UPDATED 17:00 EDT / MARCH 05 2020

SECURITY

As medical records are stolen and shared, data protection faces a crisis of faith

Humans love being connected. Almost 4.5 billion of us — over half the world’s population — are now online, and the number keeps growing. Our phones, tablets, televisions, watches, fitness trackers, fridges, and even lightbulbs are now smart devices.

As the number of devices connecting people to the web grows, so does the ability to track personal data. One sector where this is growing exponentially is health-related information. From connected hospital equipment to cloud-accessible patient scans, collection and analysis of patient data is leading to amazing advances in healthcare technology.

However, high-profile data breaches have brought data privacy into the spotlight, and studies show that public trust in healthcare’s ability to safeguard data is falling.

As the industry faces a “crisis of faith,” there is just one thing that all parties seem to agree upon: Medical data must be kept safe and secure, and regulation is the way to do it.

In this report, theCUBE, SiliconANGLE Media’s mobile livestreaming studio, looks at the security problems currently facing the healthcare industry and the solutions being proposed to fix them.

Medical data sends a siren call to cybercriminals

Medical data contains information that is a gold mine for criminals: names, birthdates, identification information, such as Social Security Numbers, and even personal details that could help bypass security measures, such as home addresses and names of next-of-kin. And the potential attack surface is growing in sync with the number of networked devices, which is predicted to hit 28.5 billion by 2022. That’s 3.5 devices for every single person on Earth.

Image: HIPAA Journal

2019 was a bad year for data security. There were more than 500 breaches where 500 or more records were compromised. In one instance, a server breach at Quest Diagnostics Inc./Optum360 Inc. affected the personal records of over 11 million individuals. Three major attacks in June revealed millions of patient records.

One of the companies breached in June was Laboratory Corp. of America Holdings, better known as LabCorp. This was the second of three security lapses for LabCorp in less than a year. The company experienced a ransomware attack in July 2018, and in January this year it again hit the headlines for exposing patient data through an unsecured customer relationship management system.

From the right to be left alone to the right to be forgotten

Concerns about personal privacy are nothing new. The Fourth Amendment to the United States Constitution, introduced in 1789, is the basis for many of the country’s privacy laws. A century later, U.S. law scholars Samuel Warren and Louis Brandeis argued for personal privacy rights in the seminal article “The Right to Privacy,” which established the “right to be left alone.”

In the mid-1990s, the first regulation over how medical data should be shared came with the Health Insurance Portability and Accountability Act (HIPAA). However, HIPAA was designed for an era before big data.

Updates through sister regulations, such as the Health Information Technology for Economic and Clinical Health Act, have helped address some loopholes. But U.S. regulations are still inadequate to cover the fluidity of information exchange that came with cloud, big data, and mobile networking. Acknowledging the vulnerability of data, Microsoft Inc. President Brad Smith said: “We need government action to provide common guardrails across the industry.”

In terms of data privacy and protection, Europe is leading the field. “Data protection is almost of a neurotic interest to us,” said Archana Venkatraman, research manager for European datacenter research at IDC Research Inc. She spoke to theCUBE about the impact of the European Union’s General Data Protection Regulation, known worldwide as GDPR, which came into effect in mid-2018.

One key regulation enforced by GDPR is Article 17 — the “right to be forgotten,” which allows people to demand that personal data be erased. Several other closely related articles in the GDPR are also impacting medical privacy and data protection. Article 15 — the “right to access personal data” — and Article 20 — the “right to data portability” — are causing debate over how and when patients can control their medical records.

Customer trust is essential in the digital health market

Consumer confidence could be a huge barrier for hyperscalers hopping on the health bandwagon. A Rock Health survey showed only 11% of respondents were willing to share their medical data with a tech company.

Recently, the announcement that wearable activity tracker pioneer Fitbit Inc. was going to be purchased by Google LLC was viewed with caution both by the industry and the general public.

House Antitrust Subcommittee Chair and Rhode Island Representative David N. Cicilline said in an official statement: “Google’s proposed acquisition of Fitbit would also give the company deep insights into Americans’ most sensitive information — such as their health and location data — threatening to further entrench its market power online.”

While there is a chance that the Google-Fitbit deal will be bogged down in the approval process and may not pass at all, Google’s Project Nightingale falls in a completely different category. Less than two weeks after the Google-Fitbit announcement, the Wall Street Journal revealed that Google and healthcare firm Ascension Health Alliance had secretly partnered to gather personal health data from millions of Americans.

Fitbit users can choose to deny Google access to their personal data by simply not wearing the device. But there was no opt-out choice for patients whose personal medical records were shared with Google under Project Nightingale. They weren’t even made aware it was happening. Understandably, Google encountered backlash for what many saw as a trust violation by the tech giant.

“Most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place,” an employee involved in the project anonymously told the U.K.’s Guardian newspaper. And experts in the healthcare field warn that Project Nightingale is just the tip of a data-privacy iceberg.

Keith Figlioli, former healthcare technology executive and current general partner at the venture capital firm LRVHealth, sees the concern over Project Nightingale as justified. All companies need to be more transparent in what they are doing with personal data, according to Figlioli.

“Trust and brand affinity are going to become critically important as we mature out in this industry,” he said.

CNBC’s health and tech reporter Christina Farr agrees with Figlioli that the general public is unaware of the extent to which their private data is already being leveraged by health and fitness companies. Her Twitter feed contains many examples.

Project Nightingale was unusual, as information included personal identifiers, such as names and addresses. It is more common for companies to strip identifying information from data before it is shared. This is supposed to safeguard privacy; however, a 2018 study proved that modern intelligent technologies, such as machine learning, can re-match the person and the data, making promises of data anonymity void.

Some have proposed new technologies, such as homomorphic encryption, as a way to maintain privacy while sharing data. But homomorphic encryption, while undoubtedly secure, requires a lot of compute power. This has, so far, excluded it as a mainstream solution.

US needs federal-level privacy legislation, but what kind?

Minnesota Senator Amy Klobuchar is an advocate for personal privacy. In mid-2019, she joined with Alaskan Senator Lisa Murkowski to introduce new legislation aimed at protecting private health data.

“This legislation will protect consumers’ personal health data by requiring that regulations be issued by the federal agencies that have the expertise to keep up with advances in technology,” Klobuchar said. But while the legislation was introduced to the house, it stands only a 3% chance of actually getting passed, according to the govtrack.us website.

Legislation that is predicted to have a real impact is the California Consumer Privacy Act of 2018. According to the Gibson Dunn “U.S. Cybersecurity and Data Privacy Outlook and Review — 2020,” this is “the first comprehensive consumer privacy law in the United States.” The legislation regulates the trade in personal information, which would include the sale or exchange of personal medical data in return for compensation. This is similar to GDPR in that it links the protection directly to what the data is rather than the entity that owns or controls it.

However, legislation is causing rifts between the tech companies who believe in open access to data and the healthcare companies who are concerned about patient privacy and increased costs of meeting regulatory requirements for patient access to their records.

New legislation proposed by the U.S. Department of Health and Human Services aims to give patients access to and control over their healthcare records. “These proposed rules strive to bring the nation’s healthcare system one step closer to a point where patients and clinicians have the access they need to all of a patient’s health information, helping them in making better choices about care and treatment,” said Alex Azar, secretary of HHS.

At the core of this legislation would be the use of standardized application programming interfaces so individuals could access their data on a smartphone or other mobile device. “The rule would support patients accessing and sharing their electronic health information while giving them the tools to shop for and coordinate their own healthcare,” said Don Rucker, national coordinator for Health IT.

This accessibility is supported by Apple, Microsoft and Google but opposed by some traditional healthcare providers. Epic Systems Corp. Chief Executive Officer Judy Faulkner went so far as to send an email to hospital system executives urging them to join her in protesting HHS’ proposed rules. Her objection is rooted in her background in software development. Faulkner wrote the original code for Epic’s interoperability platform, Care Everywhere. She believes the legislation will undermine privacy and intellectual property protections and “will have the unintended consequence of sharing family members’ health data without their consent” by allowing app developers access to the data.

Opening access to personal records could be the panacea that solves the mess that is the current U.S. healthcare administrative system. But healthcare is lucrative, and allowing patients easy access to their records also makes it easier for them to choose an alternative provider. So mistrust occurs on both sides: Can tech companies be trusted not to misappropriate the data? And can healthcare providers be trusted to do what is best for the patient, not the bottom line?

2020 has been forecast to be the year when effective data privacy legislation is finally passed. But as with many problems in the world these days, it’s a convoluted situation with two sides at odds — each with valid arguments and potential pitfalls.

Will humanity’s love of connected devices revolutionize healthcare management and put the power over personal data back in the hands of the owner? Or will digital devices prove to be data-sucking voids that steal sensitive information and secretly share it? The jury may be deliberating for some time.

Image by vjohns1580 from Pixabay
