Intro to Medical Data Privacy

Tuesday , 12, November 2019

Health Information

Installing apps that “help” you with medical conditions can lead to privacy disasters. Your personal information gets shared with the world, and suddenly advertisements for your health situation follow you around the Internet. According to research firm Twinword, an estimated 83% of users searched online for health or medical information. If the average Internet user were to forget their medical issues, they could probably remember by spending an hour on the web watching advertisements.

Installing apps to help you with a pregnancy launches an avalanche of data sharing and advertising that almost defies belief. In the US there are laws that govern the use, sharing and storage of healthcare data, but it is a complex, nuanced issue.


The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress in 1996. It aims to protect people from losing their health insurance when changing jobs or have pre-existing health conditions, creating standardized formats for many administrative transactions, and most importantly from our perspective – to protect the privacy and security of personal health information.

Individuals have certain rights under HIPAA privacy rule, which is intended to ensure the safe handling, transmission and storage of personal medical information.

These rights include the right to ask for copies of your health records from health providers, including doctors and hospitals. The HIPAA privacy rule provisions apply to healthcare plans, providers of medical services, and associates including billing agencies, accounting firms, lawyers, pharmacists and anyone else who has a contractual agreement involving the use of protected health information. This protected information coversall individual health information transmitted or maintained by a covered entity.

The HIPAA privacy rule allows the use and disclosure of personal health information without your consent when treatment is being given, when payment is being collected, for research or public health purposes, or when you bring another person into the room where health care is delivered.

An important right is that only you or your personal representative has the right to access your records. You have the right to acquire and review your health care records. Sharing your personal health data for marketing is explicitly prohibited.

Wearables and Health Apps

Some entities collect and use personal health information and are not covered by HIPAA. Companies that sell wearables, fitness trackers, and health apps are not covered even though they often track, transmit and use your personal health data.

This is increasingly a privacy problem we face. Fitness trackers, for example, can collect and make available other detailed privacy-related information as well, such as your location data over time and activity data. “Location information can reveal some of the most intimate details of a person’s life, whether you’ve visited a psychiatrist, whether you went to an A.A. meeting, who you might date,” according to US Senator Ron Wyden, who has sponsored bills to limit the collection and sale of this data.

Users need to be conscious of the settings for these devices, to ensure they are not sharing the user’s location data with the world. Common healthcare apps like the CVS app have been found to send tracking data to dozens of companies, including GPS location data. According to a 2018 story in the New York Times, “More than 1,000 popular apps contain location-sharing code from such companies …” and the numbers continue to grow.Social media platforms are not covered by HIPAA privacy or security rules either, and will almost certainly utilize your health data for business and marketing purposes if you provide it. Advertisers are eager to know about your health condition and any medical issues because this information is valuable to them.

Rapid advances in AI make it possible to identify people and infer their activities via analysis of data generated by wearable trackers, fitness apps and the like. This is a trend that is not diminishing.


According to Wikipedia, “Deoxyribonucleic acid (DNA) is a molecule composed of two chains that coil around each other to form a double helix carrying the genetic instructions used in the growth, development, functioning, and reproduction of all known living organisms….” Your DNA uniquely identifies you, and holds an incredible amount of detailed information about you and your relatives.

Stealing genetic data will be the identity theft of tomorrow. This information is already valuable. A large DNA testing company, 23 and Me, entered a partnership in 2018 with GlaxoSmithKline – a large pharmaceutical company. They agreed to share customer DNA data for some $300 million USD. The site users don’t get any profit, they’ve simply lost their data.

In fact, 23 and Me has partnerships with major pharmaceutical companies like Pfizer, Genentech, Alnylam Pharmaceuticals, and Biogen, as well as Proctor and Gamble (P&G Beauty) and several academic institutions. A competitor named Helix shares data with around 25 companies according to its co-founder.

If new pharmaceuticals result from customers’ DNA, they will pay dearly to get those specialized medicines. Ultimately we cannot keep our DNA to ourselves, but desequencing it is currently resource intensive. Hang onto
your secrets for now, and let the future take care of itself.

Medical Devices and Equipment

Medical devices continue to increase in complexity as their utility grows. With more of these devices being computerized or computer assisted, a growing number of failures is attributed to computer-related failures of one type or another. In the past few years some alarming security concerns have been raised as well, and due to the difficulty in upgrading many of these devices is cause for concern. Finally, privacy concerns are rapidly becoming an issue, as more of these devices become more capable and their computing and communications capabilities become more advanced.

Medical software of all kinds is an area of growing concern due to multiple factors. Software reliability issues, whether powering hospital equipment or Implantable Medical Devices (IMDs) is problematic due to the growing complexity, use of outdated operating systems and code libraries, and limited or non-existent upgrade paths.

We see rapidly increasing security challenges due to poor design, inability to upgrade or keep updated, and factors like the lack of technical skills necessary to keep equipment safe at medical facilities.

Privacy worries abound as well, including unprotected raw data streams, weak access controls, and even advances in artificial intelligence. Once data has been accessed by authorized parties, the secure storage and sharing of that data is also of great concern.

Reliability of the software and software supply chain and update mechanisms is a problem area even for those who have complete control over their hardware design and manufacturing processes. Medtronic, one of the largest producers of Implantable Medical Devices (IMDs), famously had an insecure update system for their pacemakers in 2017 and 2018 which led them to disable updates in the wake of BlackHat hacker conference presentations showing exploits.Medtronic had been informed of the vulnerabilities as early as January 2017 according to the presenters, who demonstrated exploits against pacemakers and insulin pumps.

Similar “critical” vulnerabilities have been found in a variety of Medtronics devices, which include insulin pumps and pacemakers and more. The company declined to fix most of the critical problems found with their IMDs, instead opting to fix things with the next generation of devices. This is not a privacy concern per se, but suggests something about the state of design around medical device software and the information it generates that is alarming.

The FDA in the United States requires companies to use encryption to safeguard wireless IMDs, but access controls are tricky and various strategies for access and authentication have tradeoffs. Protection of the data stream from malicious eavesdroppers is an area that needs attention too, as may devices simply output data for anyone in range to receive. In many ways the problems IMDs face are the same as those faced by Internet of things (IoT) devices – dedicated, low power, networked devices that are seldom updated.

Unauthorized parties ideally would not be able to determine that a person had an IMD, as it could potentially lead to discrimination by employers, insurers and others. Current devices tend to be “always on” and broadcasting data that betrays their presence. The device being in use might indicate a terminal condition, and lead to an insurer refusing coverage.

Even if it can be determined that an IMD is inside a person, it should not allow them to be tracked by a signal it emits. The device should not advertise details about itself, or the patient, or allow access to or analysis of the data it produces. These seem obvious and desirable, yet they are overshadowed by security concerns ranging from tampering to put patients at risk, to denial of service (DoS) attacks. See the FDA’s list of medical device recalls here: ListofRecalls/ucm629347.htm

Hospitals and Medical Facilities

Hospitals and medical facilities of all types are increasingly finding themselves vulnerable to issues related to their reliance on networked equipment. There are a variety of reasons software systems can be problematic, along with interoperability issues between systems and even poor network performance. All of these classes of issues potentially pose a threat to people and institutions.

Taking a look at software systems the first thing that impresses many observers is the near universal use of outdated software. Outdated operating systems abound in medical equipment, often because the custom software running on the device requires an older operating system, so upgrading the software is not an option. Updating the entire system can be prohibitively expensive, or not even be an option when product cycles are long.

Because system software is typically out of date, medical equipment is a favorite target for attackers moving laterally through a network. It also leaves systems vulnerable to ransomware attacks. Malicious actors gain access via phishing campaigns, which continue to be a favorite attack vector in general, and specifically for healthcare institutions.

More to the point – leaves your medical data exposed to anyone who wants to steal this valuable information. These devices measure, collect and store ever larger amounts of data, making them more desirable targets over time. This is a point rarely discussed because the existential risks posed to patients overshadow the privacy concerns.

The reason this is a worsening problem is of course, the continued increase in adoption rates for connected medical devices. Business Insider estimates that by the end of 2019, 87% of medical healthcare organizations will have adopted IoT technologies, and by 2020 they estimate there will be almost 650 million connected medical devices (not including wearable devices like fitness trackers) in use.

Medical facilities also extend their reach by incorporating remote access capabilities, and that poses a threat to security and privacy of patients. Both remote access portals which grant access to remote users to medical data, and remote patient monitoring potentially threaten to expose user data, but the convenience and cost savings are irresistible.

Hospitals are acutely aware of the security threats they face, such as ransomware, but seem less cognizant of privacy risks posed by connecting all devices and relying on machines with terribly outdated software. Yet the ever growing mountains of sensitive medical data stored in these institutions make them prime targets for data theft, with personal medical records fetching up to $1000 each on the dark web, depending on the level of detail. Unfortunately the prices are said to be dropping despite the growing amount of detailed information contained in them, due to overwhelming supply, with the average medical records selling for under $100 USD now according to one source.

The data in these records enables identity theft, and even establishing credit lines, as they tend to have detailed personal information. They are also used to commit medical fraud, by billing incorrectly for medical procedures, or fraudulently obtaining benefits or medications. Medical organizations also face the prospect of having patient records released if they do not pay ransom demands resulting from data thefts, as happened to Labio, a medical testing firm.