Mark Dorner is co-founder and CEO of PreciseMDX, the leading digital health diagnostics platform. Dorner has more than 30 years of experience leading digital transformation for global businesses ranging from venture-backed start-ups to Fortune 500 companies.
The health care industry set records during 2021 that it would rather forget. More than 45 million patient records were breached during 679 total events last year—both historic highs. Although the total number of breaches only rose just over 2 percent, the number of breached records skyrocketed by 32 percent.
To put those numbers in better perspective, the records of one in eight men, women, and children in the US were breached in 2021 through unauthorized exposure, hacking attack, ransomware, or some other method.
Clinical laboratories and pharmacies are not immune to these incidents, as recent news involving CVS and Quest Diagnostics shows. The move toward interoperability means connecting disparate IT systems through APIs (application programming interfaces), which can leave systems vulnerable if the connection is not secure.
The sheer number of COVID-19 antigen tests now performed each day in the US potentially exposes millions of patient records monthly. Additionally, new types of testing, such as genomic testing, and new distribution channels for at-home testing are creating potential emerging security issues.
Therefore, it’s critical that clinical laboratory testing and reporting platforms operate at the highest levels of privacy and security, keeping data in the United States whenever possible.
Cost of health care data breaches soars
For 11 straight years, health care has had the dubious distinction of incurring the highest costs for data breaches. Between 2020 and 2021, the cost of identifying and remediating a health care data breach rose nearly 30 percent to $9.23 million. A breach typically takes more than nine months to uncover, leaving bad actors plenty of time to exploit security vulnerabilities. The impact of a breach also includes lost business costs, such as customer turnover, revenue losses, and a decrease in business reputation.
Health care data is particularly valuable because it often contains social security numbers and demographic information that can be used to create new identities.
Until health care providers, business associates, and third-party entities take data security seriously and commit sufficient resources to combat breaches, data will continue to be inadvertently exposed or deliberately exploited. In the first month of 2022, some 45 health care entities have reported breaches that exposed 2.2 million records to the Office of Civil Rights.
Laboratories and pharmacies are not immune
Quest Diagnostics was the victim of a ransomware attack in August that potentially exposed the protected health information (PHI) of 350,000 patients. The attack on ReproSource, a Quest subsidiary focused on fertility testing, exposed demographic information, birth dates, email addresses, diagnosis codes, testing requisitions and results, and insurance information, among other data types. The company acknowledged that a smaller group of patients had more sensitive data potentially compromised, such as social security numbers, driver’s license/passport numbers, and credit card information.
CVS, the nation’s largest pharmacy chain, potentially exposed more than 1 billion data points through an unsecured database breach that was revealed in March 2021. While it’s unclear how many people were potentially affected, the exposed data included searches on CVS.com and CVSHealth.com for COVID-19 vaccinations. Email addresses were included in the exposed database, which could be used to link a search with an individual. The health care company blamed a third-party vendor who was hosting the information that was left exposed.
A COVID-19 antigen testing data leak could be embarrassing (and potentially costly). How would an enemy nation react should a significant percentage of the US military fall ill?
The lesson here is that companies must remain vigilant to protect health care data. People likely don’t give much thought that when buying a test at a retail location or having blood drawn at their primary care physician the materials being tested and the subsequent results could travel anywhere in the world.
Privacy and security should be primary considerations
Most antigen tests are manufactured outside the United States, so when a consumer scans the QR code on the side of the box, the question becomes where that information goes. The consumer could have a great experience—until PHI gets out.
When seeking laboratory partners, organizations that value data security and privacy insist on working with companies based in the United States. Mental health facilities, for example, maintain stringent criteria for security and privacy. Hospitals, ambulatory care centers, post-acute care facilities, and other medical providers also have a vested interest in keeping data safe. Government testing, especially as it applies to the military, should follow the highest standards.
Companies seeking test partners should insist that the results software partner meet leading privacy and security standards such as HIPAA (US), PIPEDA (Canada), and GDPR (EU). The platform should also follow the National Institute for Standards and Technology security framework and other international standards for data security and PHI handling. Finally, companies should ask where test results reside and be sure they understand a vendor’s relationships with other vendors.
Maintaining the security and privacy of PHI
Laboratory testing volumes have skyrocketed during the pandemic, and not all testing companies exercise the same data security and privacy standards. Protected health information can be used for nefarious purposes but can also expose vulnerabilities among individual patients or employee groups.
When considering testing protocols, companies should pay attention to how test results are collected, stored, and disseminated, insisting on software platforms that have been designed to maintain the security and privacy of privileged information.