With Mark Zuckerberg’s appearances before Congress this week, the conversation about data protection is timelier than ever.
In the realm of healthcare, hospitals, physician practices and insurance companies have moved toward digitizing patient data through electronic health records. These records contain large amounts of sensitive information such as medical diagnoses and behavioral health data.
Given the sensitivity of this data, the challenge for the healthcare sector to protect patient privacy is even bigger than the one Facebook is experiencing.
According to the Department of Health and Human Services, some of the biggest healthcare data breaches happened in the past two years. Even large insurance firms like Anthem are not immune: in 2017 Anthem reported unauthorized access to the data of more than 18,500 patients.
This week members of Congress examined the need to hold corporations liable for large data breaches and discussed potential legislative solutions to these privacy violations. One bill under consideration, the Secure and Protect Americans’ Data Act, would require entities that collect personal information to develop a written security policy detailing how that information is collected, used and disseminated. The bill would also require each such entity to designate a manager responsible for information security.
Perhaps another angle for protecting healthcare data would be mandating cyber security training for healthcare employees. According to a study conducted by MediaPro, 78% of healthcare employees were unprepared to deal with common cyber threat scenarios. For instance, 18% of healthcare workers believed phishing emails to be legitimate. Phishing emails typically arrive from a suspicious or spoofed sender address and try to lure the recipient into clicking an external link that harvests credentials or other sensitive information. Healthcare workers were also likely to log onto public, unsecured networks to complete their work tasks, even though such networks expose them to additional risk of attack. Organizations do provide mandatory training on HIPAA compliance, which instructs medical professionals on the permitted use and disclosure of individuals’ health data. They do not, however, offer training geared specifically to protecting electronic data, even though the study demonstrates that such training is needed.
Whether Congress or the healthcare sector will take the lead on a conversation about data protection remains unclear. What is clear is that the conversation is needed today more than ever, and healthcare companies should start having it before their CEOs find themselves in Mark Zuckerberg’s shoes.