3 common threats to healthcare privacy


It’s a normal day. John strolls into his clinic clutching a steaming cup of coffee as beams of sunlight reflect from the tall glass windows that surround the reception area. Everything is as usual, a typical day in the life of a healthcare worker. John enters the front door and, as the morning reflections fade, his eyes refocus to behold terror on the faces of the receptionists and nurses scrambling about.

“There’s been a breach, John. It was caused by YOU!”  

Despite the passing of HIPAA in 1996 and subsequent updates to protect patients’ privacy and security, we are seeing more infringements than ever. Living in 2019, we have seen some truly dumbfounding scandals from hospitals, insurers and small local clinics alike.

The days of only the big financial institutions being targeted are long gone; anyone and everyone who holds patient records is a target.  

Nowadays, it’s not disgruntled high school students compromising systems for fun, out of boredom or, as in “Ferris Bueller’s Day Off,” to change attendance records. Modern attacks are performed by sophisticated networks of cyber criminals using complex hacking tools.

Despite the plethora of attack vectors, below are 3 common faults that enable attackers and lead to patients’ data being lost or stolen.

1. Lack of two-factor authentication for health systems 

Going back to our example of John, the night before the breach he had received a seemingly innocent email. It appeared to come from ADP, the service his company uses to process payroll.

The email informed him that he needed to update his account info immediately or face delays in receiving his paycheck. John clicked through the email’s links without questioning their authenticity and entered his system credentials into a website with a strange URL. The page captured his credentials and then redirected him away; after a long day, John decided to go home and talk to HR later.

What John didn’t know is that a malicious user had created the fake email and fake login page to capture John’s credentials. Those stolen credentials were then used to connect to and compromise the clinic’s networks and systems overnight from a remote location.

The systems had no secondary means of verifying the user’s identity and thus allowed full access. This can be prevented by implementing multi-factor authentication, which validates logins with a text message, a phone-based approval or an email on top of the username and password.
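The following is an added example, not code from the original post or from any product it mentions. It shows a login check in which the password alone (the only thing a phishing page like the one John fell for can capture) never grants access; the second factor is an RFC 6238 time-based one-time code. The user store, salt and secret are constructed demo values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo account. A real system would load the password hash and
# the per-user TOTP secret from its user store, never from source code.
SALT = b"constructed-salt"
TOTP_SECRET = b"12345678901234567890"   # the RFC 6238 test-vector secret
USERS = {
    "john": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "totp_secret": TOTP_SECRET,
    }
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_valid(secret: bytes, code: str, at: int, drift: int = 1) -> bool:
    """Accept the current window plus `drift` windows either side to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, at + 30 * d), code)
               for d in range(-drift, drift + 1))


def login(username: str, password: str, code: Optional[str], at: Optional[int] = None) -> str:
    """Return 'denied', 'need_second_factor' or 'granted'."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return "denied"
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(attempt, user["password_hash"]):
        return "denied"
    # A correct password by itself is what the phishing page stole; it is never enough.
    if code is None:
        return "need_second_factor"
    return "granted" if code_valid(user["totp_secret"], code, at) else "denied"


if __name__ == "__main__":
    print(login("john", "correct horse", None, at=59))                   # need_second_factor
    print(login("john", "correct horse", totp(TOTP_SECRET, 59), at=59))  # granted
```

The code at time 59 for the test-vector secret is 287082, matching the published RFC 6238 vector (last six digits of 94287082), so the one-time-code arithmetic can be checked against the standard.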

2. Failure to keep systems up to date with patches 

After the hacker infiltrated the clinic’s healthcare systems using John’s credentials, they still had a problem: John wasn’t the primary admin and did not have access to all of the clinic’s patient records.

The savvy hacker looked up the name of the system in a web search and found its common vulnerabilities listed online. Vendors publish known vulnerabilities along with patches that fix these issues so users can protect their systems.

Unfortunately, John’s clinic outsourced their IT but seldom communicated with their IT firm — usually only when there was a problem. The hacker noticed that the IT managers had not applied a few of the patches from the vendor’s website and exploited these known vulnerabilities to gain full admin privileges.

3. Storing sensitive data in plaintext form 

Now that the hacker had full access to the system’s collection of patient records, they would typically face another obstacle: all the records are kept in an encrypted, unreadable form.

Encryption, which HIPAA requires for sensitive protected health information (PHI), renders records useless to hackers. However, once again the IT team had not properly encrypted all of the system’s data, and the malicious actor stole hundreds of confidential records.

A lack of awareness and training is the biggest contributor to the poor state of cybersecurity. Well over 90% of successful attacks against healthcare providers involve exploiting people in some form to reveal sensitive information, and therefore the most effective way of preventing an attack is to invest in a comprehensive and periodic training program for staff.  

Stakeholders can also boost their organizations’ cybersecurity efforts by enabling multi-factor authentication for all user accounts. It is by far the fastest, least costly and most simple way to drastically reduce a criminal’s chances of exploiting healthcare systems. 

Nick Biernat

Now 2 decades old, does HIPAA have the muscle to protect patient rights?


Critics contend that some parts of HIPAA are hindering health tech innovation, while others argue it doesn’t protect privacy on emerging channels.

HIPAA, the Health Insurance Portability and Accountability Act, has been one of the most hotly debated pieces of healthcare legislation ever since it was enacted in 1996.

It was originally designed to protect employees’ rights to health insurance between jobs. Today, it is far more synonymous with privacy measures that were enacted along with the bill to address the use and disclosure of individuals’ health information—called protected health information (PHI).

HIPAA is From a Different World

Despite many updates to the regulations since the law was first implemented, HIPAA critics contend the bill is in much need of an overhaul to reflect advancement in technology. At the time HIPAA was first written into law, society and technology were incredibly different from what we have today:

  • A new Internet experience. The World Wide Web was just emerging as a more usable version of the Internet, and lawmakers could have done little to predict just how much it would change the way we share and exchange health information.
  • Search 1.0. While we had Yahoo! and AOL, Google had not yet launched.
  • Internet use. Americans with Internet access at that time spent fewer than 30 minutes a month surfing the Web.
  • Early days of cell phones. Cell phones were just emerging in 1996, but they were large and limited. Consumers were more likely to receive text messages on a pager than a phone.
  • Social what? Social media as we know it didn’t even exist.


HIPAA Limitations

HIPAA critics argue that the law is now out of sync with the digital and mobile technologies that dominate consumer communication and that are increasingly used within our healthcare system.

For starters, the law only pertains to healthcare providers, health plans and healthcare clearinghouses involved in the transmission of PHI, known in the bill as “covered entities.” Developed more than a decade before Fitbit was even founded, the law was never intended to be a measure for managing the flow of healthcare data that exists in today’s digital ecosystem.

With more than 300,000 health apps and a growing number of devices capable of tracking health data, some question if the law is still the best measure for safeguarding consumers’ health privacy.

Needed Changes to HIPAA

While most can agree the law needs some modernization and reform, there are distinctly different philosophies driving demand for change:

  • Digital age demands. On the one hand, some critics don’t believe the law goes far enough to protect consumers and their privacy in the digital age.
  • Hampers the healthcare industry. Others believe the law presents an undue burden on the healthcare industry and is, in turn, stifling innovation at the time we need it most.
  • Patients are paying the price. On both counts, patients are the ones paying the price, caught in a healthcare system that has not yet evolved to make accessing their personal health information easy.


Is HIPAA Negatively Affecting the Patient Experience?

An unforeseen consequence of HIPAA has been its impact on patient communications. A top complaint among providers is that the law restricts them from delivering an experience in-line with today’s consumer expectations.

Consumers are used to easy, seamless electronic communications and they want the same from their health providers. They want to be able to text their doctor directly, get emails from their care team and they don’t necessarily want to deal with logging in to a secure portal to make it happen.

While electronic health portals have been positioned as a solution, security measures often make them cumbersome, and as a result, consumers fail to engage. Those pushing for a modernized bill say it should be as easy for patients to communicate with their care team as it is to conduct online banking.

Hindered Access to Information

Despite its intent, HIPAA has in some cases made it more difficult for patients to secure access to their health data and history. Patients are often told that due to the privacy constraints of HIPAA, they can’t access their records and they can’t be shared with another provider.

Healthcare administrators, who have been drilled to protect privacy, too frequently use HIPAA as an excuse not to provide access to health data and records. A study conducted by Yale University School of Medicine confirmed the scale of the problem, finding that only 53 percent of the hospitals surveyed provide an option for patients to obtain their medical records.

This runs counter to a key goal of HIPAA, which guarantees patients’ rights to their protected health information. The HITECH Act extends the requirements, specifying that organizations must provide patients with an electronic copy of their file.

It can be especially difficult for loved ones who are caregivers to get access to the data and health information they need. Despite updates made in 2013 to ensure individuals can designate a third party to receive health data via a right of access request, many providers still are not familiar with the rules and are overly cautious in the release of information to caregivers.

Is HIPAA Holding Back Health Innovation?

Many argue HIPAA is holding the healthcare industry back by placing restrictive burdens on data use that make it difficult for healthcare providers and patients to access information and to use health information to its fullest potential. They contend that HIPAA is slowing the pace of innovation and adding to skyrocketing costs that already plague our health system.

In fact, fifty-nine percent of physicians, hospital administrators and health IT professionals cited the complexity of HIPAA requirements as a major barrier to modernizing the healthcare system in a survey by the Ponemon Institute.

HIPAA critics believe the law’s ambiguity and fears of costly fines have created a risk-averse culture. The result is that HIPAA is often over-applied, which then poses negative consequences for our health system and the patients the law was intended to protect.

Unrealized Potential of Big Data

Big data is transforming the way we process information and solve problems across industries, and nowhere is its promise greater than in healthcare. However, many contend HIPAA is a barrier to using health data to its fullest potential, and they maintain that compliance fears have hindered improvements in and from health data.

A 2013 Bipartisan Policy Center report, titled A Policy Forum on the Use of Big Data in Health Care asserts that HIPAA is causing delays in the sharing and movement of data in a meaningful way. They believe that federal regulation is “misunderstood, misapplied, and over-applied in ways that may inhibit information sharing unnecessarily.”

The unintended consequence of HIPAA is that patient data is often siloed. Clinical data and analytics that could lead to better health for the population is instead locked away and not put to optimal use.

Undue Burden on Start-Ups and Innovators

Among the chief complaints about HIPAA are its complexity and lack of clarity. The law’s ambiguity, particularly for new market entrants that don’t neatly fit the “covered entity” definition, can make it difficult to interpret and navigate.

Critics argue that those who are trying to innovate in the space face a high barrier to entry and unreasonable exposure to fines or lawsuits. That HIPAA-driven reality keeps many of the best and brightest away from the healthcare industry altogether.

For the many start-ups in the health tech field, the consequences are real and significant:

  • Legal burdens. Entrepreneurs must shoulder hefty legal fees as they try to interpret applicable laws and regulations.
  • Compliance. Start-ups face increased development fees to achieve, maintain and ensure compliance with HIPAA requirements.
  • Capital. Innovators often encounter hesitancy from potential investors due to compliance risks.


Many Argue that HIPAA Doesn’t go Far Enough

While many argue for a loosening of HIPAA restrictions in the name of innovation, others argue HIPAA does not go far enough to protect patient rights and privacy. These pro-privacy critics argue that HIPAA leaves consumers vulnerable in the wake of increased use of electronic health records, rapid advances in mobile health and unclear guidelines of data from wearable devices.

Consumers themselves lack trust in the system and want better protection and privacy assurances. According to a recent Black Book survey, consumers have serious concerns about healthcare organizations’ abilities to protect their health data and to ensure that it will stay private.

  • More than half of consumers who had used technologies provided by their physician or hospital such as electronic health records, portals, and apps, noted they were concerned about the privacy protections put in place. They questioned whether their data could, in fact, be kept private.
  • Their lack of confidence was causing many to hold back from sharing their full medical information with their providers.
  • Eighty-seven percent were unwilling to share comprehensive information for fear of how it would be shared.

This lack of consumer trust isn’t surprising given the increasing prevalence of health data breaches. Despite HIPAA safeguards and protections, medical data breaches have increased seventy percent since 2010 according to a 2017 study published in the Journal of the American Medical Association. It found there had been 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017.

Health Data NOT Protected by HIPAA

Those who believe HIPAA doesn’t go far enough argue the law needs more teeth and better enforcement to truly protect patient privacy. They are also focused on growing gaps in the law’s protections posed by advances in technology that they believe leave consumers vulnerable.

HIPAA was originally intended to cover the information exchange between healthcare providers and health plans. But the unintended consequence of this limitation is that app developers and device makers often fall outside of the law’s purview.

Wearable devices like the Fitbit and Apple Watch are generating and handling a lot of health data. But because they are not covered entities under the law, the data from these devices remain unregulated by HIPAA.

Furthermore, thousands of apps have launched aimed at helping consumers collect and track various health data points. While these apps collect and store personal health information, they may remain unimpacted by HIPAA regulation because they are not transferring the data between covered entities.

Insufficient Updates to Regulations

Updates including HITECH in 2009 and rule changes in 2013 have sought to bring about better protections for the digital age, but critics argue they don’t go far enough. In 2016, the Department of Health and Human Services issued a set of guidelines to clarify when health apps need to comply with HIPAA. Many found the scenarios to be confusing.

Worse still, critics worry this measure did nothing to protect consumers from data and security breaches in scenarios where their information is not covered by HIPAA.

Attempts to Modernize HIPAA Continue

The American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA) recently called for officials to reform HIPAA to close loopholes created by the law’s “covered entity” distinction. The groups want all health data to be protected the same way, regardless of where it originates or who it is transferred to, ensuring that patient data from health apps, devices and social media is protected.

In addition to ensuring that these entities put technical safeguards in place to protect data, they also want patients’ rights to access the data generated by such tools to be guaranteed. The Department of Health and Human Services (HHS) also plans to revisit HIPAA guidelines this year as it looks to make changes that promote the better flow of information required to make value-based healthcare a reality.

Health Privacy and Security is Fundamental to People-Driven Health

While there is much that can be done to modernize HIPAA and make it simpler for providers and patients, its underlying premise to protect patient data is correct, and one that we at HealthChampion feel is essential to build upon, even when the law itself doesn’t require it.

While some argue technology has made HIPAA obsolete, we believe technology can be leveraged to deliver on the very promise of HIPAA. In fact, at HealthChampion, our goal is to harness the power of technology to make it easier for everyone in the healthcare ecosystem to securely and efficiently access their health data.

We believe health app developers have a responsibility to advance security, and we take our role as a steward of health data quite seriously. We know your health data is one of your most valuable health assets and it should be treated as such, with the utmost care. At HealthChampion, we are building a fully HIPAA-compliant and HITRUST-certified system. And we are developing blockchain-powered protocols to ensure safe and secure delivery when you need to share your data with family or other third parties.

Regardless of what happens with HIPAA moving forward, patient access to their health data and the privacy and security of that data are fundamental ideals we must all support. As we move toward a more people-driven system of care, health, and wellness, information is critical.

When patients own their health data, they are empowered to take better care of themselves and their families and make better health decisions. But for this to be possible, patients need to trust that information is accurate, safe and secure, regardless of whether the information originated from their physician or their smartwatch.

Nick Biernat
