What Doctors Wish You Knew About HIPAA and Data Security

Chris Pierson, a former Department of Homeland Security adviser and physician, is the CEO of Black Cloak, a company specializing in personal digital protection against financial fraud, cybercrime, reputational damage and identity theft. He believes vigilance is critical for both doctors and patients.
Protect your entire family
“I don’t think people realize that if someone gets their hands on just one piece of information, it can lead to someone else’s private data being opened up,” Pierson says. “It’s no longer the original person on their computer, but the identities of other family members that can be compromised.”
He explains that even if one organization keeps your data safe, another connected organization might not, and this is where criminals will strike.
“It’s not just doctor’s offices. It’s your pharmacy, your lab, your insurance company, and anyone who stores personal information. That has real value and selling is a priority.”
Identity theft victims can be victimized again if personal information ends up in multiple hands. A street address and a verified phone number can have far-reaching implications, especially if the phone contains many contacts who are then themselves vulnerable to attack.
“If you can get your mother’s information, you can get the child’s as well. An ID card, Social Security, all that, and then they have the option to collect false medical claims or just plain blackmail. It’s a two for one.”
Two-factor authentication is worth it
Pierson stresses the importance of using a multi-factor authentication system. Simply combining strong passwords with one-time authentication codes raises your level of protection significantly.
Thankfully, all of this is easier to set up than it sounds. Apps on your phone or tablet can be helpful. When paired with a service that supports authenticator apps, Google Authenticator provides a six-digit number that changes every few seconds and can keep people out of your data, even if they know your username and password. Other companies require users to enter an SMS code as a second factor of authentication in addition to a password, although SMS codes are less secure than authenticator apps. Either approach is better than neither—unless a hacker has physical possession of your phone, they won’t gain access.
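How a six-digit authenticator code is produced and checked, as an added example that is not code from the article or from Black Cloak: a minimal time-based one-time password (TOTP) implementation following RFC 6238, the open standard that Google Authenticator and similar apps implement. It uses the 30-second step the RFC specifies, the RFC's own published test secret as constructed input (not a real credential), and a hypothetical server-side `verify_totp` check that tolerates one step of clock drift.

```python
"""
Minimal TOTP (RFC 6238) implementation showing why a stolen username and
password alone are not enough once an authenticator app is enrolled.
Added example; not code from the original article or from Black Cloak.
"""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # RFC 6238 default: a fresh code every 30 seconds
DIGITS = 6       # the six-digit code authenticator apps display

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"): constructed
# input for demonstration only, not a real credential.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """The code the authenticator app shows at a given moment: HOTP over the time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Hypothetical server-side check. `window` steps of drift on either side
    are tolerated so a code typed just as the display rolls over still works.
    Constant-time comparison keeps timing from leaking which digits matched."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), submitted)
        for drift in range(-window, window + 1)
    )


def secret_from_base32(enrollment: str) -> bytes:
    """Decode the base32 secret carried in the QR code / otpauth URI at enrollment."""
    cleaned = enrollment.upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)                    # restore stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_BASE32)
    now = int(time.time())
    print("current code:", totp(secret, now))
    # A leaked username and password reveal none of this: without the shared
    # secret the code cannot be computed, and a code captured earlier stops
    # being accepted a couple of steps later.
    old_code = totp(secret, now - 5 * TIME_STEP)
    print("code from 150 seconds ago accepted?", verify_totp(secret, old_code, now))
```

The secret is exchanged exactly once, when the QR code is scanned at enrollment, and afterwards lives only on the phone and the service's server. That is what makes the second factor independent of the password: a password database leak gives an attacker nothing to compute the code from, and any code they do observe is useless once the short window has passed.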
Social Media and Tracking
Social media is becoming an increasingly popular way for healthcare providers and entrepreneurs to connect with the public — often selling them treatments or advice. These Instagram or TikTok accounts may offer tips from someone in the medical industry that may be of interest to those facing rising healthcare costs and difficulties in accessing healthcare. However, an internet doctor’s background or popularity does not guarantee that they will adhere to strict privacy policies or secure their transactions.
My Instagram is awash with offers promising everything from better sleep to improved sexual health. It’s nice to have options, but this help and any information you receive from or send to these accounts are not covered by HIPAA. Every time you pay out-of-pocket for health-related items or services, or through a direct-to-consumer health app, there is no recourse if someone steals or shares your personal information.
Along with social media and direct-to-consumer health options comes large-scale data tracking. Outside of formal doctor’s offices, consider monitoring as an expectation, not an exception.
Ask questions
When you sign up for a service, whether it’s through a new doctor’s patient portal or an online supplement store, ask how your data is being stored and where it’s going. Take a moment to read the privacy policies and preferences to find out what options you have to restrict the sale or re-use of your information. Check the default settings to make sure you’re not giving away too much information. Find out if the service or platform offers two-factor authentication and set it up if available. Be aware that no matter what a customer service representative says, it’s rare that someone will actually need your Social Security number. Date of birth and address are usually sufficient.
Pierson and others agree that we all look at security from different angles and must do our best to protect ourselves and our loved ones. “The complexity of identity attacks will continue to evolve and change. Remember, you only have to get it right once, but we always have to guess right.”