Few can deny that digital technology has streamlined connectivity in all aspects of life, and considering the equally rapid improvements in efficiency and utility that continue to transform the tools we use to monitor and manage our health, it seems increasingly futile to argue that the sum effect of technology on our quality of life amounts to anything other than a net positive.
But for all the advantages afforded by digital health products, it is evident that many forms of digital technology can, at times, appear notoriously unreliable. Glitches, malfunctions, and other inconsistencies in device functionality can pose a problem, especially for potentially millions of patients who stake their well-being on digital medicine. Thankfully, many instances of spotty technical performance can be alleviated simply by practicing proper device maintenance techniques and ensuring software is up-to-date.
Perhaps the most serious threat to digital health’s reliability, however, jeopardizes not only patients’ hardware’s stability, but the integrity of electronic health records and other personal information collected by medical apps. When a medical database is compromised via cyberattack or data breach, every digitally chronicled fragment of a patient’s identity is left vulnerable to theft; from medical histories to social security numbers and financial info: potentially nothing stored in a breached archive is secure.
Over 113 million US healthcare records were leaked throughout 2015 alone. Although the majority of data breaches result from accidental disclosures and human error, a projection by consulting firm Accenture predicts that from 2015-2019, medical identity theft will cost 4 million patients a total of around $56 billion in out-of-pocket expenses.
Some cyber criminals looking to make a quick profit target not only individual patients, but entire hospital operations. For hackers and data pirates, ransomware (a form of malware that infects computers by restricting access to core systems until its user surrenders a virtual payment as ransom) is increasingly a weapon of choice. In 2016, ransomware hacks encompassed 72% of all healthcare-related cyberattacks. Just this year, ransomware cryptoworms such as the WannaCry virus managed to self propagate into hundreds of thousands of computer systems, holding medical facilities hostage, and even prompting several hospitals to postpone surgeries and transfer patients.
While security is certainly concern for all forms of digital technology, the continuing spate of widespread cyberattacks on digital health systems can put vulnerable patients at risk, many of whom entrust digital healthcare companies with personal information in pursuit of medical aid. Just as digital health manufacturers and care providers hold the burden of responsibility for patients’ health, so too are they responsible for preserving the integrity of the records they collect. But with so many security threats looming out of sight, how exactly can digital health manufacturers and distributors optimize security practices to safeguard patients’ sensitive information? And is there anything patients can do to protect themselves?
Fortunately for digital health consumers, there is a standard for patient data protection laid out by the US Department of Health and Human Services, which should be followed by all digital health manufacturers whose products relay data to “covered entities”: organizations who provide healthcare treatment, payment, or conduct related operations. The Health Insurance Portability and Accountability Act (HIPAA) describes a number of regulations regarding digital health companies’ treatment of patient information. HIPAA’s Security Rule requires companies to institute access controls such as PIN numbers and passwords, encrypt sensitive information and provide decryption keys only to authorized individuals, and maintain an audit trail which tracks who accesses medical information and when it was accessed, as well as any changes or updates to a record.
HIPAA’s Privacy Rule also guarantees patients a number of rights concerning their health information, including the right to obtain a copy of their medical record, to request corrections to errors on the record, and to be notified regarding how information is used and shared. If a patient believes that any of these rights have been violated, or that a digital health company has not complied with HIPAA security obligations, they can file a complaint.
While security risks are a concern, digital health interests can mitigate data breaches through compliance with federal guidelines such as HIPAA, which mandate a timely risk analysis and effective response to any identified current or future security risks. Patients can protect themselves by monitoring how their records are accessed and protected by healthcare companies, and reporting any lapse in fulfilling security responsibilities.
This post is the first of a two-part series. Check out part two, in which I examine how users of digital health tools that fall outside HIPAA regulations can protect themselves, as well as what digital health providers and manufacturers can do to ensure their products remain secure.