150 million exposed accounts is far too many. It’s time for patients, tech companies, and healthcare organizations to adapt.
Editor’s note: This is a column written by Jack Murtha, senior editor of Healthcare Analytics News™. His analysis reflects his views, not necessarily those of the magazine.
For the past 81 days, I’ve logged every bite of food and every minute of exercise in the fitness-tracking app Lose It! Its red and green bar graphs—visual representations of how many calories I’ve consumed compared to my target intake—have nudged me to do the right thing, over and over again. If I drank a few beers or ate fried fish tacos, Lose It! reminded me, often immediately, of the undesirable consequences. But when I’ve done the right thing, the app has responded with an encouraging reminder of how much closer I am to my goal.
As a result, I’ve lost roughly 30 pounds. I fit into khakis that I bought when I was fresh out of undergrad, on the night before my first day of white-collar work. I’m more prepared for spring hiking than I have been in years. I feel great. And I doubt I would’ve reached this point without my fitness tracker.
So, then, news of the MyFitnessPal data breach, which affected 150 million accounts, hit me with a particular sort of unease. Although the hackers didn’t target my fitness-tracking app, another attack certainly could. For the first time, after 6 months of reporting on cybersecurity and the better part of a decade spent discussing how journalists may best cover their digital footprints, I felt vulnerable. I understood that I could become the app user, the patient, the unsuspecting victim whose most sensitive information is ripped from a place that I assumed to be secure.
That it took some time to internalize warnings that I encounter every day was unsettling, so I decided to do something—anything. I was powerless to prevent a hack against an institution holding my data, but I could take steps to ensure that hackers, some of whom will inevitably obtain some form of my personal information, won’t capitalize on the theft without a fight.
Strengthening my passwords, I figured, was the quickest and simplest option. I downloaded a password vault and began chopping up any phrase that I’d used more than once. Then I changed the ones that seemed too easy to guess. Finally, I committed to burning it all down, replacing the passwords for every last account with a computer-generated string of gibberish.
My new cybersecurity strategy isn’t a cure-all. It requires more work, and, after a cyber lifetime of half-measures, adaptation. But it is a strategy, and that’s a start.
On my commute to work this morning, I thought more about the idea of strategic adaptation. Whenever a new threat has risen to prominence, humans and all other successful species have pivoted, changing not only their reactions but often their proactive processes. Life that hasn’t adapted hasn’t survived. What, then, will healthcare do in the face of the cybersecurity threat?
There’s no question that healthcare organizations must adapt. Of course, institutions in every field must shore up their cyber defenses, but hackers have hammered healthcare particularly hard. Time and again, medicine tops lists of sectors most affected by data breaches and the like. Protected health information commands a high price in online black markets, and malicious actors have taken to swarming medical websites to an alarming degree. Given the nature of medicine and its increasing use of connected devices, cyberattacks could prove deadly in a hospital setting.
Perhaps, as some cybersecurity experts and health systems in damage-control mode have said, cyberattacks and exposed patient data are inescapable side effects of innovation—the cost of doing business, or receiving medical care, in the 21st century. The problem could be one of misaligned incentives, with cybersecurity looking like nothing more than a drain on the budget, as one privacy and security expert told me during HIMSS18. Or maybe healthcare is only beginning to recognize that it has become prey.
No matter the cause, all healthcare stakeholders, from large institutions to individual patients, must make conscious efforts to adapt. Many healthcare organizations—payers, health systems, vendors, and others—have realized this, and they have taken action. In some cases, like earlier this year in Oklahoma, a data breach served as the unfortunate jolt to shock reform into a system. But the ever-swelling number of privacy violations signals a need to do better, to adapt better, across the board.
Stronger cybersecurity is essential for patients and organizations alike. If Under Armour, the company that owns MyFitnessPal, and its competitors want to continue to grow the fitness-tracking and wearable tech business, they must sow trust among the public. (They must also protect themselves from the costly, humiliating lawsuits that tend to crop up after major breaches.) Wearables already suffer from high dropout rates, and users typically track meals less often as time progresses.
No one has all of the answers. In the course of my reporting, however, pieces of the solution come into view. Health systems and medical tech companies can look to penetration testing, for example, a level beyond vulnerability scanning. Despite its lack of use cases, blockchain might prove useful, empowering data sharing along the way. Researchers are even trying to build the “unhackable computer.” More fundamentally, proper computer hygiene, like keeping software up to date, can help ward off attackers.
Like the dieters who use digital fitness trackers and wearable devices, healthcare and its high-tech partners will only succeed if they acclimate to a new way of thinking and acting. A new reality. The difference is, simply exercising portion control—or changing a few passwords—isn’t enough.