Your health data is vulnerable, and it has been getting less secure every year since medical records started going digital, a new report reveals.
In 2010, most Americans were obsessing over Angry Birds and how many of Facebook’s 550 million friends were theirs.
But in the basements of hospitals and the backrooms of doctor’s offices, a slower, messier and, as it turns out, less secure changing of the technological guard was happening.
A 2009 legal change was pushing medical records into electronic filing systems, and the process opened up the opportunity for 200 health data breaches.
But a new analysis reveals the security problem has only gotten worse in the years since. In 2017, there were 344 breaches.
That information is protected by law but falling increasingly into the wrong hands as the medical community struggles to transition to digital and hackers get more sophisticated, a Massachusetts General Hospital study found.
Of the 2,149 medical records that were breached between 2010 and 2017, the vast majority happened in doctors’ offices and hospitals (light blue) and the rates are rising, a study finds.
Information about our health is inherently private, and personal.
Perhaps more insidiously, identifying information, diagnoses and even risk factors have the potential to be used by employers or health insurers to discriminate against hopeful employees or customers.
But doctors cannot help patients without information like their medical and prescribing histories, blood work, and even simple information like gender and age.
Though the first electronic medical record-keeping system was created in 1972 – three years before the first ‘personal computers’ – most doctor’s offices kept everything on paper until quite recently, and many still do.
Then came HIPAA, and then HITECH.
When it was introduced in 1996, the main objective of HIPAA, the Health Insurance Portability and Accountability Act, was to make it easier for patients to change jobs while keeping their health insurance.
And handing off all of a patient’s health information from one employer and insurer to another could happen much more easily if it was all logged electronically, in one place.
So HIPAA became the impetus for the digitization of health data.
In turn, the digitization of health care – and the transition from paper to electronic records – necessitated even tighter security and privacy measures than HIPAA provided.
In 2009, HITECH, the Health Information Technology for Economic and Clinical Health Act, was passed into law.
HITECH was designed to push more and more health insurance and medical care providers to go digital, but it also introduced harsher penalties for data breaches to help protect patient privacy as the healthcare industry stumbled into the digital age.
But research, including the latest study, published in JAMA, suggests that the industry still hasn’t quite found its feet.
The sources and types of breaches, however, have changed.
Between 2010 and 2017, there were 2,149 known health data breaches in the US.
Cumulatively, 78.8 million records were leaked over those eight years.
Each year, more and more records have been hacked, leaked, lost, stolen or found in the (digital or analog) trash.
In the earliest days of the database, patient records were mostly being stolen off of laptops.
That fad has finally tapered off, but hacking and IT SNAFUs have since surged, and 2017 set a new record, with 132 million records breached.
And most of them are being pulled off of network servers, where the majority of documents are now stored in the cloud.
Interestingly, breaches happen most frequently in hospitals or doctors’ offices, but by far the largest loads of data are lost by health insurers.
In fact, three large breaches at health insurance companies accounted for more than half of the total records lost since 2010.
Among these was an enormous 2015 hack that affected an estimated 80 million customers of the insurer Anthem. The company settled the class action lawsuit for $115 million in 2015.
‘A long-standing tenet of medical care is that confidentiality is expected, and breaches are a failure to uphold that expectation,’ study co-author Dr Thomas McCoy Jr of Massachusetts General Hospital told Daily Mail Online.
‘Big data has the ability to lead to opportunities for transformational health discoveries, but it also presents an opportunity to have these big data breaches.
‘My attention would be on preventing hacking and IT incidents.’