ECRI, a patient safety-focused nonprofit, recently issued an alert warning hospitals about the cybersecurity risks associated with the use of third-party analytics tools. When providers install this software on their websites and patient portals, they may be exposing patient data, ECRI warned.
This exposed patient data may be misused to tailor advertisements based on consumers’ medical conditions. These inappropriately targeted advertisements could push unproven treatments and lead patients away from seeking appropriate care, according to the alert.
Exposing patients’ sensitive information could also result in fines, legal action and patient distrust of providers, the alert pointed out.
Hospitals are not very cognizant of the dangers associated with the use of third-party web analytic tools, Chad Waters, senior cybersecurity engineer for ECRI’s device evaluation group, told MedCity News. He said that most provider websites have multiple web analytic and tracking tools installed.
“This particular issue illustrates that healthcare organizations should realize that there is more to privacy than HIPAA regulations,” Waters declared. “Analytic tools can infer sensitive health information from a user’s browsing activities on a provider’s site regardless of whether or not it is protected health information. Providers should consider their role in protecting patient privacy in that broader scope.”
Some common examples of third-party analytics software used by providers include Google Analytics, Adobe Analytics and Meta Pixel. These tools are usually free and can give providers insight into the way consumers use their websites, but the tech companies that provide this software can also use patient data to profile Internet users as they browse.
This is not the first time concerns have been raised about providers’ use of Meta Pixel. ECRI’s alert referenced a June report from The Markup, which said that the tool exposed appointment scheduling information to Meta when providers used it within their Epic MyChart patient portals.
Additionally, Advocate Aurora Health, a health system based in Wisconsin and Illinois, recently disclosed a data breach that involved Meta Pixel.
In a statement the health system posted last month, it said it had disabled the software. But a patient affected by Advocate Aurora Health’s breach has sued the health system in a class-action lawsuit. In his complaint, he claimed his private information was shared with Meta in a breach that could have affected three million patients.
ECRI’s alert encouraged hospitals to scrutinize their use of analytics tools more closely and to establish policies and best practices for deploying these tools.
“It is important to understand that many of these tools are free because their revenue model is dependent on building profiles of Internet users,” Waters said. “There are web analytic tools that do not use that model. Hospitals should review usage policies and be cautious on where these tools are deployed.”