Could Your Hospital Data Be Breached?

It could be malicious hacking in search of sensitive health information. It could be careless handling of a laptop containing data from a doctor’s office. It could be a hospital insider or savvy outsider using patient information to fraudulently obtain medical care or prescription drugs.

In March alone, more than 1.5 million patient records were affected in 39 separate breach incidents, according to the Protenus Breach Barometer, a monthly report of data breaches affecting the health care industry. Unfortunately, data breaches are on the rise, and patients have limited power to protect their right to privacy.

Even so, the situation, although unsettling, isn’t hopeless. Hospitals and other health care organizations are paying more attention to cybersecurity, experts say. As a patient, you’re never immune to data breaches, but by carefully monitoring your medical bills and insurance records, you might help uncover a breach and limit the damage.


Major teaching hospitals were more likely to report data breaches in a recently published study looking at episodes from mid-2009 through 2016. Researchers analyzed nearly 1,800 such reports for their findings, which appeared online in JAMA Internal Medicine in April.

The size and nature of these facilities make them vulnerable targets for data leaks, says Ge Bai, the lead study author and an assistant professor of accounting at Johns Hopkins Carey Business School, in Baltimore. “Teaching hospitals have to do research and education, so they must share data broadly,” she says. Information is shared not only within the organization, but with researchers at other university hospitals as well, she explains, inevitably raising the risk of data breaches.

Axel Wirth, a health care solutions architect at Symantec, based in Mountain View, California, encounters a wide scope of data breaches in his work, with both malice and carelessness involved. “You see insiders and people who have access to patient data — admission clerks, the reception desk and clinical staff [who] misuse patient data,” he says. There’s overt negligence, he says, such as lost or stolen laptops or misplaced data sticks, possibly taken home from work on a Friday evening and ending up lost at the dry cleaners.

Data breach sources go “all the way to what we believe are nation- or state-sponsored attacks on health care systems, health insurers and so forth,” Wirth says. “So there’s really no one size fits all. It’s a very broad range — anything’s possible.”

Wirth points to a recent incident of a hospital threatened with blackmail. “Basically, the hospital received a message that a significant number of patient records were stolen and that the hospital was supposed to pay a ransom,” he says. “Otherwise, the records would be released to the public.” To demonstrate they really had something, he says, the perpetrators released a few records on the so-called dark web.

“There are obviously very sinister scenarios that involve criminal activity,” Wirth says. “But the more common scenarios are still around identity theft. Because your medical information held by the hospital is very complete.” Financial and insurance information, vital statistics such as height and weight, and next-of-kin details make hospital documents highly valuable for purposes of identity theft.


There’s not that much individual patients can do to prevent medical-data hacking, says Dr. David Blumenthal, president of The Commonwealth Fund, a private foundation with the goal of improving U.S. health care policy and practice. However, they can voice concerns to their elected officials, he says, urging them to support better cybersecurity regulation of health care organizations.

Data hygiene — protecting all patient data and educating personnel on how to do so — is something hospitals can directly address, Blumenthal says. Encrypting all patient data and other information in electronic systems is a key component of good data hygiene. Requiring staff members to use two-factor authentication to log on to hospital information systems is another data-hygiene best practice.

Unfortunately, Blumenthal says, most hospitals don’t take these steps. Hospital personnel may push back in busy work settings where time is of the essence. As a longtime practicing physician at Massachusetts General Hospital, Blumenthal recognizes that repeatedly requiring extra data safeguards and log-in authentication can be time-consuming and annoying for staff. But, he says, it’s necessary.

The scope and frequency of hospital data breaches make it clear that cybersecurity measures can’t be ignored. A May 2016 report from the Ponemon Institute — which tracks privacy and security trends of patient data and health care organizations — provides more perspective. Ransomware, malware and denial-of-service attacks were the top cybersecurity threats in 2016.

Thirty-eight percent of health care organizations were aware of medical identity thefts affecting their patients, according to the report. Most organizations did not offer protection services like credit monitoring for breach victims, nor did they have a process in place for correcting resulting errors in medical records. An interesting finding was that 31 percent of breaches were revealed by a patient’s complaint.

Cybersecurity awareness is increasing among health care organizations, Wirth says. “Especially since 2016, we’ve seen this significant uptick in ransomware attacks on hospitals. That was a wake-up call.” While health care has yet to catch up with other industries, he says, technologies have come a long way toward providing additional security without impacting the clinical workflow.

What Can You Do?

As a patient, you accept some trade-off between getting the medical care you need and exposing your records to potential data breaches. In theory, when you’re admitted to a health care facility, you could ask whether your data will be encrypted, or insist on having copies of insurance cards and other IDs shredded when no longer needed (although it would be hard to know if staff followed through). But as a vulnerable patient requiring prompt care, that kind of assertiveness may not be realistic.

On the other hand, advance online research is quite possible when you have the luxury of time. “What you can do as a patient is to ask your doctor or ask your hospital, when you’re there for a routine outpatient visit, for example, whether your data will be encrypted if it’s recorded electronically,” Blumenthal says. “And you can take that into account in who you use for care. That’s the most direct way, aside from voting and bringing up the issue with your elected representatives.”


Monitoring your medical bills, insurance documents and other personal health records is a smart routine. “The most important thing is to keep a close eye on your medical record and the events around medical care,” Wirth says. “Look closely at your insurance statements. Make sure that services listed are indeed services that you recognize and received.”

Check medication orders on hospital documents, too. An unfamiliar prescription for an opioid drug, for instance, raises a potential red flag.

Be vigilant, but don’t let fear of cyberthreats interfere with your health care, either by opting to withhold medical information or by avoiding treatment. “It’s impossible to have zero data breaches,” Bai says. “We should have realistic expectations of what hospitals can do.” Even so, she adds, “As a patient, I would still go to the hospital I believe gives the best care and that I trust.”


Could Your Hospital Data Be Breached? originally appeared on usnews.com
