How Much Would You Pay For My Electronic Health Records?

Dougal Adamson
Published in In Fine Fettle, Feb 20, 2016
Source: http://bit.ly/1WyBkKo

Our data holds value. Anyone who uses Google, social media or pretty much any ‘free’ internet service is purchasing access with the currency of personal information. This data is harvested by the internet company, then packaged up and sold to marketing agencies that use it to produce highly targeted advertisements. Society has grown relatively comfortable with the use of personal data in this context. Rather than a threat or a nuisance, it can even be a positive thing. As the theory goes, individuals benefit from receiving communications about products and services that they actually want, as opposed to blanket advertisements that bear no relevance to them.

The basic information given to companies like Facebook and Twitter is fairly innocuous: name, job, email address, hobbies, interests. A number of people would disagree that sharing such data is harmless (practices such as location tracking and search history analysis are more controversial…), but on the whole, these details are similar to much of the information that would be available on a blog or a profile on an employer’s website. The sheer volume of people on social media (as of Q4 2015, Facebook had 1.59bn monthly active subscribers) suggests that even if users resent giving up personal information, the strength of feeling is not enough for them to reject the product.

Society’s attitude towards the distribution of personal health data is more opaque. You would be unlikely to find details of someone’s recent ailments, prescriptions or doctor appointments on a social network, unless they are going off on one about the shoddy state of the National Health Service (NHS). Regrettably, the intrinsic value of health data remains, whether individuals want it shared or not. And where there is value, there is likely to be a market.

In the case of health data, the market is black, shadowy and led by health hackers — cyber criminals that infiltrate the computer systems of healthcare providers to steal, and later sell, valuable patient information. According to the FT, electronic health records (EHRs) do not come cheap. On the black market, credit card identification is worth approximately $1, whereas EHRs can cost upwards of $200. The accuracy of these estimates is dubious, but it is clear an appetite exists for personal health information. Who is buying the data is less obvious. Speculation ranges from the Chinese to competing healthcare providers; it would also be logical if identity thieves were interested.

As with any good market, there is not only strong demand, but also a ready supply. The digitisation of healthcare services is being pushed forward with altruistic vigour, but as more and more information goes online it becomes easier to access en masse. 2015 was a bumper year for such activities: over 100mn health records were accessed or stolen, and eight of the 10 largest health hacks of all time have occurred in the last 12 months. Healthcare is being targeted because it is a security laggard behind other industries that deal with personal information; healthcare systems, for example, are easy to access when compared with those in banking. This makes the industry an enticing target for cyberattacks, and the threat of health hacking is increasing further still.

If you are in the UK you can breathe easy, kind of. The NHS has reported no breaches as yet, but it has been fined a total of £1.3mn for sloppy security by the national data privacy auditor.

If you are in the US, it may be time to run for the hills. The fragmentation and subsequent consolidation of the US hospital network has left its IT infrastructure in tatters. Throw in the muddled soup of health insurers and government regulatory bodies and it does not look pretty. Last year, US health insurer Anthem suffered a data breach that affected 78.8mn individuals (the primary contributor to the record number of breaches in 2015).

More recently, the extraction of value from health data has evolved beyond the simple theft and sale of information, and now also includes a strategy known as ransomware. Last week, the computer network of a Los Angeles hospital was infected and locked by health hackers who demanded a ransom of $17,000 (paid in Bitcoin) to release the hospital’s kidnapped servers. The hackers controlled the system for over a week, and nursing staff returned to paper-based recording methods before the hospital stumped up. The hospital’s CEO said that ‘the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key’. The ethics of ransom payments (however big or small) is a sensitive topic, but it seems like this has set a dangerous precedent. It would not be surprising to see similar hacks occur, now that it is clear hospitals will just foot the bill.

The outcome from all of this is that healthcare providers (globally) need to step up. To make this happen, regulatory action is required. In the US, the Health Insurance Portability and Accountability Act (HIPAA) takes a laissez-faire approach to cybersecurity, with much of the guidance advisory in nature rather than mandatory. The UK is not much better. In the actual provision of healthcare, the industry is often labelled as overregulated and bureaucratic. There needs to be a rebalancing so that areas needing security are well supported, without constraining the areas that benefit from flexibility.

The reaction to Tim Cook’s stance on digital privacy (refusing the FBI back door access to the iPhone operating system) provides an insight into the public’s view on data security. It is hard to know whether people would be more passionate about the security of their smartphone than their health records (I would speculate that those under 35 years old would choose the former, while older generations the latter), but it does seem like there would be widespread support for healthcare providers that take a stance on data protection.

Dougal Adamson, In Fine Fettle: Industry analyst blogging on healthcare / med dev / pharma. There may also be the occasional lifestyle rambling…