Analysis Report Four - Health Privacy and Data Profiling

Author

Ryder Ward

Executive Summary

As with any data systems, hacking, ransomware, Trojan Horses and many other technological methods of breaking into a database is of constant worry. (Sittig and Singh (2016)) Many healthcare systems have been effected by such events and this results in a lot of work to figure out what was accessed, how it was accessed, and who they need to notify (i.e. patients). Not to mention healthcare systems contain vast amounts of personal information for each individual that has been entered into the system. This information can range from addresses or Social Security Numbers to current diagnoses and procedures. Nonetheless, it is the healthcare system’s duty to ensure they are providing effective and safe management of the data in their database. However, an cyber attack is not a question of if, it is of when. (Sittig and Singh (2016)) Healthcare systems have to be hyper-vigilant in the protection of patient data. Without this protection the health system will not only face federal charges for violating HIPAA but will likely lose patients as the public will lose trust in the system. Overall, with the amount of data collected and contained in a health system’s electronic health record, the system has no choice but to have major protective mechanisms in place for when a cyber attack occurs.

Introduction

AS technology has progressed, so has the ability for healthcare systems to be able to create and maintain large databases that contain the most sensitive of information for the patients the system has to care for. (Dubovitskaya et al. (2020)) From various diagnoses to just a patient’s address this information is all electronically stored and that means it is vulnerable to an electronic attack or cyber attack. In more recent history, ransomware has shown up in cyber attacks on the healthcare system’s database(s). (Sittig and Singh (2016)) This allows the hacker to try and receive funds from the organization to essentially pay them to get out of the database and “return” any information they may have extracted. () Not shockingly, paying the ransom doesn’t get you anywhere except for less money in the corporate bank account and a large privacy breach of undetermined extent. (Yankson et al. (2025))

Hackers are very intelligent individuals and typically strike after collecting what information they were looking for. Many reports explain how the information technologists of a healthcare system had not even known a hacker was in the database for days or weeks until a ransomware attack occured. This leaves many hard questions for upper level management to answer. How much information was collected by the hacker? How did invade the database? How many individual patients were exposed? Does this attack need to be reported to the federal government? This is just a few questions that have to be answered in a timely manner to ensure patient information is protected as soon as possible. (Yankson et al. (2025))

The Healthcare Context

The burden of implementing an electronic health record can be quite troublesome for some healthcare systems, but the real issues arise in protecting the information found in these EHRs. Patients fill out various forms that provide their address, phone number, gender, marital status, ethnicity, etc. when being treated in a healthcare system. (Alarfaj and Rahman (2024)) Getting buy in from various stakeholders like clinicians, nurses, and pharmacists isn’t the biggest hurdle that chief technology officers, information analysts, and healthcare leaders face. (Walsh (2004)) It is much easier to teach those who are involved on the direct patient care side of the EHR to input patient data, fulfill orders, and document whatever is necessary for the patient’s encounter. Protecting all this information is where healthcare systems have quite the challenge. (Alarfaj and Rahman (2024)) With ever advancing technology and integration of this technology the management of a database comprised of sensitive patient information should be in the forefront of healthcare leaders’ minds.

Cyber attacks can lead to the complete demolition of the EHR and leave patient information poorly protected. Some of these attacks on healthcare databases work to disable certain parts of the software and databases. (Sittig and Singh (2016)) This leads to practitioners having to go back to paper charts during these attacks that usually have no end in site. (Dubovitskaya et al. (2020)) Many healthcare systems not only have electronic health records but many devices that integrate into the record to help record everything that happened during a patient’s visit. For example, robotic surgeries and all scans (X-ray, CT, MRI, etc) can all be disabled in the case of a cyber attack. With the advancements in technology alone who is to say that a hacker couldn’t hack into one of the robots used for laproscopic robotic cholecystectomy and cause physical damage to a patient. (Yankson et al. (2025)) Statements like the one above send shivers down the spines of healthcare managers. Not only can these hackers damage a database but they can possibly damage patients, whether emotional, physical, or mental damage. Overall, healthcare systems have a duty to provide a safe environment for its patients to heal and not have to worry whether their information will be found on the black market.

Data Visualizations

Choosing a Patient:


SELECT admissions.subject_id, dob, dod, dod_hosp, gender, language, religion, ethnicity, marital_status, diagnosis, admittime, dischtime, CAST(los AS INTEGER) as Length_of_Stay_Days, CAST((julianday(dod) - julianday(dob)) / 365 AS INTEGER) as life_span
FROM ADMISSIONS
INNER JOIN PATIENTS
ON ADMISSIONS.subject_id = PATIENTS.subject_id
INNER JOIN ICUSTAYS
ON ADMISSIONS.hadm_id = ICUSTAYS.hadm_id
WHERE MARITAL_STATUS = "MARRIED"
AND DIAGNOSIS LIKE "CHEST%"
AND GENDER = "F"
ORDER BY DOD_HOSP
1 records
subject_id dob dod dod_hosp gender language religion ethnicity marital_status diagnosis admittime dischtime Length_of_Stay_Days life_span
42199 2044-06-27 00:00:00 2117-04-04 00:00:00 2117-04-04 00:00:00 F ENGL PROTESTANT QUAKER WHITE MARRIED CHEST PAIN 2117-03-21 12:55:00 2117-03-31 12:10:00 5 72

Using the query above, this extracts a single patient from the MIMIC-III database. Specifically, the patient with the subject_id of “42199.” Along with this patient’s subject_ID there is much more data that can be extracted from the database. This includes the patient’s date of birth, date of death, marital status, language spoken, diagnoses, religion, ethnicity, and admission time. That is a lot of data that is easily extracted from the database when the correct commands are provided. The problem with this information is that it shows users of this database the ease to get all this protected information out of the database. This leaves the question, will some users take their skills and try to hack into other healthcare databases? Time will tell but learning how to extract the data for use in the management sector of healthcare can provide you the knowledge of how to prepare for, respond to, and prevent a cyber attack.

Determining Drugs Given during Admission:

SELECT prescriptions.subject_ID, drug, caregivers.label as CAREGIVER, COUNT(*) as DOSESGIVEN, startdate
FROM PRESCRIPTIONS
INNER JOIN inputevents_MV
ON prescriptions.icustay_id = INPUTEVENTS_MV.icustay_id
INNER JOIN CAREGIVERS
ON inputevents_MV.cgid = CAREGIVERS.cgid
WHERE prescriptions.subject_id = "42199"
GROUP by drug, startdate
ggplot(data = pt_42199 ,
       aes(x = DOSESGIVEN, y = drug, fill = startdate)) +
  geom_col() +
theme_minimal() +
  theme(axis.text.x = element_text(size = 10)) +
  labs(
    title = "Medications Administered to Patient 42199 \n During Their Terminal Visit",
    subtitle = "Data taken from PRESCRIPTIONS, \n INPUTEVENTS_MV,& CAREGIVERS",
    x = "Doses Administered",
    y = "Drugs Administered",
    caption = "Source: MIMIC-III Clinical Database v1.4",
    fill = "Drug Start Date")

During patient “42199’s” terminal stay for a diagnosis of chest pain, the patient received many medications. This query produces the exact medications the patient was given, along with the number of doses, and on what days those doses started. This information alone provides quite a look into the patients care. For example, if a healthcare leader needed to determine how much Metoprolol Tartrate was given and which day(s) this report expresses clearly. Metoprolol Tartrate is a beta-blocker used to slow heart rate and increase cardiac output. Drugs like Metoprolol Tartrate are used a lot in the cases of patients having chest pain. Another angle of this report is to provide the medications that helped this patient pass away peacefully. Specifically, scopolamine, morphine sulfate, and lorazepam. This is a typical hospice combination that aids in decreasing the work of breathing and easing the strain on a patient’s body near time of death.

Recommendations for Industry

Healthcare is an ever evolving field with medical advancements in ranging from new medications to new heart valves. Along with health care’s advancements, other fields, such as technology have also evolved significantly. This has been beneficial in numerous ways to the health care system as it has created things like electronic health records, technology that produces better imaging scans, and even clinical decision making when it comes to a practitioner choosing a patient’s treatment plan. (Dubovitskaya et al. (2020)) All of the benefits certainly do not outweigh the risk. With that biggest risk being a cyber attack. Health care systems are large repositories of data that is deemed as protected under HIPAA. (Yankson et al. (2025)) With the federal government ensuring that health care organizations abide by HIPAA and protect patient data it is no surprise that with the increase in the use of technology in healthcare has only increased the risk of a patient’s data being leaked.

As with any new program or device implementation in healthcare safeguards must be put in place. Specifically, for the data that is collected via an electronic health record there must be protective mechanisms stronger than a firewall that stands in the way of hackers from accessing the information the healthcare system stores. These mechanisms are expensive but there is no price on ensuring a patient’s information is safe. Healthcare systems must remember that without patients there would be no healthcare system. Overall, with the expansion of artificial intelligence and healthcare EHR integration, healthcare systems must be armed and ready for when a cyber attack occurs.

References

Alarfaj, Khalid A, and MM Hafizur Rahman. 2024. “The Risk Assessment of the Security of Electronic Health Records Using Risk Matrix.” Applied Sciences 14 (13): 5785.
Dubovitskaya, Alevtina, Furqan Baig, Zhigang Xu, Rohit Shukla, Pratik Sushil Zambani, Arun Swaminathan, Md Majid Jahangir, et al. 2020. “ACTION-EHR: Patient-Centric Blockchain-Based Electronic Health Record Data Management for Cancer Care.” Journal of Medical Internet Research 22 (8): e13598.
Sittig, Dean F, and Hardeep Singh. 2016. “A Socio-Technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks.” Applied Clinical Informatics 7 (02): 624–32.
Walsh, Stephen H. 2004. “The Clinician’s Perspective on Electronic Health Records and How They Can Affect Patient Care.” Bmj 328 (7449): 1184–87.
Yankson, Benjamin, Mehdi Barati, Rebecca Bondzie, and Ram Madani. 2025. “The Rise of Hacking in Integrated EHR Systems: A Trend Analysis of US Healthcare Data Breaches.” Journal of Cybersecurity and Privacy 5 (3): 70.