Our health exposed!
For years, many people, especially healthcare professionals, have dreamed of a single repository for each patient's healthcare-related data. This would make diagnosis and treatment easier, more reliable and more secure. With more data, healthcare professionals would be better placed to know each patient's medical history and to anticipate the effects of the treatments they prescribe. In addition, in an emergency, access to each person's electronic health records would ensure better attention to the specifics of each case.
Governments and health organizations have taken different paths towards these goals. For instance, under HIPAA (Health Insurance Portability and Accountability Act), the US has defined EHRs (Electronic Health Records) as a digital version of a patient's paper chart that may contain their medical and treatment histories. Typically, they contain the patient's medical records, including past and present diagnoses, medical care, treatments, allergies, medication history including prescribed or over-the-counter medication, … They are used not only to improve diagnosis and medical care but also by health insurers to evaluate claims.
However, health records attract interest from more than the traditional players, which include patients, healthcare professionals, pharmaceutical companies and public and private insurers. According to HealthcareITNews, Google is recruiting users to evaluate how they want to interact with their own medical data… Analysts anticipate it could come up with a revamped version of Google Cloud for Healthcare, which is already offered as a repository of health-related data allowing patients to make their records available to healthcare professionals. Google's offer also includes Google Healthcare Data Engine, which is meant to help researchers and clinicians gain access to medical information. Google has signed data-sharing agreements with various healthcare stakeholders, thereby monetizing sensitive patient data from millions of people. Google swears that the confidentiality and integrity of the data are perfect, but who trusts them?
On the other side of the Atlantic, the French government-managed Assurance Maladie and the Health ministry are launching "Mon espace Santé" (My Health Space), initially a store for patient-related data that is expected to be extended with various dedicated healthcare applications. The system will keep track of all medical history, including visits to doctors, hospitalization reports, test results, vaccinations, as well as allergies and family history. The administrations that set up the project say they fully guarantee medical confidentiality and that control remains in the patient's hands.
Civic rights organizations such as La Quadrature du Net claim that, in the "Mon espace Santé" project, consent is not properly respected and that data management does not provide sufficient confidentiality guarantees. For instance, the system allows any healthcare professional to have full access to patient data in case of emergency but does not define what constitutes a case of emergency, thus opening the door to abuses. Also, parents are given full access to the data of their dependents, i.e. their children. Moreover, future apps may have access to medical data without the patient's explicit consent.
Incidents of undue access to healthcare data are alarming enough. For instance, data on at least 500,000 French residents have been stolen from CNAM (Caisse Nationale d'Assurance Maladie – National health insurance system) through unauthorized access to 19 healthcare professional accounts, associated with a brute-force attack on national identity numbers. The stolen data include the identity and identifiers of policyholders, thus opening the way to more numerous and more harmful phishing campaigns. Even worse, due to a cyberattack, the full medical records of more than 40,000 residents of the Canton of Neuchâtel in Switzerland are now fully exposed on the darknet.
So, while there is no doubt that better access to medical records will lead to better medicine, the need for security is ever more pressing. The secure transactions industry has solutions!