Are we surrendering our data security unknowingly when it comes to health

Sensitive health information is generally classified using the term​​​​​​​ Personal Health Identifier, or PHI. It's thought that with any of this data, a person could be identified, either directly or indirectly, and therefore put at risk of manipulation or fraud.

Current United States law recognizes 18 official categories of PHI. These are:

1.  Patient names
2. Geographical elements
3. Dates related to the health or identity of individuals
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers
13. Device attributes or serial numbers
14. Digital identifiers, such as website URLs
15. IP addresses
16. Biometric elements, including finger, retinal, and voiceprints
17. Photographs of a patient's face
18. Other identifying numbers or codes

Genetic data is perhaps one of the most sought-after pieces of health information today. It's a relatively newer form to be out in the mainstream, as well; companies like 23andMe have made it easy for anyone to glean insights into their health and family history with kits that require nothing more than a swab of spit and postage stamp. Genetic data offers a lot of value, capable of not only providing detailed information about an individual's predisposition towards certain diseases but also uncovering potential underlying causes for existing conditions.

Experts are concerned that, in the wrong hands, this could be leveraged to discriminate against individuals based on their genetic makeup. Others are caught up on the very reasonable question of where their genetic information goes after they send it out. Who has access to it? Can it be sold or used for other purposes without their knowledge? Those are two questions that the average person might not be able to answer.

Many people aren't aware of the full breadth of data they put at risk when working with a medical provider. It's easy to assume that your information is safe and that 'a breach would never happen', but history has proven trust wrong time and time again.

Take 2015, for example. Anthem, one of the largest health insurance companies in the US, suffered a data breach that affected nearly 80 million individuals. The hackers were able to access personal information such as names, Social Security numbers, dates of birth, and even medical IDs and email addresses. This breach not only put personal information at risk, but it also created opportunities for identity theft and fraud.

And this is just one example. In recent years, there have been countless reports of data breaches in the healthcare industry. From small clinics to large hospital networks, no one is immune to the threat of cyber attacks.

While genome analysis is optional, people don't necessarily have control over when they show up to a hospital emergency room. Effective care is contingent upon being able to share information about who you are, your health history, and preexisting conditions. Yet, as has been established, there are inherent risks that come with doing so.

This raises a big ethical question: Is it just to force people to live in a world where life-saving medical treatment comes at the cost of personal privacy?

On one hand, sharing personal information with healthcare providers can lead to better and more accurate diagnoses and treatment plans. It can also help prevent medical errors and improve overall patient care.

But on the other hand, individuals have a right to privacy. They should have control over who has access to their personal health information and how it is used.

In the past, healthcare data breaches have resulted in sensitive information being stolen, sold on the black market, or even held for ransom. This not only puts individuals at risk for identity theft and financial fraud, but it also erodes trust in the healthcare system at large.

So why are these breaches happening? There are several reasons, but a major one is the lack of stringent cybersecurity measures in place. Many medical providers simply do not have the resources or knowledge to invest in strong security measures. Meanwhile, society's widespread adoption of digital platforms and electronic health records has only grown the amount of data there is for hackers to target.

The concept of patient data privacy is nothing new. But what is changing is the level of sophistication today's cybercriminals use to steal sensitive data. We now face a level and nature of threat that no lawmaker could have imagined when HIPAA was first enacted in 1996. And as time goes on - and as technology advances - it's almost certain that new avenues of exploitation will pop up right under our noses.

To mitigate the potential harm of these evolving threats, lawmakers have been hard at work drafting new laws and regulations with twenty-first century patient data privacy in mind. For example, the Colorado Privacy Act (CPA) went into effect on July 1, 2023 as the sixth state-level privacy regulation in the United States. This new law, along with its similar counterparts in Iowa, Indiana, Tennessee, Montana, Oregon, and beyond, outlines a strict set of data protection standards that organizations must adhere to when handling citizens' sensitive health information.

Of course, it's important to recognize that legislation will only get us so far. In fact, it can't be relied on at all according to most experts. While the additional protections put in place by new pieces of legislation like CPA are valuable, they're ultimately only relevant to the state of cybersecurity a few years ago. Things have changed dramatically since then, and they'll continue to change moving forward.

This is where proactive measures and constant vigilance come into play. Organizations must make cybersecurity a top priority and invest in robust security systems, regular employee training, and continuous risk assessments to stay ahead of potential threats.

The healthcare sector's innate vulnerability to digital threats is a reality we'll have to face and actively work to address. It's not enough to simply react and put band-aids on breaches as they occur. Organizations must be proactive in their approach to cybersecurity, constantly adapting and improving their systems to stay ahead of the ever-evolving threat landscape.