Health IT Roundup—Apps share sensitive health data with Facebook; Stanford issues ethical guidelines for digital health

11.5M healthcare records exposed in 2018; hacking accounts for nearly half of data breaches

The number of reported healthcare breaches in 2018 reached a three-year low of 290, but the number of healthcare records breached has more than doubled since 2017, according to a report from Bitglass.

According to Bitglass’ fifth annual healthcare breach report, which analyzes data from the U.S. Department of Health and Human Services’ breach portal, 11.5 million healthcare records were exposed last year, up significantly compared to 4.7 million records exposed in 2017.

Hacking and IT incidents accounted for nearly half (46%) of breaches, followed by unauthorized access and disclosure accounting for 36% of breach incidents, according to the report. The number of breaches caused by lost and stolen devices has decreased by almost 70% since 2014.

The average number of individuals affected per breach was 39,739 in 2018—more than twice the average of 2017. (Report)

Sen. Mark Warner seeking feedback on improving healthcare cybersecurity

U.S. Senator Mark Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is soliciting feedback from healthcare and health IT industry groups about ways to best improve cybersecurity in the healthcare industry, according to a press release. Sen. Warner sent letters to healthcare stakeholders, including the American Hospital Association, American Medical Association, AdvaMed, America’s Health Insurance Plans and the Healthcare Information and Management Systems Society, among others.

“The increased use of technology in healthcare certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending. However, the increased use of technology has also left the healthcare industry more vulnerable to attack,” Sen. Warner said in a statement.

According to the Government Accountability Office, more than 113 million care records were stolen in 2015. A separate study conducted that same year estimated that cyber attacks would cost the healthcare system $305 million over a five-year period, according to the press release.

Sen. Warner said he wants to work with industry stakeholders on developing a short- and long-term strategy for reducing cybersecurity vulnerabilities in the healthcare sector. (Press release)

Health and fitness apps have been sharing sensitive health data with Facebook, WSJ reports

An investigation by the Wall Street Journal has revealed that apps tracking information as sensitive as users’ body weight, blood pressure, menstrual cycles or pregnancy status are sending that information back to Facebook unbeknownst to the people using them.

The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook, according to testing done by The Wall Street Journal and published in an article on Friday. The apps often send the data without any prominent or specific disclosure, the testing showed, according to WSJ.

A recent complaint filed with the Federal Trade Commission also accused Facebook of misleading its users regarding the private nature of closed Facebook groups and exposing users’ sensitive health data.

In an updated story published Sunday, WSJ reported that since Friday, at least four of the apps that the Journal had identified and contacted as part of its reporting issued updates to cut off transmission of sensitive data to Facebook. Facebook itself contacted some large advertisers and developers in response to the Journal’s reporting, telling them it prohibits partners from sending Facebook any sensitive information about users.

The company said it is working on new systems to detect and block uploads of such information by apps, according to a person whose company was contacted by Facebook. (The Wall Street Journal)

Stanford, partners develop guiding principles for ethical use of digital health

Consumers are increasingly using digital health apps and wearables, which raises ethical issues that need to be addressed, including how consumer data is used and how patient privacy is protected. There is a need for healthcare organizations to be transparent about how they use consumer health data, following ethical principles that everyone understands.

At a recent seminar hosted by Stanford University and held at Stanford Libraries, 30 industry stakeholders representing technology, pharmaceutical, healthcare and nonprofit organizations developed 10 guiding principles on ethics in digital health. The initial guiding principles represent a digital health patients’ bill of rights of sorts. The 10 principles are:

  • The products of digital health companies should always work in patients’ interests.
  • Sharing digital health information should always be to improve a patient’s outcomes and those of others.
  • “Do no harm” should apply to the use and sharing of all digital health information.
  • Patients should never be forced to use digital health products against their wishes.
  • Patients should be able to decide whether their information is shared and to know how a digital health company uses the information to generate revenues.
  • Digital health information should be accurate.
  • Digital health information should be protected with strong security tools.
  • Security violations should be reported promptly along with what is being done to fix them.
  • Digital health products should allow patients to be more connected to their caregivers.
  • Patients should be actively engaged in the community that is shaping digital health products. (Report)