Why nihilistic philosophies of patient-privacy advocates are bad news for patient-privacy.
If the electronic health records industry has a nemesis, it’s Deborah Peel, the founder of Patient Privacy Rights. At a time when doctors and hospitals are digitizing their paper medical records as mandated by the government, Peel, a psychiatrist, has been the most vocal agitator against loss of patient privacy. In Peel’s world, malefic forces in the U.S. government and corporations prey on unsuspecting patients by rummaging through their history/physical. “Once your information is released, it’s like a sex tape that lives in perpetuity in cyberspace,” she once told The Dallas Morning News. See “Is this patient privacy crusader doing more harm than good?”
Root causes of patient-privacy breaches
It is no accident that the largest healthcare organizations have the highest rate of patient-privacy breaches. The old saying “the bigger they are, the harder they fall” is true, but more than that is happening when it comes to patient-privacy breaches in America as a whole.
Patient-privacy breaches happen because of poor data handling and because the US healthcare system, large, fragmented and largely incompatible, presents an enormous national patient-privacy threat surface.
The US healthcare system is plagued by a plethora of patient identifiers and the system interfaces that they require.
Obamacare efforts to socialize American medicine and apply more regulatory controls are the equivalent of pouring gasoline on a burning fire of patient-privacy breaches.
One pictures US healthcare providers struggling to comply with Meaningful Use stages 1 and 2, HITECH and HIPAA, like the officers in Catch-22 piling oath upon oath, instead of mitigating real patient-privacy vulnerabilities:
When other officers had followed his urging and introduced loyalty oaths of their own, he went them one better by making every son of a bitch who came to his intelligence tent sign two loyalty oaths, then three, then four; then he introduced the pledge of allegiance, and after that “The Star-Spangled Banner,” one chorus, two choruses, three choruses, four choruses. Excerpts from Catch-22
The US government is driving implementation of HIEs (health information exchanges) that would enable patient-data exchange between different healthcare providers; President Obama is threatening to nationalize the project and create his own Federal national HIE. If Mr Obama does that, there is a real chance that patient-privacy breaches will explode.
As we noted in our article “Healthcare information exchanges – the death of patient privacy?”, a US national, federally operated HIE network might be the death of patient privacy.
We know that the first sin of the 7 deadly sins of software development is making the system too complex.
Complexity is the enemy of security because with complex systems and complex data models, there are more design flaws, more software defects and more interfaces where vulnerabilities can arise.
As with the history of data-security breaches in retail systems, the healthcare IT industry is (or may soon be) facing a steeply rising curve of data security and patient safety events.
A 1999 American law prohibits funding to promote the adoption of a unique patient identifier, even though HIPAA, the law that established the patient privacy and security rules, called for such an identifier to be developed.
Privacy advocates are blocking it because they think it creates potential for identity theft, despite having no hard data that supports a case for continuing the current chaotic system of proprietary, non-standard patient identification.
That the US has no national identity number is thanks to people like PatientPrivacyRights.org, who put populist emotion before security common sense.
The amusing, or perhaps tragic, part of the Patient Privacy Rights campaign to place patients in charge of their health records is that by opposing a national identity number they are threatening their own agenda:
ACCOUNTABILITY – Hold every entity with access to health information accountable. We have learned the painful lessons of letting industry set its own rules. Consumers no longer trust that corporations will use personal health information only as directed or guard it from theft or loss.
CONTROL – Ensure individuals control the use of their personal health information. Fundamental to the Code of Fair Information Practices and most professional Codes of Ethics is an individual’s right to control how their personal information is used.
TRANSPARENCY – Protect consumers from abusive practices.
Personal health information should not be sold and shared as a typical commodity. Health information is different; it is extremely sensitive and can directly impact jobs, credit, and insurance coverage. Commercial transfers undermine routine privacy safeguards, including transparency and accountability.
Because the US does not have a national ID, every hospital, doctor and healthcare provider keys its records by its own patient identifier. Exchanging data therefore requires an extremely large number of system interfaces, many of which run on poorly maintained, highly vulnerable Windows servers in doctors’ practices. The more interfaces, the bigger the threat surface; the bigger the threat surface, the higher the probability of a patient-privacy breach.
Except for cases where hospital employees breach patient privacy by losing paper records on trains, big patient-privacy breaches involve exploitation of vulnerabilities in system interfaces or data-transfer systems.
If the United States were to institute a single national ID number, four positive results would follow:
- The threat surface for patient data breach would be drastically reduced.
- The costs of health IT implementation and maintenance would be drastically reduced – since far fewer interfaces would be involved
- Security-breach monitoring would be far more effective (and in line with HIPAA regulation), since monitoring systems would look for one known identifier format together with PHI instead of dozens of proprietary ones
- A vision of consumer control would be realizable, since every system a patient engages with would use the same national ID number, which would be well known to the patient. It would be as simple as calling up your doctor and saying “Please send me all my records for national ID 982323857” under your HIPAA right of access to your own records.
Unfortunately, the lights are on but no one is home when it comes to privacy in the White House, as Mr. Obama, who thinks terror is for Hollywood and healthcare is for political logrolling, is now more interested in reelection than in protecting Americans’ patient privacy.
How to protect patient-privacy?
We definitely support enabling people to monitor and control their own information.
This requires simple applications and accessibility:
Imagine if updating your medical record were as simple as updating your status on Facebook, only totally private and secure. That is private social networking for patients and doctors.
Set against the alternative of simplified systems, vendor-neutral standards and a national ID number, the nihilistic philosophies of patient-privacy advocates are not only ineffective, they are counter-productive.
Private social networking technologies like Pathcare, which focus directly on supporting a secure, private and trustful doctor-patient relationship, revolutionize the way physicians, healthcare providers and patients interact: they ensure patient privacy when it is required and enable disclosure of patient data when it is valuable to the therapeutic process.
There are 3 critical success factors for this to happen.
- Healthcare IT vendors and physicians must adopt a common language
- Patient data interchange must be based on vendor-neutral standards
- Patient data interchange is best served with peer-to-peer protocols
I call on you, the reader to share your thoughts on this important issue – reach out to us at Pathcare and help us improve healthcare by supporting secure, private and trustful doctor-patient relationships.
The author claims:
“Privacy advocates are blocking it (national ID) because they think it creates potential for identity theft – despite not having any hard data that supports a case for continuing the current chaotic system of proprietary non-standard patient-identification.”
Then goes on to state that result #1 (of 4 positive results) of implementing a National ID is: “The threat surface for patient data breach would be drastically reduced.”
Where are the statistics/studies to back up these two opposite claims? I don’t see any footnotes or any references to supporting info. So I can only think the author’s claim(s) lack credibility, like those he/she claims privacy advocates are making. Hmmm
Steve
Thanks for the comments. I always enjoy being called out for the errors of my writing ways and indeed I did little to base my claim on why a National ID would reduce threat surface. In the case of privacy advocates opposing national id – this is well documented on the link in the article – see http://patientprivacyrights.org/
I think the case for a National ID merits a separate paper – but I’d like you to consider the reasoning behind my claim:
Security breaches invariably occur on interfaces: the interface between a Web server and a browser, between a web server and a database server, or between a downstream message queue and an upstream message queue connector are just a few examples.
Interfaces have vulnerabilities because they are often implemented by different groups of people with different standards and specs, often guessing or sidestepping constraints in order to get things to work.
Multiple patient ids require interfaces – you have a hospital ID and you need to interface with a system that uses SSN so you have a translation table (here’s a db interface) and send a file (here’s a file transfer interface). The recipient also has a file transfer interface to receive the file. So that’s 3 interfaces. If the 2 entities used a national ID – they could use 1 interface – secure copy for example to send transactions from one socket to another.
Now when I multiply the number of organizations, systems and sub-systems, we can see that we are probably talking about millions of interfaces in the healthcare system as a whole. If we can reduce that by a factor of 3, we have reduced the threat surface (which is directly proportional to the number of interfaces) by a factor of 3.
In addition the cost of the security countermeasures to mitigate interface vulnerabilities goes down linearly with the reduction in interfaces.
We can probably reduce the threat surface by more than 3 because of the human element and I imagine with a more detailed and quantitative threat model we may see 1 or more orders of magnitude reduction in costs and complexity because of interaction and various cascade attack effects.
Hope this helps
Danny
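As an added illustration, not code from the article, from Pathcare or from either commenter, the following Python model works through the interface-count argument made in the article’s list of four results and in the reply above: a translation-table lookup plus a file send plus a file receive for every exchange between providers that key records by different identifiers, versus a single transport for every exchange once they share one identifier. The provider names, the identifier schemes and the per-link breakdown are constructed assumptions taken from the reasoning on this page, not measured data; the model counts interfaces only and says nothing about how vulnerable each one is.

```python
"""Interface-count model for the patient-identifier argument.

Added illustration, not code from the article or from Pathcare. Provider
names, identifier schemes and the per-link interface breakdown are
assumptions lifted from the reasoning on the page, not measured data.
"""
from collections import Counter
from itertools import permutations


def interfaces_for_link(sender_scheme: str, receiver_scheme: str) -> list[str]:
    """Interfaces one directed exchange (sender -> receiver) needs.

    Different identifier schemes: the sender looks the patient up in a
    translation table (a database interface), writes a file (a transfer
    interface) and the receiver ingests it (another transfer interface).
    Same scheme: a single transport, e.g. secure copy socket to socket.
    """
    if sender_scheme == receiver_scheme:
        return ["transport"]
    return ["translation_table", "file_send", "file_receive"]


def count_interfaces(providers: dict[str, str]) -> Counter:
    """Count interfaces by kind for a fully connected set of providers.

    `providers` maps provider name -> identifier scheme it keys records by.
    Every ordered pair exchanges data, the worst case the page worries
    about (every system talking to every other system).
    """
    kinds: Counter = Counter()
    for sender, receiver in permutations(providers, 2):
        kinds.update(interfaces_for_link(providers[sender], providers[receiver]))
    return kinds


def translation_tables(providers: dict[str, str]) -> set[tuple[str, str]]:
    """Distinct (from_scheme, to_scheme) crosswalk tables that must exist.

    Each table holds both identifiers for every shared patient, so it is
    a data store to protect as well as an interface to secure.
    """
    tables: set[tuple[str, str]] = set()
    for sender, receiver in permutations(providers, 2):
        src, dst = providers[sender], providers[receiver]
        if src != dst:
            tables.add((src, dst))
    return tables


def threat_surface(providers: dict[str, str]) -> int:
    """The page's proxy: threat surface proportional to interface count."""
    return sum(count_interfaces(providers).values())


def with_national_id(providers: dict[str, str], scheme: str = "NATIONAL-ID") -> dict[str, str]:
    """Same providers, all keyed by one shared identifier scheme."""
    return {name: scheme for name in providers}


# Constructed sample: four providers, four proprietary identifier schemes.
SAMPLE_PROVIDERS = {
    "Mercy Hospital": "MRN",
    "Lee Family Practice": "SSN",
    "County Reference Lab": "LAB-ACCESSION",
    "Regional Clinic": "CLINIC-ID",
}


def compare(providers: dict[str, str] = SAMPLE_PROVIDERS) -> dict[str, int]:
    """Before/after interface and crosswalk-table counts, plus the ratio."""
    unified = with_national_id(providers)
    before = threat_surface(providers)
    after = threat_surface(unified)
    return {
        "interfaces_proprietary": before,
        "translation_tables_proprietary": len(translation_tables(providers)),
        "interfaces_national_id": after,
        "translation_tables_national_id": len(translation_tables(unified)),
        "reduction_factor": before // after if after else 0,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

For the constructed sample the model gives 36 interfaces and 12 crosswalk tables under proprietary identifiers against 12 interfaces and no crosswalk tables under a shared one, the factor of three the reply arrives at; mixing two providers that already share a scheme (say, both on SSN) drops only their own links to a single transport. Two caveats a practitioner would add: the model assumes every provider exchanges with every other and weights all interfaces equally, and a shared identifier concentrates risk in the remaining transport interfaces and in the identifier itself, which is the identity-theft concern the privacy advocates raise.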