I have wasted another day on a familiar ritual. As a result of a security breach at a nearby retailer, I’ve had to replace my credit card and now must update the myriad of businesses that keep my information on file. Sifting through my monthly statement, I’m struck by just how many places that is: toll tags and parking apps, grocery and produce delivery, wireless carrier, video streaming service, airline and hotel accounts, my kids’ after school programs and countless online retailers. While the sheer number is alarming, what is more concerning is the picture this data paints about me and my family: it reflects where we go, what we do, what we eat, what we watch and what we buy. My credit card data isn’t just about my finances; the data detail nearly every important aspect of my life—including my health.
Maintaining privacy in health care used to be relatively straightforward. As a physician, I was bound by doctor-patient confidentiality. This gave my patients the confidence that they could share with me intensely personal information. And security used to focus on limiting access to paper charts. Breaches typically involved only a handful of individuals.
Now, in an era of electronic health records (EHR) and clinical data warehouses, consumers’ confidence in the security of their data continues to be shaken. From lapses in protocols to sophisticated cyber attacks, the public is confronted by exposure on a massive scale. The value of health care data on the black market is even beginning to outpace financial data, as scammers and hackers can use information about individuals’ physical characteristics to steal identities. The information that comes with a person’s medical identity is also more difficult to move back into the private realm once it leaks out into the public.
Some of this news could not come at a worse time. The future of health care depends on the secure flow of information. Nearly every major delivery reform, from value-based care and population health to personalized medicine and use of real-world evidence, relies on data and the willingness of those who have it to share it. The ability to better serve individuals depends on our ability to view their data in aggregate.
Compounding the problem is the awareness that our overall privacy – not just health privacy – is slowly eroding. A casual glance at the online ads served up to you reveals how quickly your consumer data gets shared, but technology has taken us well beyond that. Last year, while I was participating in a conference on privacy in Abu Dhabi, one of the speakers asked, “Who knows you’re here?” The list grew rapidly: my office, the airline, customs and immigration, the hotel, the taxi company, the coffee shop, my cell phone carrier, the conference center and the owners of the literally thousands of security cameras I’d passed during my trip. Adding notes to family and friends along with followers on social media, it was clear that the record of my trip had been broadly dispersed.
As we sit on the cusp of the era of “big data” in health care, there are several important things to consider:
- Health data concerns are different. While the loss of financial information can be distressing, the impact can usually be mitigated and consumer liability is often limited. By contrast, disclosure of certain medical information can be devastating with far-reaching consequences. In addition, breaches and misuse can introduce inaccuracies into a medical record, potentially impacting patient safety.
- Privacy preferences fall along a continuum and vary within individuals depending on the topic. While many consumers may freely share certain health information for clinical research, on social media and with disease-specific websites, they fiercely protect other data about themselves. As we strive to gather more data to advance health care, the tension between the need for individual privacy and knowledge for the greater good is only going to increase.
- The industry has a communication challenge. Do your own survey and ask some friends, “What are the risks of having your medical information stored electronically?” Once they have talked your ear off about identity theft, discrimination and even extortion, ask them, “What are the benefits?” Having done this many times myself, I’ve found that few have a compelling answer. While we have invested heavily in EHRs and health information exchange, we have done little to educate the public whose data may be at risk.
These are extraordinarily complex and highly personal issues that sit at the intersection of science, law, ethics and technology. Solving them may begin with establishing a firm foundation that addresses the pervasiveness of cyber risk and ensuring an organization’s strategy is secure, vigilant and resilient. This strategy might include:
- Performing a risk review of the full health information supply chain of an organization
- Articulating the organizational vision for security and privacy
- Capturing policies and processes in an organization-wide plan that also includes business associates
- Investing in and implementing a security and privacy program that includes continuous monitoring and updating
Change happens at the speed of trust. The need to transform health care is clear and the goals set are ambitious. However, progress will depend upon a public that is informed and confident that the industry will be a trustworthy steward of their data.