[liberationtech] If patients don't care about their privacy, should doctors?

Wed Sep 24 20:11:40 PDT 2014

Hi all,

Thank you to Andrew, Dan, Brian and those who communicated off-list for
your good ideas and analysis. Based on Brian's suggestion, I found a
section on the EFF website on Medical Privacy:
https://www.eff.org/issues/medical-privacy

I also found a section of HIPAA regulations that mandates encryption and
other (inadequate?) technical safeguards for protected health information:
http://www.hipaasurvivalguide.com/hipaa-regulations/164-312.php

Some states are passing laws on the breach of online information; my state
has a law that requires companies that have major breaches to inform their
customers.

A national health system was breached last month and the medical records of
4.5 million people were stolen. Think about that for a moment.
http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/

It's unclear to me what the repercussions are to an organization that
encrypts and is still hacked--it seems like the law is not settled in this
area.

But the ability of a patient to sue (for negligence?) seems like a
promising incentive to spur health organizations to try to do the right
thing--if not for the good of their patients, now and in the future.

Not a lawyer, but feeling better informed,

Katie

ps: It's worth noting that the administrator I spoke to at the conference
was indeed a doctor--a doctor dazzled by the cool "privacy is dead" folks
he met at a cyber security agency and at a health insurance company--who
seemed to be the experts.

On Wed, Sep 24, 2014 at 3:26 AM, Brian Behlendorf <brian at behlendorf.com>
wrote:

> On Tue, 23 Sep 2014, Kate Krauss wrote:
>
>> I was chatting with a health care administrator at a conference who is
>> charged with rolling out a telehealth (read: Skype) clinical program for
>> patients to communicate with doctors.
>>
> [...]
>
>> The health care administrator said that studies show that patients would
>> rather get expedient care than protect their privacy if they have to choose.
>>
> [...]
>
>> I glimpsed a yawning abyss in which the private health information of
>> hundreds of millions of people is in jeopardy because of clowns like this
>> guy at large healthcare organizations across the country/world. It already
>> is by neglect, but not yet by design.
>>
>
> Usually the "privacy is dead" types are financially incented to believe
> this due to ownership stakes in the surveillance industry, by which I also
> include social media companies.  I hope this person never comes down with a
> venereal disease (especially one their partner didn't have), or a future
> employer doesn't discover how expensive they'll be for the corporate health
> plan.  And in particular in your domain, AIDS policy work, there was a time
> when not only was it ignored as a disease at all, but those fighting for it
> to be recognized as a national health emergency were at risk of being
> shamed or outed against their will.
>
> What's even more worrisome are comments like Larry Page's that 100k lives
> could be saved if only Google could analyze everyone's health data:
>
> http://patientprivacyrights.org/2014/06/googles-larry-
> page-wants-save-100000-lives-analyzing-healthcare-data/
>
> I'm a believer in the idea of using data to gain insights (if researchers
> can adequately correct for cognitive biases, which few can) but the risk of
> re-identificaton or spilling of confidential information is still too damn
> high for most.  I suspect this is why Google struggled with their
> personal-health-record platform, Google Health, because few people were
> motivated to turn their patient records over to a company whose business
> model is advertising.  Microsoft seems to be having more success with
> HealthVault, which is encouraging.
>
> Fortunately in the brief moment I spent focused on healthcare
> (co-designing and launching HHS's "Direct Project" effort for
> health-records-sharing over SMTP/TLS), I got the sense that this view is
> not prevalent, that most practitioners understand the value of privacy, and
> that if it's come at the cost of progress in health IT and easy transfer of
> records between doctors and clinics, it's hard to say it's not been worth
> it.  Celebrity nude photos are one thing; celebrity (or non-) HIV test
> results something completely else.  Encryption at rest and in transit,
> ensuring that patient records are only shared with the patients themselves
> or licensed physicians, proper de-identification - those have not been
> constraints on setting up effective health IT systems or sharing between
> doctors and patients.  It's more the legacy of broken systems and
> silo-based thinking, compounded by the modern sense that "data is the new
> oil" and therefore should be hoarded rather than shared.  But those are
> afflictions less of the practitioners and more of the health IT software
> vendors themselves.
>
>  I said:
>>
>> 1. What are your principles for securing patient data offline? What are
>> the rights of the patient as a patient and as person? Figure those out in
>> writing and then work to encrypt data and secure patient privacy so that
>> those rights and principles are upheld. Even if it's difficult and
>> expensive to do it.
>>
>> 2. I said that asking patients to choose was a false choice--they deserve
>> good medical care and to keep their medical information private. At the
>> same time.
>>
>> 3. I said that it's not acceptable to lower the standards for patients
>> (this would be tens of thousands of patients in his case alone) just
>> because they don't understand the implications of sharing their personal
>> data. I said that he was in a position of great responsibility to protected
>> patients and that he shouldn't give up without a fight. He was
>> unconvinced--probably because it's cheaper and easier to ignore privacy
>> concerns and he's under pressure to get the ball rolling.
>>
>> What would you say in this situation?
>>
>
> If I'd had half the clarity as you did in saying what you said I would
> have considered myself lucky.  That was great.  I suspect this
> "administrator" wasn't actually a doctor bound to the Hippocratic oath
> earlier in their career, but should have been.  But absent the oath, I
> might remind them of their duties under HIPAA and if you have skin in this
> game you might want to talk to someone at HHS to look into this
> administrator's operations.  Perhaps he was scared by the paranoia-inducing
> "security researchers" at this conference, but such warnings are just a
> reminder to do his job, not abdicate responsibility for them.
>
> More specifically, compromising Skype at this point is a feature of
> commercially-available products used by despotic regimes to surveil
> activists in countries like Egypt, and likely has come down market to
> organized crime at the very least.  I don't know if that means the
> encryption used in Skype would fail to be HIPAA-compliant - all encryption
> schemes are breakable given enough horsepower - but the administrator may
> want to consider the PR implications of a remote consultation between one
> of their doctors and a celebrity getting posted to 4Chan.  Tunnelling a
> WebRTC-based conferencing like BigBlueButton over a VPN (maybe it supports
> SSL natively now?) or using Jitsi or another similar trustworthy tool may
> be a way to reduce that risk.
>
> Keep fighting the good fight on this.
>
> Brian
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated: https://mailman.stanford.edu/
> mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change
> password by emailing moderator at companys at stanford.edu.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140924/1fa8b087/attachment.html>