The issue of data privacy on mobile phones has been brought to public and judicial debate again with Apple’s AAPL 0.22% refusal to create a backdoor into its operating systems. The debates so far have failed to highlight that granting governments access to mobile phone data opens access to not only sensitive financial and personal information, but also the crown jewels of healthcare: patient health records. Now that the majority of patients and doctors are accessing, storing, and transmitting healthcare information via mobile phones and connected medical devices, smartphone security has become a lynchpin of patient data security.
Healthcare data breaches are a real and serious threat and have already led to identity theft, financial loss, civil rights and employment discrimination, and even a risk to patient safety. In addition to the moral responsibility of protecting these data, the Health Insurance Portability and Accountability Act (HIPAA) specifically mandates that patient data be encrypted and assigns meaningful fines to violations. These breaches by hospitals, companies and doctors can add up to multi-million dollar liabilities.
Last year saw the active theft of over 100 million health records, as reported in Health IT Security, with the vast majority from malicious hacking. These data breaches involved electronic medical records, which can sell for more than 20 times the value of a stolen credit card. Today, most hospital and medical records systems have created smartphone apps and web portals for both patients and doctors to access via the smartphone in their pockets, enabling smartphones to be the new weakest link protecting personal health information.
Healthcare records contain mission critical and sensitive information, including social security numbers, financial information, diagnostic test results, medical diagnoses, and the correct dosages of hazardous drugs. Dr. John Halamka, a professor at Harvard Medical School and CIO of Beth Israel Deaconess Medical Center, wrote about his hospital’s experiences with internet-connected drug infusion pumps, which have been compromised. In extreme cases, malicious hacking also could be used to disrupt the workings of a heart pacemaker or drug infusion pump to deliver the wrong amounts of hazardous drugs.
Asking Apple to create backdoors into iPhones for the sake of learning more about crime and terrorism may sound reasonable, but citizens and policy-makers should consider the risks to sensitive health information. In a 2015 MIT technical report entitled “Keys Under Doormats” by Daniel J. Weitzner, head of the MIT Cybersecurity and Internet Policy Research Initiative and a former deputy chief technology officer at the White House, an all-star team of cryptography experts refuted the logic that government access increases security, and instead “mandates insecurity.” Co-author and University of Cambridge professor, Ross Anderson, concludes: “The government’s proposals for exceptional access are wrong in principle and unworkable in practice.”
In contrast to the political noise of the current debate, mandating access by U.S. agencies in reality reduces security for law-abiding citizens around the world. In a Washington Post editorial last July, three former heads of the National Security Agency, Homeland Security, and the Defense Department lay out the logic that opening back doors will fail to prevent serious terrorism and crimes, and instead prompt foreign governments to request similar access, thus reducing security for citizens and businesses.
More than ever, mandating insecurity on smartphones and the precedent it sets for other connected devices has broad implications for sensitive health data, extending to the clinicians and patients that depend on that data. This is a matter of public safety and the protection of citizens’ most private information. Apple, Google and other critical technology vendors should reject demands from governments to compromise security. It really could be a matter of life and death impacting far beyond a terrorist’s cell phone.