Why should hackers have easier access to EHRs than patients?

Eric Topol and Kathryn Haun make the case for keeping medical data in personal clouds or digital wallets, empowering patients and removing centralized targets for cybercrooks, in a New York Times op-ed piece.
By Mike Miliard
11:02 AM

In a Jan. 2 New York Times opinion piece, Eric Topol, MD, professor at the Scripps Research Institute, and Kathryn Haun, a federal prosecutor who teaches a course on cybercrime at Stanford Law, take aim at what they call "quite a paradox": the fact that most patients still can't readily access their own health data, even as there's "an epidemic of cybercriminals and thieves hacking and stealing this most personal information."

The value of health data to cybercriminals is well-known by now -- as is the fact that the industry's oft-lagging security practices have made it an easy task for bad actors to access it.

"It is common for millions of patients’ health records to be stored together in huge central databases that, once breached, yield a trove of information," Haun and Topol write in The Health Data Conundrum

While it's become "increasingly difficult to combat this problem using traditional methods of enforcement and deterrence," they write, there are some strategies that could help -- especially disaggregation of data storage.

By allowing patient data to be kept in "individual or family units rather than in centralized databases," each patient "would have medical data in a personal cloud or a digital wallet," enabling them to share data with family and clinicians in the ways they see fit.

Emerging tech such as blockchain, with its "tamper-proof" encrypted platform, offers one way to enable that approach, they write

Topol and Hahn mention several EHR vendors by name, noting that their business success is thanks, in part, to an "old, paternalistic model" where data is "generated and owned by doctors and hospitals."

Instead, they call for a new approach: "Giving consumers control of their own medical data would revolutionize who owns medical data and how it is used."