How a Advertising and marketing Software is Turning into the Healthcare Trade’s Safety Nightmare

October 28, 2022

1

In October, non-profit well being system Advocate Aurora Well being notified sufferers of an information leak associated to its use of monitoring pixels from Google and Fb’s mum or dad firm Meta. These applied sciences, put in on the corporate’s affected person portals, transmitted private well being info (PHI) to the third-party corporations offering the pixels.

Advocate Aurora Well being has 27 hospitals throughout Illinois and Wisconsin, and the information publicity affected as much as 3 million people.

Monitoring pixels
are 1×1 pixel-sized graphics, typically invisible to the consumer and embedded into web sites, adverts, and emails. They’re used primarily to gather knowledge about consumer conduct — like readership patterns and publication engagement — and ship that knowledge to an exterior server.

Monitoring pixels are generally used for advertising and marketing functions, however Advocate Aurora Well being is just not the primary well being system to expertise a PHI leak associated to the usage of this expertise.

Utilizing Monitoring Pixels in Healthcare

Advocate Aurora was utilizing monitoring pixels to “higher perceive affected person wants and preferences to offer wanted care to our affected person inhabitants,” in response to the well being system’s knowledge breach notification. And it isn’t alone.

WakeMed, a well being system primarily based in Raleigh, North Carolina, positioned pixels from Fb on its web site and its MyChart affected person portal in March 2018. It disabled the usage of pixels in Might 2022, however this month, it reported that info entered into its affected person portal and scheduling web page could have been despatched to Fb.

In August, Novant Well being, additionally primarily based in North Carolina, notified sufferers of the potential disclosure of PHI associated to make use of of Meta monitoring pixels.

In every of those incidents, the well being techniques reported that the disclosed info, for probably the most half, didn’t embrace Social Safety numbers or monetary info. Somewhat, the PHI disclosed included info equivalent to e-mail addresses, IP addresses, and scheduling particulars. The Aurora notification states that appointment/process information and affected person communications on MyChart may also have been uncovered.

This sequence of comparable incidents calls into query the position monitoring pixels play in healthcare, a sector wealthy with info valued by cyberattackers.

“Client exercise monitoring for the aim of promoting is just not a match for the well being sector,” Mike Hamilton, CISO of cybersecurity agency Vital Perception and former CISO for town of Seattle, argues. “Due to regulatory oversight by the [US] Division of Well being and Human Companies, in addition to the privateness statutes popping out of states, just like the California Client Privateness Act, this isn’t info that’s germane to the well being sector mission, and its possession creates vital legal responsibility.”

These breaches may have been prevented with the usage of a special type of expertise, in response to Hamilton. “This might have been prevented by way of different analytic instruments to grasp affected person utilization fairly than a advertising and marketing approach that’s designed to collect and share a lot info that’s exterior the scope of the meant objective.”

“At the least dozens of the nation’s high hospitals use monitoring pixels for hundreds of thousands of sufferers. Which may be altering quick on account of new legal guidelines and lawsuits that can power organizations to alter course drastically,” Paul Innella, CEO of TDI, a world cybersecurity firm within the banking and healthcare areas, tells InformationWeek.

Class motion lawsuits, just like the one filed in opposition to Meta and the College of Pittsburgh Medical Heart (UPMC), have sprung up within the wake of breaches associated to pixel use by well being techniques. Chicago hospital Northwestern Memorial Hospital is going through a related class motion lawsuit associated to its use of Meta pixels.

Incident Response

Advocate Aurora Well being, WakeMed, and Novant Well being all disabled the monitoring pixels following their respective knowledge leaks. WakeMed “has no plans to make use of it sooner or later with out affirmation that the pixel not has the capability to transmit doubtlessly delicate or identifiable info,” in response to its information launch.

Whereas these incidents are a cautionary story, monitoring pixels are doubtless nonetheless in use at different well being techniques. “Organizations deploying monitoring pixels must do their due diligence to make sure PHI is correctly secured and solely approved customers have entry,” says Oscar Miranda, CTO for healthcare at cybersecurity firm Armis.

Moreover, Innella advocates for board-level involvement in terms of these varieties of knowledge exposures. “Within the case of this explicit breach, hospital board administrators must be demanding solutions. Which third-party tech and add-ons are we utilizing? Have they been reviewed and accredited, to incorporate any settings, from a safety and danger perspective?” he says.

Cybersecurity Vulnerabilities in Healthcare

Pixels are instruments for understanding consumer conduct, which in flip can assist well being techniques with focused advertising and marketing. However the healthcare business should stability the usage of modern expertise with each regulatory compliance and affected person belief. Misconfigured monitoring pixels put well being techniques susceptible to violating HIPAA, in addition to state and federal privateness legal guidelines, in response to Miranda.

“This occasion is indicative of a giant development within the healthcare business, as innovation will increase and new instruments are carried out into care practices, it is important that these related medical gadgets don’t go unmanaged with outdated software program and vulnerabilities left unpatched,” he says.

A complete of 337 knowledge breaches impacting 500 or extra affected person information have been reported within the first half of this 12 months, in response to the 2022 Mid-12 months Horizon Report: The State of Cybersecurity in Healthcare from healthcare cybersecurity firm Fortified Well being Safety.

Using pixels is only one potential vulnerability in an business with a rising assault floor fueled by the adoption of applied sciences like IoT and IoMT.

“This newest breach is one more unlucky reminder that cybersecurity throughout healthcare is an ongoing problem; the funding and experience isn’t the place it must be, and stakeholders are realizing how they may profit from implementing a cybersecurity efficiency administration mindset,” says Innella.