Patient Privacy — A New Way Forward
By Robert Lord
Health data security and patient privacy are in a state of crisis. Electronic health records (EHRs) are being rolled out nearly everywhere, built to expose as much patient data as possible, to as many users as possible, in as little time as possible. As a consequence, hundreds of millions of patient records are now easily accessible to millions of health system employees and affiliates, with essentially no oversight of who is viewing which patient's data in the EHR or whether that access is appropriate.
This is not, however, the result of health system negligence; it reflects a collective lack of accountability among several key stakeholders. Given the sheer volume and complexity of patient record accesses each day, privacy and security officers cannot detect breaches efficiently without new, practical solutions and standards.
Something needs to change. Despite the promises of role-based access controls, training programs, and security templates, the problem is not being solved, and HIPAA violations continue to affect hospitals daily. The human layer of access is the root of these problems, and it has no easy solution.
A new report from the Brookings Institution finds that the majority of recent healthcare data breaches are caused by theft or unauthorized access. Research also shows that it takes more than 200 days to detect an insider threat, if it is detected at all. And the in-depth report from ProPublica last December helped bring into focus that small-scale violations of medical privacy, like the Walgreens pharmacist who snooped in the prescription records of her boyfriend's ex, often cause the most harm.
We are now at an inflection point that will decide the future of patient privacy. The actions and decisions of four key stakeholders, and their collective will to collaborate through an independent fifth body, will either significantly advance or stall patient privacy protection and next-generation health data security.
Patient privacy technology vendors need to invest in their teams and products to take advantage of the significant advances made in big data analytics, clinical informatics, and cybersecurity. These advances have changed many other fields, but cybersecurity and compliance solutions built for non-healthcare industries are rarely effective in the complex and idiosyncratic healthcare environment.
Furthermore, the big data environments that define many modern hospitals require big data solutions at the cutting edge of what is technically possible. Critically, vendors need to listen more closely to their customers and build clinically aware, healthcare-first solutions that address patient privacy. Health systems cannot purchase what does not exist, and they rarely have the in-house bandwidth to build production-ready systems themselves.
Hospitals and health systems are working hard to protect patient privacy, but their security and privacy teams are stuck in a reactive mode, having to put out fires with limited resources. It’s clear that CISOs and chief privacy officers need a seat at the boardroom table and their roles need to give them the breathing room to see into the future rather than just to react to challenges as they occur.
Furthermore, compliance and bare-minimum standards are no longer enough. To truly protect patient data, hospital security and privacy groups must form a close working relationship. That partnership must be backed by the technology needed to detect and remediate threats, and its mission must be aligned with the board's. Fundamentally, resources and C-suite support must be allocated to the next generation of privacy and security challenges, because current efforts are not on the right trajectory.
The federal government, with privacy enforcement authorities like the HHS Office for Civil Rights (OCR) and standard-setting bodies like ONC, wants very earnestly to protect vulnerable populations and to help hospitals protect patient data, and I have always been impressed by my interactions with them. However, there is no denying that these agencies are under-resourced and limited in the time they can spend evaluating better solutions that could serve as next-generation patient privacy platforms. As a result, they are not able to offer much substantive guidance on what hospitals should and shouldn't do to keep patient data secure. While distance must be maintained between vendors and regulators, greater public-private partnerships, like those in national security, are critical.
All of us as patients are an important but (amazingly) often overlooked constituency when it comes to advancing the protection of health data. Just as we wouldn't keep our money in a bank that didn't require passwords for online accounts or put locks on its vaults, patients should expect and ask for more detail about a hospital's security posture. When a hospital asks us to sign forms that let it use our data, we should ask our providers to explain how they protect that information. A basic set of criteria, covering data encryption, proactive patient privacy monitoring, two-factor authentication, network security, and whether a CISO and CPO are part of the team, can tell you a great deal about a hospital's stewardship of patient data. We are all patients, and I'm just as guilty of signing a HIPAA release form without thinking as anyone else. But if we're to drive change, we have to think hard about what's truly important to us and take a stand.
Ultimately, each of the above stakeholders has its own incentives, and I would contend, its own set of responsibilities and roles with respect to bringing about a new standard of patient privacy. In addition, while industry partnerships and bodies like the NH-ISAC are steps in the right direction in unifying these stakeholders, we need collective accountability and transparency regarding insider threats and HIPAA breaches beyond HHS’s “wall of shame.” Only through creating central, practical, collaborative bodies that bring all of these stakeholders to the table will we be able to move patient privacy forward and set a new standard for protecting our patients’ data.
Robert Lord is co-founder and CEO of Protenus in Baltimore, MD.