As if healthcare executives needed more to worry about, the recent hacker attack on Sony Pictures should send yet another reminder that data security can’t be ignored. On an international stage, Sony management learned the hard way that their e-mails, text messages, and private conversations were vulnerable to attack. Hackers accessed everything from the company’s sensitive financial information to its confidential employee communications. In the immediate aftermath of the attack, Sony is facing government inquiries, class action lawsuits from employees and business partners, and a significantly tarnished reputation.
Many executives in our industry might think that healthcare facilities are better prepared to withstand hacker attacks, given the numerous government agencies that regulate how we store and transmit protected health information (PHI) and personally identifiable information (PII). In reality, a significant number of healthcare facilities have already suffered damaging hacker attacks over the last few years, and such attacks are expected to remain a threat for the foreseeable future. The question healthcare executives must ask is: “What are we going to do about it?”
On top of everything else, the Sony data breach revealed employees’ sensitive health information: Top Sony executives saw lists of named employees who had costly medical treatments and saw detailed psychiatric treatment records of one employee’s son.
Like last year’s revelation by AOL’s CEO, it shows US corporations look at employees’ health information and costs. By ‘outing’ the fact that 2 of AOL’s 5,000 employees had premature infants whose treatment cost over $1 million each, the CEO violated the employees’ rights to health information privacy.
Trusted relationships simply cannot exist if individuals have no right to decide who to let in and who to keep out of their PII. Current US technology systems make it impossible for us to control personal health data, inside or outside of the healthcare system.
Do you trust your employer not to snoop in your personal health information? How can you trust your employer without a ‘chain of custody’ for your health data? There is no transparency or accountability for the sale or use of our health data, even though Congress gave us the right to obtain an “Accounting for Disclosures (A4D)” for disclosures of protected health data from EHRs in the 2009 stimulus bill (the regulations have yet to be written). And we have no complete map that tracks the millions of places US citizens’ health data flows. See: TheDataMap.