What is Snowden's impact on health IT?

Keyboard photo from Shutterstock.com.

'Our ethics, principles and fundamental rights should be applied to the uses of technology'

Whether Americans see Edward Snowden as a hero or a traitor, the ongoing story of his deliberate leak of classified defense information has caused some to sit up and take stock of all matters related to information technology, data and privacy.

Recent reports from the Huffington Post have Snowden saying he deliberately got a job at federal contractor Booz Allen Hamilton to hack information on the National Security Agency, data he intended to leak over what he claims is a matter of principle and defense of American rights.

A June 27 story in The New York Times reported that President Barack Obama was trying to play down the highly controversial and publicized incident. "This is something that routinely is dealt with," Obama was quoted as saying. "This is not exceptional from a legal perspective. I'm not going to have one case suddenly being elevated to the point where I have to do wheeling and dealing and trading."


Deborah Peel, MD, founder of Patient Privacy Rights, says there are many parallels between the Snowden controversy and the U.S. healthcare system.

According to Peel, the NSA has one million people with top security clearance and access to 300 million people's data. The U.S. healthcare system has hundreds of millions of people — none with top security clearances, and the majority with inadequate basic training in security or privacy — who can access millions of patients' most sensitive health records. Further, we don't know how many millions of employees of BAs, subcontractors, vendors and government agencies have access to the nation's health data, she added.

"Corporations and their employees that steal or sell Americans' health data for 'research' or 'public health' uses or for 'data analytics' without patients' consent or knowledge are rewarded with millions in profits; they don't have to flee the country to avoid jail or charges of espionage," she said.

"The NSA justifies its actions using the war on terror," Peel added. "The Department of Health and Human Services claims its actions are justified to lower healthcare costs. These are obviously very different agencies collecting different kinds of very sensitive personal information, but both set up hidden, extremely intrusive surveillance systems that violate privacy rights and destroy trust in government."

"The benefits of technology can be reaped in all sectors of our economy without the harms if we restore/update our laws to assure privacy of personally identifiable information in electronic systems. Our ethics, principles, and fundamental rights should be applied to the uses of technology," Peel says.

David Kotz, associate dean of faculty for the sciences and professor of computer science at Dartmouth College, says the Snowden incident could also happen in healthcare.

"It's certainly conceivable that a technically savvy person, intent on snooping into individual health records, leaking them to unauthorized groups, or mining them for medical identity theft (a growing problem), might seek employment in an organization that provides healthcare (such as a major hospital) or in an organization that supports healthcare (such as a billing-support agency or an insurance provider) simply to get 'insider' access to those records and then misuse that access for nefarious purposes," Kotz wrote in an email to Healthcare IT News.

"I've never heard of such a thing happening," he adds, although, "there are plenty of examples of information leaks from healthcare organizations, some of them quite large, but all that I've heard are either unintentional (the proverbial laptop full of patient data that is taken off-site and then stolen) or existing insiders who break the rules."

"The latter range from employees who snoop in the records of a celebrity in for treatment, to employees who have extracted financial information from medical records and used it to commit fraud," Kotz says. "Healthcare organizations, and their business partners, are cracking down on these offenders in large part because of new penalties and breach-notification laws."

Kotz says a broader concern is consumer health. "The mHealth industry is booming, releasing new apps and gadgets every day. Most are sold directly to consumers in support of 'wellness' rather than medical care. Many of these apps and devices have little or no security," he says. "Furthermore, most upload personal information, health-related and otherwise, to the vendors' cloud server, where it can be analyzed and presented to the customer via a web portal. That's great, but one wonders what else are these vendors doing with that personal information. Consumers are encouraged to explore the privacy policies of these services carefully."
