There’s no question that the adoption of electronic health records has improved patient care and convenience. But at what cost? Millions of medical records have been exposed in cybersecurity events targeting healthcare providers and vendors in recent years, putting patients’ privacy and identities at risk.
Before patients can protect their medical data from theft and fraud, they need to educate themselves on the risks threatening their personal health information.
Why Medical Data Breaches Are a Major Problem
- The numbers behind medical data breaches are staggering: “89% of healthcare providers have suffered data breaches in the past two years [and] 41% of Americans have had their protected health information exposed in the last three years,” according to Leftronic. Read more.
- Speaking to Reuters, Chris Carmody, senior vice president infrastructure and services and president of ClinicalConnect Health Information Exchange at the University of Pittsburgh Medical Center in Pennsylvania, explains that “there’s financial data embedded in health data – your name, your address, your social security number … With that information someone could go out and get a credit card account. Or a criminal could go out and sell it on the dark web, the shady part of the internet where identities are sold and traded.” Read more.
What About HIPAA? Doesn’t That Protect You?
- “It may seem like HIPAA should protect Americans from having their confidential health information shared or stolen. Unfortunately, this is not the case. New methods of storing and sharing data have created gaps in the regulatory framework that those with malicious intent can exploit,” Jordan Harrod, writing for SITNBoston, explains. “As a result, more and more of our personal information, including health data, is being collected by Internet Service Providers and third party analytics companies to be sold to marketing agencies.” Read more.
- “You no longer have the ‘right of consent’ with the Amended HIPAA Privacy Rule, effective April 2003,” the American Patient Rights Association warns. “‘Covered entities’ are required to provide notice to individuals of the uses and disclosures of identifiable health information that may be made under the Amended HIPAA Privacy Rule as well as the rights of the individual and legal duties of covered entities. Section 164.520 (a). These notices are called Privacy Notices.” Read more.
What Can You Do to Protect Yourself?
- “A full 80 percent of 1,000 US consumers surveyed by Unisys are concerned that hackers could access their electronic health records (EHRs) at their healthcare provider,” according to Health IT Security. Read more.
- Fraud.org recommends that patients regularly “check in with your doctor(s) to ensure your medical records are accurate. Make sure the records contain your procedures, treatments, prescriptions, and other medical activities. If you notice inaccurate health details such as the wrong blood type, pre-existing conditions, or allergies, it may be a sign that an identity thief has accessed your records.” Read more.
- And CNBC explains that “it may not sound like a dangerous request, but allowing your doctor’s office to photocopy your driver’s license or credit card is not a smart move, and often isn’t even required to receive services. If you’re asked by the front desk to provide anything other than your insurance card, ask why it’s needed and how the office plans on protecting your information.” Read more.
What Are Medical Providers Doing to Protect You?
- Zog Inc: “Nearly three quarters of cyberattacks in healthcare resulted even though the business had passed HIPAA audits with flying colors … Because the majority of attacks on healthcare persist even when recommended HIPAA security measures are heeded, healthcare needs ways to evaluate what they should do to prevent cyberattacks and data breaches in addition to compliance.” Read more.
- Datica underscores the need for further security measures, stating that “HITRUST CSF Certification is a much more rigorous process, with a higher burden of proof put on the organization trying to achieve certification, than a HIPAA audit. Achieving HITRUST CSF Certification requires significantly more time, effort, and resources than a HIPAA audit. Being HITRUST CSF Certified should be seen as a more significant badge for security and compliance than completing a HIPAA audit.” Read more.
- Organizations working to improve cybersecurity shouldn’t try to do it on their own, Kidney News advises. “They need to have access to a real security professional, whether it is somebody that just consults with them or, if they are a large organization, somebody that works in-house.” Read more.
Cybersecurity in the healthcare industry remains a work in progress. Until HIPAA regulations are updated to reflect modern cybersecurity challenges, poor data security will likely persist as an issue in the healthcare sector. While there’s little that consumers can do to protect their data from cybercriminals, you should be proactive about reviewing your medical records so that if a breach does happen, you can take the right steps to protect yourself.