As more nations introduce electronic health records (EHRs), many patients are wary of revealing personal health information in an electronic platform that is shared widely among providers. Succinctly put, EHRs are not yet considered trustworthy. Clearly, EHRs have significant advantages, when used properly, for recording, accessing, and ethically and appropriately sharing patient medical conditions and demographic information, especially as they significantly improve storage capacity, legibility, and access to imaging, allow inexpensive back-up records, and may also enhance AI to indicate contraindications and alerts for unusual test results. Ethical research mining of anonymized patient health records can also help immensely in epidemiology and other forms of medical and social science research. More recently, clinical ethics consultations have also been included in many of these records, helping health care workers, particularly those trying to determine end-of-life preferences, honor the bioethical principle of autonomy.
Regrettably, security of these electronic records has been a significant problem, as evidenced by medical cybercrime increasing ca. 600% during the pandemic. The total cost of this cybercrime in 2021 has been estimated at ca. $600 trillion worldwide. Normally, access to the records is digitally tracked and changes to records are continually recorded, allowing forensic analysis in the case of suspected falsification of patient information or billing anomalies. Large-scale cybercriminal actions are in another category altogether.
Unfortunately, efforts to secure EHRs have not been completely successful, eroding patient trust further in major health care system integrity. Added to this mix are ancillary mega corporations whose ubiquitous software is often designed for data mining with market capitalism as an incentive. In the latest example, Facebook (Meta) has just this month been accused of gleaning private medical data using its installed Pixel tracking tool in patient EHRs. In the past, sensitive data including those related to sexually transmitted diseases has been shared on the Facebook platform by unethical healthcare workers, but this is the first report of data mining on a much larger scale. Further, cybercrime has even been extended to medical journals and consequently trust issues are not only confined to those between patient and healthcare systems, but also between physicians and their “primary” literature sources. These include not only those related to academic misconduct, but the current bane of predatory journals. Regrettably, it is now necessary to “inform and warn academics about practices used by cybercriminals who seek to profit from unwary scholars and undermine the industry of science.”
While there are technical mechanisms to help defend against cyberattacks, including anti-phishing defenses, compliance automation systems, and identity and access management, major IT and social media corporations should be expected and required to be proactive in preventing abuse. Further, IT managers in healthcare settings must be aware of ongoing and potential threats to patient data and sensitive information. Regrettably, the character of those involved in willful cyberattacks on medical and health systems is unlikely to change. Therefore, pragmatism, time, and funding must be included in strategic planning by healthcare systems to protect patient records – else, trust will continue to erode. When trust erodes, patients are more likely to withhold information useful in diagnoses and treatment.
“…patients with higher trust in provider confidentiality have significantly lower likelihood of reporting having ever withheld important health information and lower likelihood of thinking it is important to find out who has looked at their medical records.”
(from Lott et al., 2019)
For patients with sensitive medical and healthcare histories, the sharing of information among providers can be, frankly, disconcerting. To have this information leaked or mined to social media or to ancillary corporations without express consent is clearly unethical and should have significant legal consequences.
Michael J. Murphy, PhD is a State University of New York Distinguished Teaching Professor and a Fulbright Scholar in biomedical ethics at the Slovak Medical University in Bratislava, Slovakia.