Co-Founder and President of Protenus, an analytics platform that detects inappropriate activity in healthcare institutions.
As a co-founder of a company that helps health systems detect threats to their organization proactively, I strive to be years ahead of industry standards when it comes to protecting patient data. Therefore, rather than waiting until next year to recognize the 10th anniversary of HITECH (Health Information Technology for Economic and Clinical Health), which has fundamentally transformed health care technology, I decided that it might be more interesting to celebrate HITECH’s 9th anniversary and get a one-year head start on my reflection.
HITECH has always had a special place in my heart — I remember hearing about it while researching the American Recovery and Reinvestment Act (ARRA), our nation’s historically transformative stimulus package during the 2008 financial crisis. The HITECH provisions of ARRA were designed to provide tools and incentives to U.S. Health and Human Services (HHS) in order to effect a major shift to electronic health records, among other goals. At the time, I was a young hedge fund associate at Bridgewater, where I focused on applications of artificial intelligence for government analytics. When HITECH was passed, I was beginning a personal journey that would lead me to health IT; in many ways, HITECH’s rollout has paralleled my coming-of-age, or bildungsroman, in health IT.
Even as someone not yet in the health care industry, I realized that these provisions could fundamentally change health care in a variety of ways. While this funding was small relative to the entirety of ARRA, the idea of moving an entire industry from paper to digitized records piqued my interest — what would all the downstream effects be? Wouldn’t opening the floodgates create a set of externalities that could hardly be anticipated? These questions led me to become a researcher at Johns Hopkins in 2010.
The world that I entered as a researcher was one of rapid change — we were partially in two worlds, one filled with paper records and another with digitized records — we were struggling to understand where we belonged. The Meaningful Use program, which distributed $30 billion in incentives for electronic health record (EHR) utilization, poured fuel onto the fires of an existing trend toward digitization. In the process, we went from 9% coverage in 2008 to 96% coverage in 2015. This digitization has empowered us to use data in all-new ways to improve patient care.
We now have the ability to look across entire populations to understand high-risk areas, to detect and eliminate operational inefficiencies and to manage chronic disease with much-improved precision. These gains are unfortunately only one side of this story. Much of what we read about rightfully focuses on the bright spots — but I feel a need to shine some light on the darker corners of this phenomenon as well.
In 2012, when I switched to medicine, I saw a challenge that came as a consequence of the digitization, data use and interconnectivity spurred on by HITECH. The HITECH provisions of ARRA also provided clarification and rulemaking on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and had the goal of improving health care privacy and security. There were many new tools provided to regulators, and expansions of definitions so HIPAA covered more employees, affiliates and business associates, all of whom directly interact with Protected Health Information (PHI) every day. Furthermore, the provisions provided for increased penalties (up to $1.5 million per violation, which could result in astronomical fines) in the case of breaches of PHI.
However, while these clarifications and new tools were helpful, they weren’t enough to counter the flood of new data and ways to access this data that were rolled out across the industry. In a rush to rulemaking, HITECH’s Meaningful Use Program had very few explicit requirements and incentives related to privacy and security. People followed the incentives instead of fearing the penalties, and there were real consequences. We created a huge amount of new health data and provided broad access to this information but had no way to understand what constituted appropriate vs. inappropriate access to PHI. As a result, more than one breach happens every day, and we know that’s just the tip of the iceberg.
One way to solve this issue comes with the promise of next-generation platforms and artificial intelligence, which can be used to tackle this challenge and gain full visibility into how patient data is being accessed (millions of accesses per day for your average health system). Through my extensive work in health data analytics (the latest chapter in my journey), I believe it is possible to protect patient data while facilitating its use; the more we trust our data is being used appropriately, the more we’re willing to share it. However, the defense of health data is about much more than just new technology.