[liberationtech] If patients don't care about their privacy, should doctors?

[Kate Krauss]

Correction: I misread an article about the 4.5 million people whose
information was breached--it was their identity information, (names,
addresses, birthdays) not medical records.

On Wed, Sep 24, 2014 at 11:11 PM, Kate Krauss <katie at critpath.org> wrote:

> Hi all,
>
> Thank you to Andrew, Dan, Brian and those who communicated off-list for
> your good ideas and analysis. Based on Brian's suggestion, I found a
> section on the EFF website on Medical Privacy:
> https://www.eff.org/issues/medical-privacy
>
> I also found a section of HIPAA regulations that mandates encryption and
> other (inadequate?) technical safeguards for protected health information:
> http://www.hipaasurvivalguide.com/hipaa-regulations/164-312.php
>
> Some states are passing laws on the breach of online information; my state
> has a law that requires companies that have major breaches to inform their
> customers.
>
> A national health system was breached last month and the medical records
> of 4.5 million people were stolen. Think about that for a moment.
> http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/
>
> It's unclear to me what the repercussions are to an organization that
> encrypts and is still hacked--it seems like the law is not settled in this
> area.
>
> But the ability of a patient to sue (for negligence?) seems like a
> promising incentive to spur health organizations to try to do the right
> thing--if not for the good of their patients, now and in the future.
>
> Not a lawyer, but feeling better informed,
>
> Katie
>
> ps: It's worth noting that the administrator I spoke to at the conference
> was indeed a doctor--a doctor dazzled by the cool "privacy is dead" folks
> he met at a cyber security agency and at a health insurance company--who
> seemed to be the experts.
>
> On Wed, Sep 24, 2014 at 3:26 AM, Brian Behlendorf <brian at behlendorf.com>
> wrote:
>
>> On Tue, 23 Sep 2014, Kate Krauss wrote:
>>
>>> I was chatting with a health care administrator at a conference who is
>>> charged with rolling out a telehealth (read: Skype) clinical program for
>>> patients to communicate with doctors.
>>>
>> [...]
>>
>>> The health care administrator said that studies show that patients would
>>> rather get expedient care than protect their privacy if they have to choose.
>>>
>> [...]
>>
>>> I glimpsed a yawning abyss in which the private health information of
>>> hundreds of millions of people is in jeopardy because of clowns like this
>>> guy at large healthcare organizations across the country/world. It already
>>> is by neglect, but not yet by design.
>>>
>>
>> Usually the "privacy is dead" types are financially incented to believe
>> this due to ownership stakes in the surveillance industry, by which I also
>> include social media companies.  I hope this person never comes down with a
>> venereal disease (especially one their partner didn't have), or a future
>> employer doesn't discover how expensive they'll be for the corporate health
>> plan.  And in particular in your domain, AIDS policy work, there was a time
>> when not only was it ignored as a disease at all, but those fighting for it
>> to be recognized as a national health emergency were at risk of being
>> shamed or outed against their will.
>>
>> What's even more worrisome are comments like Larry Page's that 100k lives
>> could be saved if only Google could analyze everyone's health data:
>>
>> http://patientprivacyrights.org/2014/06/googles-larry-
>> page-wants-save-100000-lives-analyzing-healthcare-data/
>>
>> I'm a believer in the idea of using data to gain insights (if researchers
>> can adequately correct for cognitive biases, which few can) but the risk of
>> re-identificaton or spilling of confidential information is still too damn
>> high for most.  I suspect this is why Google struggled with their
>> personal-health-record platform, Google Health, because few people were
>> motivated to turn their patient records over to a company whose business
>> model is advertising.  Microsoft seems to be having more success with
>> HealthVault, which is encouraging.
>>
>> Fortunately in the brief moment I spent focused on healthcare
>> (co-designing and launching HHS's "Direct Project" effort for
>> health-records-sharing over SMTP/TLS), I got the sense that this view is
>> not prevalent, that most practitioners understand the value of privacy, and
>> that if it's come at the cost of progress in health IT and easy transfer of
>> records between doctors and clinics, it's hard to say it's not been worth
>> it.  Celebrity nude photos are one thing; celebrity (or non-) HIV test
>> results something completely else.  Encryption at rest and in transit,
>> ensuring that patient records are only shared with the patients themselves
>> or licensed physicians, proper de-identification - those have not been
>> constraints on setting up effective health IT systems or sharing between
>> doctors and patients.  It's more the legacy of broken systems and
>> silo-based thinking, compounded by the modern sense that "data is the new
>> oil" and therefore should be hoarded rather than shared.  But those are
>> afflictions less of the practitioners and more of the health IT software
>> vendors themselves.
>>
>>  I said:
>>>
>>> 1. What are your principles for securing patient data offline? What are
>>> the rights of the patient as a patient and as person? Figure those out in
>>> writing and then work to encrypt data and secure patient privacy so that
>>> those rights and principles are upheld. Even if it's difficult and
>>> expensive to do it.
>>>
>>> 2. I said that asking patients to choose was a false choice--they
>>> deserve good medical care and to keep their medical information private. At
>>> the same time.
>>>
>>> 3. I said that it's not acceptable to lower the standards for patients
>>> (this would be tens of thousands of patients in his case alone) just
>>> because they don't understand the implications of sharing their personal
>>> data. I said that he was in a position of great responsibility to protected
>>> patients and that he shouldn't give up without a fight. He was
>>> unconvinced--probably because it's cheaper and easier to ignore privacy
>>> concerns and he's under pressure to get the ball rolling.
>>>
>>> What would you say in this situation?
>>>
>>
>> If I'd had half the clarity as you did in saying what you said I would
>> have considered myself lucky.  That was great.  I suspect this
>> "administrator" wasn't actually a doctor bound to the Hippocratic oath
>> earlier in their career, but should have been.  But absent the oath, I
>> might remind them of their duties under HIPAA and if you have skin in this
>> game you might want to talk to someone at HHS to look into this
>> administrator's operations.  Perhaps he was scared by the paranoia-inducing
>> "security researchers" at this conference, but such warnings are just a
>> reminder to do his job, not abdicate responsibility for them.
>>
>> More specifically, compromising Skype at this point is a feature of
>> commercially-available products used by despotic regimes to surveil
>> activists in countries like Egypt, and likely has come down market to
>> organized crime at the very least.  I don't know if that means the
>> encryption used in Skype would fail to be HIPAA-compliant - all encryption
>> schemes are breakable given enough horsepower - but the administrator may
>> want to consider the PR implications of a remote consultation between one
>> of their doctors and a celebrity getting posted to 4Chan.  Tunnelling a
>> WebRTC-based conferencing like BigBlueButton over a VPN (maybe it supports
>> SSL natively now?) or using Jitsi or another similar trustworthy tool may
>> be a way to reduce that risk.
>>
>> Keep fighting the good fight on this.
>>
>> Brian
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated: https://mailman.stanford.edu/
>> mailman/listinfo/liberationtech. Unsubscribe, change to digest, or
>> change password by emailing moderator at companys at stanford.edu.
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140924/d096839e/attachment.html>