What do you think is the most valuable asset of every patient in the world?
The thinking behind this question is shown in the implementation of digital health functions and solutions in the company and its products. The most valuable asset for a patient is his/her personal health data. This topic becomes more and more important with the rise of digital health solutions in our daily personal and business life.
Laws and Regulations
In many countries there are laws and regulations issued in order to provide data privacy for digital health and to prevent health records being misused and stolen. In the USA, the Health Insurance Portability and Accountability Act (HIPAA) provides guidelines for digital data usage, whilst in Europe the EU Data Protection Directive states all policies and procedures protecting personal data including the electronic health data.
HIPAA, for example, limits disclosure of patient data and mandates secure storage and transmission of electronic records collected by health care providers (physicians, researchers and pharmacists) and their business associates that provide treatment, payment or healthcare operations. Anybody who violates HIPAA faces civil and criminal penalties. All data breaches which affect more than 500 patients are published on a publicly accessible website, which can result in loss of reputation and income for the company where the data breach occurred. Nowadays increasing quantities of medical and health data are being created outside HIPAA protection, primarily by patients. In fact, most medical and health information is controlled by third-party data brokers and internet companies. These companies have the ability and interest to combine this data with a wide range of consumers’ personal information such as data from daily activities, transactions, movements, and demographics.
Protection of Patient Health Record Data
As mentioned before, a patient’s health records and data are their most valuable asset. One must be aware that with the rise of digital health data and connected data sets of patients’ lives, including electronic health records, this data becomes enticing to third parties who want to abuse it. In fact, medical identity theft is already a multi-billion problem in the United States alone, and can be life-threatening, according to an ESET security researcher. A comprehensive identity-theft kit containing a health insurance record can be worth as much as $1,000 on the black market, and even partial health insurance credentials can fetch $20.
Let us now look at how health record theft works and why it is so life-threatening. The theft of health records and information is carried out via social engineering, classical hacking (malware) or classical theft of laptops and smartphones. The stolen data is sold on specific dark net websites filled with confidential data sets. This could be life-threatening, since people with dubious intentions can then own a data set of health records. They can use these data sets to put undesirable persons to death by using specific health information. In another case, an affected patient might resort to suicide because confidential therapy notes were leaked: the leak puts the patient under social pressure, and he or she decides to take his or her own life. Suffice it to say that no company wants to be connected with a big data breach like the Sony Hack or to face civil lawsuits from patients’ families.
One has to do the following to protect patient data:
- Train your staff how to deal with and process personal sensitive information.
- Encrypt your mobile access, the data transfer and storage systems.
- Do not make the same mistakes that other industries and companies made before (learn from their faults).
- Have a good user access and identity management system in place.
- If you want to still be in business, mitigate and minimize the risk of patient data breaches as much as possible.
- Only process health-related patient information if it is required to fulfill the related task or activity.
Challenges for the Future
Privacy experts argue that the health industry has been slow to respond to data privacy incidents by adopting the encryption techniques and other common standards used for years by other industry sectors.
As more parties of the healthcare system go digital with medical records and information, the size and frequency of data breaches are alarming! Although healthcare providers face serious penalties if they allow patients’ electronic records to be breached, thieves ceaselessly keep trying, as health records contain too much valuable and expensive information.
In the EU there is an upcoming general regulation for data protection which guarantees more legal certainty in place of differing data privacy rules in the individual EU countries. This regulation is based on the principle of “Privacy by Design”. This means that developers design their digital health solution so that it collects only the data required to perform its intended use. Which digital health solutions will be possible once this regulation becomes effective remains to be seen.
Conclusion and Outlook
It is worth remembering that one can only mitigate the data privacy risk for digital health solutions. If a digital health solution is developed, marketed and used, a (personal) risk management process must be set up to analyze the risks posed to any data which is processed by the digital health solution, e.g. cloud-based electronic health records or wearable computing devices.
It is also worth keeping in mind the protection of data privacy of patients and consumers. Their health records are their most valuable asset, which needs the best protection from misuse and theft that you can guarantee with acceptable costs.
KVALITO have solutions in their portfolio to help you to deal with the data privacy issue in the age of digital health. Our consultants can help you to turn data privacy for digital health solutions and products from a tedious compliance requirement into a unique value proposition for your company and business.
Author: Florian Schnettelker and Daniel Attard