Patient Privacy in Healthcare: A Security Practitioner's Approach
Data privacy, after years in the desert of “meh,” is becoming headline news. Data breaches, such as the recent one affecting up to 143 million Equifax customers, bring home how important it is to ensure that our personal data is protected. But personal data isn't just our name, address, and social security number. Our personal data also includes our health data. The healthcare industry is increasingly dependent on this data to perform all aspects of patient care. To make the best use of patient data, the industry is going through an evolution in the generation, sharing, and use of health data.
Back in 2011, Dr. Gregory Abowd of Georgia Tech predicted that “within five years, the majority of clinically relevant data…will be collected outside of clinical settings.” Cisco reiterated and updated Dr. Abowd’s view in their report, “The Zettabyte Era: Trends and Analysis”. The report shows that “connected healthcare” will increase by a CAGR of 30% by 2021, and will be the fastest growing industry sector for Internet-connected devices - all of which generate massive amounts of patient data.
Implementing HIPAA Controls
Having these massive amounts of health data floating around our hyper-connected planet raises the question: “What about the privacy of that data?”
The answer to that question comes in the form of the Experian report, “Data Breach Industry Forecast 2017,” in which they identify the healthcare sector as being the sector most targeted by cybercriminals. Actual breaches against healthcare organizations back up the Experian findings. If we look at some healthcare-based breaches in 2017, we can see the breadth and impact of data exposures:
- The WannaCry ransomware attack, which affected over 60 UK NHS trusts.
- 1 million Indiana Medicaid patient records accidentally exposed via a live hyperlink.
- The ransomware attack against Airway Oxygen, which put 500,000 patient records at risk.
- Unauthorized access to an employee's email at Children’s Hospital Colorado, which exposed the protected health information (PHI) of 3,400 families.
In fact, according to the Department of Health and Human Services (OCR) “Wall of Shame” for the first 9 months of 2017, there were 206 recorded incidents of patient data breaches, representing over 9 million individual records exposed.
The Three Muses of Patient-Data: Privacy, Confidentiality, and Security
When considering patient data, we need to think of PHI as having three sides: privacy, confidentiality, and security. These three aspects of patient data are intrinsically linked, and each impacts the other. When designing a system that generates or processes patient data, it should be designed with these requisites in mind.
Let’s look at what each of these requisites is and how they are interlinked:
Privacy: Privacy of personal and, in this case, specifically health data, is a fundamental human right. The definition of privacy originates in a treatise by Warren and Brandeis dating back to 1890 titled “The Right to Privacy.” Privacy is generally defined as the right to protect your personal information from external scrutiny, or “the right to be left alone.” In the U.S., most states have some form of data privacy statute but there is still no national law. Interestingly, in recent years the definition of “the right to be left alone” has been updated for the Internet age and includes an extension to this sentiment in the General Data Protection Regulation as the “right to be forgotten.”
Confidentiality: Patient confidentiality is to be upheld by those who require access to these data. Professionals who use patient data should hold the data in confidence as if it were their own. Confidence in data is an integral part of patient-caregiver trust. Privacy of patient data helps to maintain confidentiality.
Security: This is about protecting the confidentiality and privacy of patient data and concerns the means to that protection. So, for example, methodologies that use encryption or de-identification techniques are part of data security.
Regulatory Frameworks
Patient data privacy has made the mainstream with a number of regulatory frameworks and laws that are either dedicated to this issue or include it as a distinct area. Two examples of this are:
General Data Protection Regulation (GDPR): Although this regulation originates from the EU, the GDPR has a far-reaching impact. Any organization that processes data of an EU citizen or employee in the EU will come under the auspices of the GDPR for data privacy. The GDPR also sets out types of data and assigns special considerations for certain classes of data. This includes specifying health data. There are some exemptions in the protection of privacy of health data within the GDPR, particularly around its use for scientific research.
Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Security Rule, Privacy Rule, and Enforcement Rule are used to ensure health data privacy and protection. The HIPAA was extended to force organizations to ensure not only that they themselves applied the rules but that any business associates who processed these data also abided by the same rules.
GDPR and HIPAA play an important role in highlighting what needs to be protected, from whom, and, in some cases, how. However, it is often difficult for an organization to assess the situation when it first approaches the subject of health data privacy.
Assessing the Risk
Risk assessment gives you insight into your procedures that touch health data. A risk assessment will let you see where within your processes, you are in, or out, of compliance with regulations like HIPAA. In terms of health data, a risk assessment will demonstrate the areas of your organization infrastructure that put PHI at risk.
PHI has a lifecycle of collection/creation, transfer, process, maintain, audit, and archive. This lifecycle should be assessed at each point for risk to PHI exposure.
Risk assessments are not one-off events. As your organization changes, perhaps improving processes, or moving apps to the Cloud, then continued risk assessments should take place.
Fixing the Risk
Once a risk to PHI privacy has been identified, you can look at the options to remove the risks. There are a number of techniques that can be employed by an organization to minimize data exposure and improve privacy.
Encryption is one type of technology that can minimize the potential of data exposure. In the Breach level Report, more than 9 billion exposed data records since 2013 are identified, of which only 4% were encrypted, and so protected post-breach.
Other techniques include anonymization and pseudonymization. Certain organizations that utilize health data can do so while de-identifying these data.
Both HIPAA and GDPR offer exemptions to compliance for organizations that de-identify data. In deciding what data to de-identify data and how to do it, frameworks such as the Common Security Framework (CSF) developed by industry body, HITRUST, can help. Within the CSF is a 12-step program for de-identification of health data.
Implementing HIPAA Controls
Patients, Privacy, and Respect
The healthcare industry has an opportunity to take advantage of the explosion in big data and patient-generated data through Internet-enabled devices and wearables. These data are beneficial to both the industry and the patient. More data, more accurate analysis of data, and swifter communication of data lead to better patient outcomes and clinical decisions. But, when using these data, respecting the privacy of the patient is a fundamental right. This respect for patient data privacy builds bridges between healthcare industries, which have lost patient trust in recent years, and those patients. Creating a privacy-enhanced environment to share PHI is not just about complying with laws and regulations, but it is about patient respect.