Electronic Health Record Security Analysis

In British Columbia:

When Auditor-General John Doyle and his staff investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority, they found trouble everywhere they looked.

“In every key area we examined, we found serious weaknesses,” wrote Doyle. “Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information without the authority even being aware of it.”

[…]

“No intrusion prevention and detection systems exist to prevent or detect certain types of [online] attacks. Open network connections in common business areas. Dial-in remote access servers that bypass security. Open accounts existing, allowing health care data to be copied even outside the Vancouver Coastal Health Care authority at any time.”

More than 4,000 users were found to have access to the records in the database, many of them at a far higher level than necessary.

[…]

“Former client records and irrelevant records for current clients are still accessible to system users. Hundreds of former users, both employees and contractors, still have access to resources through active accounts, network accounts, and virtual private network accounts.”

While this report is from Canada, the same issues apply to any electronic patient record system in the U.S. What I find really interesting is that the Canadian government actually conducted a security analysis of the system, rather than just maintaining that everything would be fine. I wish the U.S. would do something similar.

The report, “The PARIS System for Community Care Services: Access and Security,” is here.

Tags: , , , , ,

Posted on March 23, 2010 at 12:23 PM53 Comments

Comments

John March 23, 2010 1:34 PM

and in the UK there will be the NHS National Data Spine containing summary records. I wonder if that’s been looked at from a security point of view. IIRC BT are involved in one of the consortia

Clive Robinson March 23, 2010 2:00 PM

@ Bruce,

I don’t know why Governments are so keen on putting peoples medical records into a central target (DB).

The usualy touted reason is “if you have an accident” has actually be proved to be not a good idea. Simply because if a hospital treats you based on a healthcare record without veryfing it’s actualy yours they are looking at a large law suit. And if they can verify it’s your medical record 99 times out of 100 they will get the information faster by asking…

Thus things like the NHS spine actually have no “value added” to those who are paying for them (ie the tax payer).

However to various people the records are worth a lot of money, provided they can get permission to use them.

As has been seen the likes of Patrica Hewit and the other Blair Puke Babes have ulterior motives when pushing through access to medical records. And various Gov Ministers have knowingly broken EU legislation and Court findings to make the data available.

Unfortunatly the data is not even well anonymized by standards of ten years ago, and we currently know that anonymization just does not work…

And to be quite honest I think the latest MP scandle involving Patricia Hewit is well overdue.

But importantly there should be a review of all decisions she and the other latest group of “crook MPs” have been involved with…

Oh and by the way to all those of you in the US congratulations on getting your foot on the first rung of “medical treatment” for all, it will make a lot of difference to a lot of peoples lives, and hopefully in a few years everyone will look back scratch their heads and wonder what the heck all the fuss was about.

BF Skinner March 23, 2010 2:55 PM

Ah the old days…Got a question from a client who had a good program in good shape looking to release an RFP who asked “So what’s the next phase?”

I looked at my CISO who did an eyeroll and said “We don’t really know. With most of our clients we keep doing phase 1 over and over and over again.”

AppSec March 23, 2010 3:03 PM

@Clive:
If done right, managed health care data would be extremely beneficial.

Imagine where your child’s (or your) doctor could have a view into your parents history and your siblings? Or where you had to run from doctor to doctor (I believe you have) and rather than repeatedly filling out forms where there’s opportunity for human error (did I forget something? did I not think something was valid?) there’s simply a verification of shared data. Imagine when you tranfer doctors you don’t have to deal with wondering when will your records get shipped over (or managing it yourself). Imagine you have the ability at any point in time to access and download your own records.

I do agree that the “expediting of access in emergency situations” is overstated, but then I find more value in it from the day to day and normal usage rather than that.

Of course, I’m also imagining a time when none of that data is really any value at all to anyone else but you and the doctor you are seeing for treating you. So, that just shows my romantic idealism!

GreenSquirrel March 23, 2010 3:11 PM

Slightly OT (and to be on topic, I broadly agree with Clive).

One of the things I actually hope is that Hell is a real place and Patricia Hewitt will go there (along with Meg Hillier and the rest of the bunch of )

Electric Landlady March 23, 2010 3:46 PM

We love the Auditor General! (Pedantic note: this report was produced by the Auditor General of the province of British Columbia, not his federal counterpart. Although she also rocks.)

Not Anonymous March 23, 2010 4:27 PM

Why should my doctor have any access to my relatives’ medical records? I certainly don’t want random doctors to have access to mine just because someone claims to be a relative of some sort.

Rob Lewis March 23, 2010 4:54 PM

Ah yes, the Facebook standard of privacy might be a bit of a problem for governments as they adopt the electronic medical health record.

It is sort of ironic that the biggest problem in Ontario Canada is a privacy provision called “Lockbox” where a patient can deny specific authorized users in the system, such as their Dad’s best friend, or a neighbor, from accessing their record and the institution must be able to prove it.

lenticular March 23, 2010 7:05 PM

I want to chose which parts of my medical history I reveal to which doctors. There is a GE ad on tv for online medical records in which a doctor is interviewing a patient to get his history. Instead of getting it from the patient, the doctors in the audience, who have presumably treated the patient in the past, pipe up with the information through the magic of online shared records. This seems like extreme loss of privacy for me.

I want the option for a doctor to evaluate me with fresh eyes, not in the light of 40 years of medical history from online records. If a doctor gives me a recommendation for medical marijuana, I don’t want every doctor I see for the rest of my life to know about it. If I was treated for depression 30 years ago it should be my choice whether to share that with my current doctor. I want to be able to get a second opinion from a doctor without having him read the first opinion.

Incorrect diagnoses and the findings of incompetent doctors would follow you forever.

I think that much of the battle has already been lost due to the records the insurance companies keep on us, but to intentionally push this even further is a nightmare in my eyes.

Peter Hillier March 23, 2010 8:00 PM

Anyone close enough to an EMR vendor knows very well how devoid of security controls HL7 actually is. To suggest that a piece of software would get treated like medical hardware in it’s evaluation is nonsense. This has been about the control of standards by the medical community for the most part and this kind of worldwide exposure is needed for things to change!

AppSec March 23, 2010 9:40 PM

@NotAnonymous – not even close to what I was refering to. Again, if done right, there would be the ability to see certain aspects of data and would authorization.

@lenticular – That’s simple. You don’t grant the doctor access to your medical files until you’ve talked to him/her. When you visit the doctor and they went to set up your information, you’d simply say: I want a fresh opinion. If they request tests which you know have been done, you an share those results if you wish.

Again, I’m talking about if done right. I’m not talking about a freely open system which is why I don’t think Clive’s point would apply. I’m not talking about every doctor having rights simply because they are a doctor. Even in an ER situation, it would still require your permission.

AppSec March 23, 2010 9:41 PM

Just to clarify.. Clive’s point being the whole whole “if you had an accident”.. Which he and I agree on..

I just think they do serve some value.

John Moehrke March 23, 2010 10:54 PM

As someone who works closely with Healthcare Standards development and government initiatives on Healthcare IT, I found this report somewhat fun. I can’t count the number of times that I have had to explain that POLICIES must be written else everything else falls apart. I write specification after specification on how to utilize standards to mitigate risks, but if there is no policy or execution these standards are useless. There is little use to further analysis once they determined that policies are not in place.

No question things need to be better. No question that in so many ways general IT security best-practice should be put in place.

As to the ’emergency’ situations. No emergency room spends time looking at records or waiting on records access. They deal with the information they have right at their finger tips. Amazing people at dealing with a lack of historical information. If the EHR brings in this historical data and checks the doctors work, that is a benefit.

Besides these.. I am really surprised at the lack of audit log monitoring. See my blog for more details http://healthcaresecprivacy.blogspot.com/2010/03/e-health-security-problem-at-vancouver.html

Winter March 24, 2010 2:22 AM

@Clive Robinson et al
Why centralized medical reports?

This discussion is doing the rounds in the Netherlands. The answer is that medical data gets lost between health providers. And it gets lost much too frequently.

There are quite a number of cases where even MRI or CAT scans are inaccessible stored somewhere else from where they are needed. And too often they are really lost.

Maybe you have been lucky, but I have seen enough people who needed complex treatments at different hospitals with different specialists over long periods of time. And quite often data, test results, and reports are missing.

This goes as far as people with known high medical risks being sent home when they report “ambiguous” symptoms. Errors made because the MD in charge was unaware of the records. It is well known in medical circles that patients should be acutely aware of the importance of their own medical history when visiting a hospital. If they are not, they will have a high risk of getting unnecessary or wrong treatments.

About the security. The Dutch discussion is interesting. They want a fully end-to-end encrypted system. The patient determines what health care providers get access. Inappropriate access is a criminal offense, eg, a MD who “spies” for an employer or insurance company.

Finally, the system must be set up with an indelible log of ALL attempts to access the data with a full record of who does the access.

In short, it can be done if you think it through. It will not be perfect, but it should only be secure enough. And the problem is not in the technology, nor the economics. These are easy.

The problem is in the politics and management.

Sentab March 24, 2010 3:36 AM

Some years ago a similar report on hospital security was presented regarding one of the major hospitals in Stockholm, Sweden. There were open wireless access points giving access to some of the LANs (bypassing DMZ).

Many accounts with weak passwords and lots of databases that where easy to extract data from. In practice anyone with a wireless enabled computer and knowledge in how to query a database could see any patient’s medical records.

If my memory serves me some politicians medical details was revealed. Which in turn put some pressure to do something on the matter?

David March 24, 2010 4:02 AM

and the UK Government is planning on creating a database holding 60 million medical records accessible by millions of ‘health’ staff, and they tell us it will be secure. Not a hope in hell! Join me and thousands of others and choose to opt out. You can download the form from here http://www.neilb.demon.co.uk/

DaveShaw March 24, 2010 4:42 AM

@Clive.

The “Spine” is a transport mechanism for electronic health data. The centralised health record that is shared in cases you mentioned is the SCR project (Shared Care Record). The spine is used in many other NHS IT projects, to transmit data. I don’t know where the mix up in terminology has come from (probably the British press).

yt March 24, 2010 5:14 AM

I know there are shared records between hospitals and clinics in the Finnish public healthcare system, but now that I think about it, I’m not sure how the system is implemented. I vaguely remember when the separate systems at individual clinics and hospitals were linked, and I can recall being asked to explicitly authorize the sharing of the details of my treatment with other doctors, for example, after surgery. Presumably it’s all done in accordance with privacy laws, but it’s kind of unsettling that I’m not really sure of the details.

thinker March 24, 2010 5:45 AM

central storing of health data is a security nightmare. I will admit that there are benefits like better transfer of information between different doctors and hospitals. But these benefits could be achieved without centralized storage – it is a matter of regulation, backup and protocol. Just like the intertubes: you have lots of servers and clients and yet nowbody claims it would be best to use just 1 big datacenter. All that is needed is the DNS and linking for referencing whos got what and where and how to obtain it. There is no need for a one-knows-all kind of instance.

Putting all data together in one centralized infrastructure is quite dangerous. It WILL wet the appetite to use this data beyond the strict treatment of the patient. Nothing and nobody can prevent this. Insurance companies would pay big bucks for such informations: what does a data set consisting of valid name, adress, age and contact details net on the grey market? Imagine this value multiplied by 10 or more if it also contains medical history records, diagnoses, references to family members in case of genetic diseases etc.pp.
We had enough stories of loss of critical data, from the military (lost notebooks, harddrives etc.) to the government to banking (think credit card infos) to business (think economic espionage and customer databases) to know for sure that at no level we are able to give sufficient security to those kind of sensible data.

Then there are the current projects testing electronic health documents like in germany: on the health card there are different ‘vaults’ containing the keys for the centralized data, locked with the patients key. It should the patient enable to decide which data the doctor could see. Prescriptions should be stored directly on the chipcard.
Turned out, that during the first months of the test period nearly half the doctors shut themselves out of the system (forgot/wrong PIN), the patient were unable to remember another PIN (so phamacies could not read out the prescription sector of the chip card) and handling people with problems like alzheimer or simply old people (they are the ones who use the health system the most) became increasingly difficult.
Add the inherent flaws of the centralized system (how about redundancy, backup, guranteed access of the data in emergency and offroad situations?) and one sees why it has all boiled down to “the new card will have the patients photo printed on it”. A big fail story which cost so far serveral hundreds of millions of euro.

I once read a very nice statement: private data (and medical data is no less sensitive) is like plutonium – if too much is accumulated in one spot it gets critical.

Clive Robinson March 24, 2010 6:45 AM

@ DaveShaw,

“The “Spine” is a transport mechanism for electronic health data… …I don’t know where the mix up in terminology has come from (probably the British press).

Not just the press but the politicos and others not “ICT” at places like Richmond house (DoH HQ).

It appears to be a deliberate policy to hide or morph a 12billionGBP (and rapidly rising) cost.

As you may be aware there are many other systems that use it just try and justify it’s expense.

As a jorno Simon Jenkins of the Evening Standard put it just yseterdayday,

“Meanwhile out-of-their-depth health secretaries such as Patricia Hewitt, Alan Johnson and Andy Burnham have simply capitulated to high-pressure salesmanship on a £12 billion NHS computer, for which no sane person has a good word.”

So logicaly he is saying that Patsy Hewitt is either not sane or has been “gulled” by salesmen…

But what would they be selling to Health Secretaries?

He goes on to say by way of distraction,

“Everyone’s healty record will be hacked and available to every credit and insurance company within days.”

Which although not directly true (ie not within days more like weeks) makes a side refrence to where Patsy Hewitt comes from. That is she want’s to sell these records to make money (of which she wants a £5,000/day slice and has done for years),

He goes on to say,

“Experts from the Audit Commission to Computer Weekly have howled warnings but nobody in government takes notice. The money is too good.”

Note the last bit “The money is too good”, Health Secretaries and Senior Civil Servants are responsable for placing the £12 billion of contracts. What kind of inducments could the “high preasure salesmen” be offering?

Well Patsy was caught on camera prostituting herself as being able to influance decisions not just about contracts but actual law making…

In the US such behaviour is illegal and would (in theory) get significant punishment.

However Tony Blair has turned it into an art form, as another journo noted about the difference between Tony and the likes of Patsy, Tony has done it big style (and continues to do so) whilst Patsy is small time and thus has had her collar felt…

Tony is acording to John Hemming MP “now making money as if it was going out of fashion.”

Oddly most of it appears to be in the US where he is riding the back of the “war on terror” and his part in the whole sorry shambles of body bags and corruption it now is.

Worse Tony has been caught out “fiddling expenses” yet again. His “body guards” etc are being paid for out of the public purse yet… by far the majority of his and his wifes aperances are for “private gain”…

John Moehrke March 24, 2010 6:53 AM

@thinker

Good point about centralizing the data vs federating the data; I also prefer a federated approach. There are also legal medical record advantages to a federated approach.

But, their problems start with a lack of Policy, and include lack of basic IT security. Both of these would still be big issues.

Mark R March 24, 2010 7:25 AM

The problem of thinking that a massive, centralized database will magically solve complex problems, while introducing none of its own, seems to afflict so many different fields that I think we need a standard term by which to call out this kind of thinking.

How about “the magic database fallacy?”

thinker March 24, 2010 7:39 AM

@John Moehrke
I don’t want to sound too pessimistic about new technology but imho the problem seems to be the differences in the objectives of storing health data. From a patients view one wants to be able to control ones data. That is easy – simply do not tell the next doctor your previous medications. No changes needed. If you are unsure what is necessary for a new doctor simply ask your normal doctor for a referral or a copy of your file.
From a doctors or hospitals perspective one wants access to medical history of a patient. This could be managed as well: make a policy for transferring the data on request with authorisation (by the patient or his selected physician with his permit). that is just a matter of protocol and regulation (e.g. force doctors to convey data on authorised requests – fax should do the trick).

From an industry POV one would want the need for big investments. This would be achieved by lobby pressure and technology fairy tales about how much better and brighter everything will be with computers.
Given the incline of politics towards lobby and the covetousness of industry towards big government fundet projects and data aggregation one can see where this will lead.

Interesting side note: in the proposals for the new health card in germany the given reasons where all in the line of “developing modern technology”, “giving the own industry an edge”, “reducing costs” (hah! seriously?!) and “beneficial side effects” (like installment of a nationwide PKI) – see the absence of a point like “better healthcare”?

Mike B March 24, 2010 8:05 AM

One interesting trend is towards making medical information increasingly less private in order to better tailor treatments. Some pilot studies have shown when doctors have access to detailed treatment data they can dramatically increase the effectiveness of treatments and cut costs by matching the circumstances of the new patient to those of similar patients in the past.

I know we’d all love to design a system that securely delivers the healthcare providers for tasks like this, but the sheer numbers of people who will NEED to have access to the information pretty much means that one’s health information will be out there and accessible. If people have to choose between giving up some privacy and being dead I think they will probably choose to share their info.

I think the stigma behind most medical conditions is rapidly fading and people are increasingly protected by anti discrimination laws. As long as people have the ability to opt in to a sharing regime the benefits will outweigh the costs. I mean what’s the point of security if it ends up killing people.

thinker March 24, 2010 8:50 AM

@Mike B “If people have to choose between giving up some privacy and being dead I think they will probably choose to share their info.”
unfortunatly this is not the given choice. It is not giving up “some privacy” like lets say the number of pillows on your bed – it is the most sensitive private data. Medications of long overcome illnesses, current treatments of socially stigmatized conditions (AIDS being prime example) and genetic conditions which do not constitute an illness but merely statistical risks.
And the alternative is not “being dead” but the hassle of organizing the transfer of data – which can be regulated quite well without central storage.

And regarding the fading of stigma and protection by anti discrimination laws: whishful thinking.
It only makes insurance companies or employers a little bit more careful in the phrasing of their rejections. And you can not prove that the record of the short term treatment at a psychiatrist due to stress 15 years ago was not the reason.
Regarding the opt-in: only if NOT opting-in has no negative effects. But how likely is that?
“what’s the point of security if it ends up killing people” – this can only be a poor attempt at trolling. The death of people is a statistical number in society. Arguing “but it can save lives” is fruitless. Banning individual transport by car could save ten thousands of lives.

Winter March 24, 2010 8:58 AM

Some other database nightmares whose usefulness outweighs their risks:
– Tax records
– Banking records
– Birth registers
– Debet card payments

Modern society runs on the communication of information. This holds for health care too. Why should health care be different from the financial sector?

Communication problems do harm patients. They really do. I do not know how things are in the UK or USA, but over here it is very common for a patient to visit several specialists and several hospitals over a complex treatment. For chronic diseases this is convoluted by changes over decades. Just saying:

“make a policy for transferring the data on request with authorisation (by the patient or his selected physician with his permit). that is just a matter of protocol and regulation (e.g. force doctors to convey data on authorised requests – fax should do the trick).”

That will not do it. That is what we have now. And that simply does not work for a host of reasons:
1 Format incompatibilities
2 Communication incompatibilities
3 You CANNOT fax a MRI scan
4 Time (doctors do have more to do than digging up records)

The failures seen in the NHS and other large institutions are not caused by the ICT. They are symptoms of a larger failure of public health policies (patient and health care workers rights) and an inability to handle national projects in general.

You simply cannot treat a national health care database as if it was some grocer’s ERP system implementation. You should treat it like ICT of your national tax records. (which will fail too, but less disastrous)

Hal March 24, 2010 9:02 AM

Don’t forget the health care law just signed by Obama puts the IRS in charge of American health insurance records.

http://www.gao.gov/new.items/d10355.pdf

“While IRS has corrected 28 control weaknesses and program deficiencies, 61 of them — or about 69 percent — remain unresolved or unmitigated,” the report states. “For example, IRS continued to install patches in an untimely manner and used passwords that were not complex. In addition, IRS did not always verify that remedial actions were implemented, or effectively mitigate the security weaknesses.”

Weaknesses in IRS systems “continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information,” the GAO says. “IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information.

Winter March 24, 2010 9:27 AM

@Hal
“Don’t forget the health care law just signed by Obama puts the IRS in charge of American health insurance records. ”

I think that is good.

This is NOT about a perfect system that will never ever fail. This is about a system that gives the population the benefits of a smooth communication between health care givers. We know the tax system can fail. But overall, it is not as if peoples tax records are on the streets.

At least the responsibilities are given in the hands of people who are very well aware (and experienced) of the problems in handling population wide sensitive data stores. They will fumble, but they WILL know their responsibilities.

thinker March 24, 2010 9:39 AM

@Winter: why should health data be different from financial data? Lots of reasons spring to mind. Leaked credit card data or dispute with your bank? Open a new account in a different bank. Sue rating agencies to correct your record. Surely a hassle but manageable.

Leaked health data of you? Medical conditions, diagnoses (even when proved false afterwards?), medications etc.? No way of getting the p*ss out of the pool ever again. Try to get an insurance ever again. Ruin the prospects of your kids to get an insurance (genetic predisposition anyone?).

Current transfer of data does not work due to format incompatibilities? Change the official requirements to open standards. MRI scans can not be faxed? Mail them. Send a copy with a courier. Give the patient a copy. All solutions without the need for central storage.
Time is an issue? Hone the transfer protocols. Doctors to busy for digging up records? Why not let others handle this? Besides: didn’t Dr. House teach us, that digging up stuff like a detective is the very essence of a good doctor? 😉

The problem is not doctors chasing after records it is currently patients chasing after there records. Why not give the patient an updated documentation of their file after each treatment? In best cases this is just a copied sheet of paper for the folder at home, in difficult treatment plans this might even be a burnt CD or some other data storage. Patient visits another clinic and the new doctor needs the medical history? Patient brings his own file for the short time the clinic is waiting for the ‘official copy’ via established transfer protocols.

I don’t see any need for central storage – or more specific: nothing that would justify the risks.

JimFive March 24, 2010 9:44 AM

@Winter
Re: Communication Problems.

I’m in the US. We recently took my child for an annual evaluation of a congenital condition. The process worked like this: We sat in a patient room for 6 hours (with a break for lunch), being visited one after the other by 12 specialists. All of the other patient rooms were being used for the same thing, so the specialists would make the circuit. After that the specialists would meet and discuss each case and make their recommendations which we received in the mail. So: If you have a condition that is running you all over to different specialists, find someplace that has a team of people devoted to your condition, don’t try to do it piecemeal.

JimFive

JimFive March 24, 2010 9:48 AM

@thinker
RE: Patient control of records

I agree that the patient should get a copy of their record after each visit. (Note however, that the patient’s record is probably not updated at the time of the visit, it is updated later when the staff has time to do it.) A digitally signed document transferred to the patient’s flash drive after each visit would work at least as well as paper. An 8G Flash drive will hold a lifetime of current medical records unless you have a LOT of motion imagery.

JimFive

Winter March 24, 2010 10:06 AM

@Thinker:
“Try to get an insurance ever again. Ruin the prospects of your kids to get an insurance (genetic predisposition anyone?).”

Even better, change your insurance system. We already have the system Obama tries to introduce in the US. And it is a miracle cure against this kind of insurance abuse. I can enroll with every insurance company in the country. NO questions asked (they HAVE to take me).

So, if you are afraid of insurance discrimination, change the system. If you are afraid of employer discrimination, criminalize the use of health data. Jail any employer who is in illegal possession of private health records or colludes with someone who is. Ostracize or jail doctors who illegally access patient information.

You do things like that with anyone who tries to use private tax records. It can be handled if you want.

@Thinker:
“Leaked health data of you?”

How are these different from leaked tax and financial data. Debt? Tax fraud? You bought WHAT? And the choice in banks is not that big.

@Thinker:
“Change the official requirements to open standards. MRI scans can not be faxed? Mail them. Send a copy with a courier. Give the patient a copy.”

That is the current practice. So why did we want to get rid of it again? You finally got to see that specialist on Monday morning 9PM 3 hours travel from home and she did not receive you scans? Please come back next month.

@Thinker:
“Why not give the patient an updated documentation of their file after each treatment?”

Has been tried. They lose it, they forget it, their ex-spouse takes it and posts it on the Internet. You name it, it has happened. In the end, it will not be where it should be.

But most importantly, the patient must make at least two visits: one to get the files and one to deliver them where they have to be used. Ever tried to get repeat visits? It does not work.

There are huge privacy problems with centralized health data storage. But these are not different from other systems that are used. There is a register of almost anything you bought, with your name on it. Can that be abused? Yes. Can that be handled? Yes. Is there an alternative? Hardly.

@Thinker:
“I don’t see any need for central storage – or more specific: nothing that would justify the risks.”

Maybe you should have a talk with a health care giver? There really is a need for direct access and good record keeping from anywhere.

Whether the actual data is stored in one single data center is immaterial. The effect would be the same.

I do not want to belittle the risks. They are real but can be handled. But the benefits are real too.

Winter March 24, 2010 10:12 AM

@JimFive:
“So: If you have a condition that is running you all over to different specialists, find someplace that has a team of people devoted to your condition, don’t try to do it piecemeal.”

Indeed. More of these places are coming. Sadly, many conditions require tests that take time before the results arrive. Next step depends on the test results.

Then, not all conditions can be handled by in-house specialists. You start at a local hospital. Then you are directed to several highly specialized hospitals, departments and what, that might, or might not form a single institutions.

This whole data communication idea is about making it easier to apply complicated treatments even when there are not enough patients to justify a specialized clinic.

thinker March 24, 2010 10:55 AM

@winter:
I also live in a country with a better insurance system like the US. Lucky us 🙂

I still see health data a tick more sensible like tax data or credit card data. Just the sme with biometrics vs. passwords or tokens for me: any password or bank account can be changed. It may require effort and time and money and can involve inconveniences like not having an ATM nearby, but can be done. Biometrics and health history not so. If its spilled then it is game over. No thread of prosecution will hinder interested parties to use the data. Hell, we have laws against discremination already – does this prevent the pressure on unwanted personnel e.g. in discounter stores? How widespread is the abuse of power (and knowlegde of data is power) and how often and how much are the abusers really prosecuted?
And even if so – how does this help a person whos HIVinfection is furthermore sticking on his data shadow like tar?

Patient losing their data? Tough luck for an individual. Personal responsibility and so. Losing health data on database-scale? A nightmare for society. Who will trust his doctor when not even the doctor can be held responsible for the protection of the data?
Having to miss an appointment because of missing records? Looks like a scheduling problem to me – either make sure to bring the needed copies yourself or schedule for a date after validation of successful data transfer.

The problem with having to visit just to collect your file is an organisation problem. It could be delivered to you by courier. You could pick it up the next time you have an appointment. You could call them and have them send the copy directly to the next doctor (some sort of prevention for social engineering necessary) and so on. It can be done.

And yes, I have some knowledge about the health care sector due to my family. I know how nice it would be if the data would be there at your fingertips on your screen and instantanious and correct. this will not be the case. Never. And central storage system will not solve this. Ask a doctor if he would trust the victim of an accident with the info on the his blood type. Even for legal reasons they have to check for themselves.
In an ideal world this idea sounds grand. But then again we are talking big corporations, governments, big money and diverging goals of different participants here. the ovious risks seem not to justify the possible benefits.

But I am not a doctor or a government contractor…

paul March 24, 2010 11:20 AM

If the data is centralized, it’s going to have to be redistributed for redundancy/availability anyway, and the communications links between all these redundant, distributed sites are going to have to both fat and solid. So why not just harden what already exists?

(Yes, that was a rhetorical question.)

Winter March 24, 2010 11:35 AM

@thinker:
“Biometrics and health history not so. ”

First, this is not about biometrics. Second, spilling out your health record is not different from spilling out tax records. If a tax database is spilled, the plutonium metaphor is apt. The resulting data will be radio-active and no-one will even come close to it.

Most health related information is known by friends and relatives. Many more people know intimate details about my health history than know what I put in the tax forms.

But for arguments sake, lets assume you have been treated for something very embarrassing (eg, bi-polar disorder). Some person breaks into the database and wants to publish this. Some other person breaks into the tax office and gets hold of your records. He too wants to publish that. What is the difference?

We already have centralized tax records. Why don’t we see this kind of leaks and abuses directed against, say, politicians or CEOs, or other famous people.

Personally I think because this data is radio-active. Anyone who touches it will be destroyed.

@thinker:
“The problem with having to visit just to collect your file is an organisation problem. It could be delivered to you by courier.”

Note that money spend on transferring health files is not spend on curing patients. Re-assignments cost money to.

@thinker:
“I know how nice it would be if the data would be there at your fingertips on your screen and instantanious and correct. this will not be the case.”

I know of a person who had a (very) high familiar risk to a life threatening condition who was sent home by a replacement GMD because the symptoms were ambiguous. The condition developed and invasive treatment had to be given over many years. Had the replacement MD looked at the records, treatment had begun immediately with much better results. In health care, time really does matter.

Saying that the patient has its own responsibilities is simply wrong. That is why doctors are trained for a decade of their lives. Because the patient simply cannot be held responsible.

thinker March 24, 2010 11:49 AM

@winter:
It may be a personal thing. a POV. But imho there is a difference between the tax data and the health data. Income can change – personal conditions like infections or genetic predispositions may not.
For the cost factor: maintaining a high availibility solution for stored data with redundancy, backup and security will also not come for free. Pilot projects in germany did cost so far around 2 billion euro. A lot of couriers could be paid by that 😉

And individual stories of patients are always very touching but should not be the basis for decisions on such big issues. Otherwise I will answer with a story of someone who would have survived if the national speed limit would have been 30km/h and demand the law to be changed to that speed limit on all roads.
It WILL saves thousands of lifes. Guaranteed.

AppSec March 24, 2010 1:54 PM

@thinker:
Nice hyperbole. Too bad it’s also totally irrelevant. Because not evey driver gets killed in a car, but everyone on earth dies (unless you like Duncan McCloud of the Clan McCloud).

A national health care system (I’ll put a request out there to stop with the central database since I don’t think anyone really believes that this server would live on one physical machine) isn’t just about the dying.

The validity of the system comes being (albeit potentially) to more efficiently remedy the failing quality of life of everyone through the course of some period of time.

The cost of couriers, paper, and time is ever increasing. The cost of electronics — network bandwidth, hard drive space, processing power, and even the power to power those devices — is decreasing with performance.

Of course there are considerations — just as there are considerations for physical redunancy (hope those file cabinets are fire rated to withstand a massive fire — oh wait, the doctor had your files in his office doing research and couldn’t get them back in time? sorry).

There’s arguments to both sides, nobody will say others. The question is: which has the greater potential for increasing efficency for the majority and deal with those who abuse the system.

Protonius March 24, 2010 6:39 PM

Bruce,

I’ve read of warnings — based on actual cases and apparent trends — that a likely next-step emerging from this “Obamacare”-mandated system of digitally accessing everyone’s medical records and conveying those records into some Government database(s) and, seemingly without restriction, further distributing, revealing, and sharing, them, with agencies unknown, will ALSO be the MANDATING that every American (who is now trapped inside the “Obamacare” nightmare) be IMPLANTED WITH A MEDICAL-DATA-CONTAINING MICROCHIP in order to obtain ANY medical care.

So I would like to ask you: Do you have any thoughts on this possibility? And if it might come to pass, what are your thoughts as to the potential SECURITY-issues that might be involved?

Thanks.

thinker March 25, 2010 2:46 AM

@Appsec: that is exactly my point – we have to assess the benefits and risks of the options and make a decision. Personally I tend to the conclusion that the risks are not worth it. Other opinions may differ. I only suspect that there has not been a neutral assessment yet and the pressure from lobbyists will bias any solution.

@Protonius:
“agencies unknown”? “mandating implanting microchip”? Whatever you might have taken – I recommend to change the dosis.
Try tin foil hats.

Winter March 25, 2010 3:21 AM

@Thinker:
“we have to assess the benefits and risks of the options and make a decision.”

I can only agree.

@Thinker:
“Try tin foil hats.”

Did you know that “…the US government has been operating a secret radar system for the last decade capable of tracking individual crackpots wearing tinfoil hats. “?

http://humorix.org/articles/2004/05/tinfoil/

Winter

thinker March 25, 2010 5:28 AM

@winter: [tin foil hat tracking]
thats a good one 🙂

anecdote: a friend is traveling by train and one passenger on his wagon talks annoyingly loud with his mobile phone. It is all about conspiration theories and how the government is hiding important stuff and everybody in the wagon is on the edge because of his loud talks. When the train stops at the next station the friend leaves and when going to the exit in passing the telephone guy he plants a hand on his shoulder and says gravely “and we know where you live too” and then leaves. The face of the conspiration theory guy was reported to be a priceless display of horror ^_^

Mark D March 25, 2010 9:29 AM

as one who has looked at literally hundreds of medical records (med mal defense) – much of the sensitive information is very difficult to understand without an Atlas of Anatomy and a Medical Dictionary. Most people reading a medical record are, after their eyes glaze over, totally clueless as to what they have read.
Oddly enough, studies show that EHR/EMR has, to date, had minimal impact on quality of care – for reasons that researchers are now trying to understand.
My crystal all sees more billions of dollars and millions of trees about to die to accomplish not very much.

DierdreM March 25, 2010 12:19 PM

@Bruce:
“While this report is from Canada, the same issues apply to any electronic patient record system in the U.S. What I find really interesting is that the Canadian government actually conducted a security analysis of the system, rather than just maintaining that everything would be fine. I wish the U.S. would do something similar.”

Apparently you (and a lot of other people) missed the announcement that this is exactly what is about to be done by the US: http://www.healthcareitnews.com/news/hhs-expands-focus-cybersecurity

Pat Cahalan March 28, 2010 2:51 PM

This discussion is doing the rounds in
the Netherlands. The answer is that
medical data gets lost between health
providers. And it gets lost much too
frequently.

There are two solutions here. One, dump everything in a gigantic database. Two, establish standards for information records and let all the patients carry their own.

Medical infomatics is a focus of a research group at Claremont Graduate University (I know a few of the members) and both systems have their advantages and drawbacks.

Generally, I’m more in favor of the second. Have a standard scheme for markup and storage of personal health records inside a smart card, and let each person carry their medical history around. We already need to carry proof of insurance, just make the card do both.

Yes, of course there will be security implications to carrying around your entire medical history on a smart card (just like the problems with ATM cards), but you can reduce the class break vulnerability quite a bit.

supachupa March 29, 2010 12:18 AM

I think the public may be misinformed about the idea to have a massive central database full of patient records (or maybe I’m misinformed?).

I’m sure it must be different in every country, but the real issue to tackle is creating a unique identifier (i.e. a “primary key”) that can be used in any system. This does not require any visibility into each Hospital’s PAS, but instead would be referred to when determining the identity of the patient.

A unique identifier is the holy grail of healthcare and so far it’s not happening because there is a confusion about the differences between security and privacy.

Michael Hagerty June 10, 2010 5:19 PM

A number of people have asked in other contexts, “What makes personal medical information so much more sensitive, and deserving of greater protection, than financial information?” The answer is really quite straightforward. If all of your financial accounts are wiped out or compromised, you can be made whole again, presumably after a delay, by the application of money.

To illustrate the difference with medical information, I use this example: If your spouse or significant other were murdered, it is expected that you would experience a period of clinical depression. If you don’t, the police start looking at you as a potential party to the crime. Now, fast forward a number of years and you choose to run for some political office. The information on your earlier bout of clinical depression is leaked and your opponents use that information to paint you as having been mentally unstable (remember Thomas Eagleton?) and you find you cannot win any elective office, including dog catcher. Simply put, certain pieces of medical information cannot be put back in the bottle, nor is there a mechanism to make you whole again.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.