
Personal Privacy in the Age of Big Data

At a Glance

  • Medical devices – particularly medical imaging devices – create patient-identifiable data, much of which is stored and shared electronically
  • Despite electronic patient data being near-ubiquitous, data protection law and best practice lag behind these technological advances
  • As healthcare data becomes increasingly attractive to hackers, more needs to be done to protect against privacy breaches
  • I give an overview of what this means for practicing ophthalmologists, and what they should expect in the future

What do Osama Bin Laden and Edward Snowden have to do with medical data privacy laws? Well, the US government introduced the USA PATRIOT Act in 2001 in response to 9/11, and its ramifications are still being felt today, even though its most controversial surveillance provisions have since expired.

In 2001, the Patriot Act was a controversial piece of legislation. Among the many powers it gave the US government was access, on demand, to personal information held by US organizations and their subsidiaries. When its key surveillance provisions expired in June 2015, the USA FREEDOM Act was passed to replace them, with the intention of narrowing the scope US intelligence agencies had for domestic surveillance. The revelations by Edward Snowden, a former National Security Agency (NSA) contractor, that the US government had sanctioned the secret and systematic bulk collection of electronic data on US citizens, awoke a need for clarity on the civil rights of individuals and their private data.

Snowden’s disclosures have certainly had far-reaching effects around the world, bringing to light an urgent need to update regulations regarding privacy in our digitally connected world. As a European with many friends and colleagues in the US, I have witnessed a divide in how US and European citizens view these developments, and I believe that my personal observations are supported by the rapid development of European legislation regarding data privacy and cloud storage. Regulators should consider these diverging attitudes when analyzing the international effects of changes in legislation for exchanging medical data.

Furthermore, ophthalmology practices and clinics hold ever more extensive medical data in electronic form, and patients have the same expectation of privacy for it as for paper records. Practicing ophthalmologists should take steps to protect the health data of their patients and shouldn’t rush into the app space without first thinking about the legal ramifications and being able to show that they have taken the necessary steps to protect patient data.

Snowden changed everything

Until 2000, personal data from the EU couldn’t be shared with the US, as US data protection laws fell short of EU standards. What changed was the introduction of the “Safe Harbor” agreement, where US companies could self-certify their compliance with EU data protection standards. Doing so allowed the transfer of European data to the US.

However, the Snowden revelations about the NSA’s surveillance operations meant that Safe Harbor came under attack. A legal case challenging the Safe Harbor provisions was brought to the European Court of Justice (ECJ) by an Austrian law student called Max Schrems (1) – and in October 2015 he won. The ECJ ruled that even if US companies took adequate data protection measures – and multiple studies have shown that many do not – the fact that US public authorities (and their intelligence agencies) were not bound by the Safe Harbor principles meant that the privacy of European citizens’ data could not be guaranteed (2).

A quick resolution was required – and was achieved. On December 15, 2015, EU negotiators agreed the text of the General Data Protection Regulation (3) – considered by many to be the biggest overhaul of European privacy laws in two decades – which gives consumers more control over how their data is used and retained. Companies that fail to abide by the rules face fines of up to four percent of their global annual turnover. For transatlantic transfers specifically, the Commission followed in February 2016 with the proposed EU-US Privacy Shield as a successor to Safe Harbor (4). The speed of these moves was not only an acknowledgement of how important both e-commerce and e-health are to our lives, but also a nod to how privacy laws must be respected and updated constantly to ensure international trade continues unencumbered.

The right to privacy?

In the US, large companies such as Apple, Google, Nike, and Fitbit are collecting terabytes of health data from their consumers. Some US citizens, including physicians, have expressed concern over their ability to maintain patient privacy and comply with Health Insurance Portability and Accountability Act (HIPAA) regulations in the “Fitbit era.” There are further concerns in the US about the security of data in the wake of large breaches – only recently, the health insurance records of some 80 million Anthem customers and employees were compromised (see below). Some experts forecast that up to one third of US citizens’ health records could be at risk this year.

But in spite of all this, many companies are aggressively pursuing the collection of health data, and inevitably, some are not taking adequate steps to protect their customers from breaches. For physicians, this could have serious legal consequences.

HIPAA and HHS

In the US, the HIPAA regulations that followed the 1996 Act provide rules for recording and maintaining medical records, and give individuals the right to access and receive a copy of their health information from doctors, hospitals, and health plans.

HIPAA gives patients the right to access their medical records and to control to whom that information is disclosed (9, 10). A doctor may refuse access only under narrowly defined exceptions. New regulations are being discussed to address how to deal with electronic data generated by modern mobile devices and the apps that run on them. The US Department of Health and Human Services (HHS) is the agency responsible for HIPAA, and it publishes the guidance on patients’ rights and on providers’ obligations that practices rely on.

Where a breach is revealed, the HHS Office for Civil Rights (OCR) can investigate, impose civil penalties and require the practice to bring itself into compliance. Although this enforcement machinery exists, it has been reported that, despite HHS receiving nearly 18,000 complaints in 2014, it took only six formal actions that year. Many organizations, however, have chosen to settle enforcement claims brought after data security breaches rather than contest them (11).

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, extends and strengthens HIPAA’s privacy and security provisions for electronically transmitted health information (12). HITECH was enacted to promote the adoption and meaningful use of health information technology. On the enforcement side, it establishes tiers of civil penalties for violations, extends those obligations to the business associates that handle health information on a provider’s behalf, and defines the terms “reasonable diligence” and “willful neglect” that determine which penalty tier applies.

The EU agreement on data privacy suggests that Europeans may not be as willing to give away health information as their American counterparts, even though they seem as willing as their US counterparts to share other kinds of personal information through social media. There are a number of potential long-term consequences of health data collection: health data can have an impact on the future purchasing of health insurance, finding employment, and even securing mortgages and loans. Perhaps when Europeans look at the situation in the US, they can see that all interested parties must take measures to protect patient data. At the same time, the European Commission remains fully committed to data transfers across the Atlantic whilst ensuring robust data protection safeguards for citizens and legal clarity for businesses (4).

However, even in the US there are many unanswered legal questions, and the law on both sides of the Atlantic lags behind the technology. The US Fourth Amendment protects individuals against unreasonable searches and seizures by government; to invoke it, a person must have a reasonable expectation of privacy in the information concerned. Personal information that is in the public record (birth, marriage, real estate records, etc.) is not considered “private”. Private companies issue privacy statements that are updated annually, especially where they hold privacy-sensitive data as in banking, insurance, health and finance – but how many people read these before agreeing to hand over their data?

Big Data = Big Business

If the service is free, you are the product. Monetizing user data, chiefly by selling advertising targeted on it, is big business for Google and Facebook, even if the legal questions related to this business remain the subject of conjecture (5). Should an individual have ownership (and profit) rights over his or her personal information? Should the individual have the right to dictate how the company deals with their private data? It will likely take a long time before case law allows the legal system to catch up with the companies.


Risk Management Tips

Many breaches of information are unintentional; however, you can take steps to protect yourself from both negligent and malicious events involving employees or third parties. Although no data security policy will be 100 percent effective, the following are some areas to focus on when planning, developing, and implementing your office or clinic protocol for the privacy and security of patient information.

  • Make sure electronic health records (EHRs), and any other electronic data systems you use in the practice, run current anti-malware software, and that operating systems and applications are patched automatically as updates are released.
  • Perform regular backups of all sensitive data, encrypt them, store them off site and/or with a third party, and test that they can actually be restored.
  • Encrypt data wherever possible, above all on laptops, phones and other portable devices (under HIPAA, losing a properly encrypted device is not a reportable breach; losing an unencrypted one is). Require strong, unique passwords (a password manager helps) and two-factor authentication where available; rotating passwords on a fixed schedule matters less than never reusing them and changing them immediately when compromise is suspected.
  • Limit access to protected health information to the staff who need it for their job function (the “minimum necessary” principle), and keep the systems that hold it separate from the machines on which staff do personal email and web browsing.
  • Enable audit logging so that every occasion on which a staff member accesses or retrieves sensitive information is recorded, and review those logs.
  • Distribute and rotate duties so that no one person has complete access to a patient’s health record.

As part of this growth in the data business, public cloud providers are increasingly being asked to store private company data externally. But the data passes through a host of different companies before it reaches the provider, be it the ISP, the cloud services provider itself, the data backup company, or the web portal service provider. Data could (and should) be encrypted along this path to ensure privacy, or stripped of the information that identifies the patient. This creates implementation challenges for data storage and raises several important questions: in which countries is the data stored, how is it transferred, where does it end up, and where are backups performed?

Ideally, each company that handles private data should have clear policies on testing its security and how it would deal with data breaches. Encryption in transit (TLS) costs little on modern hardware and should never be traded away for performance. The real tension is with end-to-end encryption or de-identification: a provider that cannot read the data also cannot run real-time alerting or analytics on it, so a compromise has to be struck between who is allowed to see the data and what the service is expected to do with it.

In the case of health data, there is also the issue of setting and controlling permissions to the information (i.e. who can read it, edit it, copy it or delete it), which is of great importance to ensure patient data privacy and security. Companies must keep in mind that internal employees could attempt to exploit their access to sensitive data, exposing the company to liability, so policies and technical controls should be in place to counteract or limit the damage of such events, even if it is as basic a measure as disabling (or physically gluing shut) USB ports.
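The access-limiting, audit-logging and separation-of-duties tips above, and the read/edit/copy/delete permissions question in this paragraph, come together in the following added example. It is not code from the article or from any EHR vendor: the roles, record identifiers, staff names and thresholds are constructed placeholders, and a real system would take identities and care assignments from its own directory. It enforces a role permission and an active care relationship on every access, records every attempt (allowed or denied) in an audit trail, and then reviews that trail for a staff member who repeatedly tries to open charts they are not assigned to.

```python
"""Added example (not from the article): minimum-necessary access control on
patient records, an audit trail of every attempt, and a simple review of that
trail.  Roles, record ids, staff names and thresholds are placeholders."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Which roles may do what to a record (the "read / edit / copy / delete" question).
# Deletion deliberately belongs to no role: records are retained, not deleted.
PERMISSIONS = {
    "ophthalmologist": {"read", "edit", "export"},
    "nurse":           {"read", "edit"},
    "front_desk":      {"read"},
    "billing":         {"read", "export"},
    "it_admin":        set(),   # administers systems, never opens charts
}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool


@dataclass
class RecordStore:
    records: dict       # record id -> chart contents (constructed sample data)
    assignments: dict   # user -> set of record ids they currently care for
    audit: list = field(default_factory=list)

    def access(self, user: str, role: str, action: str, record_id: str, when: datetime) -> dict:
        """Allow only if the role permits the action AND the user is assigned to
        the patient.  Every attempt is logged before the decision is enforced."""
        allowed = (action in PERMISSIONS.get(role, set())
                   and record_id in self.assignments.get(user, set()))
        self.audit.append(AuditEvent(when, user, role, action, record_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")
        return self.records[record_id]


def review(audit: list, window: timedelta = timedelta(minutes=10), max_denied: int = 2) -> set:
    """Return users with more than `max_denied` denied attempts inside any `window`.
    One denial is a typo; a burst of them against unassigned charts is snooping."""
    denied_times: dict = {}
    for ev in audit:
        if not ev.allowed:
            denied_times.setdefault(ev.user, []).append(ev.when)
    flagged = set()
    for user, times in denied_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_denied:
                flagged.add(user)
                break
    return flagged


def run_scenario():
    """Constructed clinic morning: one doctor assigned to all charts, one
    receptionist assigned to two of them who tries to read three others."""
    t0 = datetime(2016, 5, 2, 9, 0)
    store = RecordStore(
        records={f"PT-{i:03d}": {"eye": "OU", "note": f"visit {i}"} for i in range(1, 7)},
        assignments={"dr_lee": {f"PT-{i:03d}" for i in range(1, 7)},
                     "front_desk_sam": {"PT-001", "PT-002"}},
    )
    store.access("dr_lee", "ophthalmologist", "read", "PT-003", t0)            # allowed
    for i, rid in enumerate(("PT-003", "PT-004", "PT-005")):
        try:
            store.access("front_desk_sam", "front_desk", "read", rid, t0 + timedelta(minutes=i))
        except PermissionError:
            pass                                                                # 3 denials logged
    try:
        store.access("dr_lee", "ophthalmologist", "delete", "PT-001", t0 + timedelta(minutes=5))
    except PermissionError:
        pass                                                                    # nobody may delete
    return store, review(store.audit)


if __name__ == "__main__":
    store, flagged = run_scenario()
    for ev in store.audit:
        print(ev.when.time(), ev.user, ev.action, ev.record_id, "OK" if ev.allowed else "DENIED")
    print("flagged for review:", flagged)
```

The two checks in `access` are independent on purpose: a receptionist with the `read` permission still cannot open a chart of a patient they are not working with, which is what “minimum necessary” means in practice, and the denial is recorded before the exception is raised so that the review step sees failed attempts, not just successful ones.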

Too big for their breaches

Last year saw an astonishing 253 healthcare breaches each affecting 500 or more individuals, with the loss of 112 million records in total, equivalent to about 35 percent of the US population; the average cost of a data breach reached $3.8 million (6).

One prominent example was that of the US Office of Personnel Management (OPM). The OPM is responsible for keeping records of current and former government workers, including background investigation records and fingerprints, and in June 2015 it emerged that the records of an estimated 21.5 million people had been stolen. The perpetrators have still not been identified, let alone held to account. The lesson is that a well-defined, planned and executed security policy should be a priority for every organization that handles customers’ personal data (7).

Another major breach occurred in June 2015, this time at LastPass, one of the most popular password manager services (it remembers all of your passwords for you, so long as you remember the one master password for the service). LastPass asked all users to change their master passwords. Why? Attackers had obtained customer email addresses, the reminders users create for their master passwords, per-user salts and the authentication hashes derived from the master passwords. The stored password vaults themselves were not reported taken, but anyone able to recover a master password from its hash would hold the key to every credential in that user’s vault, which is why a master password must be long, unique and, where offered, protected by two-factor authentication.

In February 2015, Anthem, the US’ second largest health insurer, detected a breach of a database holding records on some 80 million customers and employees. The reported loss included names, birth dates, addresses, and social security numbers, and the breach is reported to have cost the company more than $100 million, with class action suits still ongoing.

Of Fitbit and other apps

With the increased use of portable devices and mobile phones to gather and collect patient information, it is of the utmost importance that not only the patients know their rights to access the data, but also that the practitioner knows what steps they are required to take to secure the patient data from unauthorized use or access. This includes the requirement for the practitioner to:

  • report breaches of patient data within their practices;
  • carry insurance coverage for privacy breaches;
  • comply with HIPAA regulations (in the US);
  • carry out a risk analysis of their policies, practices and procedures;
  • update and maintain policies regularly to ensure patient data privacy and security; and
  • educate and train staff to ensure that the policies and procedures are implemented and conform to regulations.

Medical apps

When designing medical device apps that exchange protected health information with a third party, any data sent over the internet must be encrypted with HTTPS, the service must present a certificate issued by a trusted certificate authority, and the app must actually validate that certificate (disabling certificate or hostname checks to “make it work” silently removes the protection). Send only the minimum necessary data and strip direct identifiers where the use case allows; de-identification, not the size of the transmission blocks, is what limits the damage if traffic is intercepted or the recipient is breached.

Once data is stored in a database, consider the security of the queries used to retrieve private information from it. Applications should not place patient identifiers in the URL of an HTTP GET request: even over HTTPS, the query string is written in clear text to browser histories and to proxy and web-server access logs, and may be forwarded to other sites in Referer headers. HTTP POST requests, with the data in the request body, are preferable because personal information is not captured in the URL and so is not logged or cached in the same way.

As to where the app is used, it must be clear that only secured transmission channels may be used: either the application encrypts the data itself, or the traffic is carried over a virtual private network. This applies especially to the use of public WiFi access points to transmit data from applications (8).
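The three points above (validated HTTPS, identifiers kept out of the URL, de-identification before transmission) are shown together in the following added example. It is not code from the article or from the cited app-design guide; the API host, the sample OCT record, its field names and the pseudonymisation key are constructed placeholders, and nothing is actually sent over the network. It builds the request the article warns against and the hardened alternative, shows what each leaves behind in an ordinary access log, replaces direct identifiers with a keyed pseudonym, and configures a TLS client context that verifies the server certificate and hostname.

```python
"""Added example (not from the article): handing PHI to a third-party API.
Shows why PHI in a GET query string leaks into logs even over HTTPS, the
POST-with-JSON-body alternative, stripping/pseudonymising direct identifiers,
and a strictly verifying TLS context.  Host, record and key are placeholders;
requests are built and inspected offline, never sent."""
import hashlib
import hmac
import json
import ssl
from urllib.parse import unquote_plus, urlencode, urlsplit
from urllib.request import Request

API = "https://api.example-imaging.invalid/v1/oct-scans"   # placeholder endpoint

# Constructed sample record, the kind of thing an OCT export might contain.
RECORD = {
    "patient_name": "Jane Example",      # direct identifier
    "dob": "1961-04-12",                 # direct identifier
    "mrn": "MRN-00042",                  # direct identifier (medical record number)
    "eye": "OD",
    "central_macular_thickness_um": 287,
    "scan_date": "2016-05-02",
}
DIRECT_IDENTIFIERS = ("patient_name", "dob", "mrn")
# Secret held by the practice and never sent to the third party (placeholder value).
PSEUDONYM_KEY = b"practice-local-secret-rotate-me"


def pseudonymise(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Copy of `record` with direct identifiers replaced by one keyed pseudonym.

    HMAC rather than a plain hash: MRNs form a small, structured space, so an
    unkeyed hash could be brute-forced back to the patient.  The practice can
    still re-identify a subject by recomputing the HMAC over its own MRN list."""
    token = hmac.new(key, record["mrn"].encode(), hashlib.sha256).hexdigest()[:16]
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return {**kept, "subject_id": token}


def build_get_request(record: dict) -> Request:
    """The pattern the article warns against: the whole record in the URL."""
    return Request(API + "?" + urlencode(record), method="GET")


def build_post_request(record: dict) -> Request:
    """Hardened: de-identified payload in the body; the URL carries nothing sensitive."""
    body = json.dumps(pseudonymise(record)).encode()
    return Request(API, data=body, method="POST",
                   headers={"Content-Type": "application/json"})


def simulated_access_log_line(req: Request) -> str:
    """What a web server, proxy or CDN writes for this request (Combined Log Format).

    The request line (method + path + query) is logged in clear text no matter
    what TLS did on the wire; request bodies are not logged by default."""
    parts = urlsplit(req.full_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return (f'203.0.113.7 - - [02/May/2016:10:14:09 +0000] '
            f'"{req.get_method()} {target} HTTP/1.1" 200 512')


def url_leaks_phi(req: Request, record: dict) -> bool:
    """True if any direct identifier from `record` ends up in the logged request line."""
    line = unquote_plus(simulated_access_log_line(req))   # undo %xx / '+' encoding
    return any(str(record[k]) in line for k in DIRECT_IDENTIFIERS)


def tls_context() -> ssl.SSLContext:
    """Client TLS settings: verify the server certificate against the trusted CAs
    and check the hostname.  Setting verify_mode=CERT_NONE or check_hostname=False
    is the usual 'fix' for certificate errors in app code, and it defeats HTTPS."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for build in (build_get_request, build_post_request):
        req = build(RECORD)
        print(simulated_access_log_line(req))
        print("  leaks PHI into the log:", url_leaks_phi(req, RECORD))
    print("POST body:", build_post_request(RECORD).data.decode())
```

Run stand-alone, the script prints the two log lines side by side: the GET line carries the patient’s name, date of birth and MRN in clear text, while the POST line carries only the path. A real client would pass `tls_context()` to `urllib.request.urlopen` (or the equivalent in the app framework) rather than a context with verification switched off.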

What does this mean for the practicing ophthalmologist?

Ophthalmologists need to be aware of their responsibilities around releasing confidential information from patient records and transferring it to other organizations or persons. Even after a medical report has been transferred, further access to the records requires the patient’s consent. There are clear rules defining how the practitioner must ensure that electronic medical data is used in the patient’s best interest (for example, never to obstruct care where the patient wants a second opinion (13)).

What we can conclude is that there are many pitfalls awaiting the practitioner who does not inform him or herself of the legislative requirements for handling the transition from paper records to electronic files. The false sense of security gained by the ease of transfer of this patient-related medical information across electronic media (from iPhone to iPad and into the EHR) should be tempered by the reality of the costs of breaches of patient privacy and secrecy. The responsibility lies with everyone who comes into contact with such data; they should be trained and audited on a regular basis to ensure adherence to the regulations. This costs time and effort, but far less than a breach caused by, for example, the loss of an unencrypted laptop or phone.

What to expect looking forward

The IDC’s Health Insights group predicts that one in three healthcare recipients will be the victim of a data breach this year. With the advent of additional security on credit cards, it is thought that hackers will turn their attention to health information, since it is easier to extract from unsecured medical devices connected to open “Internet of Things” networks and is just as profitable. As EHRs are increasingly used to track patient data, encrypting that data, at rest and in transit, will become more important to prevent unauthorized access. Manufacturers of medical devices will need to increase their awareness of the requirement to address security in the design, development and testing of their products.

This can only remain the status quo as long as patients have no alternative to entrusting their health data to institutions and technology that do not treat the security of that data as being of the utmost importance. Despite the availability of multiple health data aggregation platforms such as Apple’s HealthKit, Microsoft Health, Samsung’s S Health, Google Fit, and Qualcomm Health, the public will need to be convinced that such platforms provide long-term security of health information. In the rapidly developing business opportunities of ehealth and mhealth, the blurring of the lines between consumer goods and medical devices will be tested further by a consumer goods industry hoping not to come under the scrutiny of the FDA. It will be the companies that embrace the regulatory requirements for clinical use of their products that will be able to take advantage of uptake by physicians and patients alike.

Mark S. Talary is the Chief Research Officer of Assistive Technology GmbH, based in Aesch, Switzerland.


  1. Maximillian Schrems v Data Protection Commissioner, “The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid”, Court of Justice of the European Union. Available at: bit.ly/schrems-v-dpc. Accessed May 17, 2016.
  2. K Clark, “The EU Safe Harbor agreement is dead, here's what to do about it”, Forbes.com. Available at: bit.ly/fforbes. Accessed May 17, 2016.
  3. European Commission, “Agreement on commission's EU data protection reform will boost digital single market”, Available at: bit.ly/EUdatareform. Accessed May 17, 2016.
  4. Europe versus Facebook, “EU US privacy shield” (Safe Harbor 1.1): European Commission may be issuing a round-trip to Luxembourg”. Available at: bit.ly/EU-v-FB. Accessed May 17, 2016.
  5. M Schaklett, “3 ways to address looming big data privacy and security issues”, iMedicalApps.com. Available at: bit.ly/tech-rep. Accessed May 17, 2016.
  6. D Munro, “Data breaches in healthcare totaled over 112 million records in 2015”, Forbes.com. Available at: bit.ly/ffforbes. Accessed May 17, 2016.
  7. U.S. Department of Health & Human Services, “$750,000 HIPAA settlement underscores the need for organization-wide risk analysis”, Available at: bit.ly/HIPAAsettle. Accessed May 17, 2016.
  8. S Pearson, “Clinician’s guide to HIPAA & data security in medical app design, part 2”, imedicalapps.com. Available at: bit.ly/techrep2. Accessed May 17, 2016.
  9. U.S. Department of Health & Human Services, “Understanding individuals’ right under HIPAA to Access their health information”. Available at: bit.ly/ushhsir. Accessed May 17, 2016.
  10. U.S. Department of Health & Human Services, “Individuals’ right under HIPAA to access their health information 45 CFR §164.524”. Available at: bit.ly/ushhspro. Accessed May 17, 2016.
  11. TJ Kobus III, “OCR continues waving its HIPAA enforcement flag: don’t forget about medical devices”, Data Privacy Monitor. Available at: bit.ly/USDPM. Accessed May 17, 2016.
  12. U.S. Department of Health & Human Services, “HIPAA administrative simplification: enforcement. 45 CFR Part 160”. Available at: 1.usa.gov/1W00LrN. Accessed May 17, 2016.
  13. Ophthalmic Mutual Insurance Company, “What you should do now to protect your patient’s eye health information”. Available at: bit.ly/OMICadvice. Accessed May 17, 2016.