In the first half of 2023, an estimated 39 million people were impacted by 295 data breaches, in the US alone. This is a stupidly staggering number, and it just shouldn’t be the case. As ‘clickbait’ as the title of this post may seem, I think it’s true. When I go to the doctor, I pay attention to these things. I see the unlocked computers, the shared user accounts, the pulling up of entire lists of patients and why they are coming in today, right in front of my eyes.
I think if we’re being honest, a huge portion of the healthcare sector hasn’t moved on from the 90s/early 2000’s idea of patient privacy. When we see ten million or more patients impacted in a single breach, something has to be massively wrong. Companies with massive revenues are still choking their cybersecurity teams to death, and then trying to blame the incidents on them. Purely from a cybersecurity standpoint, a large chunk of the healthcare sector is simply failing miserably, not to mention general procedural HIPAA violations.
One of two things is happening. Practices can’t be secure, or they won’t be secure. There’s a case for both of those causes, if you ask me. As someone who’s literally heard a doctor say “I can afford the fine,” there is absolutely an aspect of not caring. More to the not caring, implementing tracking tools on telehealth platforms (like Meta Pixel) is just an astoundingly stupid decision too! On the other side, small practices in many areas are simply unable to find talent or services to meet their security and privacy obligations.
Why do we care?
The answer may be obvious for some, but not for others. In the more severe cases, medical records can be used to blackmail, humiliate, and otherwise harm people (intentionally or not). Imagine suddenly getting Meta ads for a drug aimed at exactly the mental health issue you discussed with your therapist last week? Imagine every bit of your medical history for sale online. Stolen healthcare data is also used for insurance fraud, identity theft, stalking, and a myriad of other nefarious purposes. So, long story short, you should care. The impact is high.
How do we fix it?
I certainly won’t have the most popular answer, but I’m really only looking to address this at the provider level. Give HIPAA more teeth. Right now, a HIPAA violation is often a fine and public name and shame. Very few patients (or providers for that matter) give a damn about the ‘wall of shame.’ It’s a nice sales tactic for technology providers, but seriously, how many of you check for your provider on the wall of shame regularly? The fine piece is often a joke too.
So, what can we attack? Medical licenses. A breach from negligence should absolutely put a license in serious jeopardy, the same way discussing your health with others should get your doctor canned. For the bigger organizations, like the ones where a breach impacts 11 million people at once, you can go after the company. Dismantle it, find where they messed up. If they were doing all the right things, give them safe harbor. But chances are, they were not doing all the right things.
At the end of the day, there are many ways this could be addressed. What I know for certain is that what we have isn’t working. Some 11% (without deduplicating; in H1 2023) of the US population has been impacted by a healthcare provider or business associate breach. It’s a staggering number, and there aren’t a lot of places where your most sensitive data is more at risk than with healthcare providers. Something needs to change.