At a panel during last week’s Consumer Electronics Show in Las Vegas, Edith Ramirez, chair of the Federal Trade Commission – America’s top privacy regulator – said she would not wear a Fitbit personal fitness tracker. “I don’t want my sensitive health information being shared,” she explained. And as it happens, Fitbit suffered a hack the same week.
Meanwhile, U.S. healthcare regulators have recently been promoting policies that promise to aggregate and render more accessible the health data of millions – whether that data comes from consumers using personal health devices like Fitbit or patient visits to doctors or hospitals.
These policies go back to the $700 billion stimulus package Congress passed in 2008. As part of the stimulus, Congress earmarked more than $30 billion to promote healthcare information technology – in particular, the adoption of electronic health records (EHRs). As a result, the number of hospitals and doctors’ offices using EHRs skyrocketed from about 10 percent in 2008 to about 70 percent in 2014. One thorn (among many) in the side of healthcare practitioners is the lack of “interoperability” between EHR platforms (there are more than 100 major U.S. EHR vendors). For example, a patient’s primary care doctor might use an EHR platform that’s incompatible with the platform used by the patient’s oncologist, making it difficult for the oncologist (or the patient, for that matter) to get a comprehensive overview of the patient’s health records. Such lack of interoperability opens the door to missed diagnoses, duplicate testing, and potentially problematic medical care.
The government is pushing to remedy this problem. In September 2015, the Office of the National Coordinator for Health Information Technology (ONC) – the “principal federal entity” charged with coordinating nationwide implementation of healthcare IT – issued its Federal Health IT Strategic Plan 2015–2020. ONC’s stated goals are to improve health outcomes and enhance the ability of public health officials and medical researchers to access population-level medical data sets. ONC is promoting policies that would create a “single information source” combining “information from various sources – whether that information is stored in mobile applications, EHRs, or patient portals,” as well as “social media . . . and medical devices.”
As one technology blog colorfully put it, ONC’s Strategic Plan envisions a near future featuring “increased use of in-home, wearable and portable devices that monitor your activities and health 24 hours a day and send that information to your caregiver (or, potentially, your insurer and employer)”; systems “that will take the knowledge gained from millions of patients, their genetics and their every health service, applying it to individual patients’ specific conditions”; and a “Faustian Bargain, faced by each individual or society as a whole, in which one must choose between personal privacy and the full benefits of available healthcare services.”
One of the government’s major tools in pressing for increased interoperability is its “Meaningful Use” regulations, which have been rolled out in three “stages” since they were first implemented in 2010. “Meaningful Use” refers to healthcare providers’ meaningful use of healthcare IT, including EHRs. Providers must meet Meaningful Use standards to qualify for certain Medicare and Medicaid payments (or avoid penalties). In October 2015, the Centers for Medicare & Medicaid Services (CMS) issued a “final rule” setting forth the requirements of Meaningful Use Stage 3 – the last of the three Meaningful Use implementation phases, which CMS says it will make optional for covered providers starting in 2017 and mandatory starting in 2018. (In an unusual move, CMS – partially in light of significant pushback to Meaningful Use rules from providers – announced a 60-day comment period after the issuance of the “final” Stage 3 rule. It is unclear when the “final-final” rule will be released.) The major provisions of Meaningful Use Stage 3 include a requirement that more than 60 percent of “proposed measures” be interoperable and that application programming interfaces (APIs) enabling interoperability be finalized.
Needless to say, the eventual creation, as envisioned by the ONC’s Strategic Plan, of a “single information source” drawing on healthcare information from EHRs across medical providers, as well as from personal devices and apps, will create a highly valuable data trove of sensitive healthcare data. While the goal of interoperable platforms for healthcare data is certainly laudable, such a source is unlikely to escape the notice of cybercriminals.
2015 was already a fairly disastrous year for healthcare industry cybersecurity: more than 100 million health records were compromised, including 78 million records in the Anthem hack alone. According to the Financial Times, the Anthem breach “sent a wave of panic through the healthcare industry. It exposed clients’ most sensitive and valuable personal information, and revealed just how unprepared the health industry was to threats from increasingly sophisticated cyber criminals. . . . Yet as more information is maintained in electronic form – an idea pushed heavily by the US government to make health records more portable – cyber intrusions have grown.” FT reports that the healthcare industry is an “attractive target” for cyber criminals in part because medical records breaches generally take longer to detect than stolen credit card numbers, such that “the data have a longer shelf life” – during which time they can be “used in a range of schemes from tax refund fraud, insurance fraud or Medicare fraud.” Because of this, stolen medical records are worth 10 to 20 times as much as stolen credit card numbers. Stolen medical data can also be used to illegally obtain drugs or medical equipment for resale.
Even more alarmingly, a recent report issued by IDC Health Insights predicted that, in 2016, one in three consumers will have their healthcare records compromised in a cyber attack.
In their enthusiastic vision of seamlessly interoperable EHR platforms interfacing with personal medical and fitness devices, government agencies should not ignore the possibility that their well-intended and in many ways commendable policies are increasing the threat that our most private and sensitive data will be compromised. The government may well step up its focus on healthcare industry cybersecurity in the coming year. Indeed, one provision in the Cybersecurity Information Sharing Act signed into law in December 2015 creates a healthcare industry cybersecurity task force that will study the factors that make the healthcare industry vulnerable to cyber attacks. Such a focus on enhanced cybersecurity will be a necessary counterbalance to the government’s push for increased health data access.
But for the time being, at least one prominent US government official – Chairwoman Ramirez of the FTC – has publicly stated that, due to data breach risk, she won’t use the very same healthcare technology the government has been actively promoting. That’s telling, to say the least.