Big Tech is poised to rake in tens of billions of dollars from a new healthcare recordkeeping standard that scorns privacy for convenience, creating massive opportunities for extortion and other abuses by criminals and government.
“Wouldn’t life be easier if you could view your full medical history with a few taps on your smartphone?” an upbeat piece touting Fast Healthcare Interoperability Resources (FHIR) – a new data standard for healthcare patient data – asked, somewhat rhetorically, on Tuesday in Kaiser Health News. This oversimplified, no-downside spin on a truly ominous technology neglects to warn anyone who’s ever used a health clinic that the medical details of their private life are about to get a lot more public, data-privacy laws be damned, and there will be no putting this particular genie back in the bottle.
The analog doctor's office, an endangered species © Global Look / Danita Delimont
The US government has officially thrown its weight behind the rollout of FHIR, mandating in 2020 that all medical providers who receive government funding make patient data available through FHIR-compatible apps. This move cements an unspoken alliance between Big Tech and Big Brother that has repeatedly seen the former deployed to circumvent troublesome constitutional restrictions imposed on the latter. The government may not be able to violate Fourth Amendment provisions against unreasonable search and seizure, but if, say, the FBI wants access to a target’s health records, it no longer has to show up at their doctor’s office with a warrant – those records will be sitting in an unsecured corporate database on the cloud, if history isanyguide. Unless the medical records industry seriously overhauls its idea of what constitutes information security, patient data will be fair game for everyone from the NSA to the lowliest basement-bound hacker.
Americans’ health data is supposed to be protected under a law called HIPAA (Health Insurance Portability and Accountability Act) that, at least in theory, gives the patient autonomy over how and where their records are shared. The US Department of Health and Human Services claims 2018 was the biggest year yet for HIPAA enforcement, and a glimpse at the agency’s newsroom shows a constant stream of multi-million-dollar payouts from companies found guilty of treating patient privacy like an afterthought, even a nuisance. Keeping in mind that even this lengthy list only represents the violators who got caught, it’s safe to assume that healthcare providers violate patient privacy on an almost-daily basis, whether by failing to encrypt or otherwise secure patient data or failing to ensure those accessing the data have the authority to do so. FHIR lacks any sort of new provisions to hold these companies responsible for data breaches, which with every patient’s information on the same server will be orders of magnitude more devastating than they already are. FHIR is also expected to stream data from wearable devices like fitness trackers directly into patients’ medical records, opening up a whole new dimension of surveillance.
Without the new government mandate, healthcare providers had been slow to embrace the idea of Google or Microsoft essentially sticking a billion-dollar straw into their patient records and slurping heartily. Health Level Seven International, the private company that devised FHIR, has boasted of the “public treasure” of information exchange that will result from “breaking open the silos” and unleashing decades of stored health data on the world. Paper-based records are described as “chaos,” and even electronic records are lamentably “isolated in electronic silos.” Inert data is not “working for the industry” – never mind that the data legally belongs to patient and practitioner, not “the industry,” and that under FHIR it will be leveraged by private-sector players with no intention of paying any of the parties whose data makes the system valuable. Providers who don’t want to participate in this orgy of financial speculation (the electronic health record “market” is predicted to be worth $38 billion by 2025) aren’t protecting their patients – they’re “information blocking,” according to financial penalties Congress has imposed since 2016. With the 2020 mandate, they’ll be exiled from government pastures entirely, unless they give up their data. Your data.
If this all sounds like paranoid technophobia, look no further than Blue Button, the government-backed initiative to create consumer demand for FHIR by making it the go-to standard for patients to download their personal health records. Microsoft, Google, Amazon, IBM, Oracle, and Salesforce plus the US government have thrown their considerable resources behind this surveillance-state bonanza, which seems designed to trick consumers into prioritizing convenience over safety. The project’s webpage informs patients that the onus is on them to protect their medical data once downloaded, even though the average US internet user knows next to nothing about information security and their government likes to keep things that way. One need only witness US Attorney General William Barr lecturing Apple about the evils of encryption last week in regard to an already-solved case to observe how information security is treated by Washington as an obstacle to what was once called Total Information Awareness before some clever soul in the Pentagon decided the name (but not the concept) was too Orwellian for the public.
FHIR is hardly the first attempt to sell a privacy-destroying technology using convenience, or the first attempt to specifically target medical privacy as a sort of ‘final frontier’ of the surveillance state. But anyone who doesn’t want their latest STD test, abortion, rehab stay, life-threatening allergy, Viagra prescription, or other formerly-private clinical experience ending up in the public domain would be wise to advocate for stricter privacy protections – and steeper penalties for violators, especially app developers – before it’s too late.