Schneier on Security

thinker • March 24, 2010 5:45 AM

central storing of health data is a security nightmare. I will admit that there are benefits like better transfer of information between different doctors and hospitals. But these benefits could be achieved without centralized storage - it is a matter of regulation, backup and protocol. Just like the intertubes: you have lots of servers and clients and yet nowbody claims it would be best to use just 1 big datacenter. All that is needed is the DNS and linking for referencing whos got what and where and how to obtain it. There is no need for a one-knows-all kind of instance.

Putting all data together in one centralized infrastructure is quite dangerous. It WILL wet the appetite to use this data beyond the strict treatment of the patient. Nothing and nobody can prevent this. Insurance companies would pay big bucks for such informations: what does a data set consisting of valid name, adress, age and contact details net on the grey market? Imagine this value multiplied by 10 or more if it also contains medical history records, diagnoses, references to family members in case of genetic diseases etc.pp.
We had enough stories of loss of critical data, from the military (lost notebooks, harddrives etc.) to the government to banking (think credit card infos) to business (think economic espionage and customer databases) to know for sure that at no level we are able to give sufficient security to those kind of sensible data.

Then there are the current projects testing electronic health documents like in germany: on the health card there are different 'vaults' containing the keys for the centralized data, locked with the patients key. It should the patient enable to decide which data the doctor could see. Prescriptions should be stored directly on the chipcard.
Turned out, that during the first months of the test period nearly half the doctors shut themselves out of the system (forgot/wrong PIN), the patient were unable to remember another PIN (so phamacies could not read out the prescription sector of the chip card) and handling people with problems like alzheimer or simply old people (they are the ones who use the health system the most) became increasingly difficult.
Add the inherent flaws of the centralized system (how about redundancy, backup, guranteed access of the data in emergency and offroad situations?) and one sees why it has all boiled down to "the new card will have the patients photo printed on it". A big fail story which cost so far serveral hundreds of millions of euro.

I once read a very nice statement: private data (and medical data is no less sensitive) is like plutonium - if too much is accumulated in one spot it gets critical.

thinker • March 24, 2010 7:39 AM

@John Moehrke
I don't want to sound too pessimistic about new technology but imho the problem seems to be the differences in the objectives of storing health data. From a patients view one wants to be able to control ones data. That is easy - simply do not tell the next doctor your previous medications. No changes needed. If you are unsure what is necessary for a new doctor simply ask your normal doctor for a referral or a copy of your file.
From a doctors or hospitals perspective one wants access to medical history of a patient. This could be managed as well: make a policy for transferring the data on request with authorisation (by the patient or his selected physician with his permit). that is just a matter of protocol and regulation (e.g. force doctors to convey data on authorised requests - fax should do the trick).

From an industry POV one would want the need for big investments. This would be achieved by lobby pressure and technology fairy tales about how much better and brighter everything will be with computers.
Given the incline of politics towards lobby and the covetousness of industry towards big government fundet projects and data aggregation one can see where this will lead.

Interesting side note: in the proposals for the new health card in germany the given reasons where all in the line of "developing modern technology", "giving the own industry an edge", "reducing costs" (hah! seriously?!) and "beneficial side effects" (like installment of a nationwide PKI) - see the absence of a point like "better healthcare"?

thinker • March 24, 2010 8:50 AM

@Mike B "If people have to choose between giving up some privacy and being dead I think they will probably choose to share their info."
unfortunatly this is not the given choice. It is not giving up "some privacy" like lets say the number of pillows on your bed - it is the most sensitive private data. Medications of long overcome illnesses, current treatments of socially stigmatized conditions (AIDS being prime example) and genetic conditions which do not constitute an illness but merely statistical risks.
And the alternative is not "being dead" but the hassle of organizing the transfer of data - which can be regulated quite well without central storage.

And regarding the fading of stigma and protection by anti discrimination laws: whishful thinking.
It only makes insurance companies or employers a little bit more careful in the phrasing of their rejections. And you can not prove that the record of the short term treatment at a psychiatrist due to stress 15 years ago was not the reason.
Regarding the opt-in: only if NOT opting-in has no negative effects. But how likely is that?
"what's the point of security if it ends up killing people" - this can only be a poor attempt at trolling. The death of people is a statistical number in society. Arguing "but it can save lives" is fruitless. Banning individual transport by car could save ten thousands of lives.

thinker • March 24, 2010 9:39 AM

@Winter: why should health data be different from financial data? Lots of reasons spring to mind. Leaked credit card data or dispute with your bank? Open a new account in a different bank. Sue rating agencies to correct your record. Surely a hassle but manageable.

Leaked health data of you? Medical conditions, diagnoses (even when proved false afterwards?), medications etc.? No way of getting the p*ss out of the pool ever again. Try to get an insurance ever again. Ruin the prospects of your kids to get an insurance (genetic predisposition anyone?).

Current transfer of data does not work due to format incompatibilities? Change the official requirements to open standards. MRI scans can not be faxed? Mail them. Send a copy with a courier. Give the patient a copy. All solutions without the need for central storage.
Time is an issue? Hone the transfer protocols. Doctors to busy for digging up records? Why not let others handle this? Besides: didn't Dr. House teach us, that digging up stuff like a detective is the very essence of a good doctor? ;-)

The problem is not doctors chasing after records it is currently patients chasing after there records. Why not give the patient an updated documentation of their file after each treatment? In best cases this is just a copied sheet of paper for the folder at home, in difficult treatment plans this might even be a burnt CD or some other data storage. Patient visits another clinic and the new doctor needs the medical history? Patient brings his own file for the short time the clinic is waiting for the 'official copy' via established transfer protocols.

I don't see any need for central storage - or more specific: nothing that would justify the risks.

thinker • March 24, 2010 10:55 AM

@winter:
I also live in a country with a better insurance system like the US. Lucky us :-)

I still see health data a tick more sensible like tax data or credit card data. Just the sme with biometrics vs. passwords or tokens for me: any password or bank account can be changed. It may require effort and time and money and can involve inconveniences like not having an ATM nearby, but can be done. Biometrics and health history not so. If its spilled then it is game over. No thread of prosecution will hinder interested parties to use the data. Hell, we have laws against discremination already - does this prevent the pressure on unwanted personnel e.g. in discounter stores? How widespread is the abuse of power (and knowlegde of data is power) and how often and how much are the abusers really prosecuted?
And even if so - how does this help a person whos HIVinfection is furthermore sticking on his data shadow like tar?

Patient losing their data? Tough luck for an individual. Personal responsibility and so. Losing health data on database-scale? A nightmare for society. Who will trust his doctor when not even the doctor can be held responsible for the protection of the data?
Having to miss an appointment because of missing records? Looks like a scheduling problem to me - either make sure to bring the needed copies yourself or schedule for a date after validation of successful data transfer.

The problem with having to visit just to collect your file is an organisation problem. It could be delivered to you by courier. You could pick it up the next time you have an appointment. You could call them and have them send the copy directly to the next doctor (some sort of prevention for social engineering necessary) and so on. It can be done.

And yes, I have some knowledge about the health care sector due to my family. I know how nice it would be if the data would be there at your fingertips on your screen and instantanious and correct. this will not be the case. Never. And central storage system will not solve this. Ask a doctor if he would trust the victim of an accident with the info on the his blood type. Even for legal reasons they have to check for themselves.
In an ideal world this idea sounds grand. But then again we are talking big corporations, governments, big money and diverging goals of different participants here. the ovious risks seem not to justify the possible benefits.

But I am not a doctor or a government contractor...

thinker • March 24, 2010 11:49 AM

@winter:
It may be a personal thing. a POV. But imho there is a difference between the tax data and the health data. Income can change - personal conditions like infections or genetic predispositions may not.
For the cost factor: maintaining a high availibility solution for stored data with redundancy, backup and security will also not come for free. Pilot projects in germany did cost so far around 2 billion euro. A lot of couriers could be paid by that ;-)

And individual stories of patients are always very touching but should not be the basis for decisions on such big issues. Otherwise I will answer with a story of someone who would have survived if the national speed limit would have been 30km/h and demand the law to be changed to that speed limit on all roads.
It WILL saves thousands of lifes. Guaranteed.

thinker • March 25, 2010 2:46 AM

@Appsec: that is exactly my point - we have to assess the benefits and risks of the options and make a decision. Personally I tend to the conclusion that the risks are not worth it. Other opinions may differ. I only suspect that there has not been a neutral assessment yet and the pressure from lobbyists will bias any solution.

@Protonius:
"agencies unknown"? "mandating implanting microchip"? Whatever you might have taken - I recommend to change the dosis.
Try tin foil hats.

thinker • March 25, 2010 5:28 AM

@winter: [tin foil hat tracking]
thats a good one :-)

anecdote: a friend is traveling by train and one passenger on his wagon talks annoyingly loud with his mobile phone. It is all about conspiration theories and how the government is hiding important stuff and everybody in the wagon is on the edge because of his loud talks. When the train stops at the next station the friend leaves and when going to the exit in passing the telephone guy he plants a hand on his shoulder and says gravely "and we know where you live too" and then leaves. The face of the conspiration theory guy was reported to be a priceless display of horror ^_^