Pressure builds to secure health care data

Momentum is growing on Capitol Hill to provide more protections for personal medical information as lawmakers work on drafting the first national data privacy law.

Recent health data breaches have put a spotlight on the issue, which is likely to grow in importance as medical professionals shift more of their work online and increasingly turn to data and analytics to treat patients.

Key congressional committees including the Senate Commerce Committee and the House Energy and Commerce Committee have been working to put together data privacy legislation since the start of the new Congress, with health data privacy likely to be in the spotlight.

Both panels already held hearings on the topic of data privacy this Congress, with the House committee appearing to take the lead on the issue of securing health data.

A spokesperson for House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) told The Hill that the committee “plans on including meaningful protections and consumer control for health data not covered” by the Health Insurance Portability and Accountability Act (HIPAA) in upcoming “comprehensive privacy legislation.”

HIPAA, signed into law in 1996, required the secretary of the Department of Health and Human Services (HHS) to create regulations to protect the privacy and security of health information. According to HHS, prior to HIPAA there was no general set of national security standards to protect health information.

Updating the nation’s laws to account for developments in new health care technologies and practices will be critical, experts say.

Steve Grobman, the senior vice president and chief technology officer at cybersecurity group McAfee, said the risks around securing health data are likely to grow with the digitization of the medical industry.

“When medical records were handwritten notes in a filing drawer in a doctor’s office, it would be difficult for an adversary to get access to medical data at scale, the amount of medical data that they would actually be able to take would be limited,” Grobman said. “With the digitization of data it enables massive amounts of data to be stolen.”

In Congress, much of the momentum for a data privacy law has been focused on the sale and use of data by social media giants, web companies and internet service providers. But a spate of recent breaches involving health care groups has drawn attention to the importance of securing medical data.

One major recent data breach led to the personal information of 20 million customers of blood testing groups Quest Diagnostics, LabCorp and Opko Health being exposed. The breach was due to an unauthorized user gaining access to a third-party billing collection group, the American Medical Collection Agency (AMCA), that was used by those organizations.

The breach alarmed lawmakers. Sens. Bob Menendez (D-N.J.) and Cory Booker (D-N.J.) wrote to the AMCA demanding answers about how the data breach occurred and what measures were being taken in response.

One critical question is whether lawmakers will tie health data into the larger privacy bill they are working on or focus their efforts on stand-alone legislation addressing medical data issues.

Menendez told The Hill last week that he wanted to find out more information on the breach before he made a decision on this topic.

Sen. Mark Warner (D-Va.), the ranking member of the Senate Intelligence Committee, has also been involved in demanding answers around the AMCA breach, sending a letter to Quest on the topic earlier this month.

Warner has generally been one of the more visible members of Congress in addressing privacy concerns with health data.

In February, Warner sent letters to a dozen large health care groups asking for input to create a “short and long-term strategy” to reduce cybersecurity vulnerabilities and attacks on the health care sector. Warner has also been pressuring federal agencies to take notice, sending similar letters to agencies including HHS and the Food and Drug Administration.

Warner told The Hill that his office is still getting answers from these organizations and agencies but described the response as “overwhelming.”

Warner emphasized that while he was not sure if the next step would be legislation or a white paper, “it’s a huge issue.”

Lawmakers, though, have already taken some steps to address the issue, including bills to force companies to better secure health data on apps.

Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) last week introduced the bipartisan Protecting Personal Health Data Act, which would require the HHS secretary to create regulations for health data tracking apps, wearable devices such as Fitbits and genetic testing kits. The regulations would include a clause to enable consumers to review, change and delete any health data collected by companies.

This bill was referred to the Senate Health, Education, Labor and Pensions Committee, where it has not yet been marked up.

Experts say lawmakers face a challenge with medical data being stolen or compromised on networks and apps at an increasing rate, the effects of which stand to be far-reaching as more data goes online.

Grobman also noted that lawmakers must walk a tight line and not go too far in crafting legislation around protecting medical devices and around health data. He said putting too many regulations in place might limit innovation in this space or keep medical professionals from doing their job.

“One thing that concerns me is that while well intentioned, if those protections prevent the next generation of algorithmic care that would prevent a patient from identifying a disease or disorder ... that could be an unintended consequence,” Grobman said.