Data Crisis: Who Owns Your Medical Records?
Electronic records are increasingly hard to keep secure and store, especially with the proliferation of patient-generated data
We’ve all encountered issues with our medical records. Whether getting a copy for a second opinion, finding major mistakes, or changing health care providers, our access to this important set of data has been fraught with difficulties. But that’s in the past tense—it’s getting worse.
Sadly, your medical records are the property of hospitals, doctors, and health systems. With the exception of New Hampshire, where ownership rights are assigned to the patient, no state recognizes the individual’s right of control and ownership of their medical data.
Now that our records are electronic, which was intended to make them eminently portable and sharable, a very serious unintended problem has erupted. In the past year, more than 100 million Americans have had their electronic medical records hacked from health systems. For example, this June, Banner Health in Phoenix had a breach of 3.7 million electronic medical records.
Hackers have held the health information systems of many hospitals throughout the country hostage, and those hospitals have had to pay ransom to regain control of their patients’ medical data. Such records have become remarkably alluring for hackers, since each can be sold for approximately $50—nearly ten times the value of an individual’s electronic data from a retail or credit company database. Ironically, only a small fraction of Americans have directly accessed their electronic records through direct downloads (which are uncommon) or patient portals, such that the hacking-to-patient-access ratio is likely greater than 10 to 1.
At the same time as our medical record security is in jeopardy, a new path for generating medical data is taking off. Rather than being derived by doctors and hospitals, medical data is increasingly patient-driven. Today, many diabetics who use insulin have a continuous glucose sensor taking readings every five minutes. An electrocardiogram can be obtained by touching one’s fingertips to a smartphone. A person’s sleep can be monitored continuously for a drop in blood oxygen concentration and the potential diagnosis of sleep apnea.
As was covered by San Diego Magazine last year (“Health Care Goes High-Tech,” October 2015), the number of biosensors—most of them wearable—that track almost every organ and system in the body is exploding. But currently there is no place to readily archive this important, real-world data, especially now that multiple sensors are coming into play. So we are moving to “big data” at the individual level with no place to store, much less analyze, such information.
And eventually, as the era of patient-generated data takes hold, it will outstrip in mass and importance the doctor-generated data, since the latter comes from one-off or occasional office visits, while the former is more representative, contextual, and generated directly by the individual. Think of at-home blood pressure measurements as a glaring example of the difference in how, where, and when medical data can be generated.
With all these moving parts, we need a solution to preserve the privacy and security of this precious data while at the same time accommodating and integrating its new production path. Added to this challenge is the emergence of advanced forms of processing the data through artificial intelligence and machine learning—and getting that back to the individual in real time for guidance. We’re just one step away from a virtual medical coach through our smartphones, for those interested in having real-time algorithmic interpretation of all their data.
To get there, we need new federal legislation to safeguard our medical data. The Health Insurance Portability and Accountability Act was written 20 years ago, when medical records were kept on paper, and is not applicable to the contemporary digital era. Moreover, the pervasive selling of our medical data is unchecked, with no legal protection. The massive hacking of health system data has not resulted in any new legislation to date or enforcement via established laws.
We also need a technologic fix—a new home for medical data that is rightfully owned by the individual. The peer-to-peer electronic ledger technology known as “blockchain” represents one potential means of achieving this objective, whereby a person would have their medical data continually updated and archived from womb to tomb. The individual could share the data with their doctor or health professional, or donate it for medical research—with appropriate restrictions, such as preservation of anonymity. An attractive feature of this technology is its complete decentralization, forming medical data sets of one or a few instead of thousands or millions, which is a major deterrent to hacking.
Let’s hope some important legislative action and technology solutions come together to enable what is an inevitable civil right—owning your medical data.
Eric Topol, MD, is director of the Scripps Translational Science Institute, chief academic officer of Scripps Health, and professor of genomics with The Scripps Research Institute.