The State of Data Security in Healthcare in the US
For quite some time, the healthcare system lagged behind in terms of cyber security. However, a lot has happened in the last 20 years: New laws and higher budgets have made the healthcare industry retrofit and invest in new technologies. Clinics and medical practices are getting better at handling personal data and can increasingly avoid data theft. But what exactly does the processing of data in the healthcare industry look like in the USA? How is data processing regulated? And most importantly, how secure is sensitive data collected in a practice or hospital?
What is the HIPAA/HITECH Law?
The so-called Health Insurance Portability and Accountability Act was passed in 1996 during the term of President Bill Clinton. The law prescribes rules for the handling of personal data, which must be adhered to by all companies in the health care sector. They form the cornerstone for the secure and confidential processing of personal data in electronic patient files (EHR) and in the healthcare sector in general. However, in the USA, protecting health data through encryption is not obligatory; it is only recommended. This is a problem, because strong encryption could prevent many cybercrimes in the healthcare sector.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) came into force in 2009. It promotes the introduction of technologies designed to simplify the processing of patient data. These include an electronic health record (EHR), which is now widely used in America.
What Data is Captured in an Electronic Health Record?
The data processed is a so-called “special category of personal data”. This type of data is considered significantly more vulnerable because it reveals sensitive information about a person's physical and mental well-being. When this data falls into the wrong hands, it can be extremely harmful for the person affected. For this reason, health data is extremely interesting for hackers and should be protected adequately.
That is why standards have been established which must be adhered to by medical practices in order to ensure coordinated medical care and the security of healthcare data. These standards prescribe in detail what the organization, security, and maintenance of an EHR should look like.
In summary, the content of a file consists of all information concerning the physical and mental well-being of a patient, e.g. medication lists, allergies, anamnesis, treatment plans with diagnoses, or vaccinations.
The advantage of a personal electronic patient file, of course, is its simple handling and transparency for doctors. Files, diagnoses, findings and other information no longer have to be sent from practice to practice, which simplifies the treatment of a patient immensely.
Nevertheless, this transparency can come with risks for the privacy of the patient’s data. There is information in those files that you only want to discuss with your doctor and a few close people. And sadly, there are still too many instances in which successful data thefts come to light that make sensitive data openly available to third parties.
How Desirable is Health Data for Hackers?
“Who should be interested in my data?” This is unfortunately still a widespread reaction from people who underestimate how valuable health data can be. According to the HIPAA Journal, between 2009 and 2018, nearly 190 million records of personal health data fell into the hands of third parties. This corresponds to almost 60% of the US population. The largest data theft to date occurred in 2015 at Anthem Inc., where nearly 80 million records were stolen by hackers over a period of several months.
Especially in companies that work with biometric or health data – and therefore with special categories of personal data according to Art. 9 GDPR – it is recommended, in the opinion of the German data protection expert Wolfgang Schmid, to take special precautionary measures, as the person responsible is obliged to maintain specific measures to safeguard the interests of the person concerned.
In case of a hack, the data is usually sold. A study carried out in 2013 shows that even anonymous health data, if combined with other data sets, can allow conclusions to be drawn about a person, who can thus be clearly identified.
How Can Boxcryptor Help?
Boxcryptor is a simple but extremely secure way to encrypt and thus protect data stored in the cloud, on a NAS, on hard drives or locally. The software is both GDPR compliant and implemented with AES encryption with a key length of 256 bits. Since, as of today, no practicable attack against AES exists, it is the preferred encryption standard for governments, banks and high security systems around the world.