In 2017, a ransomware attack crippled Britain’s National Health Service. Thousands of appointments were canceled because of WannaCry, which also locked out access to essential medical services such as MRI devices and blood and tissue sampling. While not the first attack on a healthcare organization, it brought to light the real-world impact of cyber attacks. Two years later, these attacks have increased by 90%, while third-party data sharing revelations highlight how the most sensitive data is being monetized and accessed without patient or provider permission. As our data is held for ransom and medical records shared without our permission, patients need and deserve greater control over their most personal data.
In the last few weeks alone, the public learned just how fragile privacy protections are for their health data. The sharing of millions of American medical records between one of the largest nonprofit health systems, Ascension, and Google has now sparked a federal inquiry. There already is an ongoing investigation into data sharing between Google and the University of Chicago over the handling of health data and whether privacy-preserving protections were in place. To be clear, this is a much broader problem as tech companies race into the healthcare industry. A recent investigation by the Financial Times analyzed 100 health websites, and found the vast majority enable tracking and sell the data, including prescriptions and fertility and menstrual information, to many of the largest tech companies.
One of the largest and fastest-growing concerns is the handling of genetic data. Over 26 million people have taken at-home genetic testing. The recent data breach of Veritas Genetics illustrates the growing privacy concerns over the security of genetic information. Genetic data has the potential to enable groundbreaking research and cures for some of society’s most intractable diseases, but it also can be misused if not appropriately protected. Earlier this year it was revealed that American companies are helping surveillance efforts in China that target and track people based on genetic information. More recently, a Florida detective introduced a warrant to access GEDmatch DNA data. Coincidentally, the same site was also the subject of research that found a vulnerability in the crowdsourced platform, one that allowed the researchers to guess more than 90% of the DNA data of other users.
Unfortunately, external breaches and data sharing aren’t the only risks for health data. One investigation found medical images and records of more than five million patients exposed online. In sum, 187 insecure servers that stored the images from x-ray services and medical imaging centers were identified across the United States. Insider threats pose an additional risk to health data. In September, a couple was charged with stealing research-based intellectual property for pediatric medical treatment.
Taken as a whole, medical theft and health data exposure not only have significant privacy and security implications, but they also have financial repercussions and can impact life-and-death situations. The financial damages affect both the providers and consumers. In 2019, data breaches will likely cost the healthcare industry $4 billion, while one in four consumers have had their health data breached with an average cost of $2,500, as well as medical identity theft. There also is evidence of the life-and-death nature of these attacks. A Vanderbilt study found that hospitals hit by a ransomware attack also experienced an increase in fatal heart attacks.
As the recent federal inquiry demonstrates, these revelations are driving a broader technology and policy need to empower people and organizations with greater control and ownership of their data. The Confidential Computing Consortium is one example of a new alliance crafted to release open source tools for greater privacy-preserving data protection. Similarly, non-profit advocates like the Open Privacy Research Society conduct research and create open-source tools aimed at enhancing privacy and control over data. Despite these efforts, there remains skepticism over whether it’s even possible to anonymize and protect health data.
At Virtru, we understand this skepticism and have built solutions to protect data against the risks while also enabling data sharing that preserves privacy. Years ago we introduced the Trusted Data Format (TDF) to ensure the integrity of the data, while maintaining granular access controls. We have continued to evolve TDF to protect all forms of data, from live-streaming IoT device data to securing the algorithms against data poisoning and manipulation.
We also recently launched the Virtru Developer Hub for simplified and at-scale TDF creation through a software development kit (SDK). We have championed these kinds of efforts across the community, with new proofs of concept at organizations like “23andjustme” that would allow individuals to monitor what specific data is shared with organizations for analysis, as well as revoke access to that data as needed.
Given the steady drumbeat and extremely legitimate concerns over the misuse and theft of health data, it is well past time for a new paradigm and approach to ensuring the privacy and security of data. We are on the verge of significant societal benefits and impact as medical breakthroughs become possible thanks to the wealth of health data and big data analytics. But these benefits rely on trusting that the data will be secured and privacy protected.
Just as the past year highlighted the growing risks to health data, the upcoming year could be the year where the data defenders break through and take major steps toward realizing these societal benefits. Through our partnerships and collaboration, Virtru will continue to help protect against the growing risks and misuse of health data, while helping move these medical breakthroughs from theory to reality.