Patients are better positioned to take ownership of their health and care, thanks to recent advancements in digital health. These benefits come with some security and privacy risks, though.
Two recent advancements in digital health have empowered patients by making their health information easily accessible to them. The 21st Century Cures Act is helping usher in an era of consumerism by focusing on ensuring patients can easily attain electronic access to their health data through third-party apps. In addition, the pandemic accelerated the adoption of telehealth, with patients and providers embracing the use of digital technology in the delivery of care.
Thanks to these innovations, patients are in a better position to take ownership of their health and care.
These benefits come with some risk, though, because patients and providers are not the only ones who seek to access a patient’s protected health information (PHI). Bad actors — cyber criminals, unfriendly nation states, rogue employees — look for vulnerabilities in technology to exploit in hopes of gaining access to data. Their reasons can range from greed to malice.
According to the Cybersecurity and Infrastructure Security Agency, an American’s PHI is up to 20 times more valuable than credit card data on the dark web, making it an attractive commodity for cyber criminals. Ransomware attacks appear to be on the rise, too, with breaches like the attack on software supplier Kaseya making headlines this year.
Healthcare IT executives are aware of these threats, and it is our responsibility to protect patients’ PHI within our organizations.
As the footprint of digital health expands beyond the walls of hospitals and health systems, so does the threat surface. Each digital device a patient or provider wears creates an exploitation opportunity for a bad actor, and once a weakness is found, the increasing interconnectedness of devices can facilitate the spread of malware.
Application programming interfaces (APIs) present another challenge. The Cures Act has the laudable goal of promoting interoperability across the healthcare continuum, allowing data to flow seamlessly from one provider to another or from a provider to a patient. APIs that securely share data across disparate applications and systems are seen as the lynchpin; they make it easier for patients and clinicians to download, exchange, and manage healthcare information.
Cures and related provisions outlined by the Office of the National Coordinator for Health Information Technology (ONC) are now serving as the policy levers for the adoption and use of APIs in healthcare.
Consumers are familiar with APIs, downloading apps onto computers and smartphones to perform common tasks like online banking and online shopping. Yet few people read the terms and conditions before clicking “accept.”
In healthcare, hospitals and healthcare systems are obligated under privacy rules in the Health Insurance Portability and Accountability Act (HIPAA) to protect patients’ information. There are no such safeguards for most API software developers in ONC’s final rule, though. This means there’s a potential for patients to unwittingly agree to terms that allow their data to be mishandled, for instance, by being sold to marketers or data aggregators.
We can mitigate security and privacy risks with common sense measures. The first is education. We are still early in our digital health journey, making it an opportune time to educate users in best cybersecurity practices. Many healthcare organizations conduct yearly (or even more frequent) trainings to promote good cyber hygiene by employees, including clinicians. By extending that level of education to patients, we can harden our defenses against bad actors.
Our second resource is federal policy. Just as the Cures Act set the stage for patient empowerment, policies that safeguard patient data can prevent exploitation. Several leading healthcare associations have voiced their concerns
We can never eliminate risk entirely, but we can minimize it. Many digital health leaders believe we are going in the right direction with telehealth and data sharing. If we manage the risks diligently and wisely, we will reap the many benefits these technologies offer.