The continued digitization of electronic health records (EHRs) and growth in the number of wearables and Internet of Things (IoT) devices are rapidly expanding the volume of patient data. This increased digitalization offers patients more access to their health histories and the ability to track and take active responsibility for their health. EHRs also hold the potential for provider productivity gains and better patient outcomes — but the existing technologies have largely failed to produce these results thus far. The technology is still cumbersome for many physicians, who find themselves buried in their laptops taking detailed notes, and patients have derived limited health outcome value from the digitization of their records.
Progress in this area has been stymied, in part, by regulations in the Health Insurance Portability and Accountability Act (HIPAA) that impede the creation of technology startups that could help unlock the value of patient data and drive the development of new treatments and cures.
As Apple, Alphabet, Amazon and other major technology players now turn their attention to EHRs, however, this barrier may become less significant. These companies have the resources, user experience background and compliance capabilities to navigate HIPAA so that patients and providers can access EHRs in new ways. Moreover, they are able to combine additional data and analytics to create new value for patients. These companies, of course, have much to learn in the complicated field of human health, but they bring a fresh perspective that is unconstrained by past practice.
Patients appear to welcome this opportunity if their security concerns are addressed. A recent survey indicated that more than three-quarters of consumers are interested in sharing their digital health information, particularly if such transparency leads to better care from physicians. The survey also found that 87% of consumers want to be able to control who has access to that data.
These security concerns are valid. The digitalization of health care has opened the sector to mounting cybersecurity threats. The Brookings Institution finds that 23% of all cyber breaches happen in the health sector, and that more than 155 million Americans — nearly half the total population — potentially had their medical data exposed through 1,500 discrete incidents over a six-year period. Patient records are valuable to hackers because they contain not just information about medical histories, but also personal identifying information, including social security numbers and home addresses that can be sold on the black market. While HIPAA requires protection of such data, it is vague on best practices and in many ways is outdated regarding cyber threats.
Offensive cyberattacks such as the spate of recent ransomware attacks against hospitals are an even greater concern. The threat against medical devices — from pacemakers to dosing pumps — continues to rise due to the lack of set standards surrounding device security and the growing black market sale of zero-day vulnerabilities across software platforms.
During the WannaCry attack in May 2017, reports emerged that radiology equipment had been exposed to the worm, raising the potential for device outages, delays in care and even clinical errors. Along the same lines, the Food and Drug Administration recalled almost half-a-million pacemakers in August 2017, due to fears that they could be hacked to alter a patient’s heartbeat or drain the batteries in the devices. While there were no reported instances of such hacks taking place, their chilling (and potentially fatal) implications are emblematic of future concerns and the need for cybersecurity vigilance in all medical equipment.
Personalized medicine may also expose new privacy vulnerabilities. The 2008 Genetic Information Nondiscrimination Act (GINA) sought to ensure that genetic information could not be used to discriminate against individuals in employment or health insurance contexts. However, a bill introduced in the House of Representatives in the last few years sought to repeal the blanket anti-discrimination law, allowing employers to require genetic testing as part of wellness programs, which could include disclosure of test results. While the fate of this legislation is uncertain, it has raised serious concerns, particularly regarding employee privacy, the potential for discrimination and even targeted increases in insurance premium costs. Additionally, while GINA provides vital protections in employment and health insurance, it is important to note that it does not cover three other types of insurance: life, long-term care and disability.
Similarly, as new and commercial genetic testing proliferates, questions surrounding collection, dissemination and security of genetic information data are mounting. A recent test developed by doctors at Brigham and Women’s Hospital in Boston offers genetic screening of newborns for roughly 1,800 conditions. While such data could be used to identify and treat diseases and other illness before symptoms even manifest in a patient, roughly nine out of 10 families are declining the test out of concerns that the data could be breached or used to discriminate against their children later in life.
As patient health data is increasingly digitized, data security will pose a growing challenge for executives in the health sector. Businesses with direct patient engagement and financial transactions — particularly health insurers, hospitals and retail pharmacies — face an array of cyber threats and regulatory restrictions that will add to compliance and litigation costs, as well as the potential for reputation damage that can be caused by a major cyber breach. Businesses with limited patient data, such as medical device manufacturers, face risks as well, as technologies such as connected medical devices and trackable pills can also be hacked. Ultimately, the health sector needs to prepare for future hacks by strengthening its cyber defenses and pursuing commonsense approaches to minimize cyber risk.
Rodey Wing is a partner in A.T. Kearney’s health and consumer retail practices. He can be contacted at [email protected]