Listen Up

Sunday, February 16, 2020

Your Poorly Secured Medical Credit Score Could Deny You Care

There is now a number, that you can't see, that follows you wherever you go.



Private hospitals are now consulting a secret medical credit score from Experian before you even see a doctor. As a patient you do not have access to this score, nor can you see how it is generated. All you know is that you may be denied care, or receive different care, because of it.  
In our backward health care system, neither the hospitals nor Experian see any potential issue with this. It helps a hospital's bottom line and that's what counts. They're actually pretty excited about it:
I spoke with Ashley Reede, information systems and privacy consultant, who worked with a private hospital in California as they were onboarding Experian's 'Financial Clearance' system. What she saw was quite upsetting and she wants people to know what's happening with their data.
"The revenue department came to me and said they were going to start sharing data with Experian," she says. "They wanted approval to send data from reception/patient admittance to Experian to check a medical credit score that's generated and assigned by Experian. Then Experian would send that score back to the hospital."
The Financial Clearance system combines medical records along with the financial records Experian already has on you to calculate the score. Since they have a network of hospitals reporting this kind of data, separate visits to different hospitals by a patient are no longer siloed. There is now a number, that you can't see, that follows you wherever you go.
"The central issue is that we don't have any actual transparency on what's in the record," says Reede. "I can't see what this is being evaluated on."
And have you ever found anything inaccurate on your credit report? The process to get it expunged is so onerous that many people just leave the false item on the report. But at least in that case you can see what other people see. With this new, arguably more important score, it's secret.
"What if you paid a medical bill and now it's reported that you didn't?" says Reede. "You'd be totally unaware that you have medical delinquency on your report. You have no recourse and you don't know what you don't know."

The Worst of a Bad Situation

Let's all keep in mind under what circumstances one would be approaching reception at a hospital. There is something wrong with your health, or the health of someone you love, and you're seeking medical care. Under these heightened circumstances, you now have to wait to see if a company thinks you're a good customer for them.
While Reede says this is likely not an issue for larger hospitals that have less financial pressure (although Kaiser Permanente uses this system), it's definitely appealing for smaller hospitals that will notice a hit to their finances if a patient defaults. She also points out that this is for private hospitals, not public.
But without any public pushback, it could conceivably be used for public hospitals as well. At a time when we seem to be burning down any regulation we can find and trying to privatize everything, this is a window into a possible future.

At Least It's Secure, Right?

There are security certifications that most big vendors of Experian's size have. Google, Salesforce, and AWS all have them, and they have dedicated teams that work year-round to get them. As part of her consulting with the hospital in California, Reede had to discuss this certification with Experian.
"Experian had issues with getting their certifications," says Reede. "There were discrepancies. They were having difficulty administering and patching servers within their environment. While that is a common occurrence in IT Security, it does create vulnerabilities and can create opportunities for data loss."
Experian's infrastructure that handles regular credit scores does have these certifications, but the medical score system did not.
We expect our personal data to stay at the hospital. We don't anticipate that it might be shipped to a less secure third party.
Google secretly gathered millions of patient records across 21 states on behalf of a health care provider, in an effort dubbed “Project Nightingale,” reports The Wall Street Journal. Neither the provider’s doctors nor patients were made aware of the effort, according to the report.
The Wall Street Journal’s Rob Copeland wrote that the data amassed in the program include “lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, complete with patient names and dates of birth,” and that as many as 150 Google employees may have had access to the data.
The New York Times corroborated much of the report later in the day, writing that “dozens of Google employees” may have access to sensitive patient data, and that there are concerns that some Google employees may have downloaded some of that data.
Standard Industry Practices, according to
But Google tells The Verge that despite the surprise, it’s standard industry practice for a health care provider to share highly sensitive health records with tech workers under an agreement like the kind it signed — one that narrowly allows Google to build tools for that health care provider by using the private medical data of its patients, and one that doesn’t require patients to be notified, the company claims.
Many health care entities attempt to partner with Google in order to use tools such as search and artificial intelligence as an API, harnessing capabilities not present in their EHR. This may well be fine in other industries; however, here it is akin to opening a Pandora's box that contains your medical records.

It is doubtful that all the details have been carefully examined by HHS and HIPAA.
There is no greater security than a file locked in a steel cabinet. The more complex a system is, the more likely it is to fail. To get at a file in the office, an intruder has to break the door and jimmy the file cabinet before your records are exposed. Once your data is digitized and sent to the cloud and to many other entities, the risks escalate enormously.
You do own your private data, BUT so do many other entities and hackers.

