Anger Over EU Medical Data-Sharing

ukhackster writes "A row is brewing in Europe over plans to make medical records available across the EU. The scheme calls for interoperability between health systems in 22 different countries. Experts are predicting that security problems could expose confidential patient records, with one calling the affair 'a colossal waste of money and energy.' This 'e-Health' initiative reflects similar projects in the United States, and raises many of the same issues discussed here. The article makes it clear that many important issues, such as security, privacy, and the rights of patients, are still up in the air as the project moves forward. Could this be another huge IT project disaster on the horizon?"

a potential disaster?

[Aranykai]

Yes, but only if it gets pushed out before its ready. Proper planning and recources could make the transistion easy. But, most likely the deadlines will be unrealisted, the funding will be inadaqate and it will cause issues. Go figure...

Advantages and disadvantages

[Z00L00K]

This may be used both to an advantage and a disadvantage. Unfortunately it is first necessary to create a common semantic directory like UMLS.

The advantage is that it is possible to get your medical journal when you are visiting a different country, which in turn can improve the ability to get the correct medication and avoid medical hazards.

The disadvantage is that it may be used for privacy invasion. There are certainly other risks involved too not to forget the cost that may arise to unify all countries.

Anyway - one way to provide some patient security would be that identification of data and access control to personal data has to be restricted. A multi-level approach has to be in place for the best security. One way may be to use smartcard-equipped health-cards. The card will then hold the key to access of the data. Of course there has to be security measures involved too to handle lost cards etc.

Re:Advantages and disadvantages

[Richard+W.M.+Jones]

The advantage is that it is possible to get your medical journal when you are visiting a different country, which in turn can improve the ability to get the correct medication and avoid medical hazards.

If you have some disease or allergy that doctors should be aware of, you should wear a medical necklace. But of course such a simple low-tech solution won't pour billions into the IT contracting industry, the likes of EDS etc.

Rich

Re:Advantages and disadvantages

[Qzukk]

A. someone cares about your medical history
B. has some way of accessing it
C. is willing to risk the likely punishment for doing so

In other words, just about every employer out there who wants to see if the promising new candidate has any mental health issues or is likely to suddenly drop dead. They care, they have the money to get what they want, and what are you going to do, throw a company in jail?

Re:Advantages and disadvantages

[ScrewMaster]

This would increase efficiency and reduce costs in the already over-priced health field.

This might increase efficiency (yet to be proven) but if it does it will only increase profits in the already bloated health field. This is the medical industry we're talking about. When did you last know a medical operation to lower prices because their own costs went down?

Besides, social engineering (eg. calling a person's doctor and asking for medical history) is probably possible as it is.

Sure ... but so what. We are talking oodles and oodles of orders of magnitude difference here. The danger in storing hundreds of millions of medical records on a multi-national distributed database is that, when security is eventually compromised (and it will be, you know that, since this stuff is worth money), confidential data on millions of people will suddenly find itself on the open market. You're fooling yourself if you think otherwise, given that this happens to data concentrators in the financial sector with monotonous regularity (e.g. Choicepoint, among others.)

Few kinds of records are more important to us than our health histories: accuracy and confidentiality are crucial to their continued utility. The problem is that concentrated data stores are dangerous as Hell, if they contain highly-confidential or vital information. So far as accuracy is concerned, you only have to look at the major credit bureaus in the United States to see how badly that can go.

No doubt this will get rammed down our throats with laws that require records to be uploaded by our physicians, whether we want them to or not.

No thanks. I'd rather my doctor walk over to a filing cabinet and pull my history. Much safer that way.

alternative

[Markspark]

From my point of view, carrying a patientcard, with some kind of memory chip, that carries your journals seem to be the best solution in many of the questions that can be raised on this topic.

Not an IT disaster, but a political disaster.

[Sub+Zero+992]

Its always the IT guys who get blamed for cock-ups on a colossal scale. Occasionally, yes, bad decisions are made or poor execution is to blame. But at the supra-national level, the big mistakes are political ones.

Only governments can waste billions of Euros trying to achieve some kind of "Harmony" across political, linguistic, cultural and privacy borders. This usually fails miserably. The only success governments have at cross-border enterprises is in killing their citizens in wars.

A simpler solution would be to agree on a standardized data format and data content for medical records. This alone would take years. Then a common data-medium (chip cards, whatever) could be issued to those citizens who desire one. Everything else need not be regulated, everything else should be firmly in the control of the people.

lethal combinations

[wikinerd]

IT combined with bureaucracy, be it in government or corporations, is a recipe for disaster. IT is about information, and information wants to be free, and we all know that information can't flow in bureaucracies.

Giving out contracts

[denoir]

The biggest problem in my experience is not in the theoretical vulnerabilities of the technology but the fact that the decision makers that hand out the contracts do not have the technological know-how to give the contract to the 'right' company.

As a case in point, a few years ago in Sweden they harmonized the medical IT systems in the whole country. The politicians in charge awarded the contract to a company that offered a relatively cheap solution and that had a great marketing department. Unfortunately, they were incapable of delivering an adequate system. The huge amount of work and complete lack of proper requirement specifications led to a buggy and deeply flawed system. A quite common case is where a physician asks for the record of one patient and gets the record of somebody else. The user interface was also horrific - to register a new patient something of the order of magnitude of 100 clicks is required.

Once the problems became apparent, it was too late to do anything about it as the budget for the whole thing was already used up. Now, it is easy to blame the developer of the system - and to a large degree it is their fault - but the first cause of the problem were politicians who had no clue about neither IT nor medicine.

Re:Yes.

[ScrewMaster]

These data are already insecured, I see this initiative as a step in the right direction.

Not when viewed with the proper perspective. The problem with massive network-aware projects is that they make data widely available even when it doesn't need to be. The records your doctor maintains are accessible only to a few individuals, and then only on a physical basis: an effective means of security through obscurity. If someone else needs to see them, he can fax or mail them. However, once said records are replicated across thousands of servers on a multinational basis I don't how you can possibly consider it "secure" anymore. There's also the issue of keeping those records accurate and up to date, which is arguably even more important.

Even if these people used military-grade security (and they won't!), hired the best possible people to manage it (and they won't), once those records are online they will be effectively made public once that security is breached. And it will be. Either legally by insurance companies and/or employers wanting to know employee medical histories (even if said employees moved to another country) or by other even less-savory types. This is a bad idea, and like most government ideas creates a massive new problem in order to "solve" a much smaller problem. Then, of course the new problem requires solving, at even greater expense. It never ends.

There are plenty of other ways to spend tax dollars employing people other than posting extremely confidential information online, because that's what this amounts to doing. I have the same issues with what the U.S. and European governments are doing with antiterrorism measures involving massive amounts of data sharing with multiple law-enforcement agencies. It's very dangerous to spread that kind of data all over the place, because not all those who end up with it will use it in ways to our liking.

If you trust your government not to screw this up then by all means encourage them. Personally, I don't believe that my government can be trusted to keep my secrets. It's not their job now, and it shouldn't ever be.

Privacy already gone

[WoodstockJeff]

We gave up the idea of private medical records when we accepted the idea of others paying for our health care.

In ancient times, when we took care of ourselves, no one knew our medical history.

Then we asked others to take care of us, and they wrote things down to keep track of what they'd done to/for you, and "medical records" were born. But only the "doctor" needed them, so they were still relatively private. Plus, few people cared.

"Clinics" and "hospitals" meant that more people were giving you health care, so they got access to your records, but still, few people really wanted them, anyway.

Then, the "insurance company" was born. Insurance companies insisted upon records to prove you weren't trying to defraud them. When they got into the business of paying the doctors ("health insurance"), they wanted those records, too. And people started to get concerned, but not that many.

Then people decided that the government should replace insurance companies, to "make it fair", but governments like records even more than insurance companies, so they wanted the medical records, too.

Now that "the government" is becoming "most of Europe" is not the time to decide that you object to the government having your health records.

Another tower of Babel?

[tgv]

How in the hell is a Spanish physician going to understand my Dutch GP's notes? And such a system has so little potential use and so many ways of ending up on http://www.dailywtf.com/, that the mind boggles at the thought of hundreds of millions of being wasted on another prestigious EU project.

This is just a wild guess, but it smells very French to me.

Liability

[XNormal]

Ever wondered why so much medical information is still in paper form or in small, local proprietary databases? After all, we have had the technology to automate it and improve efficiency for about two decades now. I know a big supplier of medical software and they have learned to concentrate only on certain administrative aspects or things like lab tests - never on true integration of actual medical data. These project tends to mysteriously fail. Well, there's nothing mysterious about big software projects failing, right? But why is it that it's always the same kind of projects that fail?

It turns out that the medical staff doesn't really want them. Sometimes they even actively sabotage them. They are already exposed to far too many liability lawsuits. Having all that data online will make it a much easier target for court orders or even automated mining.