A lot of good minds are trying to figure out how to make health information more secure. But it’s complicated, in part because there are advantages to not locking up medical information too tightly. You want online medical records that are “privacy- and security-protective, but also facilitate research and medical care,” says Michelle De Mooy, deputy director of the Consumer Privacy Project at the nonprofit Center for Democracy & Technology.
For prompt and accurate medical care, your doctors may sometimes need to send information back and forth to each other. Or, in an emergency, doctors may have to quickly determine whether you have specific medication allergies.
“A banker has the time to go through four layers of security before accessing data,” says Eric Perakslis, Ph.D., executive director of the Center for Biomedical Informatics and the Francis A. Countway Library at Harvard Medical School. “In an ICU, a doctor needs instant and timely access.”
Until we have solid solutions, guard your financial and health information with the same rigor, and consider the following advice:
1. Share only what you have to
Share as little personal data as you can at doctor’s offices and hospitals, and with insurers. For example, don’t give your Social Security number to health care providers unless you must, and ask whether other information, such as your date of birth and driver’s license number, is really needed before you provide it. Be especially careful on the phone. After the Anthem breach, consumers posted comments on the Federal Trade Commission’s website describing phone inquiries from callers who claimed to be Anthem representatives asking for personal identifying information. But Anthem says it made no such calls.
2. Be e-mail savvy
Anthem customers affected by the breach also received phishing e-mails. Don’t click on e-mails you don’t recognize and, if you do, don’t provide information unless you have verified that the source is real. Consider creating one e-mail account for health care and banking, and another for social media. “Change your e-mail password often and use 2-factor authentication for e-mail and other accounts when available and possible,” Perakslis says. Two-factor authentication uses two different password types—such as a regular password and a one-time-use code that expires within minutes—and offers more security than one password.
3. Store carefully
“Whether paper records, medical scans on a DVD, or records in a computer file, treat medical data like you would treat your tax returns," Perakslis says. "Carefully file and manage them." Electronic records should be encrypted and stored on a password-protected external hard drive. Store paper records and CDs in a locked file cabinet. Shred paper or destroy discs before throwing them away.
Don’t log in to health or financial accounts on public Wi-Fi. “Using public Wi-Fi is like sharing a bathtub,” Perakslis says. If you use a Wi-Fi-enabled device on any public or free Wi-Fi, clean the device with protection software beforehand. Do the same afterward, before reconnecting the device to your home network.
7. Watch the cloud
If you use cloud services to connect your devices and accounts, remember that not all are created equal. Exclude sensitive accounts and store important files encrypted on a physical external hard drive at home that is password protected. With online storage accounts, look for services that require 2-factor authentication. “Having too many things in one online digital place is like one-stop-shopping for a hacker if the data is not secured properly,” Perakslis says.
Since many data breaches and cases of identity theft are not discovered for months, check your credit history to see if someone is using your health and financial data improperly. You are entitled to a free credit report once a year from each of the three credit reporting agencies. Stagger the free annual reports and get one from a different credit bureau every four months. You are also entitled to one additional free report from each agency if you have been the victim of identity theft and place a fraud alert on your credit report.
10. Check your records
Check all your health-related mail, e-mail, and health records. Look closely at statements and other communications from your insurance company and health care providers for strange items or services and for health conditions that you don’t have. Look at your electronic health records, too. Ann Patterson, senior vice president at the health industry group Medical Identity Fraud Alliance, suggests that consumers review their health records by using the patient portals that are increasingly coming online with healthcare providers. If you have access to a portal, look at your online medical records monthly, as you would your financial statements. If your primary health care provider doesn’t have an online system, ask for an annual summary of your records—or ask quarterly if you suspect you’ve been a fraud victim. Sometimes, providers charge a nominal fee for a summary of your medical records.
Finally, if you spot something worrisome, call your primary-care provider and insurance company promptly. In addition, maintain a list of your accounts, so you can quickly ask for new credit and debit cards, change online user names and passwords, and ask credit bureaus to put a fraud alert on your records.