The mass digitization of medical data expanded the possibility of improving healthcare through the application of big data analytics. However, personal medical issues are considered private matters and as a result, the use of patient data is highly regulated by privacy laws such as HIPAA and HITECH. On top of that, any data with value is a target for criminals, and thus, healthcare data must be kept secure. While striving to meet security and privacy challenges, the medical community is trying to get the most out of its valuable data. 

Technical capabilities in healthcare also led to an increased focus and evidence-based decisions. Health care researchers and professionals are seeing data as the key to improving care, informing clinical decisions, tracking disease, and monitoring adverse effects of drugs or medical devices.

None of these improvements are possible if healthcare data cannot be shared or operationalized without ensuring both security and privacy. This means that leveraging big data requires systems that not only unlock new insights, but also protect the privacy of patients.

Since threats to privacy and security keep evolving, stakeholders must also actively refine their protective methods. With the COVID-19 pandemic leading to a pronounced reliance on digital technology, hackers leveraged cyber crime opportunities According to a report from Critical Insights, data breaches reached an all-time high in 2021, exposing a record amount of sensitive data.

In trying to combat the threat of cyberattacks, organizations have been finding that relying on a bottom-up, reactive, and technically focused protection strategy is not enough to address big data security and privacy issues in healthcare. Instead, experts are recommending a proactive, top-down approach that includes proper training of employees and other non-technical methods.

 

The Differences Between Big Data Security and Privacy

Security and privacy may seem like very similar concepts, but in the context of healthcare data, there are important distinctions between them.

• Security of healthcare data. Healthcare security measures are designed to prevent unauthorized access, data theft and cyberattacks that could expose data.
• Privacy of healthcare data. Privacy measures are designed to prevent  connections between personal medical information and specific individuals. While security measures may be focused on shielding data from intentional attacks and theft, privacy measures are focused on the ways for data to be handled and used safely. Privacy measures outline the ways in which patient data can be collected, transferred, and used with respect to both privacy regulations and ethical behavior.

 

The distinctions between these two concepts are particularly relevant when trying to address big data security and privacy in healthcare. Security measures must be designed to ensure the integrity and confidentiality of data. Measures like firewalls and encryption prevent data from corruption and unauthorized access. In some ways, security measures for protecting healthcare data also support privacy. Administrative structures and techniques like anonymization are designed to prevent organizations that handle patient data from using that data against patients’ wishes.

It is important to note that a patient can waive some degree of privacy by giving consent to an individual or organization. For instance, a patient could authorize their provider to share the results of a medical test with clinical researchers. If you’re interested in learning more about what disclosures are permitted for personal health information, check out this Ultimate Guide to Healthcare Data Security.

 

Securing the Entire Data Lifecycle

Companies that handle healthcare data must use security methods that protect both their assets and satisfy compliance concerns. Experts recommend that organizations consider the entire lifecycle of the data when applying security measures. The typical life cycle of healthcare data contains four phases: collection, storage, processing, and knowledge creation.

Data collection can involve gathering data in various formats from multiple sources. From a security standpoint, this should mean collecting data from reliable sources in a secure manner. Importantly, healthcare data may not come directly from patients, and companies receiving healthcare data must have systems in place to ensure their data collaboration is secure. Security measures for this part of the data lifecycle should prevent improper access, corruption, unauthorized disclosure, duplication, erasure, misuse, loss, and theft.

The first step of the storage phase involves filtering and characterizing the data according to predefined qualities. Some data may require preprocessing to facilitate future analysis. Preprocess steps like removing duplicate data or statistical noise are meant to improve the quality of collected data prior to any processing. This step could involve some security-related preprocessing, such as anonymization methods or data partitioning. The secure storage of data typically involves keeping it isolated and applying access control measures.

After data has been collected, preprocessed and stored securely, it is ready for the analysis phase. This stage involves the use of robust data mining techniques to generate useful knowledge and insights. The data mining process should be configured in a way that prevents mining-based attacks or breaches of this part of an organization’s network. Access control measures should also be in place to ensure that only authorized personnel can access data analysis processes.

The ideal result of a processing phase is the creation of valuable insights. These insights themselves are also regarded as valuable data that must be protected, just as the data used to create these insights must be protected by security measures.

The entire life cycle of big data in healthcare requires the ability to securely store and maintain integrity via access control. Securing the entire lifecycle becomes more complicated as more touchpoints are added by different organizations. Data providers, collectors, analyzers, and any other stakeholders must all play their responsible part in keeping healthcare data secure. Some collaborations use business associate agreements (BAAs) to hold parties accountable for unauthorized use, but these agreements only establish a reactive mechanism for addressing security malpractice.

 

Privacy Issues with Big Data in Healthcare

Any discussion about maintaining patient privacy in the United States must include the Health Insurance Portability and Accountability Act (HIPAA). Enacted into U.S. law in 1996, HIPPA established national standards for ensuring patient privacy. In Europe, the General Data Protection Regulation (GDPR) has established a strict standard for ensuring patient privacy.   

HIPAA and GDPR have made it compulsory for healthcare organizations to address privacy concerns with big data in healthcare by establishing a robust privacy policy. In addition to addressing security concerns, employee training and access control systems can go a long way to addressing the privacy risks of big data in healthcare.

As you are well aware, organizations that handle healthcare data should be using HIPAA-compliant software and IT solutions. Any systems or applications developed by a company must prioritize privacy, compliance, and any privacy agreements. When there is significant overlapping privacy protection provided by technical security measures, companies should use anonymization techniques, which aim to remove any identifying information that could be traced back to a specific individual. However, removing potentially identifying information from patient records can result in a significant loss of value. For example, a cancer diagnosis for a female patient in a certain hospital could be traced back to identify a specific person but removing that diagnosis from the record results in a loss of value for cancer research purposes. Other anonymization efforts add statistical noise to data to obfuscate any attempts at identification, but the addition of noise too can diminish the value of the original dataset. There are other approaches to big data security and protection of privacy in healthcare, until now, all have had disadvantages along with their advantages.

 

Addressing Big Data Security and Privacy Issues in Healthcare with TripleBlind

Ensuring the security and privacy of big data in healthcare is a complicated undertaking, and one that gets even more complicated as more entities get involved. However, for organizations in healthcare, not making use of big data simply isn’t an option anymore.

The innovative TripleBlind Solution is designed to simplify both the security and privacy of big data analytics for data collaborations. Our privacy-enhancing approach allows data collaborators to protect both valuable data and algorithms used to process that data, avoiding the need for addressing security concerns with BAAs. TripleBlind’s innovations build on well understood principles, such as federated learning and multi-party compute. Our innovations radically improve the practical use of privacy preserving technology, by adding true scalability and faster processing, with support for all data and algorithm types, including such as medical imaging or genomic data. 

In addition to preserving security and privacy, our one-way encryption approach helps to retain a high level of data utility, unlike anonymization techniques. 

If you would like to learn more about how the TripleBlind Solution can address your big data security and privacy issues in healthcare, please contact us today.

Introduction

What opportunities remain for the future of a healthcare industry that has faced decades of change in two short years? Countless –– as long as organizations remain dynamic and leverage digital opportunities. From optimizing telehealth offerings to catalyzing medical innovation, robust and reliable data is the backbone for healthcare’s advancement in 2022. In the same vein, data security is integral to ensuring the protection of confidential patient information and compliance with federal and state-level regulations. Interested in learning more about the intersection between data security and healthcare? Here’s our Ultimate Guide!

 

What is considered “healthcare data?”

Healthcare data, sometimes known as medical or clinical data, is any data related to health conditions, reproductive outcomes, causes of death, and quality of life for an individual or a population. Sources for this data include surveys, claims data, administrative and medical records, disease registries, and more.

 

What are the two federal laws that have been enacted to protect personal health information?

Numerous laws protect the privacy of health data. In the United States, The Health Insurance Portability and Accountability Act (HIPAA) and The Health Information Technology for Economic and Clinical Health (HITECH) Act create standards that qualify and protect the privacy of identifiable health information.

HIPAA was enacted in 1996. Before its passage, hospitals, medical practices, and insurance companies complied with a variety of laws at state and federal levels. Oftentimes, patient information could be easily distributed without the patient’s authorization and for purposes unrelated to medical care. For example, lenders and employers could access an individual’s health record –– and subsequently deny a mortgage or job application based on medical history. 

To prevent these outcomes and protect patient privacy, legislators drafted HIPAA’s privacy rule and security rule. The privacy rule allows patients to decide who has access to their medical records, such as a primary care provider or a team of specialists. It also places specific limits on how a provider can access, use, or store patient data. The security rule ensures that electronically transmitted patient data is protected through appropriate administrative, physical, and technical safeguards.

In 2009, HITECH was also passed to ensure the confidentiality, integrity, and security of electronic health information. HITECH promoted and expanded the adoption of electronic health records (EHRs), clarified language in HIPAA to close potential loopholes, and created tougher penalties for HIPAA violations to incentivize compliance with privacy and security rules. Prior to HITECH, only 10% of hospitals adopted EHRs –– leaving healthcare out of the digital age. HITECH encouraged digital transformation through financial incentives, ultimately improving healthcare efficiency and coordination. 

 

What is Protected Health Information (PHI)?

Any health information that includes individual identifiers is considered PHI, including demographic information. Under HIPAA, the 18 identifiers of PHI are:

1. Names 
2. Dates, with exception to year
3. Telephone numbers
4. FAX numbers
5. Geographic information
6. Social Security numbers
7. Email addresses
8. Medical record numbers
9. Account numbers
10. Health plan beneficiary numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Web URLs
14. Device identifiers and serial numbers
15. Internet protocol addresses
16. Full face photos and comparable images
17. Biometric identifiers (i.e. retinal scans and fingerprints)
18. Any unique identifying number or code

 

What distinguishes Protected Health Information (PHI) from healthcare data?

All PHI is healthcare data, but not all healthcare data is PHI. PHI refers to any past, present, or future identifiable health information that is used, maintained, or stored by a HIPAA-covered entity. Physical records, electronic records, and spoken information regarding a patient’s medical conditions, provisions of care, or payment of care are all considered PHI. Examples of PHI include:

• Phone records between an individual and a healthcare provider
• Billing information from a doctor
• Diagnosis of a medical condition
• Results from a blood test

 

What isn’t considered PHI? 

Two conditions determine what qualifies as PHI: who records the information, and whether or not the information is stripped of all identifiers that could tie the information to an individual. HIPAA applies to HIPAA-covered entities and their business associates. This does not pertain to education or employment records, which may retain certain information about an individual’s health, such as allergies or blood type. Information is only considered PHI if the information was recorded by a healthcare provider or used by a health plan. Additionally, if the 18 identifiers of PHI are stripped from the health information, HIPAA does not apply. The data is then considered de-identified PHI. It is important to note that certain characteristics that could uniquely identify an individual cannot be reasonably stripped from data, as context clues and introducing additional publicly available information can lead to re-identification of an individual. This highlights how HIPAA typically does apply when using patient information, and how healthcare institutions should take appropriate and proactive measures to ensure compliance.

 

When are disclosures permitted for PHI?

There are, of course, instances where disclosure of PHI is required by law. Typically, these types of disclosures handle circumstances that involve public policy, safety, or other legal concerns that compete with a patients’ need for medical confidentiality. HIPAA permits disclosures under the following provisions:

• Public health activities, such as those involving disease control, product recalls, or work-related illnesses
• Suspected abuse, neglect, or domestic violence
• Health oversight activities of the healthcare system, government benefit programs, or civil rights law;
• Judicial or administrative proceedings in response to a court order or subpoena;
• Law enforcement purposes when the PHI is relevant and material to a criminal investigation;
• Deceased patients (to coroners, medical examiners, or funeral directors);
• Organ donation;
• Research, provided specific requirements are met; and
• Government functions such as national security or intelligence activities

With such a specific and limited list of permitted reasons for disclosure, sharing data for medical research or other industry-related developments requires a careful, privacy-by-design approach. So how do organizations collaborate with data? First, let’s start by exploring why data collaboration is important in the first place.

 

What are the benefits of data collaboration in healthcare?

Data collaboration is critical for healthcare institutions. Interoperability –– the ability of two or more systems to exchange and use health information –– allows for increased clinic/hospital efficiency, reduced visits and admissions, improved diagnostic accuracy, and more. This host of potential benefits for patients’ health and well-being depends on private, secure, and streamlined sharing between healthcare providers. 

One key example of the benefits of data collaboration in healthcare is this study, conducted by researchers at Stanford University and the Houston Methodist Research Institute in 2016. By examining more than 16 million electronic health records of 2.9 million people to probe the link between common gastroesophageal reflux disease treatments and heart attacks, they found that individuals taking proton pump inhibitors (Nexium, Prilosec, and Prevacid) were 16 percent more likely to have a heart attack than those who did not take these drugs. While the study does not establish that these drugs cause heart attacks, the findings catalyze a closer examination of a potential cause-and-effect relationship between proton pump inhibitors and future heart attacks.

This example highlights how collaboration and secure information sharing can also vastly improve wider-level medical research, in addition to population health management and epidemiology/disease tracking. Access to transparent and informative data can improve the accuracy of research, provide a backbone for risk/benefit analysis of treatment options, and strengthen clinical research collaborations between healthcare providers. 

 

What is the biggest threat to the security of healthcare data?

Healthcare organizations are continually at risk for cyberthreats due to their possession of information that is of high monetary and intelligence value to hackers, cyber-thieves, and other bad actors. Protected health information, financial information such as credit card and bank account numbers, Social Security numbers, and intellectual property are all forms of targeted data. Ransomware, credential harvesting, and device theft are top mechanisms for stealing patient health information.

Immediate patient outcomes are often impacted by cyber crimes. In May of 2017, the “WannaCry” ransomware attack targeted computer systems in 150 countries, hitting over 230,000 computers globally. American hospitals and healthcare systems faced diverted ambulances, canceled surgeries, and disrupted operations –– consequences that could have been avoided through updated software and education on data security. In 2021, a Critical Insights report found that cybersecurity breaches hit an all-time high, with over 45 million individuals impacted by healthcare attacks. This number has tripled in the past three years, partially resulting from the unprecedented stress hospital and health systems faced during COVID-19. As healthcare systems continue to shore up defenses, the U.S. Department of Health & Human Services Office of Civil Rights (OCR) recommends vigilance around these top cybersecurity threats:

• IoT-connected medical devices
• Mobile/Telehealth technologies
• Understaffed and underfunded IT departments
• Lack of employee security training

 

What types of data security does the healthcare industry currently implement?

Protecting data in the healthcare industry is a serious challenge, and as regulatory requirements for data protections increase, healthcare organizations must take a proactive approach to implement best-practices for data security. Currently, these are steps healthcare organizations take to remain compliant and lower the risk of data breaches:

• Educating healthcare staff
  Human error can lead to catastrophic and costly consequences. Through robust security awareness training, healthcare employees can independently make critical and careful decisions when handling sensitive patient data.
• Implementing access and usage controls
  Data controls allow healthcare organizations to restrict access to patient information and applications to users who require access to perform their roles, or block specific actions (such as web uploads, copying to external drives, or unauthorized email sends) altogether. Data discovery and classification can also ensure that sensitive data is identified and tagged according to the level of protection necessary for the information.
• Logging and monitoring the use of data
  An audit trail allows healthcare providers to identify which users are accessing patient information, pinpoint areas of concern in security, and strengthen protective measures. 
• Encrypting data at-rest and in-transit
  Encryption makes deciphering patient information more difficult for attackers. By encoding data so that only authorized parties can receive and understand information, healthcare providers can prevent unauthorized persons or applications from gaining access to PHI.
• Securing mobile devices and applications
  Smartphones and other devices are commonplace in 21st-century healthcare, with patients, physicians, and insurance providers inputting and receiving information to increase operational efficiency. Mobile device security requires a range of measures, such as encryption of application data, installation of mobile security software, and enablement of remote-wipe or lock applications for lost or stolen devices. 
• Conduct Frequent and Thorough Risk Assessments
  Regular risk assessments encourage proactive measures against potential data breaches and cyber attacks. Locating vulnerabilities in security, growth points in employee education, and other areas of concern can reduce the risk of costly penalties from regulatory agencies and the reputational damage associated with a breach.

 

How can we improve data security in healthcare?

Scaling digital transformations, increasing cyberattacks, and rapidly changing technologies in healthcare all reinforce the need for innovative and reliable data security solutions. Ideally, these solutions should also promote interoperability between hospitals, research institutions, and other healthcare providers to maximize value derived from healthcare data –– without compromising patient privacy or incurring severe penalties after a breach.

According to the American Hospital Association, “the key to leveraging health data’s full potential for improving patient care is the establishment of a framework for compatible technical and linguistic (semantic) standards adopted by all parties that leads us to a generic, vendor-neutral data exchange program. We currently lack universally agreed upon ways of sharing and using information.”

TripleBlind is a software-only solution that can unlock the intellectual property of health data without compromising PHI or violating HIPAA. By keeping data private and in place while allowing authorized operations on the data, healthcare providers can collaborate around sensitive information and ensure compliance with regional and national privacy regulations.

Take, for example, this use case in hospital and pharmacy analytics. A critical pain point for hospital and life science researchers is the need for detailed information about patient drug purchases and usage. While these researchers often know what drugs have been prescribed to patients, they have little information about actual purchase or use rates –– information that pharmacies possess, but struggle to or cannot share due to interoperability challenges or legal barriers. 

Using TripleBlind, the hospital can run a “fuzzy match” (or exact) to identify the intersection of their customers and the pharmacy’s customers. The pharmacy can also set permissions on what data the hospital is able to see on their shared patients’ customers, allowing the pharmacy to have full access and usage controls. Through this data collaboration, the hospital can then gain insights into what medications patients are actually purchasing and taking after receiving a prescription, then incorporate their findings into future research and models.

With our privacy enhancing computation solution, no exchange of raw data ever takes place. Permissions on how data is used can be set to per-use authorization, ongoing permissions, or anything in-between –– giving data owners full autonomy over data and algorithms, while allowing data collaboration and innovation to take place. The TripleBlind Solution offers the following additional advantages:

• Streamlined interoperability between healthcare organizations –– Using or combining PHI and PII is often a compliance migraine for healthcare professionals. The TripleBlind Solution reduces time and resource cost, allowing organizations to extract insight from data without compromising or relinquishing control over proprietary information.
• Exceptional AI/ML modeling and analysis toolset –– TripleBlind enables all data operations to occur on any type of data, without adding speed penalties or requiring additional storage. Train AI models and find healthcare solutions faster than and with greater accuracy than ever before.
• Aggregation of granular-level patient data while ensuring HIPAA/HITECH compliance –– Since PHI is protected by design and never moved, shared, or seen by any parties, critical information can be included in every research process –– including early indication clinical trial reporting, pharmaceuticals, and more.

Are you ready to learn more about how TripleBlind can support your organization in joining the future of healthcare data security? Check out our use cases or contact us for a demo of our next-generation product.