Healthcare, like other industry sectors, has become part of the new wave of digital transformation.…
Healthcare is arguably one of the most data-driven business there is, which is why healthcare data privacy is becoming a widely discussed topic. All in all, health data is vital in getting a diagnosis and in creating the conditions for optimal patient outcomes.
Many initiatives are springing up that work to use the data generated by patients to create healthier people. An example is tranSMART, which is an open-source project for exploration and analysis of clinical and genomics data.
Projects that use patient data also use technologies that generate data.
An example of this is the Internet of Things (IoT), which is increasingly used to create and connect up healthcare data. The Internet of Medical Things (IoMT) is expected to be worth $158 billion by 2022.
Related Post: Privacy & Data Protection Challenges in the IoT
Another example is telemedicine. Telemedicine provides long-distance use of health data to facilitate remote patient-physician care. As you can imagine, each step in the process is utilizing data. In fact, the whole is a complicated matrix of data within technological structures.
However, these frameworks, structures, and services underlying patient data are now under pressure. Data theft and fraud are rife. Health data has both intrinsic financial and personal value. Therefore, the question we must answer as a society and as a business is, how do we ensure we can use patient data for good whilst protecting it from privacy violations?
Health data is both valuable and highly sensitive to the individual. This makes for a privacy storm.
In fact, the value of health data was found to be around $250 per record in a recent TrustWave survey. And, according to an IBM study, a data breach in the healthcare sector within the U.S., costs, on average, $ 6.45 million, almost double the global average.
Once stolen, these records end up on darknet marketplaces for sale. The impact on the individual for health data that has been exposed can be damaging, causing emotional harm and increasing the risk of identity theft and fraud.
One of the stranger aspects of health data is the disconnect between health data and privacy. Health data is used to improve our lives and make us healthy. By the very nature of its use, health data and privacy can end up as being mutually exclusive. In the UK, for example, 4 in 5 patients don’t know how their data is used once collected. There may even be a feeling of lack of control by the very nature of using a nationalized health service; this, of course, should not detract from the right to data privacy.
In addition, the privacy of health data can be complicated by its collection and subsequent lifecycle of use. However, it is vital that we build structures that respect privacy, into our health data use.
Violations of data privacy and healthcare happen globally.
However, we can see just how lacking, care of health data is, by looking at the U.S. Department of Health and Human Services (HHS) “wall of shame”. In the U.S., under HIPAA rules, a breach must be made public if it affects more than 500 individuals. Using the HHS listings showing health data breaches, for the year January to November 2019, there were 294 breaches with over 37 million health data records exposed.
The Protenus Breach Barometer, which collates health data breaches, found that between 2017 and 2018, there was a tripling of breaches. Whilst health data remains valuable, it will remain a target.
Data protection regulations offer a set of best practices for organizations to follow. There are a number that cover the areas of data privacy and security and that draw heath data under their umbrella:
HIPAA is a U.S. based data security regulation. One of the strengths of HIPAA in terms of data is the clear definition of what constitutes health data or “Protected Health Information” (PHI).
HIPAA uses 18 PHI identifiers including names, zip code, medical record numbers, Social Security Number, etc. The full list can be found on the California Department of Health Care Services website. HIPAA also covers electronic PHI, ePHI. This includes medical scans and electronic health records.
HIPAA has a specific ‘Privacy Rule’ that became enforceable in 2003. This rule covers all organizations or “covered entities” which must comply with the regulation. The HIPAA Privacy Rule remit is to make sure that patient data stays under the control of the patient. To do this, the Privacy Rule has a set of patient rights on the use of data and limits the ways that patient data can be used. It also has strict breach notification requirements.
HITECH is a framework for securing electronic health records. It is complimentary with HIPAA and strengthens HIPAA’s privacy regulations.
HITECH has also widened the scope of HIPAA through the Omnibus Rule. This extends the privacy and security reach of HIPAA/HITECH to business associates.
The Australian Digital Health Agency runs the “My Health Record System” which is used to track citizens’ medical conditions, test results and so on. The OIAC sets out controls on how health information in a My Health Record can be collected, used, and disclosed.
PIPEDA applies to all personal health data. PIPEDA is stringent and although has many commonalities with HIPAA it goes beyond HIPAA requirements in several areas. One such area is in the protection of data generated by mobile health apps which is not strictly covered by HIPAA.
The GDPR includes health data as well as all other personal data that represents an EU citizen in an EU state. Some health data is covered under a more stringent set of expectations under GDPR, as they fall under the ‘sensitive data’ category.
In addition, GDPR has strict data consent and breach notification expectations. Fines are high, at 4% of total global revenue or 20 million euros, whichever is higher.
Healthcare data is not just about preventing data breaches. Instead, it is also about respecting the data that you collect and use.
In the UK, the report “Review of Data Security, Consent and Opt-Outs” several recommendations were made, focusing on three lifecycle areas to enhance privacy:
In addition, health data resides within a complex matrix of collection, use, analysis, and sharing. Each part of that data lifecycle placing it at risk. However, this highly sensitive information is a vital part of our healthcare plans. As such, stringent protection and recognition of its source — the patient — should be considered when designing and using healthcare systems and when using technologies that utilize patient data.
When it comes to health data privacy, it is critical to adopt a “Privacy by Design” approach as much as possible. Hitachi Systems Security offers a broad array of data privacy services to help your organization understand its various privacy obligations, get strategic recommendations on how to improve your privacy posture and protect your confidential patient or personal data.
Want to learn more about our data privacy services? Click down below or contact us today at [email protected].