Tuesday, March 14, 2017

Health Care in a Post-Privacy World

Someone knows you are reading this.

They know what device you are using.  They know if you make it all the way to the end (which I hope you do!).  They may be watching you read it, and listening to you.  They know exactly where you are right now, and where you've been.

As FBI Director James Comey recently proclaimed, "there is no thing as absolute privacy in America."
Director Comey was speaking about legal snooping, authorized by the courts and carried out by law enforcement agencies, but, in many ways, that may be the least of our privacy concerns.

Your phone knows where you are, all the time.  Go outside and chances are you'll show up on surveillance cameras at some point.  Facial recognition software can now easily identify you (e.g., Facezam), as can supposedly de-identified data.

Think about what Google knows about you.  Think about what Facebook knows about you.  Think about what Amazon knows about you, including anything you may have told Alexa.  Think about what your mobile phone carrier or your cable/internet providers know about you.

It's pretty staggering.

We all know, in theory, that all these organizations are collecting information on us, and even that they're using it, ostensibly to "help" serve us better.  Again, in theory, we've given permission for them to collect and use our information -- in some cases, to even sell or share it with other organizations, with whom we may have no other relationship.

And these are all from the "good guys" -- law enforcement agencies or well known, usually publicly traded companies we're electing to get services from.   There's a whole world of hackers and cybercriminals who are after our data, for fun or for-profit, and they're pretty damn good at getting it.

I'd be remiss if I didn't note the recent WikiLeaks disclosure about how pervasive the CIA's surveillance capabilities are.  Whether they only use them per their mission, whether they can actually absorb and analyze all the information they collect, whether this is the whole iceberg or just the tip -- I don't know, but I'm pretty sure the C.I.A. is not the only one with these kinds of capabilities.

And if we think things are bad now, wait until the vaunted Internet of Things (IoT) really takes hold, when virtually everything may be subject to attack.

The Pew Research Center has been following the digital privacy issue for several years, and concludes that:

  • 91% think they've lost control over their personal information;
  • Few have confidence that any organization will protect their personal information;
  • At most only about half think they understand what happens with their information;
  • Most claim to have taken actions to protect their personal information, but most also admit they'd like to do more.
  • Perhaps most telling, our attitude about privacy is "it depends" -- e.g., it is OK to use their information if used to combat terrorism (or perhaps to make shopping easier).
Interestingly, younger respondents paid more attention to digital privacy -- but also were more likely to have shared personal information online.

What does all this have to do with health care?  After all, we have HIPAA to protect our data, right?  

Not so much, as it turns out.  Health care data breaches were up some 40% since 2015.  Accenture says 26% of Americans have had their health data breached -- and half of those were victims of medical identify theft, costing them, on average,  some $2,500 in out-of-pocket costs.  
Despite that, Accenture found that consumers still trusted health care providers and payors with that data much more than they did health technology companies or the government.  That confidence may be badly misplaced, according to IBM's Paul Roemer, who asserts that the average hospital has 100,000 unsecured (data) entry points, and large hospital systems 1,000,000.  

Indeed, Avi Rubin, the head of Johns Hopkins University Health and Medical Security Lab, told NPR that the health care sector was the "absolute worst" in its cybersecurity problems, because: "Their data security practices were so far below every other industry."

When all of our records were on paper, when none of medical devices and equipment were connected, security was not very good either, but at least the exposure risk was limited by proximity.  In an almost fully digital, connected world, though, we should all feel very exposed.

Yes, certainly people -- the biggest weakness for data breaches -- could be more vigilant.  Yes, certainly, all organizations should to beef up their privacy policies and their efforts to protect our data.  Perhaps blockchain or other alternative approaches to security can mitigate the risks of our data being exposed.  

But the genie is not going to go back in the bottle.

We leave digital footprints.  Lots of them. We've implicitly or explicitly decided that the advantages of being digital outweigh the disadvantages.  It may be time to revisit our attitudes and approaches to privacy, in health care and elsewhere.

It is supposed to be "our" health data, but if, as they say, possession is nine-tenths of the law, you'd have to say that the institutions that house it own it.  They are the ones who are failing to protect it, who are already sharing it -- for research and for commercial purposes -- without us even knowing it (or profiting from it), and they are the ones who sometimes charge us to get copies of it (usually delivered in paper form!).  And yet they seem to have a hard time sharing it when we show up in an ER or at a new doctor. 

The new era of Big Data won't happen without all our little data, yet we haven't figure our how our "little" should relate to the "Big."
HIPAA was literally passed in the previous century, when the Internet was still feeling its way and few of us relied on it.  Now, though, as Evan Schumn writes in Computerworld, "true online privacy is not viable."  We urgently need to revisit ownership of our data, what sharing of it means, to whom, and what privacy is realistic to expect in the 21st century.  

Like it or not, there is no absolute privacy, not even for our health information.  

No comments:

Post a Comment