can they challenge any inaccuracies?

Dan Sung – Well, as far as I’m aware people can have access to their medical records, but then often they are not encouraged to by their GPs. There’s something of an information asymmetry when you go to a GP, whereby they have your medical information on their screen facing them and you’re sort of kept at a distance from that. But hopefully that will be changing soon; there are a lot of virtual doctor services which will encourage you to take hold of your medical information and use it as you need.

Jon Fell – There are stories out there and real-life examples of people accessing their medical records and finding flaws within the information that’s stored, and it actually can be very difficult to get that changed. There is the argument that it’s not for you to determine whether it is incorrect or not, but when I was listening to the radio they were talking about this lady who had on her record that she had broken a leg, but that was 3 years before she was even born, so it is likely wrong; but in actual fact they couldn’t change those records and refused to do so. Now that’s something that I think has to be addressed, but it’s a difficult one, because you can’t just change a record to say ‘I had a problem with X Y Z in the past’. You need to be able to have that on there for your own treatment in the future and for people to understand the true history of your records.

Patient Talk – OK, and what can you tell us about the new EU data protection legislation, and what does it actually mean?

Jon Fell – So the European regulation, which is the General Data Protection Regulation, should all be finalised by the end of this year and come into force by 2018. It is different to anything that we have at the moment, because as a regulation it has direct effect, and what we mean by that is that you don’t have to have any local law putting in place a data protection regime; it will all come from this regulation. The big changes from the point of view of uses of wearable technology, and for health and everything else, are that the level of consent for data protection has gone up, so it has to be consent from an individual which is freely given, it has to be specific, it has to be informed and it has to be explicit. So you can no longer rely on the fact that people have been provided information and continue to use the service, continue to use the device, for that to be implied consent. The other thing that I find really interesting about it is that they have addressed some of the issues of the modern day in relation to the portability of data, in particular your ability to move your data from one provider to another, which I think, in the context of wearables, is actually quite a big step forward.

Patient Talk – OK, and how will this affect different countries such as Germany, Spain and Poland in particular?

Jon Fell – Well, that’s the whole point of the regulation: to have harmonisation in all of the countries. Because it is a regulation, and because it applies directly to all EU members in exactly the same way, there should be exactly the same rules in every country. At the moment the one thing we don’t have is harmonisation, as there are lots of different rules in every single jurisdiction.

Patient Talk – OK, so what rights do we have now, and how can they be improved?

Jon Fell – We have a number of rights, which are to understand and be told what data is going to be collected and how it is going to be used; we also have a right to inspect that data and to look at what data is going to be collected and how it’s been processed. Now none of that really changes. The big difference is that the obligation is being tightened on the person who collects that data to get proper consent at the very beginning and to give you the right information at the right time, and that’s where the difficulty lies, particularly with wearable devices: how do you get detailed information about someone at the point at which they are just about to use the device?