ONC's Joy Pritts on the privacy risks of mobile health apps

The ONC's outgoing Chief Privacy Officer Joy Pritts granted us an exit interview, and pulled no punches discussing very real health data security risks everywhere, including mobile health apps.

On her way out of the ONC, Joy Pritts, the agency’s first -- and up until now, only -- privacy officer, talked with SearchHealthIT about the key issues she sees playing out in health IT in the near and long-term future. Pritts, a Case Western Reserve-trained lawyer, started with the ONC in February 2011. Her last day is July 11. She announced her departure soon after National Coordinator for Health IT Karen DeSalvo, M.D., streamlined the agency from 17 to 10 offices. The privacy sub-office that Pritts established grew under her four-year-plus tenure.

What concerns you about the new world of mobile technology that works with free smartphone apps that leverage user data? And are patients risking their privacy by downloading these apps and agreeing to user agreements without necessarily knowing how that information could be used?

Joy Pritts: Mobile apps have the potential to be really beneficial for people's health and their healthcare. Having said that, people really need to be careful of what they download and [need] to read both the privacy policy and the user agreement.

A lot of people probably don't take the time to do that.

Pritts: They don't. There might have been some efforts to screen apps for privacy and security in the past, which for various reasons have not yet taken off, but there seems to be a large interest in that sort of thing.

It seems like something that's going to intensify as we go forward. Do you think behavioral and reproductive health data, as well as substance abuse treatment and, in the future, genetic information, could be safely kept sequestered from the rest of a patient's medical records?

Pritts: Genetic information is obviously really getting set to take off. Genetic tests are moving from the realm of the researchers to the doctor's office.

How much confidence do you have that policymakers, IT leaders and vendors will get all this right? With mobile data sharing and data sharing in general, what gives you confidence they will get it right?

Pritts: There's a lot of public interest in these topics. And the more public interest there is, the more incentive policymakers have to get it right.

What's the biggest threat to patient health data privacy today in your view, and how can it be solved?

Pritts: It's pretty apparent when you look at the breach notification reports that have been filed on [the HHS Office of Civil Rights'] OCR's web site that the loss and theft of devices is still significant, and that there's just what I would call a general inappropriate access, which may just be snooping.

These are very different things that require different solutions. So the first one, the loss and theft, can be addressed fairly easily by making sure people have in place policies and practices, that, for example, [ensure] mobile devices are encrypted, because if [they are] encrypted and then [stolen], you have protection for the data.

We all know the human being is often the vulnerability in a lot of these actions, right? So, for example, the loss and theft of devices is really human error for the most part, [or] bad human behavior, but there's a solution to that, a technical solution, which is very helpful. It's a similar paradigm when we're speaking of unauthorized access to health information. Many times unauthorized access is a result of even well-intentioned people trying to look at people's medical records that they're not really authorized to look at.

Some of that is training. Another approach to deterring that type of behavior is for offices to have very stringent penalties in place for individuals that they catch violating those rules. And there are also technological solutions that can help both prevent and detect unauthorized access.

Some hospital systems have put in social media policies that say comments by employees on their own social media channels -- even offhand -- have to be completely avoided.

Pritts: That's inappropriate disclosure. Healthcare providers are increasingly turning to social media, just like all of us are, to communicate with others. It's very important when they do, they keep the confidentiality of their patients foremost in their minds. Deleting someone's name is not sufficient.

Medical identity theft is a big problem today, our sources tell us. What's the best tip you would offer hospital CIOs to stop identity theft or information theft?

Pritts: There are a number of different steps that hospitals can take to protect themselves. We always encourage a multi-layered approach to securing information. First and foremost, we always recommend hospitals conduct a very thorough security risk assessment so they learn where their information is, who has access to it, and how it's being transported.

They then should be looking at some other things in addition to just a good security risk assessment. Many hospitals have put into effect very good programs for checking the people they hire and seeing their qualifications, [and] also doing employment checks to make sure the individuals they hire don't have prior criminal records or things of that nature that might [be] a red flag that this individual might be interested in stealing some of their data.

For the most part right now, the source of the data for creating medical fraud seems to be coming from insider threats; for example, insiders downloading information and then selling it.

So data theft as the result of insider threats exceeds data theft resulting from outside intrusions?

Pritts: Yes.

Read part 2 here.

Let us know what you think about the story; email Shaun Sutner, news and features writer, or contact @SSutner on Twitter.

This was first published in June 2014