I was really hesitant to write anything about this topic at all, but a recent article in Gizmodo convinced me that there is something really critical here to be discussed. Yes, I am talking about the Ashley Madison data hack and its implications for the healthcare industry.
What do we know so far? Well, we know that there were approximately 35 million records dumped onto the “dark web” and that within that data was quite a bit of information. In fact, I’ve recently seen a sampling of that data including addresses and names and it’s frankly startling to see someone you know show up on the list. I don’t recommend it.
What I don’t know is anything other than the limited data that I’ve seen and what is presented by what I hope are reputable sources. What I present here is not presently vetted as it would be quite an undertaking to do so on my own. I’m hoping by publishing through this medium (heh — get it!) that we might be able to get some clarification on this topic and to help me with my own thoughts about how this impacts the healthcare industry.
First, let’s talk about privacy versus security
There is a certain amount of privacy that one should expect when engaging with a site that purports to maintain a secret for you, or to help you evade telling the truth. Privacy is “the state or condition of being free from being observed or disturbed by other people.” In contrast, security is “the state of being free from danger or threat.” There is a nuance to the interplay between these two, but they are absolutely distinct.
In the healthcare industry, we’re well aware of the difference between these two things — or at least we should be. But all too often we confuse the strictures of HIPAA as being about privacy. That’s not inherently true. HIPAA is the Health Insurance Portability and Accountability Act. It’s about security, not necessarily privacy. In fact, HIPAA even covers how healthcare entities should handle informing their patients on how things are handled with regards to privacy because HIPAA doesn’t specifically provide for them. The “P” throws everyone off.
In fact, your Private Health Information (PHI) likely moves around the system in all kinds of ways that you may not realize. When you are seen for a service, your information probably goes to a payer on a claim form. That claim form may be accompanied by clinical documentation that may go to a Managed Care company. Your data ends up going through all kinds of people that you don’t explicitly give your permission to. All KINDS of people.
But just because your information is being moved from company to company, person to person, doesn’t mean your information isn’t secure. Most of the time, the system works just fine. Other times, you run into a problem like Anthem had where a breach in their IT structures resulted in a massive data leak. In such cases, there are actual federal guidelines as to how that breach is handled that are clearly defined. And those breaches are very expensive to the healthcare company.
The reason for that is that it can sometimes be more difficult to protect oneself after a breach of PHI than after a breach of, say, your financial information. Because there is no national ID for the healthcare system, often a Social Security Number is used for transactions between systems. While an insurer might also provide you with an individual ID for their internal systems, for those data to move between entities, you have to use an SSN.
But even SSN can be protected against a breach with credit monitoring when it comes to your financial information. What is a little different about PHI is that it can contain deeply personal information about the individual such as diagnoses, current or past treatment, and even likelihood for future diagnoses when it comes to genetic information. Your genome can’t be changed like your SSN or bank account information. That’s all yours.
Let’s bring it back to Ashley Madison
What did Ashley Madison actually promise, then?
Ashley Madison is the most famous name in infidelity and married dating. As seen on Hannity, Howard Stern, TIME, BusinessWeek, Sports Illustrated, Maxim, USA Today. Ashley Madison is the most recognized and reputable married dating company. Our Married Dating Services for Married individuals Work. Ashley Madison is the most successful website for finding an affair and cheating partners. Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair. We are the most famous website for discreet encounters between married individuals. Married Dating has never been easier. With Our affair guarantee package we guarantee you will find the perfect affair partner. Sign up for Free today.
We can discuss the morality behind the purpose of the site all day long, but the site exists and people signed up for it. So let’s just move on past that topic and dig into how this is relevant to our purpose here.
After looking at the data from Annalee Newitz’s article, there’s clearly something else going on here. There are not a ton of married people who are successful in cheating on their spouses. There are a ton of married men who are flirting with the idea of cheating on their spouses.
The societal impact of the hack
Well, we know that Josh Duggar admitted to cheating on his wife and entering rehab after the hack was announced and that he was on the list. I haven’t seen that he successfully met anyone on the site, but looking at the numbers in the Gizmodo article, I’m going to guess not. And there are reports that there may be suicides that have been linked to the hack. And there has even been reporting on the pervasiveness of the use of the site by federal employees.
So, we’re seeing some significant potential impact of the site across many walks of life and affecting many groups throughout the world, in fact. But again, going back to the numbers, this probably isn’t nearly the situation that we think it is.
Let’s focus on the men that were probably brought to this site, since the Gizmodo article all but dismisses the women that were on the site — especially after highlighting that a number of those women could have been checking for cheating spouses, rather than looking to cheat.
There is the issue of Ashley Madison’s promise to its users. That it would allow for discretion in cheating. That’s a privacy promise in my opinion, and not necessarily a security one. Would one assume that their information was being secured as well? Maybe, but I don’t think that’s inherent to their brand promise. Again, I haven’t dug into the language of their policy yet — this is a working document — but there was going to be no protection when you moved from the online world to the offline world anyhow, so how one could have reasonably expected security is beyond me.
You’ll have to draw your own line as to what is considered cheating and what is not, but most of these individuals that were active on the site were more than likely talking to robots. Those that weren’t may have been casually flirting. And of those left, well, I’ll just say the proportions would show that likely if anyone was successful in cheating, they were probably 4th or 5th in line in their area.
For the first two categories, you were made a promise by Ashley Madison and you were either duped or you got exactly what you needed. If you expected you would actually find an affair, the first category; if you were looking for an outlet that let you flirt, you probably got a robot and received exactly what you needed from the site.
What this means for healthcare
Does or would the Ashley Madison hack have an effect on healthcare more broadly? I don’t know. There are certainly a couple of considerations here.
Does this inherently decrease the public’s trust of the internet and data security generally? I hope not. You should absolutely be concerned about security, but let’s be honest — Ashley Madison is not the healthcare industry, it’s a site for people wanting to cheat. There’s an inherent, goal-oriented difference between the two, we’ll call them, “industries.”
Does the new data lessen the impact that the hack actually has on the greater societal opinion surrounding the fear of data integrity? Probably, but it really shouldn’t. This still highlights a critical misunderstanding that we have about our data and how it gets used. That’s no less true in the healthcare industry as I’ve pointed out above.
Will it change the way that healthcare handles data? I cannot imagine it would. Your data is being protected pretty well already, but this type of hack is the result of something far different than why someone would go after healthcare — that’s largely financial.
Is the Ashley Madison hack still relevant? You bet your sweet you know what it is! We’re entering a new phase in the healthcare industry’s development where you as a consumer are going to be able to make more decisions about the way in which you interface with that system. That means you have more control over who is getting your data initially, and within the new Health Information Exchange models set up in each state, maybe even after your initial input of data. Some systems are prepared to share data down to very granular levels. That means you will have to make some decisions about how you want your information to be shared.
Does this mean you shouldn’t share your data? I wouldn’t go that far. Your data, if properly secured, doesn’t need to be private from legitimate sources in the healthcare industry. That data can be very important for medical advancement for one. But there is also a possibility that your information can help providers make better decisions to help you in making decisions about your own healthcare.
— Ryan Lucas (@dz45tr) September 2, 2015