Here’s why it is so critical to protect your healthcare data
Healthcare data is in very high demand, says Lisa Melamed, president of compliance and risk management at SCALE Healthcare. “[Healthcare data] theft has become extremely lucrative, and without the proper protections, it’s easy to steal,” Melamed says. She adds that criminals who steal social security numbers get approximately $1 per number and $5 per credit card number on the Dark Web. That’s in contrast to healthcare data, which can fetch between $250 to $1,000 per record.
“Patients who have had their health data stolen can be subjected to not only identity theft, which as we all know is expensive and can draw out for years to correct,” she says. “It can also delay treatment and prescription drugs due to fraudulent insurance claims, blackmail, or financial fraud attempts.”
How to protect health data
1. Use unique passwords everywhere
“The first thing you have to do is make sure every single place you use a password, that password is unique,” Tarighat says. Making a password longer—12 characters or more—is usually the easiest way to make it safer. And a password manager can help you keep track of long, safe, unique passwords throughout your digital presence.
2. Check an app’s security processes
There are additional professional standards for security you can check for, Tarighat says, such as SOC 2 and ISO 27001. These are audited frameworks for security that ensure a company or app is meeting a formal standard regarding your data protection.
3. Confirm HIPAA compliance
The Health Insurance Portability and Accountability Act (HIPAA) is a set of national standards protecting patient health information from being disclosed without consent. Before sharing identifiable personal health information, it’s important to check an app’s terms and conditions to ensure it’s HIPAA-compliant, says Shashank Agarwal, a data scientist and senior decision expert at CVS Health.
Keep in mind that apps that collect non-identifiable information, like your heart rate, are not required to be HIPAA-compliant. These apps are usually cataloged under health, wellness, and fitness, but since they’re not used for medical purposes, they can get around HIPAA requirements, says Ryan Montgomery, co-founder of the cybersecurity platform Pentester. That means they may share data with third parties, so use extra discretion.
4. Download apps from reliable sources
Operating systems like iOS and Windows have made it easier to understand what permissions you’re granting apps, Tarighat says. “They give you a clear disclaimer, only the operating system can really turn on those permissions.” That’s why you only want to download applications from authorized app stores like the Google Play Store or Apple App Store, he says.
5. Go easy on granting app permissions
That said, any application that requests permission to access your information shouldn’t be blindly trusted, Montgomery says. “For example, you’ll see posts with titles such as, ‘How happy of a person are you? Click here to find out.’ Those apps then request unnecessary permissions, which can expose sensitive data you may not want shared or collected,” he explains.
Agarwal adds that granting access to your stored drive folders or camera photos, in particular, poses a high risk of personal data leakage.
6. Set up two-factor (or multi-factor) authentication
These days, many apps and digital platforms offer two-factor authentication (2FA)—so if you see it, enable it. “[This] adds an extra layer of protection to your accounts, making it harder for unauthorized users to get access even if they have the password,” Montgomery says. If a service you use doesn’t support 2FA (Twitter recently revoked this security feature for non-paying users), you can use apps like Google Authenticator that generate one-time passcodes.
2FA is especially important for your social media accounts, Tarighat says. “What we often see is an attack called a SIM swap, where someone has your phone number and using that, one of the main targets is to reset your social media password,” he says. “By having 2FA, you bypass that kind of attack, which is fairly common nowadays.”
7. Stay ahead of common scams
“You have to be careful about emails, text messages, and other social engineering attacks where someone is contacting you,” Tarighat says. They may pretend to be from a government agency or a company you normally do business with, send fake confirmation or delivery emails, or direct you to a fake site through a misspelled URL. “If you’re unable to confirm who it is, you don’t want to share any private data,” he says. “Unfortunately, these are the most common scams where the individual is targeted in their personal lives.”
8. Keep your software up-to-date
Software companies fix flaws in their systems via updates—and sometimes, those updates have to do with security measures. Operating systems have built-in functions to prevent attacks, but because cyber threats are always evolving, developers have to keep adapting their security, too. Skipping updates can leave your devices exposed to the very flaws those routine security and privacy patches are meant to fix.
9. Be discreet on social media
Don’t post sensitive information, such as medical conditions, treatment plans, or lab results, on social media, as it can be used to identify and exploit you, Agarwal advises. He also says it’s a good idea to tweak the default privacy settings on your social platforms to control who has access to your information.
Beyond that, “remember that if you post about a health condition online—like on a message board—it’s not protected under HIPAA or state laws,” Melamed says.
For more guidance on protecting and securing your health information online, Melamed points to OnGuardOnline.gov for extra resources.