By Tamer Abouras
It feels a bit like beating a dead horse, but the vulnerability of health information is a staple of the news cycle these days. Breaches happen, and it is unclear whether the wide-scale repercussions of so much stolen data have truly been felt yet.
You’ve heard how many healthcare organizations have suffered breaches, and how dangerous that can be for patients. Those organizations, as well as Congress, have been working feverishly to head off potential disasters, with bills such as the Cybersecurity Information Sharing Act (CISA).
As well-intentioned as those maneuvers are, adequate disaster preparedness is usually born of an initially inadequate disaster response. You wouldn’t be faulted for your hurricane preparations if you’d never experienced one before, but you’d be ready the next time one came around.
In this case, what compounds the problem is that the proverbial hurricane — the warp speed march of digitized health information — is one that no one has ever experienced. And so preparations for the so-called “worst” that could happen are necessarily a little weak in certain places.
What’s sure to infuriate medical professionals and patients alike, however, are unforced errors. And that's what makes this story from Consumerist about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) not covering health apps, wearables, at-home paternity tests and fitness trackers so troubling.
Relaying a story that originally appeared in ProPublica and The Washington Post, Consumerist content editor Kate Cox described how security expert Jacqueline Stokes, trying out a home paternity test to review the technology and have a little fun, made an alarming discovery.
“She bought a home paternity test for fun, to experiment with the tech. And when she went to look at the results, she discovered a Maury-friendly surprise: one little tweak in her browser’s address bar gave her instant access to an enormous directory containing over 6000 customers’ data.”
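The exposure class behind that quote is worth seeing in code. What follows is an added illustration, not code from the article or from any test vendor, and it rests on an assumption about what the “tweak” was: that editing the results URL (dropping the file name so the web server returned a directory index, or substituting another record name) was enough, because the server authorised nothing and served whatever path it was asked for. The record names, session token and result texts are constructed sample data. The hardened handler shows the fix a practitioner would want: the record served is chosen by the authenticated session, never by the URL.

```python
"""Directory index plus missing authorisation, beside the hardened version.

Added example; not the original article's code or any vendor's code.
ASSUMPTION: the address-bar tweak was editing the results URL.  Sample
customers, tokens and result texts below are constructed for the demo."""

import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample data: three customers' result files in one web-served
# directory.  Record names and results are fictional.
SAMPLE_RESULTS = {
    "A1001.html": "Customer A1001: probability of paternity 99.9%",
    "A1002.html": "Customer A1002: probability of paternity 0.0%",
    "A1003.html": "Customer A1003: probability of paternity 99.9%",
}

# Constructed session table: session token -> the one record it may read.
SESSIONS = {"tok-for-A1002": "A1002.html"}


def make_results_dir() -> Path:
    """Write the sample reports into a fresh temp directory and return it."""
    root = Path(tempfile.mkdtemp(prefix="results-"))
    for name, body in SAMPLE_RESULTS.items():
        (root / name).write_text(body)
    return root


def vulnerable_handler(root: Path, path: str) -> Tuple[int, str]:
    """Static file server with autoindex on and no authentication at all.

    GET /results/A1002.html -> that customer's report (the intended use)
    GET /results/A1001.html -> a different customer's report
    GET /results/           -> an index listing every report in the directory
    """
    rel = path[len("/results/"):] if path.startswith("/results/") else path
    target = root / rel if rel else root
    if target.is_dir():
        # Autoindex: one edited URL lists every customer's record.
        return 200, "\n".join(sorted(p.name for p in target.iterdir()))
    if target.is_file():
        return 200, target.read_text()
    return 404, "not found"


def hardened_handler(root: Path, path: str,
                     session_token: Optional[str]) -> Tuple[int, str]:
    """Same files, but the record served is bound to the session.

    - no valid session                      -> 401, whatever the path
    - the bare directory or another record  -> 404 (existence not revealed)
    - the session's own record              -> 200
    """
    allowed = SESSIONS.get(session_token or "")
    if allowed is None:
        return 401, "login required"
    rel = path[len("/results/"):] if path.startswith("/results/") else path
    # Compare the URL against the authorised name; never open the URL's path.
    if rel != allowed:
        return 404, "not found"
    target = (root / allowed).resolve()
    # Defence in depth: the served file must sit directly under root.
    if target.parent != root.resolve():
        return 404, "not found"
    return 200, target.read_text()


def demo() -> dict:
    """Exercise both handlers on the constructed data; returns status codes."""
    root = make_results_dir()
    return {
        "vuln_index": vulnerable_handler(root, "/results/")[0],
        "vuln_other": vulnerable_handler(root, "/results/A1001.html")[0],
        "hard_index": hardened_handler(root, "/results/", "tok-for-A1002")[0],
        "hard_other": hardened_handler(root, "/results/A1001.html", "tok-for-A1002")[0],
        "hard_own": hardened_handler(root, "/results/A1002.html", "tok-for-A1002")[0],
        "hard_anon": hardened_handler(root, "/results/A1002.html", None)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} -> {status}")
```

The design point is in the hardened handler: the URL is only compared against the record the session is entitled to, so neither guessing another record name nor truncating the path to the directory yields anything but 404, and an unauthenticated request gets 401 before any file is considered. Whether HIPAA applies to the vendor changes none of this; the check belongs in the application regardless.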
As Cox goes on to explain, contrary to popular opinion, “ … HIPAA isn’t universal; not all businesses have to adhere to it. Covered entities — the people and organizations that are subject to following HIPAA restrictions — include healthcare practitioners, health insurance companies and plans and ‘healthcare clearinghouses,’ which are businesses that process health information between other health companies.”
See the problem? The government offers a handy flowchart to anyone curious about which types of entities may or may not be covered, but the Department of Health and Human Services’ (HHS) response to Stokes when she reported what she had assumed was a violation was telling: it wasn’t a violation, “ … because use-at-home tests sold to consumers aren’t covered entities.” The data was no less exposed for that; what was missing was any HIPAA obligation on the seller to protect it.
While the 1996 HIPAA law has been updated over time, its last such update was made in 2009. Nearly seven years later, in an age when more and more of us volunteer our health information to these apps and portable devices, Cox concludes that another is overdue.
“In 2009, Congress passed a law updating HIPAA and requiring HHS and the FTC, which has oversight of privacy and data breaches, to work together and submit recommendations on how to handle sensitive health data that isn’t covered under HIPAA. Six years later, that report is still in progress.”