[liberationtech] If patients don't care about their privacy, should doctors?

Tue Sep 23 18:15:53 PDT 2014

Hi,

I was chatting with a health care administrator at a conference who is
charged with rolling out a telehealth (read: Skype) clinical program for
patients to communicate with doctors.

He said he'd just met with a cool "cyber security" organization--if I
understood correctly, it's part of the government (?)---and later with a
senior person at a large, well-known insurance company. Both said that it's
so easy to breach patient data (the government person bragged that he could
do it in six minutes; probably true) that we are in a new era and that
given sufficient determination, almost any patient data can be owned. I got
the impression that the insurance company is not trying very hard to
protect patient data (even thought HIPAA is supposed to protect this data).

The health care administrator said that studies show that patients would
rather get expedient care than protect their privacy if they have to
choose. He said that we need to adjust to this lack of secure communication
and go ahead with telehealth and not worry so much--patients don't even
care! It's clear that he is listening to "experts" and doesn't know much
about information security independently.

I glimpsed a yawning abyss in which the private health information of
hundreds of millions of people is in jeopardy because of clowns like this
guy at large healthcare organizations across the country/world. It already
is by neglect, but not yet by design.

I said:

1. What are your principles for securing patient data offline? What are the
rights of the patient as a patient and as person? Figure those out in
writing and then work to encrypt data and secure patient privacy so that
those rights and principles are upheld. Even if it's difficult and
expensive to do it.

2. I said that asking patients to choose was a false choice--they deserve
good medical care and to keep their medical information private. At the
same time.

3. I said that it's not acceptable to lower the standards for patients
(this would be tens of thousands of patients in his case alone) just
because they don't understand the implications of sharing their personal
data. I said that he was in a position of great responsibility to protected
patients and that he shouldn't give up without a fight. He was
unconvinced--probably because it's cheaper and easier to ignore privacy
concerns and he's under pressure to get the ball rolling.

What would you say in this situation?

Thanks,

Katie

-- 
Kate Krauss
Executive Director
AIDS Policy Project
Tel 1.215.939.7852
www.AIDSPolicyProject.org
Facebook: www.Facebook.com/AIDSPolicyProject
Follow us on Twitter: @AIDSPol
Make a donation to the AIDS Policy Project!
<https://aidspolicyproject.nationbuilder.com/donate>

I prefer to use encrypted email. My public key fingerprint is
FD77 DC45 7406 292F 7AF8 2AC5 736F 783C A9E2 7E03.
Learn how to encrypt your email with the Email Self Defense guide
<https://emailselfdefense.fsf.org/en/>.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140923/5d35c4b7/attachment.html>