Hackers, Breaches And The Value Of Health Data: 2022 E-Book Update

As solutions like remote care become the norm, 3D printing disrupts the normal supply chain and the number of life science studies on tools like artificial intelligence (A.I.) skyrockets, it’s become clear that we are not anticipating the digital health era; we are in the digital health era. This was to come sooner or later, but the pandemic accelerated the process by years.

However, along with the enhanced healthcare landscape that digital health brings along, there is the pressing issue of privacy. To put it bluntly, there is no digital health without sacrificing a part of our privacy. The advanced technologies fuelling the transformation cannot improve – and offer better services or access – without our data.

  • In the age of digital health, it’s not a question of whether we should do this but how we can do it in a way that protects what is valuable and vulnerable.
  • And also: how can we prevent companies or individuals from making money off our health data without our explicit knowledge AND consent?

Such a discussion is the centrepiece of our new e-book “Hackers, Breaches And The Value Of Health Data.” In this article, we discuss the three cornerstones of every privacy discussion going forward. These encompass the traditional, the new, and the future spheres that deal with your health data.

We also highly encourage you to pick up our e-book on LeanPub to discover our full analysis.

The traditional: when institutions hold on to your data

For a long time, healthcare institutions and authorities safeguarded our healthcare data. Secured as physical records and on IT systems, this medical information was not even accessible to us. With the digitisation of healthcare, those authorities have to double down on securely managing sensitive data. Are they up to the task?

Already, medical information is among the most valuable items on the black market. It allows counterfeiters to file false insurance claims and even to buy medical equipment illegally. This valuable commodity is leading to an increased incidence of compromised healthcare records. HIPAA has been monitoring these incidents since 2009 and their accumulated figures show that while the number of incidents increases year after year, their impact (number of exposed records, number of compromised records) varies.

However, we are talking about some whopping numbers here:

  • Between 2009 and 2021, 4,419 healthcare data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights.
  • Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 314,063,186 healthcare records.
  • That equates to more than 94.63% of the 2021 population of the United States.

An influx of data to deal with

Forecasts put the amount of digital data by 2025 at 175 zettabytes or 175 trillion gigabytes. Digital health tools’ contribution to this very significant chunk of data isn’t negligible as their market share is steadily increasing. The very authorities safeguarding this information must handle this major influx of sensitive data with extreme caution. And we can extrapolate from recent examples to see how this can play out.

During Facebook’s Cambridge Analytica scandal, millions of users’ information was compromised without their knowledge. When Mark Zuckerberg faced Senators during his hearing, the main take-home message was that politicians understand little regarding the tech industry’s functioning. Some Senators clearly failed to understand how Facebook operates and generates revenue – which was at the core of the scandal.

With such poor grasp over the basic functioning of tech companies, how will policymakers regulate upcoming digital health issues where the technologies and data involved put human lives at stake?

Iceland and genomics

On the other hand, we have the case of Iceland. Here authorities took the lead in addressing similar issues. The private genetic sequencing company, DeCode Genetics, could identify all of the country’s inhabitants who are at risk of breast cancer due to a defective, inherited gene. DeCode Genetics could do this by extrapolating from the genetic data it had already sequenced from Icelanders as part of a study, but the others who could be identified did not take part in or know about this research. The country’s regulators ruled that neither the government nor private companies should identify and inform individuals of such risks without prior consent to access their genetic data.

With the ever-increasing volume of sensitive information, similar conflicts are bound to emerge in the coming years. Policymakers should take the lead in regulating and handling these issues, rather than lag behind.

The Epic case

While authorities traditionally kept our data safe in the ivory towers of medicine, we, the patients, could not proof-check the information gathered about us. However, turning this around can help fix data errors and offer additional insights. One of the stars of the e-patient community, e-Patient Dave emphasised this back in 2009. How would you know if potentially life-saving information about you is right or wrong if you can’t look into those records yourself?

However, the attitude of barring access to one’s own medical records has changed little. In 2020, Epic, the largest electronic health record (EHR) company in the U.S., downplayed the federal government’s effort that would enable easier access to one’s electronic health data. Epic’s CEO wrote to hospital administrators, nudging them to disapprove of the proposed rules. Critics went on to highlight how Epic has done little to favour health data interoperability between different EHR systems and that the company even “imposes information blocking.” A study showed how some healthcare institutions give patients “conflicting information about requesting their records and, in many cases, give blatant misinformation or limited information.”

Giving patients agency over their health information by giving them clear access to it should be promoted, not hampered. Such access allows them to have second opinions easily, switch providers if necessary and even download the data that institutions have about them. If major actors aren’t supporting this view, then outsiders will come into play.

For instance, Apple’s Health app lets users view all of their health data and even allows them to delete the data from their app. The Hugo Health platform connects patients with their medical data and only moves data with their permission. Legislative bodies could further support such efforts to open up access to data so that patients can make more informed decisions.

The new: consumer tech with your medical information

With the help of digital health technologies, patients turn into the point of care. Consumer technologies like smartwatches, portable ECGs and at-home genomic tests give unprecedented access to one’s own personal health data.

This democratisation of access to quality care is a double-edged sword, as the companies behind those solutions might profit from our individual health data without our explicit knowledge, let alone consent. Furthermore, security might not always be the main concern when it comes to for-profit companies.

By adopting digital health technologies, a new level of individual responsibility ensues in order to secure the load of accompanying sensitive data.

Watchful tech

According to the 2019 Trustwave Global Security Report, healthcare data may be valued at up to $250 per record on the black market (unfortunately, there is no follow-up on these numbers from later years). On the other hand, the next highest valued data, payment cards, are at $5.40. As we mentioned earlier, such information enables fraudsters to make false insurance claims or buy medical supplies illegally.

Now that individuals supply such information through their wearable sensors, these devices are becoming targets for malicious third parties. For instance, fitness wearables giant Garmin was one such target in 2020. Hackers halted the services, threatening users’ data. The company reportedly paid $10 million to free its systems.

And such reports represent only cases made public. “There are certainly rather large organisations that you are not hearing about who have been impacted,” Kimberly Goody, senior manager of analysis at security firm FireEye, commented on the matter. “Maybe you don’t hear about that because they choose to pay or because it doesn’t necessarily impact consumers in a way it would be obvious something is wrong.”

If even major players in the wearables industry aren’t impervious to cyberattacks, then it raises the question of how seriously these companies take the issue of security over our data. There is much room for improvement and it’s ultimately up to the company to do so. As consumers, we can demand tighter control over our information, or at the very least, reconsider with which company we entrust our data.

Genetic sequencing: risk-averse or profitable?

At-home, direct-to-consumer (DTC) genetic testing kits are simply revolutionary. The first human genome took some $2.7 billion and nearly 15 years to complete. Now people can order a kit to take samples at home and send it back to the company to get a result within weeks. The cost to do that has dropped precipitously; soon, sequencing a genome could cost as little as $100. Having such a test done informs one about their risk for ailments and allows them to tailor their diet and lifestyle to maximise their health.

It’s easy to see how up to 2 billion human genomes will have been sequenced by 2025. Some governments like England, Saudi Arabia, Estonia and India are trying to fast-track this adoption. Authorities in these countries plan to sequence a large number of their population’s genomes. However, such measures raise a host of ethical and legal questions.

  • How will the data be secured to prevent abuse from bad actors?
  • Will authorities and workplaces discriminate based on someone’s genetic risk?
  • Will the data be sold to companies for a profit?

The novelty and ease of access to such sensitive information are happening at a faster pace than regulations can catch up with. However, it might help to look at how other countries are handling similar situations.

We mentioned how Iceland dealt with a private company mining for information without consent. In another example, the Estonian government secures genetic and healthcare information with blockchain technology. The transparency it offers allows authorities and even patients to see who looked up individual health data. Healthcare professionals who did so without the proper authorisation were fined or even fired from their respective medical institutions. Such measures can build trust with the average citizen so that they know that their data is in safe hands.

The future: data you are not even aware of

As we adopt advanced technologies as part of our daily lives, those very same tools are intermingling with our healthcare. We ask virtual assistants like Siri and Alexa about our ailments as simply as we ask them about a recipe; these, in turn, synchronise with our wearables that are constantly monitoring our vitals to offer personalised results. These devices and assistants can further link up with other services or get employed by institutions in ways that can influence our health, beneficially or otherwise.

In the digital health era, it’s getting challenging to keep up with technological advances. And it’s getting even more challenging to track where our health data ends up and its impact on ourselves. As part of the privacy discussion, we must look beyond the traditional healthcare landscape and into other industries for a better overview of the bigger picture. Here are two cases where advanced technologies raise the bar for the need for enhanced privacy and security.

Would you give away your privacy to help save lives?

This question might have sounded far-fetched a few years ago, but it became a very sensible one during the pandemic. Countries worldwide were adopting apps to monitor people for contact tracing. Those like South Korea with an even more aggressive surveillance approach yielded successful results in curbing COVID-19’s spread.

By tracking bank transactions, phone use and CCTV monitoring, South Korean authorities could successfully identify those potentially infected and take precautionary measures. However, this was done at the expense of individuals’ privacy. So-called “safety guidance texts” alerted individuals about details of those who tested positive for the virus. They could see a list of places this particular person visited prior to a positive virus test. This exposed numerous intimate details, leading to rumour-mongering among the population.

Countries have implemented digital surveillance to track the spread of the novel coronavirus

But the issues didn’t end here. Even though contact tracing apps were attractive for healthcare authorities, they weren’t immune to serious security flaws. Over a million users’ personal data and health status were in jeopardy due to security vulnerabilities in Qatar’s mandatory contact tracing app. The contact-tracing apps of the U.K. and South Korea also had similar flaws.

Decentralised apps like the one proposed by Google and Apple could have added a layer of security by de-identifying data while still being helpful for public health authorities. However, the general public in Western countries flatly refused to use these apps and share their locations with tech companies.

A.I. needs your data, will you give it away?

From solving alarm fatigue to quickening drug research while cutting down on costs, A.I.’s potential in improving healthcare is revolutionary. However, without enough quality data, such smart algorithms simply cannot function as intended.

Take, for example, the Flu Tracker launched by Google a couple of years back. It aimed to predict flu outbreaks, but in 2013 its forecast of that year’s peak was off by 140%. Lack of trustworthy data was among the causes of this failure, leading to Google halting it in 2013.

Despite such setbacks, Big Tech won’t back down on the potential of A.I. in healthcare. The global healthcare A.I. market is already projected to rise to over $28 billion in 2025. Major companies will inevitably want a share in this market. In 2019, Amazon Alexa and the NHS partnered for the A.I.-based Alexa assistant to offer health advice. Facebook’s A.I. research team (FAIR) teamed up with NYU Langone Health radiologists in 2020 to develop a machine learning model that enables faster MRI scans for quicker diagnoses and less inconvenience for patients.

Facebook has a notorious reputation when it comes to handling private data. For its part, Amazon was secretly storing recordings of Alexa users. Despite this mishandling of individuals’ data, the same companies are venturing forth in healthcare A.I., which deals with even more sensitive information. However, there is no general consensus on the transparent and ethical use of clinical data for medical A.I. development.

Experts stress the need to de-identify data for such purposes; and that, ideally, there should be no involvement of financial transactions when using clinical data for research and the development of A.I. models. Regulators should further keep tech companies in check in these matters.

An example is how the U.K. Information Commissioner’s Office (ICO) investigated the breach of the law when the Royal Free NHS Foundation Trust shared large amounts of patient data with Google’s DeepMind A.I. branch to develop a new platform. The Trust did not inform patients properly about the use of their data for this purpose. It had to set up a legal basis for future data processing, complete a privacy impact assessment, and commission an independent audit.

Will regulators and policymakers step up in similar situations in the future? Or are we expected to give away our information to those companies which can subsequently further profit off of these data?

Upgrades and guidance required for the digital health era

As we’ve seen, privacy and security issues pertaining to the digital health era are complex and multi-factorial. These aren’t likely to get any simpler as more and more advanced technologies get integrated into the field – many needing huge amounts of data to make a real impact.

As such, every stakeholder in the healthcare landscape must contemplate the need for changes in this era. From a change in attitude to upgrades in privacy policies, change is part and parcel of digital health. In fact, it is a cultural transformation by definition.

And for a smooth transformation, there’s a need for appropriate guidance. As digital health technologies empower patients to become more proactive in managing their health, physicians can focus on the human component and serve as guides helping them navigate properly.

We further elaborate on the need for changes and the related issues, and provide practical recommendations, in our newly updated e-book. We again encourage you to pick up your own copy on LeanPub and share your feedback with us.

The post Hackers, Breaches And The Value Of Health Data: 2022 E-Book Update appeared first on The Medical Futurist.
