Here are a few recent stories on the privacy and security of individuals’ medical data. A Washington Post investigation of cybersecurity has found that the healthcare industry is among the most vulnerable to security and privacy problems. NPR notes that individuals are increasingly using technology such as smartphone apps to self-track their health, including exercise routines. But could this data someday be used against individuals by employers or health insurance companies? The American Bar Association discussed storing health data in “cloud computing services” and how this could raise issues with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
“Health-care sector vulnerable to hackers, researchers say,” Washington Post
As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.
Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems. […]
Compared with financial, corporate and military networks, relatively few hacks have been directed at hospitals and other medical facilities. But in recent months, officials with the Department of Homeland Security have expressed growing fear that health care presents an inviting target to activist hackers, cyberwarriors, criminals and terrorists.
“These vulnerabilities may result in possible risks to patient safety and theft or loss of medical information,” a DHS intelligence bulletin said in May.
Security researchers are starting to turn up the same kinds of trivial-seeming flaws that earlier opened the way for hackers to penetrate financial services networks, Pentagon systems and computers at firms such as Google.
Those of us trying to lose some pounds after overindulging this holiday season can get help from a slew of smartphone apps that count steps climbed and calories burned. Self-tracking has also become a way for companies to make money using your fitness data. And some experts worry that the data collected could be used against users in the long run. […]
Fitbit is entering a brave new world in privacy as it starts selling devices and data to a new market: employers. Scal says Fitbit is attempting to grow through corporate wellness programs.
“Companies can see how many of the devices they’ve given out have actually been activated. How many are being used? How is it actually changing employee behavior?” Scal says.
Scal explains bosses typically don’t get reports on an individual employee. They get aggregated data, and the worker must consent first. […]
“People should be asking themselves what happens with this data, what type of inferences can be drawn from this data,” says Marc Goodman, chairman of Policy, Law and Ethics at technology research hub Singularity University.
“Health Plans, the Cloud, and HIPAA Privacy and Security,” American Bar Association
Increasingly, employer-sponsored health plans and their third-party administrators (TPAs) or insurers (as well as health care providers) are interested in storing information in the cloud. Most of that information is Protected Health Information (PHI) and subject to the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). Any health plan or TPA that is considering storing PHI in the cloud should be aware of special HIPAA issues that will need to be addressed as part of the process of deciding whether to use cloud resources and negotiating contracts for cloud services. […]
While use of a cloud model might reduce costs and provide greater efficiency and convenience for users, it also adds risks. Clouds are subject to all of the privacy and security risks that can affect user-owned computer systems, including hacking, user error, and system failures that result from natural disasters, power outages, or technological problems. In addition, use of the cloud gives rise to concerns that might not affect a user-owned system. For example, when data is moved to the cloud, the user gives up some degree of control so that the cloud provider can implement uniform administrative protocols, move data as required to meet the needs of other customers, or provide services such as encryption or archiving. Also, clouds may be more attractive hacking targets than user-owned systems, because of the much greater concentration of data in the cloud.