The State of Data Security in Healthcare in the US
For quite some time, the healthcare system lagged behind in terms of cyber security. However, a lot has happened in the last 20 years: New laws and higher budgets have made the healthcare industry retrofit and invest in new technologies. Clinics and medical practices are getting better at handling personal data and can increasingly avoid data theft. But what exactly does the processing of data in the healthcare industry look like in the USA? How is data processing regulated? And most importantly, how secure is sensitive data collected in a practice or hospital?
What is the HIPAA/HITECH Law?
The so-called Health Insurance Portability and Accountability Act was passed in 1996 during the term of President Bill Clinton. The law prescribes rules for the handling of personal data, which must be adhered to by all companies in the health care sector. They form the cornerstone for the secure and confidential processing of personal data in electronic patient files (EHR) and in the healthcare sector in general. However, in the USA it is not obligatory to protect health data through encryption, it is just recommended. This is a problem, because strong encryption could prevent many cybercrimes in the healthcare sector.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) came into force in 2009. It promotes the introduction of technologies designed to simplify the processing of patient data. These include an electronic health record (EHR), which is now widely used in America.
What Data is Captured in an Electronic Health Record?
The data processed is a so-called “special category of personal data”. This type of data is considered significantly more vulnerable because it reveals sensitive information about a person's physical and mental well-being. When this data falls into the wrong hands, it can be extremely harmful for the person effected. For this reason, health data is extremely interesting for hackers and should be protected adequately.
That is why standards have been established which must be adhered to by medical practices in order to ensure coordinated medical care and the security of healthcare data. These standards prescribe in detail how the organization, security, and maintenance of an EPA should look like.
In summary, the content of a file consists of all information concerning the physical and mental well-being of a patient, e.g. medication lists, allergies, anamnesis, treatment plans with diagnoses, or vaccinations.
The advantage of a personal electronic patient file, of course, is its simple handling and transparency for doctors. Files, diagnoses, findings and other information no longer have to be sent from practice to practice and simplify the treatment of a patient immensely.
Nevertheless, this transparency can come with risks for the privacy of the patient’s data. There is information in those files that you only want to discuss with your doctor and a few close people. And sadly, there are still to many instances, where successful data thefts are revealed that make sensitive data openly available to third parties.
How Desirable is Health Data for Hackers?
“Who should be interested in my data?” This is unfortunately still a widespread reaction from people who underestimate, how valuable health data can be. According to the HIPAA Journal, between 2009 and 2018, nearly 190 million records of personal health data fell into the hands of third parties. This corresponds to almost 60% of the US population. The largest data theft to date occurred in 2015 at Anthem Inc, where nearly 80 million records were stolen by hackers over a period of several months.
Especially in companies that work with biometric or health data – and therefore with special categories of personal data according to Art. 9 GDPR – it is recommended, in the opinion of the German data protection expert Wolfgang Schmid, to take special precautionary measures, as the person responsible is obliged to maintain specific measures to safeguard the interests of the person concerned.
In case of a hack, the data is usually sold. A study carried out in 2013 shows that even anonymous health data, if combined with other data sets, can give conclusions about a person and thus be clearly identified.
How Can Boxcryptor Help?
Boxcryptor is a simple but extremely secure way to encrypt and thus protect data stored in the cloud, on a NAS, on hard drives or locally. The software is both GDPR compliant is implemented with AES encryption with a key length of 256 bits. Since as of today, no practicable attack against AES exists, it is the preferred encryption standard for governments, banks and high security systems around the world.
The Cloud in the Healthcare Industry: Free Whitepaper
In our free whitepaper we give information on how the use of a securely encrypted cloud enhances the data security in your practice or organization, and how, at the same time, it helps you save costs.
By entering my email address I agree that Secomba GmbH sends me information via email. I can revoke this agreement at any time.