Malicious Hackers Resting On Their Laurels? Or Better At Hiding Their Tracks?

Is There A Balancing Act Between Sharing Health Info And Privacy?

from the how-can-it-be-dealt-with dept

Mon, Dec 18th 2006 10:37pm — Mike Masnick

Over in the UK, as they're getting ready to rollout a new electronic patient record system for healthcare, there are a number of worries that such a system will inevitably lead to huge privacy breaches. Since it will be a centralized system that many people will have access to (and which many others may eventually figure out how to access illegally), there are legitimate fears that one of these days, rather than reports about social security numbers and credit card numbers lost through a data breach, it will be your personal medical records -- which aren't as easy to change as a credit card number. However, those behind the system insist that they've built it with security and privacy in mind -- and point out that the alternatives (basically, the current system) is that much worse. While it may not be as accessible, the paper records system is slow, inefficient, doesn't help you very much when you're at a different location -- and not all that secure in the first place. But the real question is whether or not this needs to be a balancing act. Are there better ways to construct a system that has the benefits of making information available while also protecting your privacy from prying eyes? Or are these two things mutually exclusive?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

SecurityDog, 18 Dec 2006 @ 11:26pm

Well...
As long as people want the information, they will find ways to get it. Doesn't matter what system is in place, the paranoia and the actual threat will always exist.
[ link to this | view in thread ]
reed, 18 Dec 2006 @ 11:54pm

Bigger questions
I think there may even be a bigger question going on here than just are they mutually exclusive.

As every piece of your personal information is converted into 1's and 0's you are fighting a losing battle for privacy. Technology has changed how privacy is percieved and ultimately it will elimanate privacy as we know it.

I think the real question is are we going to allow these closed networks of information to benefit everyone or just a select few. The digital age is all about knowledge and whoever knows what is going on has the upper hand.

I guess what I am saying is whats the point of hiding medical records when any insurance company can still look them up? Whats the point is worrying about privacy when programs like echelon, carnivour, and now the newly formed Homeland security violate it on a regular basis?

It is too late to look back to a time when confidentiality once existed. I think it time for a new way of thinking. We need to open up to each other and live our lives as a open book. Of course this should start at the top and work its way down not the other way around!

So I say we all use technology to spy on every major corporation, every politician, and every government official and then make that information available to everyone. It is time for technology to even the playing field between the haves and the have-nots!
[ link to this | view in thread ]
Compound, 19 Dec 2006 @ 12:43am

The digital age is all about knowledge and whoever knows what is going on has the upper hand.
[ link to this | view in thread ]
Efficiency Expert, 19 Dec 2006 @ 1:03am

We need to open up to each other and live our lives as a open book
[ link to this | view in thread ]
Effucuency Failure, 19 Dec 2006 @ 3:28am

Re: (Blankness)
The human race is still too 'tribal' in nature for that to work. You'll need to wait a good 100-200 years until most of the color differences are gone and everyone is kinda of a neutral tan color. There probably wont be any more blonds left, but at least we all look the same and we can share our thoughts like the hippies would of wanted!
[ link to this | view in thread ]
The infamous Joe, 19 Dec 2006 @ 3:59am

I don't mean to downplay..
I understand that it's a matter of privacy, but who would want my medical records? I mean, besides the sensitive numbers that aren't medical record specific (e.g. Social security) knowing I have had my nose broken a lot helps a would be criminal how, exactly?

Just asking, it's early-- I hope it's not obvious. :)
[ link to this | view in thread ]
qaqwex, 19 Dec 2006 @ 4:15am

People are the problem
The general idea of the Health db is a good idea. I live in London and have an accident in Glasgow they will have access to medical records that show medication I am on and thus maybe avoid any potential side affects. Likewise if I go into a diabetic coma it will be recognised as that and not passed out drunk especially as I am tee-total now.

However, it is all the others that have gained access through scope creep such as social services, police, taxmen and virtually anyone other department in the public sector. We have problems with the abuse of the DVLA db, the CRB db, PNCU et al yet the health department are taking the 'King Canute' approach that it won't happen to the health db. I have news for them any time you involve people in a IT system it has the potential to be insecure and this one will be no different.

Also the police initially will need a warrant to access it, but soon either in the name of "the war on terror" or "protect the children" (whichever is the current money spinner for them) they will gain unlimited warrantless access. Do you really want that and all it implies?

Also the private sector will have a foot in the door as well and, like baliffs, once they have a foot in the door they force their way in and grab the lot. My guess the excuse will be 'preventing fraud' or "making the system revenue neutral". So you develop MS and can't work any more. You claim on your critical illness policy, the insurance companies grabs the DNA test results on your file and discovers a gentetic pre-disposition you never knew about and rejects your claim.

It will happen, access to DNA results is the Holy Grail for insurance companies becouse of the potential to reject claims. An Insurance underclass is the inevitable result and it will be the taxpayer that picks up the bill.

I have already informed my GP that my data is not to go on the "Spine". If I need to carry important data about medication or the fact I am diabetic I will do what I do at the moment and have it on a 'medic-alert' bracelet.
[ link to this | view in thread ]
SD, 19 Dec 2006 @ 5:00am

Is it any less secure?
Why is everyone so sure that centralising medical records onto a database makes the information any less secure than it already is? What makes paper so secure? Recently my local GP was burgled. Admittedly the thieves were probably after drugs as they ransacked the pharmacy but what could have stopped them rifling through doctor's filing cabinets? Personally I feel that my records are probably a bit more secure stored on a multi billion pounds database than in a hundred pound filing cabinet. It would take more than a two bit thief to break into the Spine (I work in very closely with those that are developing the technology, the people and the kit are among the very best I have ever encountered.)

I also think that it is worth the risk. I like anybody else do not want my personal details out there, but if that is the trade off for a system that may well save my life, I think it is worth it.
[ link to this | view in thread ]
Nobody Special, 19 Dec 2006 @ 5:27am

health privacy does matter
Contrary to a few posts, your privacy does matter if you have a socially unacceptable disease. And it matters if you face discrimination because of health issues.

The problem against which people must fight though is the idea that every doctor needs to have all of your health record or even cares. The simple fact is that most of the time your doctor doctors only care about a few things which all fit on about a half sheet of paper. They don't care to look at the entire history.

Centralized databases should follow a number of things:

1) Allow the patient to opt out.
2) Only contain the limited information that is typically "pre-loaded" into the system.
3) Become de-centralized for all other tasks.

It would be beneficial to make all health databases follow a common schema. That way your information can be easily imported into another doctor's records. (Or carried around for those who wish to do so.) But there is no need for a centralized database outside auditing the doctors.
[ link to this | view in thread ]
Alex, 19 Dec 2006 @ 5:43am

Can't it just be the same system we have now, except digital? The data could all be held in a centralised database, but health professionals would have to "sign out" every record they need, thus keeping total control over the information. Obviously this doesn't prevent against attacks against the database itself, but decent encryption could cover that hole I'd imagine.
[ link to this | view in thread ]
SD, 19 Dec 2006 @ 6:04am

Re: health privacy does matter
The points you raise here are quite correct. What you must understand is that a doctor will only have the same access to records that he/she has now. Just because the records are centralised it does not mean that those accessing the data automatically have carte blache to see whatever they want. In fact, it is more likely that doctor or a medical practitioner will not be able to access data that would be useful due to the cautious nature in which the project has been set up.

As a point of note I think that you are right that you should be able to opt out and this is indeed the case.

In terms of privacy I feel that there is an unjustified assumption that someone will make this data public somehow. Breaking into an encrypted and secure network is not like it is in the movies where some geeky looking actor taps a few keys and access to the entire database of the Pentagon! I will however concede that there will be individuals out there who will a project of this magnitude as a challenge and that it will require vigilance in order to protect it.
[ link to this | view in thread ]
Anonymous Coward, 19 Dec 2006 @ 6:43am

Re: I don't mean to downplay..
Well, let's say that it's something a bit more personal than a broken nose. Let's say you were treated for an STD. Or that a young woman had an abortion she didn't want anyone to know about. Or that you were treated for a psychiatric condition that you're embarrased about. Can you say "extortion" boys and girls?
[ link to this | view in thread ]
The infamous Joe, 19 Dec 2006 @ 9:10am

Re: Re: I don't mean to downplay..
That's just silly. Hiding the fact that I have an STD or had an abortion doesn't change the fact that I had them...

It seems like people want privacy to protect their vanity/pride/self image. I assumed it was some type of identity theft issue.

I agree with whomever said it above: If this prevents lost information, and helps them get my record faster, let's do it.
[ link to this | view in thread ]
Davey, 19 Dec 2006 @ 9:13am

Re: Re: I don't mean to downplay..
It ain't just about embarrassment. America has always fancied itself as the land of second chances. With med info dragging after you like a millstone all your life, you're at the mercy of all kinds of bad intentions. A religious nut employer knows whether you're circumsized, or had a miscarriage or donated eggs or sperm, or attempted suicide, or had a scrip for prozak, for example. None of his damn business, but once it's out it's out and you're economically damaged. Or think about similar info in the hands of a typical bigoted American sherrif -- "equal justice under law" is only a fantasy. The reality is what kind of impression you make on the powers that be.

And then, of course, there's the question of whether insurance cos. have any right to any information. I think not. They managed for centuries without it, they'll just have to adapt again. The whole problem could probably be solved by deeply encrypting the information and making the password available only to the patient and perhaps a trustee designated by the patient. All other access would bring down extreme criminal penalties.
[ link to this | view in thread ]
eb, 19 Dec 2006 @ 11:14am

Bad Here in US
With the costs of health care in the U.S. escalating out of sight for businesses, many companies would love nothing more than to see if you have a history of chronic disease before hiring you--or not hiring you if they had access to the information. I think discrimination on the basis of health problems is going to become a real economic problem in the next 10 years, in addition to the fact that more and more people are not going to have health insurance.
[ link to this | view in thread ]
Sample Accounting Resume, 29 Nov 2010 @ 3:47pm

hi..
Great web page! I don`t imagine Ive seen every one of the angles of this theme the way in which you`ve pointed them out. You`re a accurate star, a rock star guy. You`ve got a great deal to say and know so much about the subject that i think you ought to just teach a class about it.
[ link to this | view in thread ]
Sample Accounting Resume, 29 Nov 2010 @ 3:48pm

hi..
Great web page! I don`t imagine Ive seen every one of the angles of this theme the way in which you`ve pointed them out. You`re a accurate star, a rock star guy. You`ve got a great deal to say and know so much about the subject that i think you ought to just teach a class about it.
[ link to this | view in thread ]