I've been thinking about health care data a lot lately.
Now, I'm no data maven, no informatics guru. But the data breach at Anthem, which could impact as many as 80 million customers, was such big news that I suspect a lot of people -- not just Anthem customers -- are suddenly worrying about their own health care data. That is, if they weren't already freaked out by similar breaches within the past year at companies like Home Depot (60 million), Target (70 million), even Chase (76 million). And, of course, the sophisticated hack of Sony last fall helped elevate cyberpiracy into a bipartisan, international concern.
It's pretty scary.
Even worse, experts fear the attack is just the start of similar attacks on other health care organizations. When your credit card information is stolen, your card issuer will typically cover any losses, and give you a new card. You can buy identity theft protection. However, you can't get new health care information. Once that's stolen, you are irrevocably exposed. With more and more health care information digital, it is a ripe target.
Anthem was no doubt vulnerable to the hacking in any event -- it is suspected that an administrator's credentials were used to gain access, as was true with the Sony hack -- but it didn't help that the Anthem data wasn't encrypted. Many health care organizations might complain about HIPAA burdens, but encryption of the data isn't, as it turns out, one of its many requirements, something that lawmakers are already rethinking.
People much smarter than me talk about things like firewalls, de-identification, and encryption, but I'm beginning to wonder if it is all for naught. Just before the Anthem breach, Science had a special issue, The End of Privacy. Among the many worrisome articles, researchers in one showed how few data points were needed to identify specific individuals. It turns out that as few as four random pieces of credit card data allowed the researchers to identify 90% of the card users. If data from Facebook, Twitter, or health care organizations were included, it might be even easier.
I'm beginning to wonder if we're thinking about health care data wrong.
In what I'll characterize as our very 1950's approach to health care data, each provider (and administrators, such as health plans) has his/her/their own data about each patient, with the result that data about any patient is typically held by many providers and other organizations. We've spent massive amounts of federal and private dollars to get records digital and to try to connect them, but ONC admits that only 15% of eligible professionals have attested to the Stage 2 requirements. And Stage 2 is by no means the desired end point.
I've written before about our dismaying lack of interoperability, but a recent paper by Niam Yaraghi presents some interesting thoughts on perhaps a better way. Instead of HIEs -- health information exchanges -- trying to connect all that data while perpetually needing government handouts, Dr. Yaraghi thinks they should be in the data analytics and real time data services businesses. He believes this provides more robust and value-added business models that will facilitate the kind of interoperability we're looking for.
I think Dr. Yaraghi is on the right track, but with perhaps the wrong industry. Frankly, I'm not sure that HIEs, with their health care background and health care mentality, are at all the right organizations to be in these sophisticated data businesses.
One way to think of the problem is that there are two different health care systems. The first is the physical one where things happen to people: they get sick, they get examined, they take a pill, they get a procedure, etc. Then there is the meta-system, if you will -- the data about all those things that happen. Those two systems have always been intertwined, but perhaps it is time to untwine them.
In the new approach, patients and their providers would get data as needed for care, and generate data by their actions, but would not be the ones holding onto the data. Data vendors would be. Providers might have to pay to get value-added suggestions to deliver more effective care, but they might also get paid for data they generate, and any net increase in spending would hopefully be more than covered by better performance under value-based payment structures.
Companies like Google, Facebook, and Amazon are rumored to be interested in health care, and managing its data seems to me to be a lot better fit than, say, more fitness monitors. They're very good at managing massive batches of data, and they pride themselves on being able to use that data to target ads. Maybe that's what health care needs.
Some people may recoil at the notion that their health care data would be used to drive ads. I think that is an old-fashioned view. After all, I doubt there is much in my medical records that Google can't already ferret out through my online activity. Same for Facebook. If they could use my health care data to target ads for health care products, services, and/or providers that might help me improve my health or help me manage it more cost-effectively, why wouldn't I want to see those? Is my hospital or surgeon going to tell me I might get a better outcome, for less, someplace else? I don't think so, but Amazon or Google might.
Keep in mind that having a data company use our data to drive ads is not the same as actually sharing that individual data with the advertisers. I'm not sure I'd have any less actual confidentiality than I expect now, and at least my data can be put to better use.
You might even call it "Meaningful Use."
Our current approach of "protecting" our data in its multiple silos has led to a system in which costs are opaque yet wildly varying (e.g., the GAO's recent report), where we don't do a good job either tracking outcomes or using what data there is to improve them, and in which it is widely agreed that we have too much unnecessary care. As Dr. David Lee Scher wrote in a recent post: "Yet the millions of bits of discrete data amassed every minute in healthcare are warehoused in a contextual vacuum." The silos don't work.
Dr. Scher believes increased analytics can drive some major changes, but I'd argue that cannot be achieved with our current proprietary stance towards health care data.
Yes, I'm sure Google or other data companies can be hacked too, but if it comes to who I think is more likely to be able to safeguard against such unwanted intrusions, I trust them more than my doctor, my hospital, or my health plan.
Thicker silos aren't the answer. Make health data a commodity, so that providers can focus on what they do best -- delivering care -- and so that businesses can compete on deriving value from that data.