
Americans Trust Docs, But Not Computerized Records

timothy posted more than 3 years ago | from the and-scarcely-themselves dept.

Privacy 162

Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."


162 comments


Not unfounded. (2)

Kenja (541830) | more than 3 years ago | (#35238130)

People notice when their filing cabinet goes missing; they are less likely to notice the theft of digital records. This does make it more likely that employees etc. will abscond with the data.

Re:Not unfounded. (1)

MozeeToby (1163751) | more than 3 years ago | (#35238222)

Couldn't you find ways around the problems? Encrypt the data and store it to a central DB, only the patient keeps a record of his encryption key and allow him to request a new key at any time. Maybe set it up with expiring keys to allow a doctor access for a limited period of time after he sees the patient. Obviously this kind of scheme would restrict access but it would also make bulk exportation of the raw data difficult or impossible.

Of course, there will always be holes in such a set up, but the same can be said of filing your tax returns, storing paper records of your medical files, and any number of other things we do regularly that are at least as important to keep private as medical records are.

Re:Not unfounded. (2)

Korin43 (881732) | more than 3 years ago | (#35238358)

But that would be hard.

Re:Not unfounded. (1)

0123456 (636235) | more than 3 years ago | (#35238544)

> Couldn't you find ways around the problems? Encrypt the data and store it to a central DB

Why would you put it in a central database when you could just carry it around with you (and back up as required to wherever you chose)?

Re:Not unfounded. (2)

MozeeToby (1163751) | more than 3 years ago | (#35238654)

> Why would you put it in a central database when you could just carry it around with you (and back up as required to wherever you chose)?

Sure, fine, whatever. My point was that while the security and privacy concerns are certainly warranted, they can relatively easily be guarded against using standard, commodity software and hardware solutions. It isn't as though keeping information from falling into unauthorized people's hands is a problem that has never been encountered before in computer science.

And to more directly answer your question, you might want it in a central DB so that if you're on vacation and end up in the hospital the doctor there can access your records and find out that you're allergic to such-and-such drugs, have a history of this-and-that disease, and here's what your blood pressure was when you went in for your physical 6 months ago. Personally, if it were properly secured, I would prefer the information be accessible from anywhere with an internet connection so long as I or someone I trust with it supplies you with the key.

Re:Not unfounded. (1)

Ltap (1572175) | more than 3 years ago | (#35240522)

This is a beautiful, simple solution. It's a pity it'll never be properly implemented.

Most people are just too stupid to figure out how encryption works or to try to understand why they need it. Even if they use it daily (say, as a part of their job) they will likely neglect it, passing off encryption keys to anyone and everyone. Furthermore, due to the fact that insurance companies and employers love to spy on people's medical records, they would almost certainly be given access in some way, allowing the records to be compromised by an outside source without the control of the patient. Furthermore, in many jurisdictions patient records are defined as the property of the doctor, not the patient, so it would really be doctors controlling the system rather than individual patients. Finally, many doctors are simply too arrogant due to their high-status job to puzzle out even the simplest computerized system; and if they don't screw up, clerks (as the people who will update the database) will. Even a beautiful system like yours would be hacked up, trodden on, and would have all of its secrecy compromised and destroyed. Think again.

Re:Not unfounded. (1)

cayenne8 (626475) | more than 3 years ago | (#35240604)

I'm currently trying to help a Dr. with some of this and HIPAA needs. The problem I'm trying to solve is...he is a radiologist...and needs to send securely...reports on patients AND images. I'd looked at a service like ZSentry for easy encrypted email...on both ends...but the service doesn't allow files as big as need to be sent.

I'd looked into maybe setting up some kind of PGP setup for him...but it would be tough to get every dr he might do business with...to get them to set up PGP, generate keys...and set up whatever email client they use......

I was trying to maybe come up with him a web server...that other drs could link to securely...etc....but I need a quick-term solution till I can set something up like that and integrate it with the system he currently has with telerad..etc...and have to make it easy for a non-tech Dr to use.

Any ideas out there?

Re:Not unfounded. (2)

Z34107 (925136) | more than 3 years ago | (#35240746)

What you want is a PACS [wikipedia.org]. These are generally expensive. I can't recommend any specific vendors, but you want to be very careful with HIPAA. They're also FDA regulated, so you also want to be careful about hacking anything together that could be functionally confused with a PACS.

That said, I'd be really surprised if a radiology clinic didn't already have one (that "telerad" you alluded to?). I'd call up the vendor and ask what they can do; any modern system will speak DICOM [wikipedia.org], and a lot (if not most) of them can grab images from outside the facility.

Re:Not unfounded. (1)

demonlapin (527802) | more than 3 years ago | (#35240878)

It's not cheap, but using some Citrix product as your Web interface to any decent PACS system should provide a secure interaction. My hospital uses Citrix clients as the primary means of offsite access. If you want the remote site to be able to download, you'll probably need a VPN, as well as a better (and more expensive) PACS system. I'm not a radiologist, but Philips' iSite is the easiest one I've ever used. And it easily exports to DICOM.

Re:Not unfounded. (2)

khallow (566160) | more than 3 years ago | (#35239066)

> only the patient keeps a record of his encryption key and allow him to request a new key at any time

And what happens if the patient can't provide the key, say because they are unconscious and dying? At the least, there would have to be a somewhat centralized authority (that is, someone who is guaranteed to be there, not just a next of kin) with the power to provide a suitable key.

Re:Not unfounded. (1)

iluvcapra (782887) | more than 3 years ago | (#35239136)

It doesn't have to be a centralized authority; in this case the patient's general practitioner would hold a copy of the key and release it in such a circumstance according to the terms of a legal advance directive, like a limited power of attorney or living will. You just need a central repository of the encrypted data, and a directory service to help an ER find the patient's GP or kin, allow the keyholder to validate the patient's unconscious condition, or that their condition meets the terms of the directive, and then release the records.

If the patient is dying on the table and the communication with the referent of the "security directive" or whatever isn't available, they just have to proceed without records for the time being. Happens all the time.

Re:Not unfounded. (1)

khallow (566160) | more than 3 years ago | (#35239450)

> It doesn't have to be centralized authority, in this case the patient's general practitioner would hold a copy of the key

Who actually holds the key? The general practitioner can have an accident or medical emergency of their own. The key has to be reliably obtainable.

The scheme is workable, I think, but I think it's worth noting that no matter how it's implemented, there will be a number of people with access to that key ("access" not being the same thing as copying a zillion records for fun and profit). Because otherwise, the doctors treating a patient might not have access to the key.
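The requirement khallow raises, that the key be reliably obtainable without any single holder (patient, GP, or a central authority) being a single point of failure, is exactly what a threshold split provides. The following is an added example and not code from anyone in this thread: the patient's record key is split 2-of-3 across patient, GP and next of kin with Shamir secret sharing over a prime field, plus a public check value so an ER can confirm it recovered the right key. The scenario and the holders are constructed assumptions.

```python
import hashlib
import secrets

# Mersenne prime 2**521 - 1: every 256-bit key is a single field element.
PRIME = (1 << 521) - 1
KEY_LEN = 32  # bytes


def key_check(key):
    """Public commitment the patient can publish so a recovered key can be verified."""
    return hashlib.sha256(b"record-key-check:" + key).hexdigest()[:16]


def split_key(key, holders, threshold):
    """Shamir split: `holders` shares, any `threshold` of which rebuild the key."""
    secret = int.from_bytes(key, "big")
    if not (0 < threshold <= holders) or secret >= PRIME:
        raise ValueError("bad threshold or key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_key(shares, check):
    """Lagrange interpolation at x=0; refuses a result that fails the public check."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 1 << (8 * KEY_LEN):
        raise ValueError("shares are insufficient or corrupt")
    key = secret.to_bytes(KEY_LEN, "big")
    if key_check(key) != check:
        raise ValueError("shares are insufficient or corrupt")
    return key


def can_recover(shares, check):
    """True only when the given shares reproduce a key matching the check value."""
    try:
        recover_key(shares, check)
        return True
    except ValueError:
        return False


def demo():
    # Constructed scenario: patient, GP and next of kin each hold one share of a 2-of-3 split.
    key = secrets.token_bytes(KEY_LEN)
    check = key_check(key)
    patient_share, gp_share, kin_share = split_key(key, holders=3, threshold=2)
    # Unconscious patient: the ER obtains the GP's and the kin's shares and recovers the key.
    er_ok = recover_key([gp_share, kin_share], check) == key
    # A single holder (or a single stolen share) learns nothing usable on its own.
    return er_ok and not can_recover([gp_share], check)
```

The check value only confirms the right key came out; who may hand over a share, and under which directive, is the policy layer the thread describes and is not encoded here.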

Re:Not unfounded. (4, Informative)

kullnd (760403) | more than 3 years ago | (#35239102)

It would not be possible to do this... A healthcare org has to refer to the patient records long after your visit is over. In a hospital, there is generally reporting that takes place which requires extensive reviews and audits of the care given, and a lot of these audits can take place nearly half a year after you were seen. There is also the fact that after your visit, the record will be reviewed for medical coding, which is how you, your insurance, and/or the gov't are billed for the care that you were given. The idea that when you leave, your record is locked, is just not realistic. I can also say that the latest push by the federal government, with these EHR incentives, is pretty much going to do the opposite of what you are asking for.

I have seen medical practices on both ends of the security fence, and it is sad... I've been in practices that I would never, ever, visit as a patient because I have no faith in how things are run there from an IT security viewpoint... At the same time, I have worked with other organizations that do take security very seriously, and do everything possible to ensure that all data is kept private... The thing that really sucks is that you really have no way of knowing what type of office you are visiting until you see the report that your record has been leaked.

Someone else posted in here that most practices are afraid of HIPAA and will do anything to keep things safe... Unfortunately I have seen a lot of practices that couldn't give a crap about HIPAA and won't listen to any reasons as to why they should not run bittorrent on their office computer. The bottom line is that until HIPAA and HITECH start producing more results, busting more practices, and making everyone aware that they do have teeth, this is going to continue to be a problem. HIPAA has been around for a long time, but until HITECH came around it was a joke, and only enforced in the worst of scenarios. I still think that both of the policies are too loose, and enforcement on those policies today is still largely reactive, when it's too late.

Re:Never visit because of IT (1)

TaoPhoenix (980487) | more than 3 years ago | (#35239208)

There may be weird cases where you evaluate the only 4 network providers within 40 miles of you, and 3 have good IT and sloppy care, and the last one has good care and sloppy IT. Med is a weird profession, I'd grudgingly take the good care with bad IT in a pinch.

Re:Not unfounded. (0)

Anonymous Coward | more than 3 years ago | (#35238328)

That's because Copying is not Theft. Isn't that the argument used by most digital piracy apologists?

Re:Not unfounded. (1)

maxwell demon (590494) | more than 3 years ago | (#35238484)

Exactly. If someone photographed the contents of your filing cabinet, you'd be more likely to not notice it than if someone stole them. That's because the photograph is a copy. The original is still there. If someone stole your filing cabinet, you'd notice as soon as you wanted to look up something.

Re:Not unfounded. (1)

demonlapin (527802) | more than 3 years ago | (#35240890)

Photographing the entire contents of a filing cabinet takes a long time. It's silly to make obscurity your only security, but it's always a nice part of a balanced system.

Re:Not unfounded. (1)

Bobakitoo (1814374) | more than 3 years ago | (#35238496)

Please stop with that silly, and offtopic, argument.

Medical records are not meant to be public information. In order to "steal" data, it must have been kept locked in the first place. They also have no legitimate use outside of the patient-doctor relationship.

And the saying is "copyright infringement is not theft", not "copying".

Re:Not unfounded. (1)

cheekyjohnson (1873388) | more than 3 years ago | (#35239010)

It isn't theft. It's copying (or copyright infringement, depending on the situation). He just used the wrong term for it. It does, however, endanger someone's privacy.

Re:Not unfounded. (1)

Foobar of Borg (690622) | more than 3 years ago | (#35239870)

> That's because Copying is not Theft. Isn't that the argument used by most digital piracy apologists?

Copying is not theft. Copying medical data, however, does violate doctor-patient confidentiality. Copying other personal information can lead to actual theft, such as through fraud (stupidly referred to as "identity theft").

Re:Not unfounded. (1)

icebraining (1313345) | more than 3 years ago | (#35240202)

I agree. The crime is breaking into the {computer, filing cabinet} to access them in order to copy them.

Re:Not unfounded. (3, Insightful)

Stregano (1285764) | more than 3 years ago | (#35239518)

It depends on what you are diagnosed with or what doctor you go to. If you have a medical marijuana card, you do not want hard copies. Many dispensaries get raided, and then the feds have your information and you get marked as a pothead. If they are digital, if there is a raid, most professional places have ways of handling digital documents properly. Something like that would be an instance where I don't want the feds to have my records. And shut your lips, I have a condition I am getting treated for and need a way to get rid of the pain. You are not my doctor, Mr. Judgy McJudgy Pants.

Re:Not unfounded. (0)

Anonymous Coward | more than 3 years ago | (#35239734)

So you are afraid the "feds" might find out you smoke a lot of pot in an effort to self medicate, but you don't mind telling all of slashdot? Further, your attitude seems to suggest that you think Marijuana should be legal, and yet, you are afraid of people finding out you use it?

What you need isn't privacy, it's a lack of hypocrisy.

Not Too Surprising (3, Insightful)

BJ_Covert_Action (1499847) | more than 3 years ago | (#35238144)

It seems like most of us Americans are also content to trust our eternal souls and moral decisions to an imaginary sky fairy with an epic beard.

But on a more serious, and less inflammatory note, this probably has to do with the very high incidence rate of folks in the U.S. getting their financial accounts cracked. Anyone who has had to frack about with their bank or credit agency regarding X many thousands of dollars being debited from their account due to some mysterious "hacker" that stole their identity is probably pretty suspicious of putting any important personal data on the internet period.

Re:Not Too Surprising (2)

|TheMAN (100428) | more than 3 years ago | (#35239772)

Considering how EHRs are going to be required in the near future, I'm not surprised that hospitals/doctors are still getting dragged kicking and screaming into the 21st century.

HL7 was created in 1988, and over 20 years later, it still has very little penetration in the US. I had friends ask their acquaintances working at hospital IT departments, and many don't even know what HL7 is! Part of this is the government's fault (lack of incentives unlike European countries), but most of this is due to the lack of understanding and technophobia.

The other problem is HL7 is epically hard to learn. There's a major shortage of trained/certified people to help hospitals deploy this right now. I'm trying to learn some of this so I can take on a job in Tokyo (part of getting my work visa approved involves understanding HL7). But with the lack of free resources or books, it appears to be a feat that requires divine intervention.

Re:Not Too Surprising (2)

demonlapin (527802) | more than 3 years ago | (#35240942)

> lack of understanding and technophobia

No, it's not technophobia. I'm a technophilic physician, and I know a lot of technophilic physicians, so I may be able to help you understand.

EHRs really cover several different areas. Some areas clearly benefit from computerization; lab reporting is so clearly better done via computer than phone that it makes no sense not to. Having radiology studies available for review outside the radiology department is of significant benefit. Having transcriptions of dictated reports available is tremendously useful.

Some areas are somewhat suspect. For example, nurses now often have to perform their hospital admission documentation on a computer. This is somewhat slower than using a handwritten method, and so nurses tend to dislike it - they are now doing data entry that is of only marginal benefit to them; the primary benefit is to the physician. Nonetheless, because a nurse will probably spend 20 minutes doing that admission work, the login/logout process is not usually painful (vital sign checks, on the other hand, are incredibly tedious on computer).

Finally, there are areas where the benefit is fairly small by comparison to the cost. From a doctor's perspective, a brief note in the chart is a trivially easy way to make a small update on a patient's status or convey an important point to consultants - much faster than finding a computer, logging in, waiting for Windows to load (the VA, for example, does not have generic logins to Windows - in addition to logging into the EHR, you have to log into Windows to be able to access the EHR), loading the EHR software, logging into it, and then finding the appropriate spot to enter a note. You can't flip back and forth between two pages in an EHR, the way you can with a paper chart.

With too many EHRs, doctors become data entry clerks for the hospital and insurance companies, and we don't like doing that. People are naturally resistant to changing how they do things if they bear all the cost while someone else reaps all the benefit.

Re:Not Too Surprising (0)

Anonymous Coward | more than 3 years ago | (#35239840)

> It seems like most of us Americans are also content to trust our eternal souls and moral decisions to an imaginary sky fairy with an epic beard.

Because clearly any topic is really about your hatred of religious people. "People are worried about the security of their health records! Bloody Christians!" "Apple's about to release a new MacBook! Bloody Christians!" "It's raining! Bloody Christians!" "Everybody thinks you're an irrationally obsessive bigot! Bloody Christians!"

Re:Not Too Surprising (0)

Anonymous Coward | more than 3 years ago | (#35239876)

cool story bro

Re:Not Too Surprising (1)

Exclamation mark! (1961328) | more than 3 years ago | (#35240010)

And yet they put up all sorts of things on Facebook... go figure...

Huh? (2)

thenickdude (1481249) | more than 3 years ago | (#35238180)

"30% and 34% of doctors lack basic anti-virus software and network firewalls" ... what? How is this legal?

Re:Huh? (1)

Anonymous Coward | more than 3 years ago | (#35238380)

No one said anything about legal. Lots of stuff that is illegal goes on around you today; you're probably guilty of at least a few crimes today if we go by the book.

Speaking from the viewpoint of someone who deals daily with HIPAA and several other standards, I can tell you that it really is a bitch to try to keep all your ducks in a row.

Re:Huh? (1)

modmans2ndcoming (929661) | more than 3 years ago | (#35238744)

It's not legal.

HIPAA and HITECH make such a lack of security illegal on systems that hold patient data.

Re:Huh? (0)

jmorris42 (1458) | more than 3 years ago | (#35238804)

> How is this legal?

Because HIPAA was intended to provide the appearance of security without actually doing much of anything that would cause actual pain to the medical industry. Sure, doctors and nurses are forced to jump through hoops, all part of the security theater. Had they been serious, one of the first requirements would have been to ban Windows from touching patient data if there was any possible point of connection between any machine on the same network and the Internet. Because Windows itself still admits in its EULA that it is not intended for any work requiring a high level of safety. It was designed as a desktop single-user OS and after several rewrites (that had to keep backward compatibility intact) is still crippled.

But requiring all medical information systems to run on Trusted Solaris, Trusted AIX, etc. would have been painful in the extreme, requiring a rip and replace since pretty much 100% of the industry was on Windows-based vertical apps at the time HIPAA passed. So they went for security theater, just like the TSA did.

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#35239932)

If you take your time, you will read that, "Although fewer than 10% of physicians now use full EHRs [computerworld.com]" and "CDW Healthcare said that a recent survey it performed found that 30% of doctors lack basic anti-virus software and 34% do not have network firewalls in place."

The important questions would seem to be:
  1) where do the 3 sets listed above intersect?
  2) why should anyone care if your primary care physician is trustworthy in this regard when she isn't the one who manages her network security or EHR compliance?

Quite a conundrum... (2, Interesting)

Rooked_One (591287) | more than 3 years ago | (#35238192)

You will always have uneducated and educated people. And you will have educated people who aren't computer savvy. This means you will end up with a percentage (probably based on region - I feel sorry for people in the midwest) of doctors whose offices are completely insecure and all it would take is a patient walking in with the appropriate thumb drive at the appropriate time.

BAM! Access to the doctor's office is now at hand and anyone's records can be had.

Very few people who would do this sort of activity in other situations are doing it for fun. I can only think doing this to make money would be something that would be a scheme, to mostly blackmail people of a region with the largest percentage of ignorant and uneducated people. Who, ironically enough, are going to be sick more and thus go to the doctor more... But how, or why, to exploit these people who have nothing to give is beyond me.

But rich people also go to doctors from time to time as well... so what then?

Re:Quite a conundrum... (1)

DNS-and-BIND (461968) | more than 3 years ago | (#35239304)

Wow, way to talk out your ass and totally invent something. I especially like the looking down on people who live in a different part of the country than you do. Those people over there are all stupid!

Re:Quite a conundrum... (0)

Anonymous Coward | more than 3 years ago | (#35239672)

I could easily imagine some small-town doctors office having WEP wifi and a network share holding sensitive documents. Can't you?

Re:Quite a conundrum... (1)

DNS-and-BIND (461968) | more than 3 years ago | (#35240412)

I can imagine a dragon that farts rainbows. Can't you?

Amusingly? (3, Insightful)

Daetrin (576516) | more than 3 years ago | (#35238210)

"Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."

It seems we can't have a week go by without some article showing up on Slashdot about how the average person doesn't have "sufficient" security on their various electronic devices and programs. In which case, if those same average people are concerned about a particular set of records being compromised, couldn't it be considered wise that they'd rather have someone else who should (theoretically) have better safeguards in place handle those records?

Re:Amusingly? (1)

compro01 (777531) | more than 3 years ago | (#35238866)

That's what's amusing. That they actually realize that their own security is inadequate to the task of storing that information securely.

Re:Amusingly? (1)

Beowulf878 (1304661) | more than 3 years ago | (#35240340)

well said - oh for some mod points.

and passwords (1)

Anonymous Coward | more than 3 years ago | (#35238220)

and probably 80% of doctors over 45 have a password of "password"

Re:and passwords (1)

The Grim Reefer2 (1195989) | more than 3 years ago | (#35239242)

> and probably 80% of doctors over 45 have a password of "password"

I work in the medical field and I'm going to call bullshit. Actually, IME, generally the older doctors are safer with computers than the fellows and younger drs. They bring in an MP3 player of their own, or listen to an actual radio, whereas the younger doctors tend to install all kinds of music players and other downloaded programs. Basically the older docs tend to listen to the IT guys whereas the younger ones tend to think they know what they're doing, believing that if it was that big of a security risk the IT guys would have locked down the system better.

Now I would venture to guess that close to 80% of the systems used to read patient exams have the password taped to the bottom of the keyboard, back of the monitor, or somewhere close by; or they all use the same password.

Re:and passwords (1)

phantomlord (38815) | more than 3 years ago | (#35239572)

I sit there and watch my doctor type in his password to the EMR system every time I go. The EMR requires him to change his password every 3 months and so he goes with something easy to remember. So, we get (color)(number)(item) for his passwords and so far, I've only ever seen the number change. blue1tie, blue2tie, blue3tie, etc. His username is the astoundingly difficult to remember (firstinitial)(lastname), which is further abetted by a dropdown menu of the usernames of all the medical staff in his office. Oh, and since his office is owned by the local major hospital, he has access to not only his patients, but the records, lab updates, etc. of all patients in the hospital and satellite offices (though it would be a HIPAA violation for him to go snooping, which does little to stop someone else from snooping while he gets the blame since it originates from his office IPs and username).

Since the whole hospital system uses the same EMR system, it wouldn't be too hard to guess anyone's username, most doctors and nurses aren't all that great at typing while hiding their password input since they specialize in medicine, not keyboarding, and there are terminals accessible in rooms you're frequently left alone in for extended periods of time (and if that isn't convenient enough, the free wifi on hospital grounds and web based access to the EMR is). Put the three together and it would be pretty trivial to get access to records of tens of thousands, maybe hundreds of thousands, of people, not that I've ever tried to access records in ways that I don't have authorization for (you can access your own record through the web, though it is read only and patients have limited access to restrict them from seeing things like their own surgical notes or lab results, but those restrictions don't apply to medical staff accounts).

Re:and passwords (1)

Z34107 (925136) | more than 3 years ago | (#35240852)

Most doctors don't have access to all patients, and most systems will log every record you view anyway. It's kind of disturbing that the doctors let you shoulder surf, though.
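If every record view is logged, as Z34107 says most systems do, the snooping scenario phantomlord describes is detectable after the fact. The following is an added example, not code from anyone in this thread: three rules run over constructed EMR access-log lines, flagging views of patients the account has no treatment relationship with, views from outside the clinic's own networks, and bursts of many distinct patients from one account. The log format, the panel assignments and the clinic address ranges are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EMR access-log lines (not real data); one record view per line.
ACCESS_LOG = """\
2011-02-16T09:02:11 user=jsmith patient=P1043 action=view src=10.2.3.4
2011-02-16T09:05:40 user=jsmith patient=P1043 action=view src=10.2.3.4
2011-02-16T10:10:00 user=rn_okafor patient=P3301 action=view src=10.3.7.7
2011-02-16T09:31:02 user=jsmith patient=P2210 action=view src=10.2.3.4
2011-02-16T13:14:09 user=jsmith patient=P3301 action=view src=172.16.9.8
2011-02-16T13:14:12 user=jsmith patient=P3302 action=view src=172.16.9.8
2011-02-16T13:14:15 user=jsmith patient=P3303 action=view src=172.16.9.8
2011-02-16T13:14:19 user=jsmith patient=P3304 action=view src=172.16.9.8
2011-02-16T13:14:22 user=jsmith patient=P3305 action=view src=172.16.9.8
"""

# Assumed treatment relationships (which patients each account is scheduled to see) and the
# clinic's own address ranges; in practice these come from scheduling and network inventory.
PANEL = {"jsmith": {"P1043", "P2210"}, "rn_okafor": {"P1043", "P3301"}}
CLINIC_NETS = [ipaddress.ip_network("10.2.0.0/16"), ipaddress.ip_network("10.3.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
                     r"action=(?P<action>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse lines into dicts, skipping malformed ones, and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, panel, clinic_nets, max_distinct=3, window=timedelta(minutes=10)):
    """Return (timestamp, user, code, detail) alerts for three snooping indicators."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, patient)] seen inside the sliding window
    for e in events:
        user, patient, ts = e["user"], e["patient"], e["ts"]
        # 1. Access without a treatment relationship (the snooping HIPAA forbids).
        if patient not in panel.get(user, set()):
            alerts.append((ts, user, "NO_RELATIONSHIP", patient))
        # 2. Access from outside the clinic's own networks (e.g. guest wifi or the web portal).
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in clinic_nets):
            alerts.append((ts, user, "OFF_NETWORK", e["src"]))
        # 3. Many distinct patients from one account in a short window (bulk pull).
        hist = [(t, p) for t, p in recent[user] if ts - t <= window] + [(ts, patient)]
        recent[user] = hist
        distinct = {p for _, p in hist}
        if len(distinct) > max_distinct:
            alerts.append((ts, user, "BULK_VIEW", f"{len(distinct)} patients in {window}"))
    return alerts


def summarize(alerts):
    """Count alerts per (user, code), the shape a reviewer would triage."""
    counts = defaultdict(int)
    for _, user, code, _ in alerts:
        counts[(user, code)] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, user, code, detail in detect(parse_log(ACCESS_LOG), PANEL, CLINIC_NETS):
        print(ts.isoformat(), user, code, detail)
```

The rules deliberately key on the account, not the person typing: a shoulder-surfed password shows up as the doctor's own account behaving out of pattern, which is the only signal the log can give.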

Not amusing. Sensible. (4, Insightful)

BlueParrot (965239) | more than 3 years ago | (#35238232)

> Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.

What the hell is amusing about this? I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself. For the same reason I keep my money in a bank as opposed to underneath my mattress. Now granted some doctors may have lax security, but for myself to keep the records in addition would just open up more avenues of attacks. The only good reason I can see why I would keep such records myself is to ensure I have a backup of them if my doctor was to screw up and erase them by accident or something.

Re:Not amusing. Sensible. (4, Insightful)

Jah-Wren Ryel (80510) | more than 3 years ago | (#35239054)

> I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself.

The problem is that you can't trust "the pros" to act in your best interests. Money is 100% fungible and misuse is pretty straight-forward -- a bank steals your money and its obvious what happened. But for someone doing searches of healthcare records it is much harder to tell if the intent is nefarious. Even the people doing the searches may not fully understand the implications themselves - ala netflix's "anonymised" data fiasco.

What we need is less centralisation, not more. The push for electronic records in healthcare is inexorable, so we need to develop systems that inherently limit access. Not just fancy permission bits that can be ignored with the right privileges, but actually keeping the data physically inaccessible to those who don't absolutely need it. The best way to do that is to decentralise.

For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted too, to prevent loss of the phone exposing records.

If we had a system where each person was responsible for their own information, then the overhead of widescale misuse would be significantly increased. You'll never stop one-off abuses, but you can design a system that (a) makes widescale abuse difficult and (b) makes it easy for individuals to safely manage their own records.

Right now we are moving to the worst of both worlds - centralisation of data with protection no better than flimsy laws subject to interpretation and rewriting by people with money and interests that conflict with those of the patient.
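The time-limited, patient-authorised access that MozeeToby (expiring keys, no bulk export) and Jah-Wren Ryel (a copy with an expiration date) both describe can be built as patient-signed grants that a record store checks before releasing anything. This is an added example, not code from anyone in this thread. It assumes the store holds only an opaque encrypted blob per patient plus a grant-verification key the patient registered at enrolment; the record-encryption key stays on the patient's device and delivering it to the clinician is not shown. Names, keys and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Constructed store contents: per patient, an opaque blob that (in the scheme above) is the
# record encrypted under a key only the patient holds. The store never sees plaintext.
RECORD_BLOBS = {
    "P1043": b"<ciphertext of P1043's record>",
    "P2210": b"<ciphertext of P2210's record>",
}


def _canonical(body):
    # Stable serialisation so the patient and the store MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_grant(grant_key, patient_id, clinician_id, issued_at, ttl_seconds):
    """Patient-side: authorise one clinician to fetch one patient's blob until `expires`."""
    body = {
        "patient": patient_id,
        "clinician": clinician_id,
        "issued": issued_at,
        "expires": issued_at + ttl_seconds,
    }
    body["mac"] = hmac.new(grant_key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_grant(grant_key, grant, clinician_id, patient_id, now):
    """Store-side: MAC must verify, scope must match, and the grant must not have expired."""
    body = {k: v for k, v in grant.items() if k != "mac"}
    expected = hmac.new(grant_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(grant.get("mac", ""))):
        return False  # tampered fields (e.g. a stretched expiry) break the MAC
    expires = body.get("expires")
    return (body.get("clinician") == clinician_id
            and body.get("patient") == patient_id
            and isinstance(expires, int) and now < expires)


class RecordStore:
    def __init__(self, blobs, grant_keys):
        self.blobs = blobs
        self.grant_keys = grant_keys  # patient id -> verification key registered at enrolment
        self.audit = []               # every attempt, allowed or denied, is logged

    def fetch(self, clinician_id, patient_id, grant, now):
        key = self.grant_keys.get(patient_id)
        ok = key is not None and verify_grant(key, grant, clinician_id, patient_id, now)
        self.audit.append((now, clinician_id, patient_id, "ok" if ok else "denied"))
        # A clinician credential alone yields nothing: each blob needs a grant signed by that
        # patient, so one compromised account cannot pull every patient's record in bulk.
        return self.blobs.get(patient_id) if ok else None


def demo():
    grant_key = b"\x11" * 32  # constructed; registered by patient P1043 at enrolment
    store = RecordStore(dict(RECORD_BLOBS), {"P1043": grant_key})
    g = issue_grant(grant_key, "P1043", "dr_lee", issued_at=1_000_000, ttl_seconds=3600)
    return (store.fetch("dr_lee", "P1043", g, now=1_000_100) == RECORD_BLOBS["P1043"]
            and store.fetch("dr_lee", "P1043", g, now=1_003_600) is None   # expired
            and store.fetch("dr_kim", "P1043", g, now=1_000_100) is None   # wrong clinician
            and store.fetch("dr_lee", "P2210", g, now=1_000_100) is None)  # wrong patient
```

The expiry is enforced by the store, not by the cryptography: once a clinician has decrypted a copy, that copy outlives the grant, which is why the audit trail matters as much as the check.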

Re:Not amusing. Sensible. (4, Insightful)

ColdWetDog (752185) | more than 3 years ago | (#35239300)

> For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted too prevent loss of the phone exposing records.

1. I don't have a smartphone.
2. I forgot my smartphone, do I have to go back home to get it?
3. The insurance company needs to drop a bill, do they text message you to get the data?
4. Medicare wants to audit the hospital. Do they text a message to get the data?
5. Oops, my smartphone got squashed when I got run over by a bus and they need my data ASAP, now what do I do?
6. Oops, the cell phones are down again.

No, this makes no sense at all. People don't WANT to manage their information. Most people CAN'T manage their information.

Re:Not amusing. Sensible. (0)

Jah-Wren Ryel (80510) | more than 3 years ago | (#35239526)

1. I don't have a smartphone.

Any widely deployed system would also support dedicated PDA type units for practically nothing.

2. I forgot my smartphone, do I have to go back home to get it?

Yes. If you forget your wallet you have to go back home and get it too.

3. The insurance company needs to drop a bill, do they text message you to get the data?

Yes, but only if you envision health insurance working exactly the way it does today. For example, a record of services rendered could be transmitted to the insurance company at point of sale with 3 parties required - doctors office, patient and insurance company.

4. Medicare wants to audit the hospital. Do they text a message to get the data?

Yes.

5. Oops, my smartphone got squashed when I got run over by a bus and they need my data ASAP, now what do I do?

No different than what happens today when they can't call up your doctor and get something faxed over.

6. Oops, the cell phones are down again.

See #5. But this scenario is even sillier because if we have that level of infrastructure failure, medical records are not going to be a priority.

No, this makes no sense at all. People don't WANT to manage their information. Most people CAN'T manage their information.

You suffer from a failure of imagination. Unable to conceive of a system that HELPS people to manage their information, you can only see the crap that we have now. It's like someone who has only driven stick-shift completely dismissing the utility of an automatic transmission in favor of hiring a taxi.

Re:Not amusing. Sensible. (1)

ColdWetDog (752185) | more than 3 years ago | (#35240498)

1. I don't have a smartphone.

Any widely deployed system would also support dedicated PDA type units for practically nothing.

And my 80 year old mother, who can't remember much at all is supposed to take the bus back home when she forgets her iPad? Nope, not happening in the real world.

2. I forgot my smartphone, do I have to go back home to get it?

Yes. If you forget your wallet you have to go back home and get it too.

No, not at all. I don't necessarily need anything to show up at the doctors' office. The feds make me show ID for the ER but that's their insanity showing. So, in your magic world, we keep some of the most private information we have, our medical history, on our persons at all times? Again, not in the real world.

3. The insurance company needs to drop a bill, do they text message you to get the data?

Yes, but only if you envision health insurance working exactly the way it does today. For example, a record of services rendered could be transmitted to the insurance company at point of sale with 3 parties required - doctors office, patient and insurance company.

And you're going to fund an enormous initiative to force hospitals and doctors to be able to drop bills as the patient wanders off, not twelve times in the next two weeks like they do now. I personally have no interest in getting texts every couple of days for two weeks after my colonoscopy, thank you very much.

4. Medicare wants to audit the hospital. Do they text a message to get the data?

Yes.

Right. And if you refuse, or turn your phone off, the whole survey team has to wait for you to wake up?

5. Oops, my smartphone got squashed when I got run over by a bus and they need my data ASAP, now what do I do?

No different than what happens today when they can't call up your doctor and get something faxed over.

No, in a decent EMR world (not that we have one now), it's in there. We just punch it up. From what I understand about your system, the data is held in the smartphone which has just been converted to rubble in this particular scenario.

6. Oops, the cell phones are down again.

See #5. But this scenario is even sillier because if we have that level of infrastructure failure, medical records are not going to be a priority.

Hah. Cell phones routinely fail where I live and yet the rest of our little world wanders on.

No, this makes no sense at all. People don't WANT to manage their information. Most people CAN'T manage their information.

You suffer from a failure of imagination. Unable to conceive of a system that HELPS people to manage their information, you can only see the crap that we have now. It's like someone who has only driven stick-shift completely dismissing the utility of an automatic transmission in favor of hiring a taxi.

And you suffer from an overactive imagination. That's not necessarily a bad thing, but your system has no possible way of working in any feasible way. It would take enormous amounts of money and social change merely to put the individual completely in charge of something they don't want to be completely in charge of. The system as it stands is far from perfect and really does need to be improved if digitalized medical records are going to do much useful, and individuals should indeed take more of an interest in how the data is used. But this level of control is simply not feasible.

Re:Not amusing. Sensible. (1)

Z34107 (925136) | more than 3 years ago | (#35240614)

Your idea isn't going to work, and it's not because of ColdWetDog's "lack of imagination."

  1. Requiring everyone to own a smartphone or PDA just to have a medical record is impractical, at best.
  2. You currently can't "forget" your medical record. This isn't an improvement, or even necessary.
  3. You've made your entire medical record essentially patient reported. Your insurance company isn't going to write you a check just on your word, and that's now all you have.
  4. If Medicare, or the Joint Commission, or AIUM, or whoever wants to audit the hospital, they now require the cooperation of every patient that hospital has seen. Hospitals see a lot of patients. Audits span years. You've just made oversight impossible.
  5. The only copy of your medical record getting run over by a bus is a lot different than having to get something faxed.
  6. Current medical records depend on very little infrastructure. Some are still entirely on paper. You want to five nines the cell network, nationwide.

This doesn't help people "manage their information", because currently, they don't. As people increase their "management" of their medical record, the information it contains becomes impossible to act on, either for medical or legal reasons.

Individual control of a medical record is a nice idea, but it entirely defeats the purpose of having one.

Re:Not amusing. Sensible. (2)

randallman (605329) | more than 3 years ago | (#35240616)

How about developing a standard medical record access protocol. Companies can compete to store your information. They would compete based on who guards the information best. A service is defined via URL. So if you want to grant a hospital access to your records, you supply the URL and credentials (maybe a key/certificate stored on a card). They use a standard access protocol to fetch and/or update the data. The standard may also define how the client (hospital) may access the records, preventing a leak from that side.

On the client side, a dedicated machine would be a good idea. No web browsers or email clients installed, nor any other software that isn't necessary for interfacing with the medical records services. Strip it down and guard it enough so that there's no need for AV or other half-measures. For example, at the OS level there could be a whitelist of URLs accessible by the client application.

Re:Not amusing. Sensible. (0)

Anonymous Coward | more than 3 years ago | (#35239982)

I hate to mention this...well here goes. Your records have already been compromised. Seriously. Records management is a joke on the security front. Here is an absolutely real world scenario.

Kaiser Salem Hospital in Oregon keeps their Workers compensation related records in a 32 foot container out behind the hospital in what they call the "records annex". 50 or so parking spots filled with various sized shipping containers. The records themselves are (as is typical) kept in banker boxes, with individual "files" in standard folders. There is of course a lock on the door to each of these containers.

So, they decided that these paper records were a pain in the ass and they wanted digital copies. OK. In comes me and mine. We contract that job, and get the go ahead. Kaiser Salem ships the entire container to our facility in NE Portland. We put it behind a chain link fence with nothing more than casual security (a latch). We unlock the container and unload it to our warehouse. Something like 40 people walk through, by or near this warehouse every day. There is NO access control. Everyone from the boss's 8 year old daughter, to the courier drivers have access to those records right now. Then, the records are prepped and run through scanners. The whole project takes 8 months. Constitutes 20 years worth of records (fully inclusive), and now exists as both physical records (back in the warehouse), and a digital copy of those same records. Sitting in a drive rack 50 yards away from the warehouse with similar levels of access control. OH yeah, the data isn't encrypted, the system doesn't have access controls, so anyone that sits down at any workstation can access that data. It can NOT be reached over the internet (however any employee could dump it all to the FTP in seconds).

Then, to finish up the job, we send the container back to Salem, and send them a stack of hard drives with the unencrypted, raw data.

So you were worried about your records? I've seen them. My employees saw them. If we had any reason, we could have put that information in the public domain.

HIPAA and HITECH and all the rest are basically just nodded towards in the contracts and everyone gets on with their day. Third party service providers (of which my company is one) are not checked for compliance. If we say "yeah, we follow HIPAA and all federal records guidelines" that's good enough for our clients.

Our clients being Lexis Nexis, your county government (you live in the USA? You are included), pretty much every major hospital on the west coast, and a couple on the east. And an endless sea of companies. Including lots and lots of doctors and lawyers.

So.. in short, the system installed at the hospital? It's pretty good. The system to hand paper records... it's pretty bad. The simple fact is, these systems are so full of holes it should be a nightmare. It's not, mainly because the people that would ravage this data, don't know where to get it from. And the people that have the access (like me) don't have any malicious intent. Although someone is going to come along and replace me some day, and I hope for all our sakes he has equivalent morals.

(yes, you could sleuth out my company from this info, feel free)

Firewall what, exactly? (3, Interesting)

Just Some Guy (3352) | more than 3 years ago | (#35238238)

The majority of doctor's offices I've been around aren't connected to the Internet at all. For instance, my wife's practice has a WPA2 secured Wi-Fi network so that her laptop (whole-drive TrueCrypt) can talk to the database server that manages her records, and none of the hosts on the WLAN have any form of Internet connection. As it turns out, they do have AV programs (MS Security Essentials), but without any removable media coming into the office and no net connection, it's pretty much just a formality.

My kid's orthodontist's network has Internet access, but it's a bunch of Macs behind a firewall+NAT and a strict "no personal browsing at the office" policy. (I know this because I bartered net admin chores for dental work :-) ).

I'm certain there are insecure medical offices, but the doctors I've talked to are so terrified of HIPAA that they'll take almost any security tips you give them.

data is still not safe (0)

Anonymous Coward | more than 3 years ago | (#35238526)

who guards the data on the other end? I have found 3 types of guardians of data: 1. a corporation with no liability, and legally capable of selling data, 2. a corporation that is not very good at security, 3. Both.

Re:data is still not safe (1)

Just Some Guy (3352) | more than 3 years ago | (#35238564)

On the other end of what? Her records never leave her office network, which is the most common arrangement I've seen.

Re:data is still not safe (1)

Jah-Wren Ryel (80510) | more than 3 years ago | (#35239084)

On the other end of what? Her records never leave her office network, which is the most common arrangement I've seen.

If she takes health insurance, then yes, plenty of data about her patients ends up far beyond her control.

Re:Firewall what, exactly? (2)

yuna49 (905461) | more than 3 years ago | (#35239784)

Just curious, but how many of those HIPAA-fearing doctors use plain-text email to correspond with patients? How many of them have their email addresses on their business cards? I routinely ask providers if they realize that sending patient health information via e-mail is a HIPAA violation. Most haven't ever given the question a moment's thought.

Re:Firewall what, exactly? (1)

demonlapin (527802) | more than 3 years ago | (#35240958)

I'll bet I can easily find an attorney to argue that the patient's request for that information constitutes authorization to transmit in the clear.

HIPAA security audits? (3, Interesting)

hawguy (1600213) | more than 3 years ago | (#35238268)

Why doesn't some organization come up with a set of standards and best practices to ensure that HIPAA protected data is actually protected as it should be? I'm thinking something like the PCI security council started by the credit card companies that mandates a set of rules and best practices that have to be followed for all merchants that handle credit cards.

Following the PCI standard doesn't guarantee data security, but it is a big step in the right direction. Doctors need the same kind of prodding to get them to implement real security controls and not just say "Oh, well I checked the WEP encryption box on my Wifi router, so all of my data is encrypted and safe - I know it's safe because I backed up my patient records to my iPhone".

Re:HIPAA security audits? (1)

modmans2ndcoming (929661) | more than 3 years ago | (#35238774)

HIPAA and HITECH cover more than just protecting data. They cover communication of the data as well, both digital communication and analog communication. It is hard to come up with a test suite for that.

Re:HIPAA security audits? (1)

hawguy (1600213) | more than 3 years ago | (#35238950)

PCI is not just about protecting computers and networks, but is about policies that companies are required to have in place to protect cardholder data (i.e. don't write a card number on scrap paper and toss it in the trash). Network vulnerability testing is a part of the compliance process, but developing policies and procedures for keeping the data safe is a large part of it.

Does HIPAA cover having network firewalls and anti-virus software? If it does, then the law has no teeth since 30% of doctors were found to be missing one or the other (or both). 100% of PCI compliant merchants will have both firewalls and anti-virus on any computer that touches cardholder data.

Why is it that private industry appears to be taking more steps to protect credit card numbers than the healthcare industry is taking to protect health information?

I'm not saying that the PCI-DSS is the best model to follow, and it's certainly not perfect, but that's the one I'm most familiar with.

Re:HIPAA security audits? (3, Informative)

The Grim Reefer2 (1195989) | more than 3 years ago | (#35239366)

The problem is that HIPAA is severely broken. Most hospitals violate some part of HIPAA countless times per day as it's not even possible to operate within its guidelines and be able to realistically treat patients. Another issue is the FDA understands how to deal with IT about as much as it knows how to build a Saturn 5 rocket.

Here's an example that I've witnessed many times over the years. A vendor installs an MRI system in a hospital, the control computer the technologist uses to scan patients is Windows based. Obviously the system needs to at least be on the local hospital network so that the patient scans can be sent to a reading station so that a Dr. can look at the images. Neither of these systems can have any software installed on them that is not FDA approved. So by law, unless you have an FDA approved security program you cannot install it on either of these systems, or any system that contains patient data for that matter. If you do have an FDA approved program you need to prove that it will not affect any of the calculations that are made for determining a diagnosis as well. It gets even better though. If you do find a security suite that you can use, the vendor is not responsible for worrying about it in the case of system updates. So when an update comes out the vendor sends in an engineer who generally will simply re-image the drive with the new update, thereby wiping out your security programs.

What's the point of all the worry? (1)

blair1q (305137) | more than 3 years ago | (#35238270)

Why are people so worried about their medical information going public?

First of all, you can't get most people to shut up about what happened at the doctor's office. (And the older the person, the more likely this will dominate their idea of interesting conversation.)

And if this guy [slashdot.org] can't get a few days' quiet time to himself before he dies, then just who the fuck do the rest of us think we are?

Frankly, I'm going to start posting the borescope videos of my colonoscopies. Hopefully the karma buildup will mean -- when the time comes to hole up in the hospice eating ring-dings by the boxful and watching DVDs of Firefly in my last few days -- that nobody will even think to bother me.

Re:What's the point of all the worry? (2)

0123456 (636235) | more than 3 years ago | (#35238522)

Why are people so worried about their medical information going public?

I think your comment about Steve Jobs would be enough to explain why people don't want everyone to have access to their medical records.

Re:What's the point of all the worry? (1)

maxwell demon (590494) | more than 3 years ago | (#35238724)

First of all, you can't get most people to shut up about what happened at the doctor's office.

Even those people will generally be selective about what they tell you. I doubt many speak about their STDs. Or about what they talked with their psychiatrist.
And the fact that most people speak openly about it (is it actually really most, or does it only feel like that?) doesn't invalidate the rights of those who don't want others to know about their illnesses or other medical conditions.

Re:What's the point of all the worry? (1)

Jah-Wren Ryel (80510) | more than 3 years ago | (#35239220)

And the fact that most people speak openly about it (is it actually really most, or does it only feel like that?) doesn't invalidate the rights of those who don't want others to know about their illnesses or other medical conditions.

Yeah, he was making the Zuckerberg argument - most people use facebook so we should all just make our lives an open book to anyone and everyone.

Common Law (3, Insightful)

Gonoff (88518) | more than 3 years ago | (#35239258)

In the UK, and therefore probably the USA too, there is a Common Law expectation of privacy in this situation.

If I tell my neighbour over the garden fence that I am going in for a prostate examination tomorrow, there is not necessarily a legal duty on the part of my neighbour to keep this confidential. If a different neighbour is my doctor it is very different. I can reasonably expect that they will not blab about it at a party.

That common law duty extends to keeping the matter private as best they can. They should not leave printed notes on display. They should not send it around by insecure fax, unencrypted email or put it on Twitter.
They should, in fact, take every reasonable precaution to ensure that this matter stays secret until I choose to let it be known. Reasonable precautions include things like having firewalls and controlled access to my data.

If a doctor, hospital or any other medical organisation, does not take suitable actions to protect such patient information, there are specific laws in developed countries (and most undeveloped ones) which will penalise them even if no information leaks out. My earlier comments on Common Law are because we don't even need written laws to deal with this. Common law is the effect of all those books full of legal precedents that lawyers have on their walls.
If the doctors don't even have firewalls and a patient finds out lawyers could get busy...

Americans Are Idiots, news at eleven (1)

h4rr4r (612664) | more than 3 years ago | (#35238300)

Drs fail more than machines. These are the same folks who have tried to kill me several times, often have no idea about me when I visit because they fail to read charts, and prescribe medicine they feel comfortable with instead of checking actual studies.

Re:Americans Are Idiots, news at eleven (0)

Anonymous Coward | more than 3 years ago | (#35238426)

Your grammar is atrocious, News at Eleven!

inaccurate (0)

Anonymous Coward | more than 3 years ago | (#35238326)

As a physician, the article misses a few points.
First, most hospitals currently use online recording notes of some sort, or at least a hybrid system with paper charts and computerized charts. While I can believe 30% lack firewalls and antivirus software, the systems that record patient information are highly governed and regulated. HIPAA provides strict guidelines on access control, how data can be managed remotely (eg. log in from office to check hospital records on a patient that was transferred, etc.)

For someone looking to 'steal' records, it would be much easier to break a window, jimmy a file cabinet and run off with records than 'hack' into an online patient registry and steal information.

Re:inaccurate (0)

Ludedude (948645) | more than 3 years ago | (#35238732)

Hardly true when "Lupe" at the front desk goes out to lunch and leaves her computer on and logged in to the EMR system. They do the same thing when they leave the office at night.

Re:inaccurate (1)

Anonymous Coward | more than 3 years ago | (#35238844)

Damned "Lupe." If only everyone were white there would be no problems, right?

Re:inaccurate (0)

Ludedude (948645) | more than 3 years ago | (#35239022)

Fact of life that you'll find more Lupes checking you in at the Dr than you will Betty & Veronica. If Betty were there she wouldn't log off either. Feel better now?

Re:inaccurate (0)

Anonymous Coward | more than 3 years ago | (#35239476)

I work for a major pharmaceutical company. My department just got moved on the org chart to be part of a different IT group that is much more involved with corporate strategy. We just had a teleconference with the whole new group. One of the presenters was talking about the things the company wants to do with EHRs going forward. He talked about the information being anonymized, but we all know how good that actually works (there was an article on here about identifying individuals from anonymized data a few weeks back). I was sitting there listening to this thinking about how many slashdotters would have been horrified by the invasions of privacy inherent in what he was talking about.

Re:inaccurate (1)

fl!ptop (902193) | more than 3 years ago | (#35239830)

the systems that record patient information are highly governed and regulated. HIPAA provides strict guidelines on access control, how data can be managed remotely

Yes, HIPAA does provide "strict guidelines," but how often do they audit? Guidelines are useless when not followed. I have several clients who are doctors/dentists and I know more about HIPAA than they do. To them, it's just a piece of paper w/ rules written on it.

For someone looking to 'steal' records, it would be much easier to break a window, and jimmy a file cabinet and run off with records than 'hack' into a online patient registry and steal information.

Much easier than parking in the lot, cracking a weak WEP key and having a field day on the network? I think not.

Re:inaccurate (1)

swalve (1980968) | more than 3 years ago | (#35240356)

The article is a physician?

pre existing conditions and job discrimination (1)

Joe The Dragon (967727) | more than 3 years ago | (#35238336)

pre existing conditions and job discrimination are the big fears with Computerized Records.

Re:pre existing conditions and job discrimination (0)

Anonymous Coward | more than 3 years ago | (#35238772)

One of the specific areas that IBM is promoting Watson for is medicine. Specifically, it would listen to patients describing symptoms (or read a typed version of, as close to verbatim as possible, the patient describing symptoms), figure out what the patient "means", figure out what's actually more important, and do highly advanced searches for the probable causes. With Computerized Records, a new fear is that you could get on insurance, later get diagnosed with a disease or other problem, but then have the insurance deny all related claims after it sent your file through its computer system, determined that you had the pre-existing condition before you joined the insurance, just un/mis-diagnosed, based on your previous records. And all completely automated, for maximum efficiency!

Re:pre existing conditions and job discrimination (1)

jmcharry (608079) | more than 3 years ago | (#35239116)

I don't think there is a defense against that. You have to sign a third party release for your current insurance, and the insurance companies pool data. Physicians have to code diagnoses and treatments and key them into the system to get paid. Your nosey friends might not have access, but the people you most worry about do.

Money to be Made (0)

Anonymous Coward | more than 3 years ago | (#35238392)

One has to wonder if you can make money at setting up an online database with encryption, where access is only granted through virtual machines to prevent viruses, malware, etc and contracting out with doctors and hospitals. I'm just musing here that it seems like this would allow fairly good security with less chance of problems.

The Smart Ones (1)

keckbug (1525803) | more than 3 years ago | (#35238574)

"Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records." These are the smart ones.

I'm not worried about "the internet"... (1)

swb (14022) | more than 3 years ago | (#35238576)

...or Betty in Records getting snoopy.

What I worry about are the 23872832387 "health information sharing authorization" forms I'm basically required to sign every time I do anything remotely related to my health care, whether in the physician's office, renewing benefits at work, etc.

With paper records, the insurance companies, employers, and others who are constantly looking for a way to use your health status against you had to work a damn sight harder to get their hands on this info.

With electronic records, it makes it much easier for people who formerly wouldn't be able to make sharp-pencil decisions about coverage or other tangential decisions to make your life harder.

I'm sure somehow electronic records make healthcare "more efficient" but at the same time the controls and aggregation of this data in the hands of people whose mission is to make Lloyd Blankfein richer scares me. I'm sure it's a problem long-term, but there are a number of issues I won't discuss with my doctor because once into the computer, I'm afraid of where they'll go.

Dr's are tech idiots (5, Interesting)

Ludedude (948645) | more than 3 years ago | (#35238624)

I work for a large regional provider of EMR hardware and software and I can tell you first hand that you should be afraid, very afraid, of anything your Dr. does with health records that involve a computer. Anti-virus is the tip of the iceberg. You install it for them and their brother in law who's a burger flipper helpfully uninstalls it to "speed things up." Hilarity ensues. Entire offices are implementing EMR that refuse separate usernames and passwords because it's "just too damn hard to remember all that" so everyone logs in as user with some simple password; that's if they even bother to log in or off at all. Of course they have to have admin rights because it's their hardware and they know what's best.

Since most of the offices that are being force-fed EMR because of the lure of up to $44,000 in "stimulus" funds [allscripts.com] are smaller practices, they don't have domains that can be used to enforce universal security policies.

The larger ones, sure, but most of them already use EMR and have on site servers etc. along with the requisite firewalls and VPNs. The vast majority of the new ones though are being sold "cloud" based systems with no local servers at all, so it's a friggin' free for all in terms of security (or lack thereof). They're just lining up for a swipe at the stimulus golden ring but half of them shouldn't even be entrusted with anything as complicated as a TV remote, let alone computer systems.

Re:Dr's are tech idiots (1)

fl!ptop (902193) | more than 3 years ago | (#35239886)

A-freakin-men to your whole post, you took all the words right out of my mouth. I'm often shocked at how lax the doctors and staff are even with simple stuff like Windows updates. Just today I found 3 computers at a client's office that were running WinXP SP2!

Re:Dr's are tech idiots (0)

Anonymous Coward | more than 3 years ago | (#35240280)

Not only are some doctors idiots, they're dangerous idiots. I've fired two as clients recently. One insisted on having remote access to his network enabled with NO password. He didn't want the "hassle" of entering it. As for a VPN, forget it. He would also spend hours trawling "warez" sites for his software.
The other had pirated Windows XP and MS Office on all of the practices' PCs. He didn't see why he should have to pay for software as he'd already paid for the hardware. Both docs thought nothing of sending PHI via unencrypted e-mail.
To be fair, a lot of the IT people working with these docs aren't blameless either. Around here, most of the practices use local, small IT services companies. Some of these are clueless as to security and the provisions of HIPAA as far as the security of PHI is concerned. Sadly, they tend to be the cheapest and that's all a lot of the doctors care about.

34% Percent have no antivirus (2)

dbIII (701233) | more than 3 years ago | (#35238728)

Perhaps that number is completely meaningless. I've noticed anecdotally that many doctors have Macs, perhaps 34% have Apple computers and don't need antivirus?
Also for firewall do they mean a separate dodgy product and are they ignoring the quite reasonable MS Windows and Apple firewalls? How about the situation where just about every modem or router made after about 2005 has half decent firewall rules as a default?
It's not as if 34% of these computers are actually naked to the net.

Wait a Minute... (0)

Anonymous Coward | more than 3 years ago | (#35238908)

Firstly, the security of EHRs depends largely on how the network on which they are stored implements security. Thus, your giants, like Children's Hospitals for instance, may have a nice security model in place for global settings. However, the article being more about private practice, presents some high level of risk. "Computer Savvy" may mean two different things to two different folks. This is the reason I have no intention of trusting my private physician.

One would hope that HRSA, or the HIPAA law, would have some plan/guideline laid out for security at the private practice. Moreover, it would be better if private practices could pool their money and contract large reputable IT firms to implement their security as opposed to cousin Vinny dropping in to install AVG Free. I for one believe the health care system is very flawed at the level of private practice, and this needs further attention. I'm not certain what the correct approach would be, though in the end, some folks will be unpleased with the results.

As a security officer once told me, "Security is not an achievement, but an ongoing battle."

what about all the vendor systems / medical devices (1)

Joe The Dragon (967727) | more than 3 years ago | (#35238914)

What about all the vendor systems / medical devices that run Windows but are not installing updates, and the vendors say you are not to install them or they just lock you out of the admin password?

Perhaps doctors should not hold the info locally. (1)

cstanley8899 (1998614) | more than 3 years ago | (#35239152)

Maybe all the info should be stored on some "cloud" somewhere.

Not amusing, more like enlightening (1)

The Grim Reefer2 (1195989) | more than 3 years ago | (#35239168)

Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.

I find this statement damn interesting, certainly more so than amusing. This sounds like the general public is becoming more knowledgeable than I would have guessed.

study of HIT analysts show... (0)

Anonymous Coward | more than 3 years ago | (#35239254)

most think that consultant surveys are BS produced to boost sales of their own products and services.

Not what I'm worried about (2)

glwtta (532858) | more than 3 years ago | (#35239400)

I know the popular thing is to constantly cry about our precious privacy, but I'm more worried about my medical records not showing up when they are needed, not the other way around. I'm thinking of allergies, drug interaction, and relevant medical history during emergencies, and the like.

Re:Not what I'm worried about (1)

el_tedward (1612093) | more than 3 years ago | (#35240242)

The doctor's office I work at still has paper records. There are so many freaking errors that I end up finding while filing. For some reason checking the date of birth is just way too much of an exercise for people to bother themselves with. I find records that get put in the wrong folder all the time because of this, as well as other filing errors, etc.

If we had fully digital records, this likely wouldn't be a problem. Of course, software can epic failz just as hard as a human, but it tends to be more consistent about when it decides to fail or not.

As far as security goes, it's a joke. Virus whack-a-mole is getting to be a daily task :D I don't think we should shy away from things like this just because of the security challenge. Security will improve eventually, and life will move on.

First Question: Who paid for the survey (0)

Anonymous Coward | more than 3 years ago | (#35239422)

So from the article you can find that O'Keefe and Co. and ResearchNow are the folks responsible for conducting the survey... O'Keefe is a PR firm, ResearchNow is a provider of data collection tools; neither seems to be all that involved in independent studies of citizen welfare... So who footed the bill? CDW Healthcare.

CDW was Computer Discount Warehouse years ago and now they are either CDW or CDWg (CDW Healthcare is their healthcare products branch). I'm thinking maybe the healthcare data reform would lose business for them in some way, either by adding technology efficiency and thus reducing the need for their medical-tech services, or by regulations regarding technology which require certification they are not capable of achieving...

I was a skeptic too, until I had them (1)

Gim Tom (716904) | more than 3 years ago | (#35239596)

At the time my health care provider began implementing Electronic Medical Records I was working as the network engineer and Information Security Officer for a fairly large organization that was also subject to HIPAA. I also was on the HIPAA technical implementation team for the organization. I was very concerned as to whether it would be done right and securely. Although I had no access to what back end controls the provider implemented, the front end I used to interact with it greatly exceeded my expectations. The advantages of such a system in terms of patient care and coordination among different doctors are something that anyone who has not been a part of such a system cannot really appreciate. Whether I went to my regular primary care doctor, an alternate doctor since I needed to see a doctor NOW because I was sick, or when I had to go to either a routine specialist appointment or for a diagnostic procedure, the doctors and medical personnel had ALL my medical records available. Think of how many times you have to list what medications you are taking whenever you see a different doctor. Think of how useful it might be to a doctor to see your detailed medical history to know whether something he or she was considering might be contraindicated by something in that history. Also, when I had lab work done, I would get an email telling me to check the secure web site for results, often on the same day as the tests! Also I could send private emails on that site to my doctor and medical team and they could reply for routine questions. It was wonderful. Now, this was probably a special case since it was a closed HMO (to be specific, it was Kaiser Permanente in Georgia) and it worked, and worked well. Unfortunately my employer dropped them as an option last year and I am now back with whatever doctors are on the current plan, and none are anywhere near this point technically.
Electronic Medical Records are not a panacea and they have to be done right or really could put you at risk. I still question whether this can be done the way medicine is practiced in this country. It has become a three way adversarial contest with the interests of the patients, the doctors and the insurance companies all going in different directions. In a three person zero sum game there are no winners.

"Amusing" (0)

Anonymous Coward | more than 3 years ago | (#35240122)

Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.

We have banks for the same reason. Guess the stupid gene that had all those mental midgets trying to secure their money themselves for the past 700 years bred through to us ahmurkins. How amusing.

What is your recourse when, NOT IF, the records rotting in the 'cloud' get compromised? Not a damn thing. You'll sit there and fume like the WoW-playing office drone you are while the entire world, not just every government bureaucrat with a keyboard, rifles through your shit.

If the records kept at the hospital or doctor's office get out of hand, you know who is responsible. You won't need $8E6 worth of legal representation, some senator's private number and a class action lawsuit to get some answers.

People trust their doctors because their doctors are trustworthy; they are recognized professionals with reputations to maintain and vast liabilities if they fuck up. This is just the sort of concept that always evades the snarky malcontent fuckwits that find any of this "amusing."

What can go wrong? (1)

ashvin213 (1602795) | more than 3 years ago | (#35240552)

I mean it, seriously! What is wrong with your medical history showing up online? How can anyone monetize it?

Seriously, what is with you privacy folks?

I actually want my medical history to be online so that different doctors can view it and suggest if something different could be tried. Honestly, I never trust the doctor. Doctors have a vested interest to push for an option in which they are good. This happens very subtly and people may not notice it.

I have seen two common complaints about unlimited access to medical data. In my opinion both lack any merit.

1. Insurance rates go up: Sure they do. It's better that your insurance rates go up (if you have a problem, that is), as opposed to the entire community's. You are at fault so you pay for it.

2. Employer Screening: This is even better. The employer is the best judge (at least before hiring) of what the job takes. If you have a problem and you wanna hide it, how will it help you while you are performing the duties? It is better for the employer and the employee to have access to medical records. For example, if you are a former drug addict, I wanna know that before I hire you.

You know what country has electronic records? (0)

Anonymous Coward | more than 3 years ago | (#35240654)

FRANCE. That's right Captain America, the French beat you to the punch.

Snap to it Super-Soldiers!

Not a surprise (0)

Anonymous Coward | more than 3 years ago | (#35240894)

One of my clients, a surgeon, used to get his computer so loaded up with spyware from porn or whatever that he would go to the corner computer, which happened to be his server, to use it to surf the web lol.
