Cyberattacks perpetrated against US healthcare providers continue at high levels. In 2022, 588 breaches were reported to the HHS Office of Civil Rights (OCR), affecting 44,665,819 patients in total (1). Sadly, for the industry, these breaches involve exfiltration of data. In fact for all of 2022, 79% of data breaches are reported as an IT/hacking incident:
Source: Health and Human Services (1)
Most recently we learned of a suspected Russian malware organization (BlackCat) having exfiltrated data from an oncology practice in Pennsylvania2. The covered entity chose not to pay the ransom, which is line with typical advice include that of the FBI. This incident is especially egregious because of what happened next. The bad actors then published the data publicly, and that data happened to be nude photographs of patients being treated for cancer.
This points out two problems patient privacy advocates have been pointing out for years. One is apparently these patients had no idea they were being photographed and thus didn't know what kinds of data their healthcare provider had on record. Second, they had no say in how long this provider could retain and store their data.
The HIPAA release form we all sign is a very blunt instrument. It has no nuance or conditions that allow a patient to determine who can have access to their data and when. You simply say yes or no to sharing the data if your provider needs to see it to treat you. To be safe, most of us agree to this because in most circumstances the only people interested in our data are those trying to help us. Except not people like BlackCat.
One solution being advanced is to give the patient a choice, and request that no data be retained on their behalf. Simply don't store it, but give it all to the patient to own and archive in a digital wallet of some kind. Then, they may chose to share it when and where they decide, either through the cloud or even electronically download from your smartphone in person. The technology exists today for this to happen, and it’s not even a difficult thing to architect. The blockage is the lack the regulatory and legal framework to allow it.
Legally, who is responsible if the patient arrives at the emergency department and no record of their medication or allergies is present? We may decide then that allergies and medication records can be kept but nothing else since that information can save lives. That’s fine, but subsequent arguments goes on with the same logic and soon we arrive back to where we are today, that its safer to keep everything, and might as well be forever "because you never know".
On the regulatory side, states have different laws about medical data retention. Even if a patient wants their clinical photographs expunged, the healthcare provider cannot comply because most state require that image data be retained 7 years, or if the patient is a child until they are 18 (or up to age 21 in some states). So in essence as a patient, the regulatory say you don’t have rights to your data or a say how long your provider may keep them.
It's time for our laws and regulatory agencies to catch up with the realities of modern-day cyber threats.
— Seth Feder | seth@ontargetadvisors.tech | OnTarget Advisors LLC (C) 2023
---------------------------
1. HHS, Data Exfiltration Trends in Healthcare, March 9, 2023
202303091300_Data Exfiltration in Healthcare_TLPCLEAR (hhs.gov)
2. Cancer patient sues hospital after ransomware gang leaks her nude medical photos https://www.theregister.com/2023/03/15/cancer_lvhn_sues_hospital/