Your personal data may be safer on your computer than at your doctor’s office.
Health care providers — not hackers — are responsible for the majority of data breaches involving personal health information, a new study from Michigan State University and Johns Hopkins University found. More than half of the breaches recorded between October 2009 and December 2017 (53%) were caused by internal negligence rather than by outside attackers.
“Hospitals, doctors offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk,” said John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business.
Hackers were responsible for only 12% of the breaches, the study found. The research, published on Nov. 19 in JAMA Internal Medicine, identified nearly 1,800 large breaches of patient information over the study period, with 33 hospitals experiencing more than one substantial breach. More than 164 million patients were affected between October 2009 and December 2017.
Because every health care provider that holds sensitive information is another place it can be breached, patients should be more discerning about how much information they give out, said Jessica Ortega, website security analyst at privacy firm SiteLock.
“It’s not uncommon for doctor’s offices to ask for your Social Security number to ease the billing process and easily find your health insurance information,” she said. “However, it is recommended that you opt not to provide this information because not all doctor’s offices are created equal when it comes to data storage and protection.”
In most cases a doctor does not need your Social Security number to identify you as a patient, Ortega said. Patients can list just the last four digits of their Social Security number or leave it blank. If the doctor truly needs the number, they will follow up, she noted.
Patients can take “proactive steps” to secure their data, Ortega said, by asking the physician’s billing representative how data is being used and secured. Under the Health Insurance Portability and Accountability Act (HIPAA), patients can request an accounting of disclosures, a record of who outside the health care provider has received their personal health information. They can also ask the provider to restrict what information is shared with other doctors or clinics.
“Health care providers should be able to answer basic questions about their data storage policies, such as how long information remains on file and who can request access to the personally identifying information,” Ortega said.
Ask health care providers if they have a history of hacks or leaks, and whether they have a clear security policy in place, Francis Dinha, chief executive officer of security firm OpenVPN, suggested. Red flags to watch out for include being asked to send private information over a public cloud or generally seeming flippant about cybersecurity.
“Once you give your personal information to another company, there’s not much you can do if they suffer a breach,” Dinha said. “That’s why it’s so important to be cautious who you share that information with.”
The authors of the Michigan State University and Johns Hopkins University report said better policies are needed to tighten security and prevent leaking of private information, especially as Electronic Medical Records (EMR) become more common. The EMR market is expected to increase 8.8% by the end of 2023, according to industry intelligence group ReportBuyer.
Encrypting content or “putting on armor” against attacks is a basic measure that should be taken to protect data, study co-author Ge Bai said. “Not putting on the whole armor opened health care entities to enemy’s attacks,” Bai said. “The good news is that the armor is not hard to put on if simple protocols are followed.”