Why It Matters
Our health is everything. Literally. Without good health, most everything else doesn’t matter. Ever had even a minor health issue and start to realize that all the other things you’ve been worrying about or focusing on aren’t really THAT important? We tell ourselves we’re going to do things differently once we recover. That we’re going to worry less, enjoy life more, spend more time with our kids, our families, our hobbies. But when we do, we tend to go right back to our old ways, prioritizing the things that weren’t so important when we were ill, putting off the things that we decided were truly important for later. We take our health for granted when we feel good, but fear and worry often change our thinking. It’s unfortunate that it takes an injury or illness to make us realize what really matters, and how quickly we forget once that fear and worry subside.
The same thing happens with our health data. We assume and expect that our care providers and others with access to our medical records will treat our personal health information with the utmost care and will prevent it from getting into the wrong hands. We sign the HIPAA document every time we visit the doctor and think nothing of it. Of course we want our doctors to be able to consult with other professionals to ensure we get the best care and treatments. There are probably about 10 different documents to sign every time, so we just flip through, read the headline, and sign, without thinking too much about what they say. Again, assuming that our data will be kept private and secure. Even when we’re informed that our health data “may have been” involved in a breach, and many of us probably have been, we still don’t think much about it as we may not have been personally impacted. Ask someone if they are aware of the risks associated with a healthcare data breach and they are unlikely to understand what that means. Most will understand credit card fraud, given it’s the most common type of identity theft, but in most cases the credit card company will remove fraudulent charges and issue a new card with a new number. This has happened to me a few times, and while it’s a nuisance to find and update all the places where that CC number is stored (online shopping, utilities, etc.) it hasn’t (yet) caused a financial or serious personal impact. But when it comes to protected health information (PHI), very few will even know what that is, and less will understand its value and the incredible impact of it being stolen. Who cares if someone in some other country knows that I went to the doctor and had the flu? Let ‘em have it. Why should I care?
After a healthcare breach, affected individuals may be offered credit monitoring services for a year or two. That may help protect against any financial misuse, but it’s not going to help with what could be done with your health information.
Why We SHOULD Care
Unlike with a credit card, theft of our PHI cannot simply be rectified by issuing a new card. That data is gone and even if it can be recovered by the hosting organization, the bad guys still have it and can use it to extort money from the healthcare provider or even directly from us, the patients. A recent breach resulted in patients receiving a very nicely worded email offering the opportunity to pay the hackers to prevent their data from being sold to data brokers who will resell it and/or share it publicly.
While some or even much of our medical history may not be too interesting, there is likely some we most certainly would not want made public. Going to the doctor for the flu may not be very valuable intel on us, but think about all the other aspects of our health and how, in the wrong hands, it could cause serious personal harm. Who’d have thought something as simple as our vaccination status could have such an impact on what we could or couldn’t do, where we could and couldn’t go, who we should or shouldn’t spend time with. Some were proud to share their status and others were afraid to, but regardless of where we all fell along this spectrum, the pandemic made us more sensitive to the impact of our health records being known by others. Now that things have calmed down a bit, most probably again tend not to think much about it. As with our health, once things are better, it’s back to life as usual.
HEALTH RECORDS ARE TOO VALUABLE IN THE WRONG HANDS
Our health records have proven to be extremely valuable when in the wrong hands. And that value doesn’t necessarily diminish over time. You may have completely forgotten about an old injury or illness, but to a prospective employer or insurer, that information could be very interesting. Maybe it was a broken leg in high school or a brief stint with asthma when you were a kid. They may consider these risks, risks that they aren’t willing to take, and pass you over for a job, increase insurance premiums, or flat out deny coverage. If you think no one really cares what happened years ago, they do, and if they can reduce their risks in any way, they will.
Even more sensitive than our physical health information is our mental health information. Thankfully we’re overcoming the stigma of mental health, but even with broader awareness and treatment, the impact of this information in the wrong hands is frightening, and if it’s not, it should be. Although the Americans with Disabilities Act (ADA) of 1990 prohibits discrimination in hiring and employment based on physical and mental health, this can be difficult to prove. Once someone has the information it can very easily become part of the decision process, even if not consciously.
Worse than the impact on our own lives is the impact on our families. How horrible to see loved ones suffer at the hands of some hacker just looking to make a buck.
Our most sensitive information is collected at many places, not just at the doctor’s office or hospital. Get a prescription? They have your PHI. Visit the corner clinic for that little mishap trying to one-up the kids? They have your PHI. Get an MRI? They have your PHI. Donate blood? Yup, they have your PHI. It’s everywhere, and the bad guys know it and are looking to steal it. Over the past decade the use of DNA to determine our ancestry and possible health risks based on our genetic makeup has grown substantially. This information can be fun and interesting as well as prove extremely helpful in how we live and manage our own health. But how many people using these services understand or even think about the risks involved? We are giving these companies access to, and use of, very detailed information not only about our current health, but our unique genetic makeup, and how that could impact our future health. The insurance industry would love to have this crystal ball for marketing purposes and for determining insurability. A recent breach at 23andMe resulted in data from 6.9m users being stolen. What’s really interesting in this case is that the hackers only accessed personal data for 14,000 users, but with the ability for individuals to share information with others, the breach extended far beyond just them. What started out as more of a novelty has morphed into a tremendous warehouse of personal health information and a target for the hackers looking to steal and monetize the data. The more places our PHI is collected, the higher the likelihood it will be involved in a breach. It’s simple math.
The numbers are staggering. According to HealthITSecurity, 112 million individuals have had their PHI stolen in 2023 (note that the OCR only requires reporting of breaches impacting 500 or more patients), up from 48.6 million in 2022. This represents a 230% increase in one year! Think about this the next time you’re with two of your friends, coworkers, or family members. One of you has had your health information stolen. That’s frightening. And it’s only getting worse. Healthcare breaches are on the rise, and rapidly, As reported by the HHS Office of Civil Rights (OCR), healthcare breaches have risen 239% since 2019. They cost the healthcare industry trillions of dollars each year. In 2023 alone there were 540 reported breaches with an average cost of just under $11m, for a whopping total of $5.94 trillion dollars.
If everyone knew that 1 in 3 people are part of a PHI breach, and the potential personal impact, would we give more thought when providing consent? Would we try to limit the providers we use?
Why do WE care?
Because it IS personal. And the hackers are making it more personal. Whereas it used to be the hospitals and healthcare providers they would go after, they are now going directly after the patient, directly after us and our families! These organizations, and they are actual money-making businesses, are extorting money directly from the innocent victims as demonstrated above with the INTEGRIS Health data breach. And in one of the most disgusting and egregious acts, earlier in 2023. Lehigh Valley Health Network in PA was breached and photos of breast cancer patients were stolen and posted to the dark web in an effort to extort money. This could be anyone’s mother, sister, daughter, wife, partner, friend. If it wasn’t personal before, it certainly is now.
Healthcare data breaches affect us all. They impact patient care and affect outcomes. Hospitals already run at VERY low single-digit and even negative margins. Costly breaches impact the level of care and services an organization can provide and limit investments in IT and other crucial infrastructure needed to improve patient outcomes. It’s not just businesses that are impacted. The impact flows down to the patient. Real people and real lives are affected.
As the patient, we may not have a lot of control over how our PHI is handled or protected, but we can ask questions about how it is managed and who it may be shared with and make informed choices of where we go for care and who we share our health data with. In the end, securing our PHI is ultimately the responsibility of those who are collecting it from us. As individuals we may not be able to dictate or enforce policy, but as a company our mission is to provide solutions that make it possible for organizations to understand where PHI is located, how it’s being used and shared, and if it’s adequately protected. There will always be people out there looking to steal our personal data for financial gain and they’ll keep finding new ways to get in regardless of the defenses deployed. But there is certainly more that can be done to minimize what they can take that’s of any value, making their efforts futile – protecting real people, real lives, and the providers we entrust.
At Tausight, this is why we do what we do. This is why it matters to us and why we are so passionate about and driven to helping healthcare organizations secure their most sensitive data, OUR most sensitive data. So that we can worry less and focus on what really matters…getting to and maintaining good health.