Health care providers leak more of your data than hackers do
Your personal data may be safer on your computer than at your doctor’s office.
Health care providers
— not hackers — are responsible for the majority of data breaches regarding
personal health information, a new study from Michigan State University and
Johns Hopkins University found. More than half of personal health data (53%)
leaked between October 2009 and December 2017 was exposed due to internal
negligence — not efforts from external parties.
“Hospitals, doctors’
offices, insurance companies, small physician offices and even pharmacies are
making these kinds of errors and putting patients at risk,” said John (Xuefeng)
Jiang, lead author and associate professor of accounting and information
systems at MSU’s Eli Broad College of Business.
Hackers caused only
12% of external data breaches, the study found. The research, published on Nov.
19 in JAMA Internal Medicine, found nearly 1,800 occurrences of large data
breaches in patient information over a seven-year period, with 33 hospitals
experiencing more than one substantial breach. More than 164 million patients
were affected between October 2009 and December 2017.
Because sharing
sensitive information with health care providers can result in more breaches,
patients should be more discerning about how much information they give out,
said Jessica Ortega, website security analyst at privacy firm SiteLock.
“It’s not uncommon for
doctor’s offices to ask for your Social Security number to ease the billing
process and easily find your health insurance information,” she said. “However,
it is recommended that you opt not to provide this information because not all
doctor’s offices are created equal when it comes to data storage and
protection.”
In most cases a doctor
does not need your Social Security number to identify you as a patient, Ortega
said. Patients can list just the last four digits of their Social Security
number or leave it blank. If the doctor truly needs the number, they will
follow up, she noted.
Patients can take
“proactive steps” to secure their data, Ortega said, by asking the physician’s
billing representative how data is being used and secured. Under the Health
Insurance Portability and Accountability Act (HIPAA), patients can ask to see
who has requested to see their personal information outside of the health care
provider itself. They can also limit what information can
be shared with other doctors or clinics.
“Health care providers
should be able to answer basic questions about their data storage policies,
such as how long information remains on file and who can request access to the
personally identifying information,” Ortega said.
Ask health care
providers if they have a history of hacks or leaks, and whether they have a
clear security policy in place, Francis Dinha, chief executive officer of
security firm OpenVPN, suggested. Red flags to watch out for include being
asked to send private information over a public cloud or generally seeming
flippant about cybersecurity.
“Once you give your
personal information to another company, there’s not much you can do if they
suffer a breach,” Dinha said. “That’s why it’s so important to be cautious who
you share that information with.”
The authors of the
Michigan State University and Johns Hopkins University report said better
policies are needed to tighten security and prevent leaking of private
information, especially as Electronic Medical Records (EMR) become more common.
The EMR market is expected to increase 8.8% by the end of 2023, according to
industry intelligence group ReportBuyer.
Encrypting content or
“putting on armor” against attacks is a basic measure that should be taken to protect data,
study co-author Ge Bai said. “Not putting on the whole armor opened
health care entities to enemy’s attacks,” Bai said. “The good news is that the
armor is not hard to put on if simple protocols are followed.”
https://www.marketwatch.com/story/is-your-doctors-office-asking-for-your-social-security-number-think-twice-2018-12-03