Patient Care, Security, and Equity

Whenever I walk into a new doctor’s office for the first time, the receptionist hands me a stack of paperwork to complete. I’ve learned to anticipate these forms and their thorough questions now; they list questions about my medical history, current medication, insurance information, and emergency contact. Usually at the bottom of the stack are pages about the office’s privacy practices and a request for authorizing the release of identifying health information, with dotted lines for my signature. I sign away—the potential that I may be, in the words of New America’s Cybersecurity Initiative Fellow Robert Lord, “essentially giving all the rights away to every one of the most sensitive pieces of data that might be in [my] life” isn’t exactly top of mind for me as a patient seeking care. I’ve given little thought to who has access to my healthcare records, and what they could possibly be doing with this data.

While most comparable industries dedicate about eight percent of their budgets on addressing basic cybersecurity hygiene and protection, the healthcare industry dedicates only about half a percentage. 

Other patients and stakeholders, however, have raised these very questions to healthcare providers. Lord and Sonia Sarkar, New America’s Public Interest Technology Fellow, spoke about the questions they heard while working in Baltimore, Maryland with Millennial Public Policy Fellow Dillon Roseen at New America’s Millennial Public Policy Symposium in April. As a first-year medical student working at a HIV clinic, Lord was shocked that he had access to these sensitive patient data—in fact, in most hospitals across the nation, it may be the case that even volunteers would have access. Understandably, patients were hesitant to share information that would then be recorded in their health records. Similarly, in her former role as the Chief Policy and Engagement Officer for the Baltimore City Health Department, Sarkar participated in a coalition of healthcare and social program providers in which a representative from House of Ruth Maryland, an organization that does work around domestic violence, raised questions about the extent of data collection and the mechanisms in place to ensure that the right level of data was getting to the right people.

Unfortunately, these issues of consent and security do not appear to be a top priority within the healthcare industry. Lord pointed out that while most comparable industries dedicate about eight percent of their budgets on addressing basic cybersecurity hygiene and protection, the healthcare industry dedicates only about half a percentage. Despite these risks to patient privacy, the move from paper to electronic health records (EHR) has been transformative, with increased opportunities for collaboration that make a critical difference in patients’ health.

With much of what impacts health outcomes—things like diet, work, and transportation—lying outside the medical care system, the opportunities for leveraging the technology and data to provide more holistic care are certainly exciting. Through programs like Accountable Health Communities implemented by the Baltimore City Health Department, EHR can increase collaboration between the healthcare network and social services to more comprehensively address individuals’ health-related social needs. For a patient at a clinic in East Baltimore, a community where there are significant health disparities, having a module in the EHR for food needs helps identify a patient’s social needs, enabling the clinic to refer them to government programs and resources in the community such as a local food bank or a urban garden program. By addressing an individual’s overall health as a person and not just as a patient, Sarkar noted, we can link healthcare issues to food advocacy efforts around food deserts and disparities that send individuals struggling to put food on the table at the end of the month to the emergency room, integrating information about social programs into healthcare providers’ standard of care.

Similarly, community organizations are interested in this data as well. Health issues may also be related to housing access, and using technology in the healthcare system may be one way to track the number of referrals to housing assistance programs that are getting met. This holistic approach to healthcare, Sarkar said, may also inspire unlikely allies at hospitals and clinics who may not be actively involved in housing advocacy work.

Lord pointed to this culture of open collaboration in healthcare as responsible in part for the prevalence of security risks in the field. The lack of protections can also be contributed to the urgency of some healthcare scenarios: the medical team may need access to a patient’s EHR to check for allergies to certain medications before administering it. In other words, healthcare systems would prefer the risk of an insider threat to patient privacy and security over a patient’s death—especially one that would’ve been easily avoidable.

The question that remains is, how do we manage these risks while still leveraging the benefits of technology and data in healthcare?

The question that remains is, how do we manage these risks while still leveraging the benefits of technology and data in healthcare? One problem, Lord noted, is that the usual security protocols for protecting data in institutions do not apply to the healthcare setting because of the complex nature of healthcare workflows. In other sectors, it might make sense to grant permission settings according to an employee’s role and the level of access needed to complete his or her job effectively. This segmenting is called role-based access control (RBAC). In healthcare, nurses and doctors work across a variety of practices, from inpatient care to outpatient care, in oncology wards and operating rooms, each dealing with different contexts and different types of patients. These differentiated roles might seem like the perfect opportunity to implement the traditional RBACs that are used in other sectors. However, this doesn’t work in healthcare given the legitimate need to keep patient records readily available; this makes sense when considering the urgency of the emergency room situation.

Nonetheless, the ways that the healthcare industry already uses data to improve outcomes and perform clinically focused analytics could also be leveraged to protect data. In this vein, Lord is working on using artificial intelligence to defend healthcare institutions with his company, Protenus.

Just as importantly, Sarkar reminded us of the importance of listening to both patients and subject matter experts. Technology can be a force for good by lifting up patient voices. In collecting data on health and social services, the healthcare system can also provide patients with the opportunity to voice opinions on how those services are or aren’t meeting their needs.

Technologists must join the conversation in a mode of learning instead of a mode of designing technological solutions. Lord echoed this sentiment and warned entrepreneurs to be mindful of cultural norms, challenges, and especially nomenclature—no surgeon wants to hear that someone is going to “disrupt” their hospital, after all.