Correction: I misread an article about the 4.5 million people whose information was breached--it was their identity information (names, addresses, birthdays), not medical records.
On Wed, Sep 24, 2014 at 11:11 PM, Kate Krauss <[email protected]> wrote:
> Hi all,
>
> Thank you to Andrew, Dan, Brian and those who communicated off-list for
> your good ideas and analysis. Based on Brian's suggestion, I found a
> section on the EFF website on Medical Privacy:
> https://www.eff.org/issues/medical-privacy
>
> I also found a section of HIPAA regulations that mandates encryption and
> other (inadequate?) technical safeguards for protected health information:
> http://www.hipaasurvivalguide.com/hipaa-regulations/164-312.php
>
> Some states are passing laws on the breach of online information; my state
> has a law that requires companies that have major breaches to inform their
> customers.
>
> A national health system was breached last month and the medical records
> of 4.5 million people were stolen. Think about that for a moment.
> http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/
>
> It's unclear to me what the repercussions are to an organization that
> encrypts and is still hacked--it seems like the law is not settled in this
> area.
>
> But the ability of a patient to sue (for negligence?) seems like a
> promising incentive to spur health organizations to try to do the right
> thing--if not for the good of their patients, now and in the future.
>
> Not a lawyer, but feeling better informed,
>
> Katie
>
> ps: It's worth noting that the administrator I spoke to at the conference
> was indeed a doctor--a doctor dazzled by the cool "privacy is dead" folks
> he met at a cyber security agency and at a health insurance company--who
> seemed to be the experts.
>
> On Wed, Sep 24, 2014 at 3:26 AM, Brian Behlendorf <[email protected]> wrote:
>
>> On Tue, 23 Sep 2014, Kate Krauss wrote:
>>
>>> I was chatting with a health care administrator at a conference who is
>>> charged with rolling out a telehealth (read: Skype) clinical program for
>>> patients to communicate with doctors.
>>>
>> [...]
>>
>>> The health care administrator said that studies show that patients would
>>> rather get expedient care than protect their privacy if they have to choose.
>>>
>> [...]
>>
>>> I glimpsed a yawning abyss in which the private health information of
>>> hundreds of millions of people is in jeopardy because of clowns like this
>>> guy at large healthcare organizations across the country/world. It already
>>> is by neglect, but not yet by design.
>>>
>>
>> Usually the "privacy is dead" types are financially incented to believe
>> this due to ownership stakes in the surveillance industry, by which I also
>> include social media companies. I hope this person never comes down with a
>> venereal disease (especially one their partner didn't have), or a future
>> employer doesn't discover how expensive they'll be for the corporate health
>> plan. And in particular in your domain, AIDS policy work, there was a time
>> when not only was it ignored as a disease at all, but those fighting for it
>> to be recognized as a national health emergency were at risk of being
>> shamed or outed against their will.
>>
>> What's even more worrisome are comments like Larry Page's that 100k lives
>> could be saved if only Google could analyze everyone's health data:
>>
>> http://patientprivacyrights.org/2014/06/googles-larry-page-wants-save-100000-lives-analyzing-healthcare-data/
>>
>> I'm a believer in the idea of using data to gain insights (if researchers
>> can adequately correct for cognitive biases, which few can) but the risk of
>> re-identification or spilling of confidential information is still too damn
>> high for most. I suspect this is why Google struggled with their
>> personal-health-record platform, Google Health, because few people were
>> motivated to turn their patient records over to a company whose business
>> model is advertising. Microsoft seems to be having more success with
>> HealthVault, which is encouraging.
>>
>> Fortunately in the brief moment I spent focused on healthcare
>> (co-designing and launching HHS's "Direct Project" effort for
>> health-records-sharing over SMTP/TLS), I got the sense that this view is
>> not prevalent, that most practitioners understand the value of privacy, and
>> that if it's come at the cost of progress in health IT and easy transfer of
>> records between doctors and clinics, it's hard to say it's not been worth
>> it. Celebrity nude photos are one thing; celebrity (or non-) HIV test
>> results something completely else. Encryption at rest and in transit,
>> ensuring that patient records are only shared with the patients themselves
>> or licensed physicians, proper de-identification - those have not been
>> constraints on setting up effective health IT systems or sharing between
>> doctors and patients. It's more the legacy of broken systems and
>> silo-based thinking, compounded by the modern sense that "data is the new
>> oil" and therefore should be hoarded rather than shared. But those are
>> afflictions less of the practitioners and more of the health IT software
>> vendors themselves.
>>
>> I said:
>>>
>>> 1. What are your principles for securing patient data offline? What are
>>> the rights of the patient as a patient and as person? Figure those out in
>>> writing and then work to encrypt data and secure patient privacy so that
>>> those rights and principles are upheld. Even if it's difficult and
>>> expensive to do it.
>>>
>>> 2. I said that asking patients to choose was a false choice--they
>>> deserve good medical care and to keep their medical information private. At
>>> the same time.
>>>
>>> 3. I said that it's not acceptable to lower the standards for patients
>>> (this would be tens of thousands of patients in his case alone) just
>>> because they don't understand the implications of sharing their personal
>>> data. I said that he was in a position of great responsibility to protect
>>> patients and that he shouldn't give up without a fight. He was
>>> unconvinced--probably because it's cheaper and easier to ignore privacy
>>> concerns and he's under pressure to get the ball rolling.
>>>
>>> What would you say in this situation?
>>>
>>
>> If I'd had half the clarity as you did in saying what you said I would
>> have considered myself lucky. That was great. I suspect this
>> "administrator" wasn't actually a doctor bound to the Hippocratic oath
>> earlier in their career, but should have been. But absent the oath, I
>> might remind them of their duties under HIPAA and if you have skin in this
>> game you might want to talk to someone at HHS to look into this
>> administrator's operations. Perhaps he was scared by the paranoia-inducing
>> "security researchers" at this conference, but such warnings are just a
>> reminder to do his job, not abdicate responsibility for them.
>>
>> More specifically, compromising Skype at this point is a feature of
>> commercially-available products used by despotic regimes to surveil
>> activists in countries like Egypt, and likely has come down market to
>> organized crime at the very least. I don't know if that means the
>> encryption used in Skype would fail to be HIPAA-compliant - all encryption
>> schemes are breakable given enough horsepower - but the administrator may
>> want to consider the PR implications of a remote consultation between one
>> of their doctors and a celebrity getting posted to 4Chan. Tunnelling a
>> WebRTC-based conferencing like BigBlueButton over a VPN (maybe it supports
>> SSL natively now?) or using Jitsi or another similar trustworthy tool may
>> be a way to reduce that risk.
>>
>> Keep fighting the good fight on this.
>>
>> Brian
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator
>> at [email protected].
