Hackers, Breaches And The Value Of Health Data: 2024 E-Book Update
There is no digital health without sacrificing some of our privacy. The key is to know how you can control this process and protect what’s valuable.
Key Takeaways
As digital health and medical AI develop with amazing speed, an increasing amount of sensitive health data is being generated thanks to these new methods.
This ever-growing volume of data brings new privacy and security challenges at various levels.
On one hand, we need to use this data to achieve better care and quality of life. On the other hand, we must do so consciously, ensuring that external actors cannot exploit or profit from our data without our knowledge and consent.
As solutions like remote care become the norm, 3D printing disrupts the normal supply chain, and the number of life science studies on tools like artificial intelligence (AI) skyrockets, it has become clear that we are not anticipating the digital health era; we are in the digital health era. This was to come sooner or later, but the pandemic accelerated the process by years.
However, along with the enhanced healthcare landscape that digital health brings along, there is the pressing issue of privacy. To put it bluntly, there is no digital health without sacrificing a part of our privacy. The advanced technologies fuelling the transformation cannot improve – and offer better services or access – without our data.
- In the age of digital health, it’s not a question of whether we should do this but how we can do it in a way that protects what is valuable and vulnerable.
- And also: how can we prevent companies or individuals from making money off our health data without our explicit knowledge AND consent?
Hackers, Breaches and the Value of Health Data
Today, everyone needs to understand that there is no digital health without sacrificing a part of our privacy. The advanced technologies fueling the transformation cannot improve without our data; and without it, they can’t be implemented as part of regular medical care. And COVID-19 has only made things worse.
In this e-Book, we defined the three cornerstones of every privacy discussion going forward: the traditional, the new and the future spheres that deal with your health data, and put forward recommendations on how you can start protecting yourself.
Such a discussion is the centerpiece of our new e-book “Hackers, Breaches And The Value Of Health Data.” In this article, we discuss the three cornerstones of privacy in every privacy discussion going forward. These encompass the traditional, the new, and the future spheres that deal with your health data.
We also highly encourage you to pick up our e-book on LeanPub to discover our full analysis.
The traditional: when institutions hold on to your data
For a long time, healthcare institutions and authorities safeguarded our healthcare data. Secured as physical records and on IT systems, this medical information was not even accessible to us. With the digitization of healthcare, those authorities have to double down on securely managing sensitive data. Are they up to the task?
Already, medical information is among the most valuable items on the black market. It allows counterfeiters to file false insurance claims and even to buy medical equipment illegally. This valuable commodity is leading to an increased incidence of compromised healthcare records. HIPAA has been monitoring these incidents since 2009 and their accumulated figures show that while the number of incidents increases year after year, their impact (number of exposed records, number of compromised records) varies.
However, we are talking about some whopping numbers here:
- Between October 21, 2009 and the end of 2023, 5,887 large healthcare data breaches were reported.
- There was no letup in cyberattacks on healthcare organizations in 2023, which set two new records: the most reported data breaches and the most breached records. Last year, 725 data breaches were reported to the Office for Civil Rights (which only registers cases with 500+ records), and across those breaches, more than 133 million records were exposed or impermissibly disclosed.
- In 2023, 79.7% of data breaches were due to hacking incidents.
An influx of data to deal with
Forecasts put the amount of digital data by 2025 at 175 zettabytes or 175 trillion gigabytes. Digital health tools’ contribution to this very significant chunk of data isn’t negligible as their market share is steadily increasing. The very authorities safeguarding this information must handle this major influx of sensitive data with extreme caution. And we can extrapolate from recent examples to see how this can play out.
During Facebook’s Cambridge Analytica scandal, millions of users’ information was compromised without their knowledge. When Mark Zuckerberg faced Senators during his hearing, the main take-home message was that politicians understand little regarding the tech industry’s functioning. Some Senators clearly failed to understand how Facebook operates and generates revenue – which was at the core of the scandal.
With such a poor grasp of the basic functioning of tech companies, how will policymakers regulate upcoming digital health issues where the technologies and data involved put human lives at stake?
On the other hand, we have the case of Iceland. Here, authorities took the lead in addressing similar issues. The private genetic sequencing company DeCode Genetics could identify all of the country’s inhabitants who are at risk of breast cancer due to a defective, inherited gene. DeCode Genetics could do this by extrapolating from the genetic data it had already sequenced from Icelanders as part of a study, but the rest who could be identified did not take part in or know about this research. The country’s regulators ruled that neither the government nor private companies should identify and inform individuals of such risks without prior consent to access their genetic data.
With the ever-increasing volume of sensitive information, similar conflicts are bound to emerge in the coming years. Policymakers should take the lead in regulating and handling these issues, rather than lag behind.
The Epic case
While authorities traditionally kept our data safe in the ivory towers of medicine, we, the patients, could not check the information gathered about us. However, turning this around can help fix data errors and offer additional insights. One of the stars of the e-patient community, e-Patient Dave, emphasized this back in 2009. How would you know if potentially life-saving information about you is right or wrong if you can’t look into those records yourself?
However, the attitude of barring access to one’s medical records has changed little. In 2020, Epic, the largest electronic health record (EHR) company in the U.S., downplayed the federal government’s effort to enable easier access to one’s electronic health data. Epic’s CEO wrote to hospital administrators, nudging them to disapprove of the proposed rules. Critics went on to highlight how Epic has done little to favor health data interoperability between different EHR systems and that the company even “imposes information blocking.” A study showed how some healthcare institutions give patients “conflicting information about requesting their records and, in many cases, give blatant misinformation or limited information.”
Giving patients agency over their health information by giving them clear access to it should be promoted, not hampered. Such access allows them to have second opinions easily, switch providers if necessary and even download the data that institutions have about them. If major actors don’t support this view, then outsiders will come into play.
For instance, Apple’s Health app lets users view all of their health data and even allows them to delete the data from their app. The Hugo Health platform connects patients with their medical data and only moves data with their permission. Legislative bodies could further support such efforts to open up access to data so that patients can make more informed decisions.
The new: consumer tech with your medical information
With the help of digital health technologies, patients turn into the point of care. Consumer technologies like smartwatches, portable ECGs, and at-home lab/genomic tests give unprecedented access to our own health data.
This democratisation of access to quality care is a double-edged sword, as the companies behind those solutions might make some profit from our health data without our explicit knowledge, let alone consent. Furthermore, privacy and security are not always the main concern when it comes to for-profit companies.
By adopting digital health technologies, a new level of individual responsibility ensues to secure our sensitive data.
Watchful tech
According to the Trustwave Global Security Report, healthcare data may be valued at up to $250 per record on the black market (unfortunately, there is no follow-up on these numbers from later years). By contrast, the next highest valued data, payment cards, are at $5.40. No wonder: such information enables fraudsters to make false insurance claims or buy medical supplies illegally.
Now that individuals generate steady streams of such information through their wearable sensors, these devices are becoming targets for malicious third parties. For instance, fitness wearables giant Garmin was targeted when hackers halted the services, threatening users’ data. The company reportedly paid $10 million to free its systems.
And such reports represent only cases made public. “There are certainly rather large organisations that you are not hearing about who have been impacted,” Kimberly Goody, senior manager of analysis at security firm FireEye, commented on the matter. “Maybe you don’t hear about that because they choose to pay or because it doesn’t necessarily impact consumers in a way it would be obvious something is wrong.”
If even major players in the wearables industry aren’t impervious to cyberattacks, then it raises the question of how seriously these companies take the issue of security over our data. There is much room for improvement and it’s ultimately up to the company to do so. As consumers, we can demand tighter control over our information, or at the very least, reconsider which company we entrust with our data.
Genetic sequencing: risk-averse or profitable?
At-home, direct-to-consumer (DTC) genetic testing kits are simply revolutionary. The first human genome took some $2.7 billion and nearly 15 years to complete. Now people can order a kit to take samples at home and send them back to the company to get a result within weeks. The cost to do that has dropped precipitously; soon, sequencing your full genome could cost as little as $100. Having such a test done informs people about their risk for ailments and allows them to tailor their diet and lifestyle to maximize their health.
It’s easy to see how up to 2 billion human genomes will have been sequenced by 2025. Some governments, like those of England, Saudi Arabia, Estonia and India, are trying to fast-track this adoption. Authorities in these countries plan to sequence a large number of their population’s genomes. However, such measures raise a host of ethical and legal questions.
- How will the data be secured to prevent abuse from bad actors?
- Will authorities and workplaces discriminate based on someone’s genetic risk?
- Will the data be sold to companies for a profit?
The novelty of such sensitive information and the ease of access to it are advancing faster than regulations can keep up with. However, it might help to look at how other countries are handling similar situations.
We mentioned how Iceland dealt with a private company mining for information without consent. In another example, the Estonian government secures genetic and healthcare information with blockchain technology. The transparency it offers allows authorities and even patients to see who looked up individual health data. Healthcare professionals who did so without the proper authorization were fined or even fired from their respective medical institutions. Such measures can build trust with average citizens so that they know that their data is in safe hands.
The future: data you are not even aware of
As we adopt advanced technologies as part of our daily lives, those very same tools are intermingling with our healthcare. We ask Siri, Alexa, and ChatGPT about our ailments as simply as we ask them about a recipe. Our home assistants, in turn, synchronize with our wearables that are constantly monitoring our vitals to offer personalized results. These devices and assistants can further link up with other services or get employed by institutions in ways that can influence our health, beneficially or otherwise.
In the digital health era, it’s getting challenging to keep up with technological advances. And it’s getting even more challenging to track where our health data ends up and its impact on ourselves. As part of the privacy discussion, we must look beyond the traditional healthcare landscape and into other industries for a better overview of the bigger picture.
AI needs your data, will you give it away?
From solving alarm fatigue to quickening drug research while cutting down on costs, AI’s potential in improving healthcare is revolutionary. However, without enough quality data, such smart algorithms simply cannot function as intended.
As more people use digital health devices and services, a trail of health data is created. Companies, in turn, utilise this data to enhance their products, generate IP, and in some cases, monetize it by selling or sharing it with third parties. Concerns arise about who owns IP in healthcare, with varied laws across countries allowing data use in ways not always transparent to patients.
As AI and digital health evolve, there’s a pressing need for regulations ensuring informed data usage, clear IP ownership, and patient data access.
Big Tech won’t back down on the potential of AI in healthcare. In fact, these companies work relentlessly on setting foot in the health realm. The global healthcare AI market is already projected to rise to over $148 billion by 2029. Major companies will inevitably want a share in this market.
And they do have a tarnished reputation when it comes to handling sensitive health data. Amazon has faced a series of issues in the past years, and Facebook has a shaky track record when it comes to handling private data. And of course, Google also had its share of similar scandals.
Experts stress the need to de-identify data for such purposes; and that, ideally, there should be no involvement of financial transactions when using clinical data for research and the development of AI models. Regulators should further keep tech companies in check in these matters.
An example is how the U.K. Information Commissioner’s Office (ICO) investigated the breach of the law when the Royal Free NHS Foundation Trust shared large amounts of patient data with Google’s DeepMind AI branch to develop a new platform. The Trust did not inform patients properly about the use of their data for this purpose. It had to set up a legal basis for future data processing, complete a privacy impact assessment, and commission an independent audit.
Will regulators and policymakers step up in similar situations in the future? Or are we expected to give away our information to those companies that can subsequently further profit off of these data?
Upgrades and guidance required for the digital health era
As we’ve seen, privacy and security issues of the digital health era are complex and multi-factorial. These aren’t likely to get any simpler as more and more advanced technologies get integrated into the field – many needing huge amounts of data to make a real impact.
As such, every stakeholder in the healthcare landscape must contemplate the need for changes in this era. From a change in attitude to upgrades in privacy policies, change is part and parcel of digital health. It is a cultural transformation.
And for a smooth transformation, there’s a need for appropriate guidance. As digital health technologies empower patients to become more proactive in managing their health, physicians can focus on the human component and serve as guides helping them navigate properly.
We further elaborate on the need for changes and the related issues, and provide practical recommendations, in our newly updated e-book. We again encourage you to pick up your own copy on LeanPub and share your feedback with us.