
When hackers have easier access to health data than patients

Chris Nerney, Contributing Writer

Massive digital databases containing the medical and personal data of millions of people will continue to attract hackers seeking valuable information to ransom, sell, or use to commit fraud. But in a world where data sharing and interoperability are critical to population health and collaborative, value-based care, providers simply can’t go back to the days of paper records.
Such is the “health data conundrum” facing the U.S., write Kathryn Haun, a federal prosecutor who teaches a course on cybercrime at Stanford Law School, and Eric Topol, a professor at Scripps Research Institute and author of “The Patient Will See You Now,” in a recent New York Times opinion piece.
“There’s quite a paradox when it comes to our health data,” they write. “Most of us still cannot readily look at it, but there’s been an epidemic of cybercriminals and thieves hacking and stealing this most personal information.”
This epidemic is fueled by motive and opportunity. “These records include information that makes them more valuable to hackers than almost any other type of data,” Haun and Topol argue. “Thieves can use this information to order medical equipment and drugs to resell and to fraudulently bill insurance companies, the costs of which are passed along to consumers.”
That’s the motive. The opportunity is that these huge central digital repositories of patient data are “an exceptionally easy target for criminals” because providers focus more on patient care and less on security. As a result, hospitals, healthcare networks, and medical labs will continue to be the target of ransomware attacks and other cybercriminal activities.
The authors propose a solution: disaggregation. They write:
“Medical data should be stored in individual or family units rather than in centralized databases. Such a regime would return the data to the person who should own it in the first place: the patient. Each individual or family would have medical data in a personal cloud or a digital wallet. Patients could then share their data how they choose: with family members, with researchers, with other doctors for a second opinion.”
Haun and Topol dismiss concerns that data would be lost to researchers if it weren’t aggregated in repositories.
“We need to move on from the days of health systems storing and owning all our health data,” they conclude. “Patients should be the owners of their own medical data. It’s an entitlement and civil right that should be recognized.”