Data Protects Patient Privacy

Posted on by Christopher Burgess

Who wants his or her medical information shared beyond the healthcare professionals who need to know? It’s common sense that when it comes to medical privacy, no one wants to share his information. 

In the 2014 EMC Privacy Index, respondents from different countries were asked to rate their willingness to trade privacy for convenience on a scale from 0 to 100 (100 being the most willing and 0 being not willing at all). The citizens of India were the most willing to give up some of their privacy for increased convenience, with a score of 61. Comparatively, other nations' scores were 54 for China/Hong Kong, 41 for both Japan and the United States, and 39 for Australia and New Zealand. When asked about the convenience of medical record access, 74 percent of respondents globally said they highly valued it. Only 45 percent were willing to trade their privacy for enhanced engagement with their medical data.

It’s clear the healthcare industry and IT security vendors need to go beyond simply locking data down to protect medical data. Investing in personnel training on the importance of data protection will be repaid handsomely, as security measures will be applied more consistently. It boils down to the individual doing the right thing, at the right time, to protect the patient's information. Examples of data breaches within healthcare and medical entities are numerous. For example, in June 2014, a hospital in San Diego suffered two separate incidents affecting patients' data. In both instances, patient data was sent to job applicants as an email attachment. How was this possible? Human error.

In Pennsylvania in early June 2014, patients also had their medical privacy violated when an employee took his administrative work home on a USB drive and performed work on his home computer (which did not have the depth of technological protection that the devices at the medical center had). Furthermore, the information was sent to the employee's personal email account. How was this possible? Again, human error.

Couple these "human error" incidents with the lack of attention paid to known vulnerabilities, and the situation becomes further amplified. According to security researcher Robert David Graham, more than 300,000 servers remain susceptible to the known Heartbleed OpenSSL vulnerability. When vendors and providers don't keep their infrastructures secure, is it any surprise that the educated consumer will gravitate toward those entities who invest their time and resources into protecting the data and, by extension, the privacy of their users?

And indeed, those companies and government organizations that put data protection and privacy at the forefront are deserving of the confidence of the consumer. Yet the number of data breaches that have occurred of late is staggering, and puts the privacy of the consumer on the line, even more so with respect to medical privacy.

Patients as a whole do not conduct an information security analysis of the IT infrastructure of their general practitioner or medical facility. Consider these two data points from the privacy index: the number of individuals who don't change their passwords regularly (62 percent) and those who believe governments and businesses have the skills required to protect their data (58 percent). There is clearly an expectation that the organization will be compliant with the governing laws under which it operates.

Yet the inability to protect patient data continues to chip away at patient trust. The EMC survey showed almost three of every four individuals (72 percent) are concerned about medical privacy and the security of their medical data. To put it another way, only 28 percent believe medical data and their medical privacy are being protected appropriately, a clear klaxon call of opportunity for all service providers to address data protection and garner consumer confidence.

Christopher Burgess, Prevendra Inc.



Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
