Cybersecurity Experts’ 9 Best Ways to Keep Your Health Data Private
Updated: Sep. 26, 2023
Healthcare data breaches can have worse consequences than you might imagine. Here's how security experts say you can protect your health data—this includes choices you make on social media.
Data breaches are becoming more common—and new reports show the healthcare sector is getting hit especially hard. In 2022, an average of 1.94 healthcare data breaches compromising more than 500 records were recorded every day, according to the HIPAA Journal. “With telemedicine being so popular now, there’s a lot more information being shared in ways it wasn’t before,” explains Amir Tarighat, Co-Founder and CEO of cybersecurity startup Agency.
Healthcare data doesn’t just refer to copies of an X-ray. It can include a vast range of private information, and once it gets out there, it can exist in perpetuity, Tarighat says. While companies like Agency help people secure their data after a leak, it can be a lengthy, difficult process, and not just logistically. Research shows that data breaches contribute to serious emotional and mental distress. “That’s why prevention is so important, making sure you don’t share your data in a nonsecure way.”
Here’s why it is so critical to protect your healthcare data
Healthcare data is in very high demand, says Lisa Melamed, president of compliance and risk management at SCALE Healthcare. “[Healthcare data] theft has become extremely lucrative, and without the proper protections, it’s easy to steal,” Melamed says. She adds that criminals who steal social security numbers get approximately $1 per number and $5 per credit card number on the Dark Web. That’s in contrast to healthcare data, which can fetch between $250 to $1,000 per record.
“Patients who have had their health data stolen can be subjected to not only identity theft, which as we all know is expensive and can draw out for years to correct,” she says. “It can also delay treatment and prescription drugs due to fraudulent insurance claims, blackmail, or financial fraud attempts.”
How to protect health data
1. Use unique passwords everywhere
“The first thing you have to do is make sure every single place you use a password, that password is unique,” Tarighat says. Making a password longer—12 characters or more—is usually the easiest way to make it safer. And a password manager can help you keep track of long, safe, unique passwords throughout your digital presence.
2. Check an app’s security processes
If you’re using a health app, review the privacy policy and terms of service to make sure you understand how your data is being collected and shared, Melamed says. “They may have a provision that allows sharing with unnamed third parties.” You’ll also want to look for things like end-to-end encryption, strong authentication protocols, and regular app updates to address vulnerabilities.
There are additional professional standards for security you can check for, Tarighat says, such as SOC 2 and ISO 27001. These are audited frameworks for security that ensure a company or app is meeting a formal standard regarding your data protection.
From READER’S DIGEST: How to Prevent Companies from Buying and Selling Your Personal Information
3. Confirm HIPAA compliance
The Health Insurance Portability and Accountability Act (HIPAA) is a set of national standards protecting patient health information from being disclosed without consent. Before sharing identifiable personal health information, it’s important to check an app’s terms and conditions to ensure it’s HIPAA-compliant, says Shashank Agarwal, a data scientist and senior decision expert at CVS Health.
Keep in mind that apps that collect non-identifiable information, like your heart rate, are not required to be HIPAA-compliant. These apps are usually cataloged under health, wellness, and fitness, but since they’re not used for medical purposes, they can get around HIPAA requirements, says Ryan Montgomery, co-founder of the cybersecurity platform Pentester. That means they may share data with third parties, so use extra discretion.
From READER’S DIGEST: 20 Cyber Security Secrets Hackers Don’t Want You to Know
4. Download apps from reliable sources
Operating systems like iOS and Windows have made it easier to understand what permissions you’re granting apps, Tarighat says. “They give you a clear disclaimer, only the operating system can really turn on those permissions.” That’s why you only want to download applications from authorized app stores like the Google Play Store or Apple App Store, he says.
From READER’S DIGEST: Someone May Be Spying on You If You Have These Apps
5. Go easy on granting app permissions
That said, any application that requests permission to access your information shouldn’t be blindly trusted, Montgomery says. “For example, you’ll see posts with titles such as, ‘How happy of a person are you? Click here to find out.’ Those apps then request unnecessary permissions, which can expose sensitive data you may not want shared or collected,” he explains.
Agarwal adds that sharing access to your stored drive folder or camera photos, in particular, exposes a high risk of personal data leakage.
6. Set up two-factor (or multi-factor) authentication
These days, many apps and digital platforms offer two-factor authentication (2FA)—so if you see it, enable it. “[This] adds an extra layer of protection to your accounts, making it harder for unauthorized users to get access even if they have the password,” Montgomery says. If a service you use doesn’t support 2FA (Twitter recently revoked this security for non-paying users,) you can use apps like Google Authenticator that generate one-time passcodes.
2FA is especially important for your social media accounts, Tarighat says. “What we often see is an attack called a SIM swap, where someone has your phone number and using that, one of the main targets is to reset your social media password,” he says. “By having 2FA, you bypass that kind of attack, which is fairly common nowadays.”
If Your Attention Span Is Burnt Out, a Leading Scientist’s Simple Fix Will Come as Relief
7. Stay ahead of common scams
“You have to be careful about emails, text messages, and other social engineering attacks where someone is contacting you,” Tarighat says. They may pretend to be from a government agency or a company you normally do business with, send fake confirmation or delivery emails, or direct you to a fake site through a misspelled URL. “If you’re unable to confirm who it is, you don’t want to share any private data,” he says. “Unfortunately, these are the most common scams where the individual is targeted in their personal lives.”
From READER’S DIGEST: 14 Online Scams You Need to Be Aware Of—and How to Avoid Them
8. Keep your software up-to-date
Software companies fix flaws in their systems via updates—and sometimes, those updates have to do with security measures. Operating systems have built-in functions to prevent attacks, but because cyber threats are always evolving, developers have to keep adapting their security, too. Skipping updates can leave your devices vulnerable to these routine privacy patches.
From READER’S DIGEST: 6 Reasons Your Phone Is So Slow—and How to Speed It Up
9. Be discrete on social media
Don’t post sensitive information, such as medical conditions, treatment plans, or lab results on social media, as they can be used to identify and exploit you, Agarwal advises. He also says it’s a good idea to tweak the default privacy settings on your social platforms to control who has access to your information.
Beyond that, “remember that if you post about a health condition online—like on a message board—it’s not protected under HIPAA or state laws,” Melamed says.
For more guidance on protecting and securing your health information online, Melamed points to OnGuardOnline.gov for extra resources.
Manage your wellness with The Healthy @Reader’s Digest newsletter and follow The Healthy on Facebook, Instagram, and Twitter. Keep reading:
People:
Amir Tarighat, Co-Founder and CEO of cybersecurity startup Agency
Lisa Melamed, President of Compliance & Risk Managemnet at SCALE Healthcare
Shashank Agarwal, a data scientist and Senior Decision Expert at CVS Health
Ryan Montgomery, Co-Founder of the cybersecurity platform Pentester
Journals:
North Carolina Journal of Law & Technology: "Psychological Data Breach Harms"
Websites:
The HIPAA Journal: "Healthcare Data Breach Statistics"
Originally Published: June 22, 2023
