New technological advancements can be exciting, especially in the healthcare industry. They can improve the patient experience while also enabling physicians to make the most of their time and optimize their treatment decisions.
Big tech companies are always on the hunt for more information, and data-rich healthcare providers are on their radar. However, for the healthcare industry, partnering with big tech could bring a lot of risks.
Demand for hospital data is on the rise
Hospital records contain sensitive personal information, and being able to integrate that data with the latest-and-greatest technologies often means making that data accessible to tech companies.
Stephen Klasko, CEO of Jefferson Health, which has 14 hospitals across New Jersey and Pennsylvania, said there are many companies looking for access to hospital records. "We are getting inundated with requests from companies who tell us they want to make our medical record more searchable," he said.
While searchable records would certainly help speed up efficiency, ensuring that information is well-protected is no small challenge. However, one of the things that tech companies need to be cognizant of is the Health Insurance Portability and Accountability Act (HIPAA) and the need to ensure that proper controls safeguards are in place to protect health information. Understanding and complying with HIPAA is a necessary component for companies that collect and store health data, and they need to show they take the risks seriously. Since patient data includes personal information, one of the biggest risks for patients, like with any other possible breach, is the possibility for identity theft if the information lands in the wrong hands.
Even de-identifying data to try keeping a person's information confidential is far from a guaranteed way to ensure that records are secure. A study in Europe published in July found that 15 demographic attributes would be enough to identify nearly 100% of patients, even if the data were anonymized.
In some cases, tech companies promise to de-identify records and fail to do so, which allegedly happened with Alphabet-owned Google (NASDAQ:GOOG) (NASDAQ:GOOGL) and the University of Chicago Medical Center. The tech giant now faces a class-action lawsuit initiated by Matt Dinerstein, who was a patient of Chicago University Medical Center in 2015. The suit suggests HIPAA violations and that, "In reality, these records were not sufficiently anonymized and put the patients' privacy at grave risk."
Breaches present additional risk
Breaches and failing to protect data adequately are not new concerns for the tech industry. Facebook's (NASDAQ:FB) Cambridge Analytica scandal offers investors a reminder of just how important it is for companies to ensure the data is adequately protected. In that situation, data for 87 million Facebook users was compromised, but Facebook hasn't backed down on its own foray into healthcare by launching a Preventative Health tool.
But even a company like Equifax, that's in the business of protecting information, failed to do so in a breach that took place a few years ago and involved almost 150 million people. In that situation, criminals gained access to sensitive information, including credit card numbers and Social Security numbers.
If top tech companies and credit agencies can't ensure safeguards are adequately in place, then hospitals and healthcare providers aren't likely to be in better shape. That makes it all the more important to ensure the risk is minimal right from the start, and that means not making personal health information available without the proper safeguards in place.
Why this matters to investors
HCA Healthcare (NYSE:HCA), which has 185 hospitals and 119 surgical centers in its portfolio, is a great example of a company that would have a lot to lose in the case of a breach, as it claims to have more than 28 million patient encounters every year.
The company has done a good job of steadily growing its profits and sales over the years, but one way that it could pad those results is by making technological improvements to improve its operations.
HCA could look to the Amazon (NASDAQ:AMZN) scribing service, which automatically transcribes conversations between patients and doctors and stores the information. It would free up doctors' time and allow them to see more patients. But that additional revenue could expose the company to risk, as utilizing the service would mean putting confidential patient information into the Amazon-hosted cloud. The service is HIPAA eligible and the company states in its frequently asked questions that "We do not use any personally identifiable information that may be contained in your content to target products, services, or marketing to you or your end users." Users retain ownership of the content and they can request that it be deleted.
If that data were compromised, it could discourage patients from visiting their hospitals which would, in turn, hurt the business. While HCA doesn't appear to be going down that route today, it may only be a matter of time before there's more integration between hospitals and tech companies.
One company that is familiar with protecting data for the life sciences industry is Veeva Systems (NYSE:VEEV), which aims to protect information through a "comprehensive security program based on ISO 27001" that includes onsite monitoring to prevent against unauthorized access. The company is transparent about the information it collects and what it uses it for so that users are aware of what information Veeva may have.
Healthcare stocks are typically seen as good defensive stocks to hold since they generally don't have a lot of volatility. However, stocks can quickly become risky if the underlying companies fail to adequately protect patient information.
That's why it's important for HCA's investors and owners of any other healthcare stocks to be cognizant of any deals that may impact their investments, especially if they involve tech companies and accessing patient information. Getting involved with big tech could make healthcare companies much riskier investments.
Investors should analyze any potential deals involving the two industries to assess what, if any, safeguards are noted, the reputation of the companies involved with respect to data protection, and whether the products or services are inherently vulnerable. By doing such an analysis, investors can have a clearer picture of the risk involved in a deal and sell any shares that become too risky because they're risking patient data.