Hi, I was chatting with a health care administrator at a conference who is charged with rolling out a telehealth (read: Skype) clinical program for patients to communicate with doctors.
He said he'd just met with a cool "cyber security" organization--if I understood correctly, it's part of the government (?)--and later with a senior person at a large, well-known insurance company. Both said that it's so easy to breach patient data (the government person bragged that he could do it in six minutes; probably true) that we are in a new era and that, given sufficient determination, almost any patient data can be owned. I got the impression that the insurance company is not trying very hard to protect patient data (even though HIPAA is supposed to protect this data). The health care administrator said that studies show that patients would rather get expedient care than protect their privacy if they have to choose. He said that we need to adjust to this lack of secure communication and go ahead with telehealth and not worry so much--patients don't even care! It's clear that he is listening to "experts" and doesn't know much about information security independently. I glimpsed a yawning abyss in which the private health information of hundreds of millions of people is in jeopardy because of clowns like this guy at large healthcare organizations across the country/world. It already is by neglect, but not yet by design.

I said:

1. What are your principles for securing patient data offline? What are the rights of the patient as a patient and as a person? Figure those out in writing and then work to encrypt data and secure patient privacy so that those rights and principles are upheld. Even if it's difficult and expensive to do it.

2. I said that asking patients to choose was a false choice--they deserve good medical care and to keep their medical information private. At the same time.

3. I said that it's not acceptable to lower the standards for patients (this would be tens of thousands of patients in his case alone) just because they don't understand the implications of sharing their personal data.
I said that he was in a position of great responsibility to protect patients and that he shouldn't give up without a fight. He was unconvinced--probably because it's cheaper and easier to ignore privacy concerns and he's under pressure to get the ball rolling. What would you say in this situation?

Thanks,
Katie

--
Kate Krauss
Executive Director
AIDS Policy Project
Tel 1.215.939.7852
www.AIDSPolicyProject.org
Facebook: www.Facebook.com/AIDSPolicyProject
Follow us on Twitter: @AIDSPol
Make a donation to the AIDS Policy Project! <https://aidspolicyproject.nationbuilder.com/donate>
I prefer to use encrypted email. My public key fingerprint is FD77 DC45 7406 292F 7AF8 2AC5 736F 783C A9E2 7E03. Learn how to encrypt your email with the Email Self Defense guide <https://emailselfdefense.fsf.org/en/>.
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
