Keeping Your Health Data Out Of Harm’s Way
Working in the health and insurance industry has helped me learn potential value of health data or what is called Personal Health Information (PHI). Used properly PHI can help your medical team monitor health, assess chronic condition evolution, and inform you of ways to live a healthier life. Improperly used PHI becomes a marketing avenue, a risk to your privacy, and potentially a source for hackers to infiltrate your life.
As with any risk/reward decision you need the right insight, knowledge, context, etc. to make a fully informed risk assessment. Unfortunately, the proliferation of so-called health technology and its migration into the Internet of Things (IoT) have prompted many people to just give away their most private information without even reading the terms and conditions of the device they are about to put on their arm, chest, or other monitoring location. Many of us just assume the vendors have good security practices, but we never ask. Moreover, we also assume regulators and the laws they create such as the Health Information Portability and Accountability Act (HIPAA) automatically protect PHI. They do not, at least not in the ways or to the extent most of us imagine.
A Collection of Questions
So what? Don’t we live in a world where privacy is dead? The question for each of us then becomes – how much information do we really want about our health floating freely across marketing machines and social anything? Do you want your employer’s health insurance rate setting to be customized for you so that when you eat a pint of ice cream, and your blood sugar spikes and that causes an increase in your premium the next day? And if you are comfortable with that level of sharing, then who gets to determine what your blood sugar levels should be? Do you want a perfect health algorithm charging your credit card every time you eat two cookies? Yes, that is 100% possible today, and like all those safe-driving discounts that demand you attach a device to your car, soon your health insurance could demand you attach a device to your body, and then what.
Some potentially positive outcomes of wearing health data collectors include more informed health habits, eating choices, exercise reminders and tracking, as well as tips or suggestions based on your inputs rather than the generic ‘eat better and walk more.’ These are the lures that cause the danger signals from our brains to be ignored. The thoughts might sound like this; if I just wear this device, fill out this self-assessment, install this app, etc. my health will improve so any risk is really for my own good. With that one decision, information about your health habits and other data you might not share with your closest friend is flowing into servers you have no control over and doing so in real time, and that is the real risk.
We all want to think that our PHI is protected by some sets of regulations, laws, rules, or at least customer privacy protections, and that is why we should listen to the danger signals from our brain. The reality is that in very specific instances HIPAA and other laws protect very specific data, in very specific exchanges, for very specific purposes. That is why we think our PHI is always protected, because for very specific purposes, it is. However, you can give up all those protections, just click here to install the app, sign up for an account, or activate your new wearable device. To see some of these protections and the ways companies avoid them, go to your favorite app or health device website and search for privacy. The search will not reveal a single statement that says you own 100% of your data and here is how to control it. Rather, the search results will include links to collections of laws, rules, regulations, best practices, and intent statements. Some apply to people in California, but nowhere else. Some apply to very specific data, but nothing else. Some just sound good but do no apply to anyone or any real data.
If this all sounds scary and confusing, it is, and that is how medical device, wearable manufacturers, medical records hosts, and just about anyone else who wants to work around the laws and rules can do so. Unfortunately, the solution though talked about in security groups and global health agencies, does not support higher profit margins, so will be ignored until consumers demand it. What is this solution? Security first. By building security into every health-related product rather than trying to bolt it on or add it later, consumers could have 100% control over their data. However, that means security in manufacturing, marketing, distribution, sales, data collection and storage including the actual servers and networks, and ultimately an opt-in for every information disclosure. Fortunately, just like increasing your health insurance rates for each pint of ice cream is 100% possible today, securing your PHI and putting you in charge of every data sharing event is also 100% possible today, but it will not happen until every consumer demands it. When the absence of PHI security and uncontrolled or not approved data sharing becomes more expensive to medical device and wearable manufacturers including their entire network of service providers, then security first will become the standard. Until then, each time you put on that smart watch, workout meter, or other data collector, you are taking a risk that you may not be aware of.
Dr. Mike Lewis serves as Chief Information Officer, EVP of Informatics, Security & Technology for Trillium Health Resources, a managed-care organization serving more than 350,000 members in North Carolina. He earned his Doctor of Management degree from George Fox University and is a former MBA adjunct professor at Maryhurst University. Mike has worked in the IT field for more than 25 years with stints at IBM, Merisel, and Dell.
<< Back to Resources