By Katie Dvorak
While breached healthcare organizations must attempt to do damage control after a cyberattack, the patients are the ones left wondering how their information could be left so vulnerable in the first place.
"People are dismayed, because health information is the most sensitive information of all," Deborah Peel, M.D., founder and chairwoman of Patient Privacy Rights, tells FierceHealthIT.
There are two problems, Peel says, that will cause hacks like the one that hit Anthem to continue. The first problem is poorly designed systems; the second is the number of people who may have access to patient data.
"We have systems that allow thousands of people to access millions of records, so the breaches will absolutely continue because the systems were designed backward," Peel says.
Access to electronic health records should be restricted to people who are part of a patient's treatment team, she says. There might be outlier cases--say you were unconscious in another part of the country and providers there needed access to your records--but if you design the whole system around that case, you destroy the needed protections in the vast majority of situations, according to Peel.
Patient advocate Regina Holliday echoes Peel's sentiments, telling FierceHealthIT that the patient should be the one to make the decision about who is allowed to access his or her information.
"Almost anybody at a healthcare facility can get access to your information," she says. "Having it where the patient makes the decision as to who sees their information, in a case where they're not unconscious, is a good idea. Just random folks in a hospital shouldn't be able to get to your medical records."
Peel adds that a top consumer protection that is necessary and should be turned into regulation is patient access to an accounting of all disclosures from an electronic health record for treatment, payment and healthcare operations.
"When it comes to Anthem, if we had the right to see every disclosure of our health information then we'd be able to know and detect whether the uses were appropriate," she says. "They're not watching what's happening with our data as carefully as we would."
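The two design points above--access limited to the treatment team with a logged exception for emergencies, and a per-patient accounting of every disclosure--can be sketched as a small access-control policy. The following is an added illustration, not code from the article, from Anthem, or from any EHR vendor; the user ids, patient ids and team membership are constructed sample data.

```python
"""Illustrative EHR access policy (added example, not from the article):
default-deny access limited to the treatment team, a logged break-glass
override for emergencies, and a per-patient accounting of disclosures."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessRequest:
    user: str            # hypothetical user id, e.g. "dr-lee"
    patient_id: str      # hypothetical patient id, e.g. "p-001"
    purpose: str         # "treatment", "payment" or "operations"
    break_glass: bool = False
    justification: str = ""


@dataclass
class EHRAccessControl:
    # patient_id -> set of user ids on that patient's treatment team
    treatment_teams: dict
    disclosure_log: list = field(default_factory=list)

    def authorize(self, req: AccessRequest) -> str:
        """Return "allow", "allow-break-glass" or "deny", and record the
        decision in the disclosure accounting either way."""
        on_team = req.user in self.treatment_teams.get(req.patient_id, set())
        if on_team:
            decision = "allow"
        elif req.break_glass and req.justification.strip():
            # Emergency override: permitted, but flagged for after-the-fact
            # review instead of silently widening access for everyone.
            decision = "allow-break-glass"
        else:
            # Default deny: being an employee, or having a payment or
            # operations purpose, does not by itself open the record.
            decision = "deny"
        self.disclosure_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "patient_id": req.patient_id,
            "purpose": req.purpose,
            "decision": decision,
            "justification": req.justification,
            "needs_review": decision == "allow-break-glass",
        })
        return decision

    def accounting_for(self, patient_id: str) -> list:
        """The accounting a patient would be shown: every access decision
        (including denials) made against their record."""
        return [e for e in self.disclosure_log if e["patient_id"] == patient_id]

    def pending_review(self) -> list:
        """Break-glass events a privacy officer still has to review."""
        return [e for e in self.disclosure_log if e["needs_review"]]


def demo() -> EHRAccessControl:
    """Run a constructed scenario and return the controller for inspection."""
    ac = EHRAccessControl(treatment_teams={"p-001": {"dr-lee", "rn-kim"}})
    # Treating physician: on the team, allowed.
    ac.authorize(AccessRequest("dr-lee", "p-001", "treatment"))
    # Billing clerk: not on the team, no emergency, denied but still logged.
    ac.authorize(AccessRequest("clerk-7", "p-001", "payment"))
    # Out-of-town ER doctor: the unconscious-patient case, allowed via break glass.
    ac.authorize(AccessRequest("er-doc-3", "p-001", "treatment",
                               break_glass=True,
                               justification="unconscious patient in ER"))
    # Break glass without a justification is still denied.
    ac.authorize(AccessRequest("er-doc-4", "p-001", "treatment", break_glass=True))
    return ac


if __name__ == "__main__":
    ctrl = demo()
    for entry in ctrl.accounting_for("p-001"):
        print(entry["user"], entry["purpose"], entry["decision"])
    print("awaiting review:", len(ctrl.pending_review()))
```

The point of the design is that the emergency path exists without becoming the normal path: the override is possible, but it is rare, justified, and lands in the same accounting the patient can read, so an inappropriate use shows up rather than disappearing among thousands of routine accesses.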
As for actions consumers can take themselves to keep their data safe, Holliday says patients need to know their password to a patient portal, but other than that patients can only do so much without full access to their data.
"We aren't at a point yet with technology to be equal data holders to institutions," she says. "And that's something we're working toward, and as we go deeper into that world, we're going to have to take more security concerns."
Peel says patients need to educate themselves about data security--they have to ask about the security of their data and know what systems are in place to keep their data safe.
And then, she says, patients must demand systems where thousands of people can't access their records.
"Patients have to demand use and collection of our most sensitive data is not in the hands of other people," she says. "We have to get that control."
Holliday adds that healthcare entities, like Anthem, should use the communication tools they have available to them to let patients know about breaches before they hear it elsewhere.
"Nowadays we learn about a breach through the media, we don't learn about breaches through the institution we're dealing with," she says.