Opinion: Make a plan for when your health technology relationship becomes dysfunctional

Clinicians’ notes on clipboards? Handwritten prescriptions? Appointments scheduled only by phone? What is this, a rerun of "Marcus Welby, M.D."? No, these are the aftershocks of a cyberattack on the flow of electronic health information, or EHI.

As consumers, how can we reconcile the convenience and marvels of health care technology with its inherent risks?

The ransomware attack currently impacting MercyOne has grabbed our attention, but it will most assuredly not be the last cyber break-in to rock our worlds. There were 712 breaches of HIPAA-protected health care data reported last year, and so far 2022 is keeping pace. We know this because HIPAA requires regulatory and public notifications whenever the privacy of 500 or more patients is violated, and the HHS Office of Civil Rights tracks those breaches. The 2021 exposure of 45 million records may seem like a lot, but it trails far behind the granddaddy of all cyberattacks — so far. In 2015, an insurer’s employee innocently opened a phishing email and exposed the private data of 78.8 million customers. Whoa. In fact, since HIPAA took effect in 2009, the EHI of more than 340 million patients has been breached. Meanwhile, HHS is implementing a plan to have all EHI systems share data across one ginormous cyber cloud by 2023. I can’t say that prospect gives me much peace of mind.

The roots of a cyber breach may be financial gain, internal espionage, pure spite or simply the careless sharing of HIPAA-protected data with unauthorized outsiders. Regardless of its origin, any disruption to EHI access spells chaos and frustration for patients and health care professionals alike. When a Social Security number, address and credit card details turn into fraudulent identities, consequences can range from annoying to costly. But when an individual’s medical data is exposed, patient safety is stolen along with privacy. As we’ve witnessed during the MercyOne incident, crucial medical information may not be accessible for scheduled treatments or in an emergency, procedures are delayed and quality assurance that relies on hospital technology may be jeopardized. Furthermore, even once a breach has been contained, the recovered EHI may be corrupted, unusable or no longer reliable.

According to HHS, most cyberattacks could be prevented or substantially mitigated if HIPAA-covered entities would simply implement the agency’s recommended security practices. That claim is more than a little troubling and raises a myriad of questions, especially since health care is repeatedly ranked first in cyber crime costs (an average of $10 million per breach).

But if we’ve learned nothing else over the past two years, it’s that finger-wagging gets us (read: patients) nowhere. In the meantime, as consumers and as advocates for others, it is definitely possible to reduce potential harm by taking some simple action steps. We’ll just call this a personal cybersecurity plan:

  • Review medical records regularly for accuracy, report errors and keep your own up-to-date log of critical information, including physicians' names, medical history, medications, allergies and devices. You can store it on a phone app or on a flash drive—or even print it on paper.

  • If a credit card or medical bill has unusual activity, contact your providers, as it could suggest a breach of EHI and you may be the first to spot it.

  • Be aware of and practice prudent online security habits, whether teleconferencing with your doctor, co-workers or friends. If your dog has his own Facebook page, probably best to avoid his name as a password.

  • Anytime you’re fitted with an internet-connected medical device, become familiar with all precautions concerning use, alerts and cyber risks. The Food and Drug Administration has identified equipment such as an imaging system, an infusion pump and an anesthesia machine as potential hacking targets.

  • Less than half of computer users regularly back up files. Use malware scanning software and make provision for preserving data on an ongoing basis. Trust me, it takes exactly one crashed hard drive to fully appreciate the value.

  • Finally, do not open attachments in unsolicited emails. Regardless of how tempting it may be, just say “No!” to those cute baby goats.

As health care consumers, our ability to achieve best health outcomes can be easily sabotaged by the risks associated with being “invisible,” the threat of medical errors, harm from improperly managed medications and the challenges of care management. The dark side of health care technology is but one more potential threat to patient safety. Yes, being an empowered and health literate consumer does require extra diligence, but the payoff for practicing some simple strategies for self-preservation may be life-changing.

Attorney Jo Kline is a speaker, writer and advocate for health care access and patient safety. Her most recent book is "Patient or Pawn?: Epic fails in health care, the approaching perfect storm and strategies for self-preservation." www.JoKline.net, JoKline@msn.com

This article originally appeared on Des Moines Register: Opinion: Amid cyber attacks, make a personal security plan