Viewing Health IT Privacy as a Purchase Decision

Recent privacy storms around government surveillance, big data / analytics, social media and so forth have led many media publications to proclaim “privacy is dead.” To cope with these trends, as well as wearables, drones, Internet of Things (IoT) and other technologies just around the corner we need to move beyond a view of privacy in absolutes. If we truly had no privacy, and all of our personal information was available to anyone that wanted it then we would be in much worse shape from a privacy standpoint than we currently are.

Research studies have shown that users are increasingly empowered with mobile devices, apps, social media, and new trends around wearables and IoT are sure to compound this. This empowerment has enabled users to be productive in ways we couldn’t imagine a decade ago. However, this has also provided a lot of rope with which users can, mostly inadvertently, hurt themselves and others from a privacy standpoint. This is evident in studies such as Workarounds in Healthcare, a Risky Trend that shows that when usability is lacking in solutions or security, or IT departments get in the way of healthcare workers they find alternative workarounds that get the job done, unfortunately also adding non-compliance issues and additional privacy and security risk. This trend is particularly acute in healthcare where personal information can be very sensitive and is heavily regulated, for example by HIPAA, and healthcare and wellness apps working with such information are proliferating at an amazing pace.

To cope with this increasing empowerment of users, and the fact that user behavior is a major and growing source of privacy risk, users need to make better decisions regarding how to engage in technologies. Consumers make purchasing decisions every day, where they evaluate the value of the purchase against the cost and make a decision whether to buy or not. Viewing decisions whether to engage in technologies through this metaphor we can think of the purchase as the potential engagement in technology, the value as the benefit of the engagement, and the cost as what privacy we are giving up by engaging which depends on the personal information that will be shared as part of the engagement.

In many technology engagements today users pay little to no attention to the “privacy cost” as evidenced by studies that show little attention to permissions granted to apps being installed on mobile devices. To address this we need to improve technologies that show end users the “privacy cost” of their decisions. Further, effective privacy and security awareness training for users is much needed. We can learn from the gaming industry where gamers, including young children, learn highly complex games “on the go” without ever reading a manual.

Technologies such as app permission watchers, ad network detectors, site advisors, endpoint DLP have started to shine a light on “privacy cost” and risks and thereby influence users to make better decisions regarding where and how they engage including what apps they use, what websites they visit, and what actions they perform on their devices.

Much work remains to be done here to help users make better decisions about what technologies they want to engage with, and how they want to engage including how they will configure and use the technologies to both achieve their goals, while minimizing the privacy cost and risk.

What questions do you have?