Murky third-party agreements weaken healthcare privacy controls

The healthcare industry is a vulnerable target for cybercriminals, but not for the reasons most business sectors are. Between 80 and 90 percent of all cybercrime results from people not following basic cyber hygiene practices, but in healthcare, criminals gain access to information through infrastructure weaknesses and murky third-party agreements.

According to the U.S. Department of Health and Human Services breach portal, 726 of the 863 breaches reported by healthcare organizations in 2023 were due to weaknesses in hardware and software infrastructure. Those weaknesses can take the form of outdated technology and unpatched software.

The third-party problem

The bigger problem, technology, is gradually being resolved. The three big changes are advanced antivirus software that uses behavioral analysis, machine learning, and threat intelligence to protect computers, servers, and medical devices; encryption of sensitive data both in transit and at rest, which safeguards patient information, while encrypted messaging and email services protect conversations and data exchange between healthcare professionals; and identity and access management (IAM) that implements multi-factor and biometric authentication, role-based access controls, and regular access reviews to ensure that only authorized personnel have access to sensitive information.

However, the problem of unchecked third-party access to patient data is beyond personal and technological intervention.

Whenever you sign up for a new online service, whether through a website or a mobile app, there is always that moment when they ask you to agree to the “terms and conditions,” or ToCs. Most of the terms are understandable, but they all have a clause that sends you into the murky world of third-party agreements.

There is one boilerplate sentence in all of them that says something like, “Please note that third parties’ use of cookies and information that you provide to them is subject to their privacy policies.”

That is problematic in many ways, but in the case of working with healthcare providers, that can be very dangerous.

2024: the year of third-party breaches

In the first week of February, the Connecticut Attorney General issued a private enforcement update based on a complaint from a consumer who wound up on a marketing list because of a terminal cancer diagnosis. Apparently, one of the third-party providers to the doctor took information provided by the doctor and used an AI marketing tool to offer the patient cremation services.

That same week, ad agency Publicis Health agreed to pay $350 million for using recorded conversations between patients and doctors prescribing Oxycontin to advertise how “safe” the drug was.

In both of these cases, the disclaimer in the ToCs protected the healthcare provider from prosecution because they essentially said, “Hey, we had no idea what they were doing with it.” The law, in this case, says ignorance is an excuse.

The European Union, even with the GDPR, is still vulnerable. France’s National Commission for Information Technology and Liberties (CNIL) issued a notice that two major healthcare payment service providers, Viamedis and Almerys, suffered cyber-attacks that affected the data of more than 33 million people. CNIL noted that the attack took place at the end of January 2024, with the compromised data relating to policyholders and their family members.

Users in the dark

App users have no idea which third parties have agreements with the providers or what the limitations are, if any. To find out, the user must contact the provider and ask, specifically, who they are working with, and then contact the third party to see what its privacy practices are.

Some providers do add a measure of patient protection to their ToCs. For example, Alignment Health says it shares patient data with contractors and service providers supporting its business, but they are “contractually obligated to keep Personal Information confidential and use it only for the purposes for which we disclose it to them.” Those third parties include websites, data hosting and customer support, and various other IT service providers. The question is what “the purposes” are. (Note: several calls to Alignment and other health services providers had produced no responses at the time of publication.)

Yosi Health

Hari Prasad, CEO of Yosi Health, pointed out that while the FTC has taken strong stands against companies like Google and Facebook sharing personal data, the HIPAA standard lacks the framework for controlling what third parties can share. “HIPAA does not apply to those entities that are non-business associates (third parties). They’re allowed to share patient information (including) children’s information with other third-party vendors. That’s a huge cause of concern because our information could be used by others when they’re not supposed to be gaining access to it.”

Yosi Health provides software and services for collecting patient information, allowing patients to enter their information digitally once and then never again. Yosi stores that data and manages sharing it with a medical team. Prasad said the company’s privacy policy is to not share data with anyone but a patient’s medical team. But that effort plugs only one of the holes.

Prasad explained that some of the company’s customers, because they are so focused on providing care, do not know that their third-party contracts gave those parties the right to share. “Three in four people don’t read all of the legal language. They end up providing consent by default. That’s the opportunity to allow patient data to be harvested and shared with others for revenue change.”

Legislation needed

Prasad believes those consents must give users the option to give explicit consent only if their information needs to be shared, identify who it is being shared with, and still let them use the service.

The European Union has that provision hardwired into the GDPR, but much of U.S. privacy law still favors the data gatherers. To change the paradigm, new laws must be enacted.

“There needs to be a legal framework and common sense laws that make it very easy for patients to fully understand who has access to their personal information,” Prasad said. He added that the company is actively working with legislators in this effort. Easier said than done.

In 2021, U.S. representatives Anna Eshoo and Zoe Lofgren introduced the Online Privacy Act (OPA), a comprehensive piece of privacy legislation creating user data rights and placing limitations and obligations on the ability of companies to collect and use user data. It also would have established a Digital Privacy Agency (DPA) to enforce privacy laws. It died in committee after the Republicans took control of the House. Eshoo and Lofgren reintroduced the bill with a few changes in April 2023. It still lies in committee and, according to govtrak.com, has a 1 percent chance of reaching the House floor.

Calls to Eshoo’s and Lofgren’s offices have not produced any comment. Eshoo is retiring after the end of the year and none of the candidates for her seat have offered any comment.

Until governments get serious about privacy legislation, the holes will remain rather cavernous.

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.