Big Medical Data, Big Ethics
By Yue Hu | July 19, 2019
The collection and use of personal medical and health data has come under increased scrutiny recently as technology and medicine have advanced. Medical scientists increasingly want patients to donate large amounts of sensitive personal information for studies such as those on the complex sets of factors causing SCA and determining survival. However, privacy protection and ethical medical research have become a major concern because data flows are hard to control within the hidden network of patient data distribution by healthcare organizations and their third-party vendors. How to balance protecting patients' privacy against the benefits that big data brings to medical research has become a popular topic and is drawing growing public attention.
Hidden Network of Medical Data Sharing
Receiving a data breach notice letter or a spam call asking for payment of a medical statement makes people feel scared and helpless. Recently, I received a notice letter about a data privacy incident involving Retrieval-Masters Creditors Bureau Inc., doing business as American Medical Collection Agency. The security compromise of the company's payments page, reported by an independent third-party compliance firm, affected millions of Quest Diagnostics Inc. customers. Based on an external forensics review, an unauthorized user had access to the company's system between August 1, 2018 and March 30, 2019, so the hackers had 8 full months to gather personal information including first and last name, SSN, bank account information, name of lab or medical service provider, date of medical service, referring doctor, and certain other medical information. Upwards of 20M customers of Quest Diagnostics and Laboratory Corporation of America had their data stolen.
This shocking news brought me to more consideration and concern about my and my family's personal medical data and information. I had two questions at the top of my mind when I received this letter:
- Was I asked for consent to share data with this company? Obviously, the answer is ***NO***! I never gave the right to share any data with this company. After researching online, I realized that my blood sample, collected by WomanCare Center last August, was sent to a medical lab, and this company collects receivables for medical labs.
- How do I prevent this kind of data privacy incident in the future? Definitely, it is hard! When my doctor asked me to take a blood test, I lost the autonomy to choose the lab test company. What is worse, my information was collected by a third-party agency without my knowledge or consent. Therefore, I totally lost control of my personal medical data flow.
This story illustrates the huge hidden network of medical data distribution by healthcare organizations and their third-party vendors. When patients receive care at a healthcare provider (HCP) or organization (HCO), most of the time they do not have the freedom to choose the medical lab for their tests. Moreover, they are not asked for consent before their test and identity are sent to these third-party labs and vendors. Unfortunately, patients cannot see this unseen layer of the network until data breaches happen at these third-party companies.
Cyber Criminals in Health Care
In the past five years, we have seen healthcare data breaches grow in both size and frequency, with the largest breaches affecting as many as 80 million people. Medical data and identity are uniquely comprehensive and valuable for quality clinical care and health-related research, which makes them more valuable than credit card information or location data. Moreover, healthcare organizations today rely on cloud services, networks, applications, IoT devices and more, which makes data security harder. According to [a recent report](https://www.hcinnovationgroup.com/cybersecurity/news/13027679/report-healthcare-industry-workers-lack-basic-cybersecurity-awareness), SecurityScorecard ranks healthcare 9th out of all industries in terms of overall security rating. With frequent medical data breaches, the public has lost trust in a healthcare industry that still uses outdated technology and lacks basic security awareness.
Cyberattacks also lead to financial and operational losses, beyond the reputational loss and the cost of recovery efforts. On the patient side, these crimes bring irretrievable physical, emotional, and dignitary harms. Once the data is inappropriately disclosed or stolen, patients cannot control their sensitive private medical data flow. Based on [a February 2017 survey from Accenture](https://newsroom.accenture.com/news/one-in-four-us-consumers-have-had-their-healthcare-data-breached-accenture-survey-reveals.htm), 50% of breach victims suffered medical identity theft, with an average out-of-pocket cost of $2,500. Unfortunately, many breaches are detected through a fraud alert or an error on a credit card statement or explanation of benefits rather than through a notification from the company.
Code of Medical Ethics
Upholding trust in the patient-physician relationship, preventing harm to patients, and respecting patients' privacy and autonomy create responsibilities for individual physicians, medical practices, and healthcare institutions whenever patient information is shared with and distributed to third-party vendors. Because the network of medical data distribution between medical institutions and third-party vendors is hidden and complicated, healthcare organizations and individual physicians have an obligation to better secure patients' data, to protect vulnerable populations and to respect medical privacy.
- Risk mitigation before a breach: All healthcare organizations should take action on security efforts: training staff in proactive cyber awareness, limiting access, providing early alerts about trending cyberattacks, and vetting partners and third-party vendors to reduce the risk of a data breach. Total security is never achievable, so every healthcare organization and medical institute needs to evaluate its acceptable level of data breach risk and determine its cybersecurity strategy together with professional cybersecurity providers.
- Data sharing with third parties: Reviewing partners' and third-party vendors' security level and standards before sharing medical data is very important for medical institutions. Collaborating with third-party companies that lack data security awareness imposes a high risk of cyberattacks even when the institution itself maintains a high security level. In addition, to enhance patient privacy, institutions should apply technological solutions to anonymize, de-identify or perturb the data before sharing it.
- Actions after a data breach: It is important to ensure that patients are promptly informed about the breach, what information was exposed, and the potential harms. The healthcare organization should also provide patients with information that enables them to mitigate the potential adverse consequences of the inappropriate disclosure of their personal medical information.
- What patients can do after a data breach: Data breach victims should remain vigilant for fraud and identity theft by closely reviewing and monitoring their account statements and credit reports. If patients believe they are victims of identity theft or have evidence that their personal information is being misused, they should immediately contact the FTC, which can provide information about avoiding identity theft.
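As an added illustration of the "anonymize, de-identify or perturb" recommendation above (example code written for this post, not from any healthcare organization or vendor), the script below takes a constructed lab record carrying the same identifier fields named in the breach notice (name, SSN, bank account, date of service, referring doctor), drops the fields a billing or lab vendor never needs, replaces names with a keyed pseudonym so the vendor can still link records without learning who the patient is, generalizes the service date, and checks that no direct identifier survives before the record is shared. The field names, the sample record and the key are assumptions.

```python
import hmac
import hashlib
import json

# Constructed sample record; the identifier fields mirror those listed in the breach notice.
SAMPLE_RECORD = {
    "first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789",
    "bank_account": "000123456789", "lab": "Example Lab",
    "date_of_service": "2018-08-14", "referring_doctor": "Dr. Smith",
    "test": "CBC", "result": "normal",
}

# Fields that must never leave the institution: removed outright.
DROP_FIELDS = {"ssn", "bank_account"}
# Fields replaced with a keyed pseudonym: records for the same person still link,
# but the vendor cannot recover the identity without the institution's key.
PSEUDONYMIZE_FIELDS = {"first_name", "last_name", "referring_doctor"}
# Fields generalized (perturbed) to lower re-identification risk.
GENERALIZE_FIELDS = {"date_of_service"}

def pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized value; not reversible without the key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def de_identify(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYMIZE_FIELDS:
            out[field] = pseudonym(value, key)
        elif field in GENERALIZE_FIELDS:
            out[field] = value[:7]  # keep year-month only
        else:
            out[field] = value
    return out

def leaks_identifiers(original: dict, shared: dict) -> bool:
    """True if any direct identifier value from the original survives verbatim in the shared record."""
    sensitive = {original[f] for f in DROP_FIELDS | PSEUDONYMIZE_FIELDS if f in original}
    return any(v in sensitive for v in shared.values())

if __name__ == "__main__":
    key = b"institution-secret-key"  # placeholder; in practice fetched from a key manager
    shared = de_identify(SAMPLE_RECORD, key)
    print(json.dumps(shared, indent=2))
    print("leaks identifiers:", leaks_identifiers(SAMPLE_RECORD, shared))
```

The pseudonym key must stay with the institution; if it is shared with the vendor, the pseudonyms become reversible by dictionary lookup over known names.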
References
- Breach of Security in Electronic Medical Records: https://www.ama-assn.org/delivering-care/ethics/breach-security-electronic-medical-records
- One in Four US Consumers Have Had Their Healthcare Data Breached, Accenture Survey Reveals: https://newsroom.accenture.com/news/one-in-four-us-consumers-have-had-their-healthcare-data-breached-accenture-survey-reveals.htm
- Top 10 Biggest Healthcare Data Breaches of All Time: https://digitalguardian.com/blog/top-10-biggest-healthcare-data-breaches-all-time
- How to Prevent a Healthcare Data Breach in 2018: https://healthitsecurity.com/news/how-to-prevent-a-healthcare-data-breach-in-2018
- The tricky ethics—and big risks—of medical ‘data donation’: https://www.advisory.com/daily-briefing/2018/07/18/personal-data
- How to be a cybersecurity sentinel: https://www.advisory.com/research/health-care-advisory-board/multimedia/infographics/2018/how-to-be-a-cybersecurity-sentinel
- Big data, big ethics: how to handle research data from medical emergency settings?: https://blogs.biomedcentral.com/on-medicine/2018/09/13/big-data-big-ethics-handle-research-data-medical-emergency-settings/
- Debt Collector Goes Bankrupt After Health Care Data Hack: https://www.bloomberg.com/news/articles/2019-06-17/american-medical-collection-agency-parent-files-for-bankruptcy