Health Data’s Power, Complexity, Value… and Danger

Of all the bits and bytes stored or streaming through the digital realm at this very moment, health data may be the most powerful, complex, valuable — and dangerous.

Health data is powerful

It can be hard to quantify the enormous impact digitalization has already made on the practice of medicine and delivery of healthcare. These applied arts and sciences have always been grounded in knowledge-building through information exchange and rigorous experimentation. But the evolution of those processes from paper to digital has resulted in a profound and continuously evolving acceleration in capability spanning electronic health records (EHRs), medical devices, sophisticated imaging, wearable monitors, surgical robotics, telehealth tools, and on and on.

More health information can be accessed and exchanged and put to use faster than was even imaginable just a few short years ago — and to powerful effect.

Digitized health data has fueled a litany of breathtaking recent accomplishments, such as the ability to sequence a patient’s genome and diagnose a rare illness in under 8 hours. Or the development of an AI tool that can predict the structure of millions of proteins. Along with another one that reduces the risk of sepsis death by 20%.

That kind of power is awesome.

Health data is complex

Much of that awesome power is newly arrived at, but none of it was easily achieved. The systems enabling all of them are incredibly complex, as are the data they use to deliver their wonders.

Health data comes in myriad forms and formats, collected for cross purposes in ever-increasing amounts, managed and housed in scores of complicated and often incompatible systems. For every impressive DeepMind breakthrough or promising EHR enhancement, there are thousands of stories of moldering health data stores or crippled health information systems — missed opportunities and data failures abound.

Compounding the traditionally tangled health data landscape are scores of new consumer health and fitness devices and applications generating enormous streams of health information on a continuous basis. For example, FitBit alone has one of the world’s largest databases of validated health data from its 93M devices sold to date globally, tracking:

●     181 billion hours of heart rate data   

●     9 billion nights of sleep

●     457 billion minutes of exercise

●     175 trillion steps

And over 2.6M Fitbit users have already connected their data to a population health platform. That’s just one company’s health data! 

Untangling and integrating and actually applying all these sources and types of data constructively and systematically is the health challenge of our age.

Health data is valuable

In spite of this complexity, health data holds enormous inherent value. Beyond facilitating amazing innovations in treatment and research, it is also creating new markets and business models spurred by

●     Massive Behavioral Shifts: Millions of people now PAY to wear continuous health monitoring devices for consumer purposes

●     Enormous New Data Streams: Invaluable swaths of health information flowing at scale to formidable technology companies like Apple and Google

●     Computational Innovation: Data-fed insights from AI/ML, Data Lakehouses, Graph Technologies

●     Amazing Speed to Market: New technologies can translate to new products and services in mere months

This value isn’t confined to the realm of opportunity and potential. Health data also serves very practical “everyday” necessities for delivering, much less optimizing and enhancing, medical practice and care delivery and administration. Hospitals, for example, are now incredibly dependent on their EHRs and telemetry systems for basic function — disruptions in data flow can be debilitating.

Which leads to a clear and present danger.

Health data is dangerous

The fact that health data is valuable makes it irresistibly attractive to cybercriminals — not just individuals and criminal gangs, but increasingly from nation state actors, too. The breadth and depth of data held in patient records, for example, is like catnip to hackers: Just consider what they could glean from your own medical file, which at the very least includes your name, birthdate, weight, height, gender, and geographical location — and as often as not, details of how you pay for your treatment.

Moreover, the exponential growth in remote access as physicians treat patients via virtual medicine, and consumer wearables transmit health-related data to clinicians, has created another enormous vulnerability, witnessed by the 2021 data breaches on Apple and Fitbit fitness trackers, which exposed the records of 61 million individuals across the globe.

Despite spending $65 billion on cybersecurity defenses over the past five years, a Cybersecurity Ventures report identified that between 2017–2020 a staggering 93% of U.S. healthcare organizations experienced a data breach (an increase of 58% in 2019–2020 alone). And recent research has indicated that U.S. healthcare organizations continue to have a greater than 90% probability of experiencing some form of cyber attack each year. 

As one cyber crisis management consultant noted, “Healthcare organizations are more vulnerable to cybersecurity attacks because of their complex technology infrastructures. Many organizations also run outdated programs on devices they use every day, which exacerbates the problem.”

The devastating impact on complex interconnected IT infrastructures and end-to-end service delivery from a cyberattack on a healthcare organization is further compounded by the reputational damage caused by a successful breach, making rising threats of crimes like ransomware attacks particularly insidious.

All of which incurs real risk to real people. The CommonSpirit Health cyberattack in October 2022 resulted in a litany of problems: “Diverted ambulances. Cancer treatment delayed. Electronic health records offline.” And the attack on Tenet Health earlier in the year impacted 1.2 million individuals, resulted in a monthlong outage that affected the delivery of patient care, and had a $100 million impact on the firm’s bottom line.

The threat continues to grow. The Hacker News reports that, “according to the FBI Internet Crime Complaint Center last year, the public health industry is the most attacked sector by ransomware attacks.” And according to the World Economic Forum, “Cybersecurity healthcare attacks that affected individuals tripled from 14 million in 2018 to 45 million in 2021.”

The financial impact on healthcare organizations is also staggering: a recent Bitglass report estimates that in 2020 alone, data breaches cost U.S. healthcare sector organizations a total of $13.2 billion. 

And the IBM Data Breach Report 2022 quantifies the illicit financial rewards that the healthcare sector can offer to cybercriminals. The report shows that the “average cost of a healthcare data breach has reached double digits for the first time ever,” estimating the average cost of a healthcare data breach is now $10.1 million. That figure is nearly $1 million over last year’s $9.23 million, and represents a 41.6% increase in cost since 2020.

In fact, the healthcare sector has had the highest average breach cost for twelve consecutive years, even higher than that of the financial services industry.

Charting a future for health data protection and utilization

Chris Krebs, former Director of the Cybersecurity and Infrastructure Security Administration (CISA), has some sage advice for confronting the scourge and protecting data and function moving forward: “Just think five years in the future, will you have more devices…or fewer? Will you have more data from which we’re deriving insights…or fewer? It’s more.” He further noted that “in years past, cybersecurity defense commonly included an identity solution, a vulnerability management solution, and a strong incident response plan. Being able to recover your operations was often overlooked, but has become critically important.” 

So what needs to be done? The healthcare sector must respond with concerted investment and adopt a multilayered approach to health data security and utilization. But it doesn’t have to reinvent the health-data wheel: The raw data on healthcare-related cybersecurity threats and risks already exists, but it needs to be continually gathered, monitored and evaluated, before being delivered as situation-aware actionable intelligence to the organizations that need it to protect their patients, devices, systems and personnel.

Furthermore, the healthcare sector must employ its traditions of knowledge-building through information exchange and rigorous experimentation to technology strategy. The focus first must be on modernizing and securing infrastructure, then incorporating breakthroughs from technology and consumer market innovations adapted to sector needs. This strategy will continue to advance clinical innovation, secure the delivery of proper patient care, and propel health system function into the future.