Nadine Barrett-Maitland | Critical to safeguard digital healthcare data
Digitising healthcare and health records is becoming the norm for most developed countries. Some countries are seeking to introduce technological solutions into their healthcare systems. This can improve customer service, reduce waiting time, improve accuracy, and result in a more efficient and effective healthcare sector.
However, the implementation of a digital healthcare system must be done with due caution and diligence. Over the past two and a half years, health records have been the prime target of hackers. An October 2022 report by Think Secure Network states that the hacking of healthcare systems is on the rise.
A 2022 FIERCE Healthcare Health TECH report states that in 2020, thirty-four million people were affected by healthcare hacks. This number grew to 45 million in 2021, representing a 32 per cent increase. Fortified Health Security’s mid-year report points out that in the first half of 2022, the healthcare industry had about 337 reported breaches, with 19 million records compromised, affecting millions of people. Doug Halsall, in an article in The Gleaner titled “Data security in the advanced world”, indicated that on the black market, the average cost of a patient’s healthcare information/record can range between US$355 and US$363 compared to US$1 and US$2 for credit card information. This cost is steadily increasing as the average cost of a healthcare data breach as at September 2022 was US$10.1 million per incident. This figure represents a 9.4 per cent increase over 2021 according to IBM’s annual “Cost of a Data Breach” report.
As Jamaica takes another leap into the digital jungle by digitising health records, let us be mindful of the possible obstacles and make as many provisions as we can for the inevitable unknown. There are too many dangers lurking in the cyber jungle for us to ignore the increased risks associated with digitising healthcare. Health records contain very sensitive and private information. The breach of the JamCOVID database revealed many planning, implementation, and security issues that were not in place, thought about, or enforced.
PRIVACY AND SECURITY ISSUES
Privacy, defined as “the right to be left alone”, is a fundamental right of every human and is in chapter three of the Jamaican Constitution and under Article 12 of the United Nations’ Universal Declaration of Human Rights. The act of arbitrarily taking a person’s information and placing it in databases without their consent hinges on breaching the person’s fundamental right to privacy. People should be allowed to decide whether they want their health information placed into a database that can be accessed by others and used for malicious reasons.
Using a database of people’s personal information can be a convenient and efficient way to access data, but its malicious use can also ruin people’s lives, and this should not be taken lightly. The need for protection of health information was the reason behind the implementation of the Health Insurance Portability and Accountability Act (HIPAA) by the American Congress. The General Data Protection Regulation (GDPR) has clear guidelines regarding the use of personal data and the consent required for use of this data. There are provisions allowing medical practitioners to access data without violating security guarantees if there is need to do so. The Access Control structures along with the Access Control lists can be used in these situations.
It must be clear that everyone has a right to determine if their information should be digitised and accessed. The GDPR states that users of personal data should be lawful and respectful of the individual’s right. It outlines six criteria and is keen to point out that public authorities may indeed have legitimate cases for wanting to access data but that they are also bound by the rule of respect for the individual’s right to privacy.
LANGUISH IN THE SYSTEM
Jamaica’s Data Protection Act is not yet/fully implemented and continues to languish in the system. We need to ensure that our policies and procedures line up with international standards. Internationally, several countries have implemented e-health systems, and research indicates that management of these systems can be very complicated, especially within a sector where there are public and private businesses and competing interests.
During the COVID-19 pandemic in 2020, India digitised their health systems under their National Digital Health Mission where everyone was given a health ID. According to the government, this would greatly improve healthcare delivery. However, in late November 2022, a massive cyberattack crippled the entire health sector. The Indian government was forced to halt the healthcare digitisation process. Ireland’s healthcare system was hacked in 2021, leaving persons needing critical care, such as radiation, in turmoil, and only pregnant mothers 38 weeks and over, along with dire emergency cases, were treated. Several healthcare systems in the United States of America and many other countries have been hacked. In Jamaica, we have had instances of real and suspected cases of breaches of personal information databases. There may be many others of which we are not even aware.
The JamCOVID incident that left thousands of persons’ medical records at risk could have cost us millions of dollars. An article in The Gleaner in July 2021 highlighted “Staff, patients concerned about data breach at university hospital”. These are just two examples of incidents that have been reported. There may be many more instances that have not been identified. While we seek to get on the digital train, let us approach with caution, learning from our mistakes and the mistakes of others. One may ask, will we be able to stop healthcare hacking? The answer is no. But we can reduce the effects by being intentional and strategic in our approach.
Addressing the root is far more important than treating the symptoms. Stopping or reducing hacking is a marathon, not a sprint. There is a solution for every problem, and we are known to be resilient. Let us get this one right.
- Nadine Barrett-Maitland, PhD, is a senior lecturer at the School of Computing and Information Technology, University of Technology, Jamaica.