A Cybersecurity Assessment of Health Data Ecosystems

This paper is an exploratory study that investigates data collected and used by health plans and reviews the laws and regulations governing this data to identify the gaps in protections and provide recommendations for eliminating these gaps. Health insurance companies collect a wide array of data about the people they insure, data that is often only peripherally relevant to the service these companies provide. The data environment currently consists of seven categories of data: personal health information, summary health information, personally identifiable information, financial information, professional information, biometric information, and lifestyle data or social indicators of health. Much of this data is protected under the Health Insurance Portability and Accountability Act (HIPAA) and under an array of other health care laws and regulations; however, there is a category of data not covered by these protections. Lifestyle data or social indicators of health is a category of data that is readily available through digital interactions with third-party platforms, wearable devices, and internet of things devices. This data can be identifiable to the individual but lacks the most basic regulatory and security protections. Weaknesses in HIPAA provide loopholes for data traditionally thought to be protected