BreachExchange mailing list archives

Healthcare data breaches lead more patients to withhold information from doctors


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 19 Feb 2016 14:37:08 -0700

http://www.welivesecurity.com/2016/02/18/security-privacy-patients-withholding/

As 2015 slides into the cybersecurity history books as “the year of the
healthcare breach” I decided to examine one aspect of medical data privacy
that is sometimes overlooked: the impact of breaches on patient-doctor
information exchange. Specifically, I’m concerned that high profile
healthcare-related IT security breaches may lead more people to withhold
sensitive information from their doctor because of fears that it will be
exposed due to weak privacy protection or weak security controls.

That such fears exist is all too evident when you talk to people about the
huge healthcare data breaches of 2015, the six largest of which compromised
more than 100 million records. I have spoken to numerous individuals whose
data was exposed in those attacks and who subsequently experienced one or
more forms of attempted identity theft.

Of course, it is hard to get direct evidence that ties a specific breach of
your data to a specific instance of identity theft. But if the theft comes
soon after a breach at Company A, of which you are a customer, you will
probably suspect that particular breach is the cause of your problem. When
a whole string of breaches occurs in a short period of time, there is plenty
of blame to go around. Even if you are Company A and you are sure that your
breach did not result in ID theft, you may get blamed anyway.

The Withholding Problem

The need for doctors to keep patient information confidential is as old as
the practice of medicine itself. (In the original version of the Hippocratic
Oath a doctor would vow to hold patient information “sacred and secret
within my own breast”.) Simply put, doctors cannot provide safe and
effective care to patients if those patients don’t share with them all of
the relevant information. Of course, there are numerous reasons why a
person might choose not to tell their doctor everything. Some reasons
predate computers and are as old as society itself, including shame,
embarrassment, and fear of censure.

However, fears about unauthorized access to, and abuse of, electronically
stored personal health information were voiced as soon as database
technologies began to emerge in the latter half of the last century. In
fact, the US government agency that was then known as the Department of
Health, Education, and Welfare (HEW) prompted some of the first serious
thinking about the impact of computer databases on society. A 1973 document
commissioned by that agency and subsequently known as the HEW Report,
examined the many fears raised by the growing computerization of personal
information.

More withholding? Survey says…

While government agencies and companies have worked for decades to reassure
people that their data privacy is protected, it seems reasonable to expect
that the recent rise in security breaches in the healthcare sector will
have fueled fears about the confidentiality of medical records, far more of
which are computerized now than in the past. To assess the scale of the
problem, last month I put the following question to 750 American adults age
18 and older:

“Have you withheld information from your healthcare provider due to
concerns about the security or privacy of your medical records?”

More than one in eight said yes, they had withheld information from their
healthcare provider due to concerns about the security or privacy of their
medical records (13.2%). Conversely, 86.8% said they had not withheld (with
a margin of error of +/-3%). The 13% figure is potentially quite
significant because previous studies reported a much lower number. For
example, from 2012 through 2014 the Office of the National Coordinator for
Health Information Technology (ONC) surveyed patients about withholding of
information from health care providers due to privacy or security concerns
and got much lower numbers: 7%, 8%, and 5% respectively (see report – PDF).
If further research bears out the higher number from my survey, it could be
argued that the large medical data breaches of 2015 have doubled patient
concerns.

Not surprisingly, the results from my survey vary somewhat according to
demographics. The folks most likely to withhold appear to be those living
in the West (18.5%) and those who are in late middle age (nationally, 15.9%
of folks age 55-64 withheld). The least likely to withhold are people in
the Midwest (7.6%) and folks age 65 and older (6.7%). Interestingly, rural
and suburb dwellers were less likely to withhold than urbanites (16.7%). In
terms of income level (annual, inferred) there was a band of trust from
$25K up to $74K, but those with incomes outside those numbers withheld at a
higher rate than the mean. Interestingly, when I ran the same survey in
Canada, I found that Canadians were less likely to withhold than their US
counterparts (10% v. 13.2%).

Given the potential for patient withholding to undermine diagnosis and
treatment, not to mention medical research, I think many folks will find
these numbers worrying. For health IT managers, these numbers suggest that
better information security could lead to better health outcomes by
reassuring people that their medical secrets are safe from prying eyes.
Conversely, what we are seeing could be an additional and potentially
serious downside to poor medical data security, in addition to the many
others (which range from reputational damage to life threatening medical
errors and medical identity theft).

Past Privacy Findings

For those who want to dig a little deeper and get some historical context
on the withholding issue, check out the study of medical privacy carried
out in 1999 by the non-profit California Healthcare Foundation (CHF). When
CHF investigated medical privacy it asked: “In recent years, do you think
it has become more difficult or less difficult for people in this country
to keep personal information private and confidential, or is it about as
difficult as it was in the past?” Almost 80% said it was more difficult.
Furthermore, more than half of all US adults said the shift from paper
record keeping systems to electronic or computer-based systems “made it
more difficult to keep personal medical information private and
confidential.”

Then CHF asked a question akin to the one I posed recently: have you ever
done “something out of the ordinary to keep personal medical information
confidential?” Fifteen percent of adults nationally (and 18% in California)
said they had done so. Steps taken to protect medical privacy that were
reported in the 1999 study included numerous behaviors that could have put
people’s health at risk. These included: “going to another doctor; paying
out-of-pocket when insured to avoid disclosure; not seeking care to avoid
disclosure to an employer; giving inaccurate or incomplete information on
medical history; and, asking a doctor to not write down the health problem
or record a less serious or embarrassing condition.”

In 2005 the study was revisited and it was found that consumers remained
concerned about the privacy of their personal health information, with
around two thirds saying they were “somewhat” or “very concerned” about the
privacy of their personal medical records. The concern was even greater
among racial and ethnic minority respondents. One out of eight consumers
reported putting their health at risk by engaging in such behaviors as:
“avoiding their regular doctor, asking their doctor to fudge a diagnosis,
paying for a test because they didn’t want to submit a claim, or avoiding a
test altogether.” These risky behaviors were more likely among the
chronically ill, younger people, and racial and ethnic minorities. In a
more recent study, half of all consumers admitted to lying or deliberately
misleading a physician during an office visit.

Clearly, this is a topic worthy of further research. I am now looking for
studies that attempt to quantify the medical importance of the information
withheld by patients. If withholding was found to be of critical importance
for just half of the people doing it, that would still amount to a
significant impediment to effective healthcare, one that is arguably
attributable to shortcomings in our efforts to ensure the privacy and
security of patient information. Among the many reasons for doing a better
job of medical data protection, this has to be near the top.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
