Tokenizing Sensitive Medical Data
Sequent Staff • January 06, 2020
The healthcare industry has been steadily moving toward digitizing its patients' medical records for a decade now. But moving medical information from color-coded file cabinets to databases is exposing it to a new disease: data breaches. Worse, there is a disturbing pattern of repeating the mistakes made decades earlier when another industry moved from carbon copies to electronic records: payments.
The merchant payments business started on paper, where each purchase made with a credit card generated an "instant cheque". The shopper signed that cheque after the merchant phoned the shopper's bank and talked to Betty to get approval that the shopper had the funds. (Breathe, hipsters, this is the short version of the story.) The big optimization in payments came when the banks' internal computer systems provided the authorization code directly to the merchant, which opened the door for merchants to deploy special point-of-sale equipment dedicated to speeding up this heavily repeated call.
Payment fraud existed in these early decades of electronic payments, but online shopping exploded the exposure to risk. Robbers no longer had to steal your credit card info one card at a time; they could sit in their bedroom and break into online merchant databases holding millions of sets of card data.
The School of Hard Knocks
The payments industry made major leaps forward in security technology before allowing payment card data to be loaded into the wallet apps on smartphones. Tokenization of credit and debit card data has fundamentally shifted the security model while cleverly allowing the tokenized card data to keep working with all of the legacy merchant and bank payment systems. More exciting still, the payments geeks are now applying tokenization back to online purchases. There is a real possibility of fundamentally stopping large-scale payment card breaches in-store, in-app, and in-web-browser.
The Definition of Insanity
Hospitals, clinics, labs, insurers all now have millions of digital health records in databases. With names on them. And government ID numbers. And your actual weight. Can some healthcare providers implement best practices for data protection? Surely, just as some merchants successfully prevent payment card breaches. Just like in payments, the risk is the breadth of the ecosystem that is storing and sharing the data. The hacker hyenas single out the weak, the less diligent on the wide open plains of the internet. And the hyenas have been very successful in these early years of digital health.
The healthcare industry doesn't have to repeat the painful growing pains of the eCommerce decades. Here are two ways to learn from payments' past:
HIPAA Hoppa Hooray
The payments industry established the Payment Card Industry Security Standards Council (PCI SSC). Founded in 2006 by the card brands in response to the growing breaches, the council publishes the PCI Data Security Standard (PCI DSS) and the assessor programs that cover payment card data at every stop in the payments ecosystem, and the card brands and acquiring banks enforce compliance. Over time the security requirements and the auditing requirements have become progressively more stringent for any company that handles payment card data.
HIPAA has data protection rules (the Privacy and Security Rules) and an enforcement office, the Office for Civil Rights (OCR), in the US Department of Health and Human Services (HHS). However, enforcement action usually starts with a complaint or a breach report after the breach has already occurred. Requiring every business that handles health records to pass a yearly audit administered by professional assessors would move the industry to a prevention footing and help it avoid repeating the mistakes that the payments industry made in the past.
The Full Monty
It took until 2005 for the payments industry to break some long-standing technical principles that eventually led to tokenization in payments. A decade later, Apple Pay, Mastercard, Visa and some early US banks were ready to implement tokenization on a mass scale. The healthcare industry is attempting "de-identification" of health records, which is a half-step in the right direction: it strips or masks identifiers from a copy made for a specific secondary use, while the fully identified source records stay where they are. Fully embracing tokenization, replacing patients' names, government identifiers and other identifying data with tokens that only a guarded vault can reverse, would remove most of the breach risk from the systems that store and share records, concentrating it in a single vault that can be hardened and audited.
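To make the difference concrete, here is an added example of a token vault over a patient record. It is illustrative code written for this page, not Sequent's product or any healthcare system's implementation; the field names, the token formats and the sample patient are assumptions constructed for the example. The SSN token keeps the 3-2-4 shape so legacy validation still passes, but uses the "000" area number that the SSA never issues, so a token can never collide with a real SSN and is recognisable as a token, the same idea as the dedicated token BIN ranges used in payments.

```python
"""Added example: a token vault for patient identifiers (not Sequent's code)."""
import copy
import secrets
import string

# Direct identifiers replaced on the way out of the system of record.
# The field list is an assumption for this example; a real deployment maps it
# to its own data classification (e.g. the HIPAA identifier categories).
IDENTIFIER_FIELDS = ("name", "ssn", "mrn")


class TokenVault:
    """Holds the only copy of the token -> PHI mapping.

    Records circulating through labs, insurers and analytics carry tokens;
    a breach of any of those systems yields clinical data without identity.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}  # same value -> same token, so joins still work

    def tokenize(self, field, value):
        key = (field, value)
        if key in self._value_to_token:
            return self._value_to_token[key]
        token = self._new_token(field)
        while token in self._token_to_value:  # guard against random collisions
            token = self._new_token(field)
        self._token_to_value[token] = key
        self._value_to_token[key] = token
        return token

    def detokenize(self, token):
        """Only the vault can reverse a token; anyone else holds an opaque value."""
        return self._token_to_value[token][1]

    @staticmethod
    def _new_token(field):
        if field == "ssn":
            # Format preserving (3-2-4 digits) with the never-issued "000" area
            # number: legacy checks pass, and the token is never a real SSN.
            tail = "".join(secrets.choice(string.digits) for _ in range(6))
            return f"000-{tail[:2]}-{tail[2:]}"
        # Other identifiers get an opaque, clearly labelled random token.
        return f"tok_{field}_{secrets.token_hex(8)}"


def tokenize_record(record, vault):
    """Return a copy of `record` with every identifier field replaced by a token."""
    out = copy.deepcopy(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out


def detokenize_record(record, vault):
    """Reverse tokenize_record; raises KeyError for tokens this vault never issued."""
    out = copy.deepcopy(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def can_detokenize(record, vault):
    """True only if `vault` issued every identifier token in `record`."""
    try:
        detokenize_record(record, vault)
        return True
    except KeyError:
        return False


# Constructed sample record (fictional patient, not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "weight_kg": 71.2,
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    vault = TokenVault()
    shared = tokenize_record(SAMPLE_RECORD, vault)  # what a lab or insurer stores
    print("shared copy:", shared)
    print("restored:   ", detokenize_record(shared, vault))
    print("other vault can reverse it:", can_detokenize(shared, TokenVault()))
```

The vault reuses a token for a repeated value, so two records for the same patient still join on the token without either system ever seeing the name or SSN; that consistency is what de-identification usually gives up. The mapping lives in one place, which is exactly where the hardening, key management and audit effort should then concentrate.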