Privacy and Security – Health Care

As we wait for final rules that will enable consumers to freely access their health data, electronic health record (EHR) giant Epic is saying breaking down the silos where this information lives will create a privacy hazard for patients.

While privacy concerns over health data sharing are always legitimate, they can’t stem the tide of the inevitable: Patients and consumers are demanding access to their data, and new proposed government rules supporting a consumer-directed, seamless flow of medical information will likely go into effect as soon as this month.

When they do, it will accelerate the race among technology companies to offer consumers the end-to-end healthcare experience and outcomes we’ve all been missing. At the same time, they will force the government to move quickly to establish a new privacy framework that will replace HIPAA’s limited reach and work to benefit all stakeholders.

Case Study

Across-the-Board Impact of an OB-GYN Hospitalist Program

A Denver facility saw across-the-board improvements in patient satisfaction, maternal quality metrics, decreased subsidy and increased service volume, thanks to the rollout of the first OB-GYN hospitalist program in the state.

See how

We could be in for a wild ride. But when the dust settles, we will have what we should have had all along: a healthcare system where consumers sit at the center and are empowered by ownership of their own health data.

A snapshot of health IT’s bumpy history

In 2004, the Office of the National Coordinator for Health IT released a framework for strategic action, “The Decade of Health Information Technology: Delivering Consumer-Centric and Information-Rich Care.”

I worked for David Brailer at the time; he had been appointed by President George W. Bush to be the country’s first information “czar” for healthcare. Dr. Brailer is still an advocate for information sharing, recently calling on healthcare CEOs to lean into, not away from, the opportunity to engage the patient in a more meaningful way. If healthcare CEOs fall short, tech companies will fill the void (more on that later).

We envisioned a system where important health data would follow the individual by building interoperability into EHRs from the start, a vision that tragically has yet to be realized.

We imagined health data would function as a powerful currency for consumers, but to date this valuable asset has stayed in the hands of EHR companies, who keep it under lock and key.

Consumers will soon hold this currency in their hands for the first time. If they seek to understand and apply their health data like they have with their genetic information—consider the explosion of tech companies like 23andMe and others—we’ll see dramatic shifts in the health tech landscape.

Consumers are most likely to share their health information with companies that have proven they can offer a powerful, secure and user-friendly experience: companies like Amazon, Apple, Google and a host of established and emerging technology players.

We must now endeavor to build the necessary security and privacy frameworks that ensure the consumer will always be protected and in control of their personal health information.

Where to go from here

We’re entering a new era, one where healthcare providers, payers, solutions providers and technology companies will create a superior healthcare experience and deliver improved patient outcomes.

The days of medical information being walled off and guarded by EHR vendors are coming to an end.

We can expect three things to occur once the rules are finalized:

  • EHR companies will see their business models disrupted: As consumers control their health data, the silos created by EHR companies will gradually erode. This will change these companies’ business models permanently. No longer the central gatekeepers of the country’s medical information, EHR companies will scramble to build new capabilities and services in a bid to remain important players in healthcare.
  • Technology companies that build trust will earn their moment in the sun: Consumers have shown a willingness to share sensitive information with technology companies in exchange for insights about their health. With new rules in place that turn loose volumes of health data, incumbent tech giants and newcomers will compete to create compelling new healthcare experiences and superior outcomes. Consumers will decide the winners by preferentially sharing their data with companies whose products and services are both transparent and secure.
  • New privacy laws must take shape: As tech companies compete to win the trust of consumers, the government will develop updated rules of the road for our new, consumer-centric health system. This effort is already underway thanks to multi-stakeholder groups like the CARIN Alliance and the work that the Robert Wood Johnson Foundation is doing with Manatt. We can expect these efforts to ramp up quickly.

HIPAA doesn’t cover many of the new digital products and services that can benefit consumers, but that doesn’t mean consumers and technology companies cannot hold this data. It means we need to modernize HIPAA.

When these trends come to pass, it will be the consumer—newly empowered with their health data—who will drive our country toward value-based care. Top-down decisions by healthcare providers, insurers and government agencies haven’t accomplished this vision—consumers can and will.

As a consumer, a health tech entrepreneur, a mother and a former federal and state official, I am eager to bear witness as consumers take the driver’s seat, which was the intention all along.

Lori Evans Bernstein is a co-founder and the president and chief operating officer of HealthReveal. She was a senior advisor to the first National Coordinator for Health IT in the U.S. Department of Health and Human Services and served as deputy commissioner of the New York State Department of Health’s Office of Health IT Transformation. 

Federal lawmakers are taking a hard look at how the VA protects patient data shared with VA-approved health apps.

As more health data is shared with technology companies and mobile apps, it raises concerns about potential privacy and security risks for veterans, according to federal lawmakers charged with oversight of the Department of Veterans Affairs’ IT modernization efforts.

The VA’s App Store includes close to 50 smartphone apps designed to help veterans manage their healthcare.

Many of these apps require “significant elevated permissions” and request access to a user’s contacts, calendars, photos and other files, and that raises questions around privacy, said Rep. Susie Lee, D-Nevada, chairwoman of the House Veterans’ Affairs Subcommittee on Technology Modernization, during an oversight hearing Wednesday.

Lee said she’s concerned that smartphone apps could access users’ sensitive health information, such as a post-traumatic stress disorder (PTSD) diagnosis, that could be shared or sold by third-party companies and lead to workforce discrimination or other negative consequences for veterans.

Ranking Member Phil Roe, R-Tenn., said one VA-recommended app designed to provide support to veterans with PTSD requests permission to access the smartphone user’s contacts and microphone. “That’s disturbing to me. You might inadvertently hit that,” he said.

He added, “I look at a risk-benefit ratio. Is this information shared? Is it accessible? Is it sold?”

Paul Cunningham, the VA’s deputy assistant secretary and chief information security officer (CISO), testified that the department has to make “risk-based decisions” over the value of the app while balancing security and privacy.

“We’re trying to solve this problem around access to data. If we go strictly by compliance and zero tolerance, we miss out on opportunities that technology brings if we’re not able to share information with third parties that are trusted,” he said.

Health systems are grappling with the same issues around app privacy, as the Department of Health and Human Services (HHS) will soon finalize a regulation that will allow patients to download their health data using third-party apps.

The VA is in the process of implementing a multibillion-dollar IT modernization project, including a new electronic health record (EHR) system from health IT vendor Cerner.

The Mission Act is also expanding the number of VA patients seeking treatment from community care providers, which requires more data sharing. The VA needs to ensure that privacy and security policies keep pace with new technology, Lee said.

“As we assess the data landscape at the VA and the larger health IT space, we need to look at where protections exist or don’t exist and whether we need more guardrails,” Lee said. 

Cunningham said the VA has policies and practices to ensure that access to veterans’ information is strictly controlled. Developers of apps that connect to an application programming interface (API) from the VA and are part of the VA’s App Store must sign a “comprehensive and strict” user agreement that sets limits on how health data can be used, he said.

The VA’s acceptable use agreement includes a commitment not to sell patient data.

Cunningham told lawmakers that the VA does not “police” the networks of third parties, but the department would take “swift action” to investigate if a breach was discovered.

Like many in the healthcare industry, Cunningham acknowledged that he has concerns about how third-party companies not regulated by the Health Insurance Portability and Accountability Act (HIPAA) use health data and the potential privacy risks for veterans.

“It’s difficult to make sure that people really understand when they accept an app that they understand the full access they are granting and how that information will be used downstream,” he said.

Privacy policies used by apps can be thousands of words long and many consumers do not read them, Lee noted.

Key lawmakers are considering whether federal laws like HIPAA need to be updated to better protect veterans’ sensitive health information.

Rep. Jim Banks, R-Indiana, ranking member of the committee, wants to see the HIPAA privacy rule updated to prevent health data from being monetized.

“Today some of the HIPAA-permitted purposes to access patient records, when applied in a new context, could become loopholes,” he said. “The health technology landscape is evolving quickly. Mobile apps already have taken over the software marketplace. In a few years, most health records will be stored in the cloud. Privacy safeguards have to evolve as well.”

Executives are bullish on the potential of artificial intelligence to improve healthcare. But they say adoption is not happening quickly enough due to a lack of workforce training, high costs, and privacy risks, according to a survey by audit, tax, and advisory services firm KPMG.

KPMG’s survey of healthcare leaders was part of a larger study of how executives across five industries view the future of AI in their sectors, and the steps they are taking to maximize its benefits and mitigate its challenges.

“The pace with which hospital systems have adopted AI and automation programs has dramatically increased since 2017. Virtually all major healthcare providers are moving ahead with pilots or programs in these areas. The medical literature is showing support of AI’s power as a tool to help clinicians,” Melissa Edwards, managing director, digital enablement, KPMG, said in the report.

An overwhelming majority of healthcare respondents (89%) think AI is already creating efficiencies in their systems, and 91% believe it is increasing patient access to care.

Many of the AI-related services and solutions being advanced in healthcare today are largely in the clinical, patient-facing space.

“Basic forms of automation are proving to be the ‘gateway drug’ to advanced forms of AI—such as scanning documents to determine the urgency of a referral. Applying AI to make earlier diagnoses of critical illnesses is a key area,” Edwards said.

  • Nine out of 10 healthcare executives are confident that AI will improve the patient experience, with the greatest impacts being found on diagnostics, electronic records management and incorporating robotics into tasks.
  • More than two-thirds of healthcare stakeholders (68%) are confident AI will eventually be effective in diagnosing patient illnesses and conditions, and close to half (47%) believe that diagnostics will have a significant impact soon, within the next two years.
  • Healthcare executives also anticipate gains in process automation, with 40% seeing X-rays and CT scans being handled robotically.

Recent findings indicate that function may be close to reality. Google Health reported that an AI model developed and deployed by its DeepMind subsidiary was more effective in screening patients for breast cancer than human doctors, even though the model used only recent X-rays while the doctors also had access to patients’ previous records.

But the pace of progress is too slow, according to one-third of executives, citing barriers such as a lack of workforce talent and the high cost of implementing AI tools.

To date, only 44% of healthcare insiders say their employees are prepared for AI adoption, which is substantially lower than in some of the other industries surveyed. Fewer than half of healthcare organizations (47%) offer AI training courses to employees.

Just 67% of healthcare insiders say their employees support AI adoption, the lowest ranking of any industry, according to KPMG.

Many healthcare institutions lack a breadth of individuals who “speak” the language of AI, Edwards said.

“Comprehending the full range of AI technology, and how best to apply it in a healthcare setting, is a learned skill that grows out of pilots and tests. Building an AI-ready workforce requires a wholesale change in the approach to training and how to acquire talent. Having people who understand how AI can solve big, complex problems is critical,” she said.

Health systems have already made significant capital investments to meet electronic health records (EHR) requirements. To get AI off the ground requires even more of an investment, and, as a result, some health systems are slower to allocate full funding for AI.

More than half of executives (54%) believe that AI to date has actually increased rather than decreased the overall cost of healthcare. Decision-makers are struggling to determine where to place their AI best bets.

“The question is, ‘Where do I put my AI efforts to get the greatest gain for the business?’ Trying to assess what ROI will look like is a very relevant point as they embark on their AI journey,” Edwards said.

Healthcare executives are also concerned that AI could threaten the security and privacy of patient data. Relatedly, 86% say their organizations are taking care to protect patient privacy as they implement AI.

As the industry waits for a landmark rule aimed at opening up access to patient data, Donald Rucker, M.D. said Wednesday that regulators are challenged with balancing data privacy and transparency.

The proposed interoperability rule will be coming out “relatively soon,” Rucker, who is head of the Office of the National Coordinator for Health IT (ONC), said during a Health IT Advisory Committee meeting Wednesday.

Many have speculated that the rule will be released during the Healthcare Information and Management Systems Society conference in March.

A year ago, ONC, which is part of the Department of Health and Human Services (HHS), proposed an interoperability and information-blocking rule that defines the data-sharing obligations of healthcare providers and electronic health record (EHR) vendors. The rule also outlines exceptions to the prohibition against information blocking and provides standardized criteria for application programming interface (API) development.

HHS officials say the rule, which promotes the use of application programming interfaces (APIs), will help bring healthcare into the modern app economy.

The proposed rule has created an industry rift: EHR vendor Epic, many health systems and some privacy groups have voiced strong opposition to it. About 60 health systems signed an opposition letter circulated by Epic CEO Judy Faulkner that was sent to HHS Secretary Alex Azar. The letter cited risks to patient privacy and intellectual property if the rules are finalized now.

Meanwhile, newer technology entrants to healthcare such as Apple and Microsoft, some EHR companies like Cerner and consumer advocates are backing the rule. Google Health’s David Feinberg, M.D. has met with HHS officials about the rule, Politico reported.

Rucker was asked by members of the Health IT Advisory Committee about the status of the rule.

“There are complicated issues balancing the various interests of the American public to get a good deal in healthcare, to have transparency, to do this in a way that doesn’t prevent innovation and allows vendors to be able to build products in a practical way and draws the right balance on protecting privacy, yet addressing what is ultimately the biggest issue, which is simply the vast amount of healthcare costs that are out there and lack of patients having agency.”

As the lobbying battle over the rule goes on, Politico reported Tuesday that ONC’s rules gained a rare endorsement from a hospital system: the University of California, San Francisco. The “nation needs ONC’s proposed regulations,” the leaders of UCSF and its health system wrote to HHS Secretary Alex Azar, according to Politico.

All the lobbying efforts and public debates could have some positive results, Rucker said.

“Maybe it’s had the unintended benefit of getting people to focus on how this all will play out and part of a broader dialogue about what we want to do with technology in our lives,” he said.

Over 41 million patient records were breached in 2019, with a single hacking incident affecting close to 21 million records.

The number of patient records breached in 2019 was almost triple the number the healthcare industry experienced in 2018, when 15 million patient records were affected by breach incidents, according to a report from Protenus and DataBreaches.net.

Protenus, a healthcare compliance analytics firm, analyzed data breach incidents disclosed to the U.S. Department of Health and Human Services or the media during 2019.

There also has been an alarming increase in the number of breaches of patient privacy since 2016. Four years ago, there were 450 security incidents involving patient data, and that jumped to 572 incidents in 2019.

This number is likely to be a significant underestimate: two of the incidents for which no record counts were available affected 500 dental practices and clinics and could involve significant volumes of patient records, Protenus reported.

There continues to be at least one health data breach per day, a trend Protenus first reported in 2016.

Here are three major cybersecurity trends Protenus found:

1. Hacking incidents surge

It appears hacking incidents, particularly ransomware incidents, are on the rise: hacking was the cause of 58% of the total number of breaches in 2019, affecting 36.9 million patient records.

And one disturbing trend: Hackers are getting more creative in how they exploit healthcare organizations and patients alike.

In 2019, there were incidents of hackers attempting to extort money from patients whose records were exposed, not just the affected healthcare organization. In one incident in Florida, hackers sent ransom demands to a number of the affected patients, “threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met,” Protenus reported.

2. One massive data breach

The single largest privacy incident reported last year was a massive security breach at American Medical Collection Agency (AMCA), a third-party billing collections firm. At least four clinical labs, including Quest Diagnostics and LabCorp, were affected by AMCA’s breach, which, to date, has exposed the sensitive data of 21 million patients.

The breach was discovered when analysts found patient information, including dates of birth, Social Security numbers and physical addresses, for sale on the dark web, according to Protenus.

In the aftermath of the breach, AMCA’s parent company, Retrieval-Masters Creditors Bureau, voluntarily filed for Chapter 11 bankruptcy protection in the Southern District of New York in June.

3. Staff members pose major security risk

Staff members inside healthcare organizations were responsible for breaching 3.8 million patient records in 2019, up from 2.8 million records in 2018.

The report characterized insider incidents as either human error or insider wrongdoing, which includes employee theft of information, snooping in patient files and other cases where employees appeared to have knowingly violated the law.

As one example, the report highlighted an incident where a nurse is suspected of gaining access to patient information and providing the data to a third party for fraudulent purposes. It is estimated that 16,542 patients could have been affected over the course of almost two years before discovery. The investigation is still ongoing.

Phishing attacks also continue to plague healthcare. Educating and training hospital employees to detect such attacks and not fall victim to them is imperative to get ahead of the hacking incidents, the report said.

“Hackers are also using credential-stuffing attacks, making it increasingly important to train employees not to reuse passwords across work settings and personal accounts,” Protenus wrote.

NRC Health was hit with a ransomware attack Feb. 11 and is still working to restore its systems and services.

The company, which works with 75% of the 200 largest U.S. hospital chains, administers patient survey tools to hospitals.

The cyberattack was first reported by CNBC’s Chrissy Farr on Thursday.

NRC Health works with 9,000 healthcare organizations, including Adventist Health, Jefferson Health, Cedars Sinai, Phoenix Children’s Hospital, Ochsner, and Providence Health, according to the company’s website. NRC Health collects data from more than 25 million healthcare consumers a year across the U.S. and Canada.

In a statement provided to FierceHealthcare, Paul Cooper, chief information officer at NRC Health, said that on Feb. 11 the company experienced a ransomware attack on certain computer systems and immediately shut down its “entire environment,” including client-facing reporting portals, to contain the issue.

“We also immediately launched an investigation with the assistance of a leading forensic investigation firm to determine the nature and scope of the incident and notified the FBI,” Cooper said.

Since last week’s attack, NRC Health has made “significant progress” in restoring its systems and services for its customers.

The company anticipates full restoration in the coming days, according to Cooper.

Cooper said in his statement that there is no evidence, to date, of unauthorized access to or acquisition of any data from NRC Health’s systems, including protected health information or other confidential information.

The company started notifying its hospital customers with an email alerting them to the attack, according to CNBC.

Despite the company’s assurances, some hospitals notified of the cyberattack have raised concerns that private patient data was accessed, according to sources who spoke with CNBC’s Farr.

One health system CEO, who requested anonymity, said that they were concerned about hackers having access to confidential information about their hospital including its market share, Farr reported.

David Holtzman, executive advisor to cybersecurity firm CynergisTek, said federal HIPAA rules and many state laws hold healthcare organizations responsible for assessing and carrying out notifications to consumers when one of their vendors suffers a cybersecurity incident or ransomware event that compromises their unencrypted electronic protected health information (e-PHI).

“HHS’ Office for Civil Rights has issued guidance that when an intruder has gained access to an information system in which e-PHI is stored and has compromised the availability or integrity of the data, it is presumed to be a reportable breach,” Holtzman said.

Measures from patient satisfaction surveys are not only used to gauge patient loyalty; the majority of senior healthcare executives also have compensation tied to patient satisfaction scores. Hospital reimbursement is also being directly affected by inpatient satisfaction ratings as part of the Centers for Medicare and Medicaid Services (CMS) value-based purchasing program and private payer initiatives, according to the American Medical Association Journal of Ethics.

“With NRC’s systems shut down, one chief information officer at a hospital said that it’s been a ‘major source of irritation internally,’ because the systems are used to determine how much its physicians are getting paid,” Farr reported. The executive requested anonymity because they were not authorized to speak about the attack.

If private patient information was accessed, hospitals will need to notify their patients.

“Our resources are singularly dedicated to regaining full operability and investigating this matter to completion,” Cooper said. “NRC Health takes our customers’ information and security very seriously, and we have and will continue to share additional updates on progress with customers on a daily basis until the issue is completely resolved.”

A recent report from Protenus found that over 41 million patient records were breached in 2019, almost triple what the healthcare industry experienced in 2018. Incidents involving business associates impacted 24 million patient records.

One incident alone, a massive security breach at third-party billing collections firm American Medical Collection Agency (AMCA), exposed the sensitive data of 21 million patients.