When someone says “data privacy” most people think about the information that is available on sites like Google and Facebook, or stored away in some marketing database. But when it comes to very private information, there are few things most of us would be more horrified to find floating around on the Internet than our medical data. Yet data breaches of medical businesses happen more often than many people realize.
In a previous post, we talked about how and why criminals are finding medical data such a tempting target for theft. From a miscreant’s perspective, electronic health records hold even more lucrative data than retail stores. When the Target breach made the headlines late last year, only 13% of the reported breaches in 2013 were retail businesses, while 45% were from businesses in the medical field. And once a healthcare provider has been breached, that information can be sold on the black market for fraud, or used in phishing or blackmail schemes.
Putting your sensitive data into the hands of others can be a scary thing, but there are plenty of ways to help protect your own data.
- Pick good passwords when using healthcare websites
A good password is unique, strong, and memorable to you, but hard for others to guess. That means it should be long, maybe even a phrase rather than a word or two. It should contain lower- and upper-case letters, numbers and special characters. And it should be something different from other sites you log into. If you have a hard time remembering a bunch of passwords, a password manager application can help you create strong passwords and then keep track of those passwords across all your different sites and devices.
- Do not share credentials unless you absolutely have to
A lot of medical fraud happens because people give their login or insurance information to friends or family members. People do not really think about the consequences of this – if someone gets medicine under your name, it will be listed for you and may mean you get misdiagnosed or get improper medical care. Or you could simply be on the hook for any fees that person does not pay. Either way, it can be bad news. So share only with great care.
- Check your statements
Be sure to read thoroughly and understand the charges that come in your statements from doctors’ offices and insurance. If you do not understand what you see, or if you see something listed that you do not recall having been done, call up the doctor or insurance provider and get an explanation.
- Check your apps and health data
If you use applications on your phone or computer to track health data, it is a good idea to do a little extra homework to see how well the app protects your information. Reviews online and on the app store where you downloaded the app are a good place to start. You may also wish to review the permissions for the app on your smartphone, to see what other information it may be accessing. If you are saving your health data outside of an app, you can choose to encrypt your data for extra protection.
- Advocate for security and privacy
If you feel comfortable discussing security measures and privacy controls, go ahead and ask your health providers what measures they have in place to protect your data. You might be surprised at the answer, and not always for the worse. Many healthcare practitioners I have spoken with have remarkably well thought-out security in their environments. When that sort of pleasant surprise comes your way, be sure to express your appreciation!
To get the best health care, it is important to be active and involved with your healthcare provider in protecting your health. Likewise, when doctors and patients work together to protect our health-related data, we can make this valuable information more difficult for criminals to reach.
Want to hear more about this topic? Check out our 40 minute webinar on Data Privacy in Healthcare. We also have a couple of podcasts you might like to hear. I discuss HIMSS 2014: Protecting Doctors' Offices and fellow ESET researcher Stephen Cobb talks about HIMSS 2014: Protecting Medical Data.