Microsoft Working On Health Information 'Vault' System

josmar52789 wrote with an article from the New York Times, discussing Microsoft's new push into the consumer health care market. The plan is to offer personal health care records online via a system called HealthVault. Numerous big names in the medical field have signed up for the service, including the 'American Heart Association, Johnson & Johnson LifeScan, NewYork-Presbyterian Hospital, the Mayo Clinic and MedStar Health'. The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities: "The personal information, Microsoft said, will be stored in a secure, encrypted database. Its privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol levels. "

unsubscribe

unsubscribe

Re:unsubscribe

I'll be damned if any of my personal medical information will be entrusted to anything using M$ junk. I'll refuse to provide any info, or give them junk info to store.

Governments should be doing this, among other things:
http://linuxmednews.org/

Re:unsubscribe

[Mister+Whirly]

"I'll be damned if any of my personal medical information will be entrusted to anything using M$ junk."

It already is. Look around your doctor's office next time you are there. See the computers? They aren't Macs now, are they?

Re:unsubscribe

Ah, no. I just refuse to provide any valid info for their computer files. And of course, I demand a paper copy of everything they do have in their computer systems, to verify that it is 'correct', 'accurate', etc.

Followed by a lecture to the healthcare providers present to switch to reading:
http://linuxmednews.org/

Re:unsubscribe

[Mister+Whirly]

And on which systems do you think they store all the health information gathered by the doctors? Such as your charts, test results, prescriptions, etc. You don't have any control over how these are stored, nor can you selectively edit the information according to your needs. Giving them a fake address doesn't change anything.

And if they have no clue about Microsoft's security record, do you honestly think they will know or care what Linux is?? Save the lecture.

Re:unsubscribe

[freemywrld]

A little thing called HIPAA does go a long way to ensuring that your data isn't bouncing around all over the internet. Hospitals are frequently and meticulously audited to ensure compliance with federal regulations. A lot of clinical information systems still run on mainframes. Our new application runs on Unix. The front-end for doctors and nurses runs on Windows, but the whole back-end is nothing but Unix goodness.

Re:unsubscribe

[Dragonslicer]

Ah, no. I just refuse to provide any valid info for their computer files. Giving false information to your doctor? Brillant!

Re:unsubscribe

[Mister+Whirly]

I know what HIPPA is, and have taken training on it, and even passed a HIPPA audit. All the medical data was stored on a Windows server, and guess what? Still passed with flying colors. HIPPA does not stipulate certain operating systems - any OS can be used as long as it passes the requirements.

Re:unsubscribe

[cayenne8]

"It already is. Look around your doctor's office next time you are there. See the computers? They aren't Macs now, are they?"

Actually, MANY MANY Dr.s offices still primarily use paper records for perm. records, often computers are mostly used for scheduling. At least for smaller private doctors.

At the very least, this MS system sounds like it would be web accessible....with the part of patients being able to type in their info....

Snowballs chance in hell baby, snowballs chance in hell.....

Re:unsubscribe

[cayenne8]

"I know what HIPPA is, and have taken training on it, and even passed a HIPPA audit. All the medical data was stored on a Windows server, and guess what? Still passed with flying colors. HIPPA does not stipulate certain operating systems - any OS can be used as long as it passes the requirements."

This article, at least my understanding of it...isn't just about keeping medical info on a computer running MS Windows....it is more about a centralized medical record datastore that Microsoft is building and itself responsible for....that everyone's records are kept on an internet accessible server (or set of servers). Healthvault is MS keeping everyone's health data.

I'd guess that insurance companies would be drooling at the chance to get all this data in one place...a 'definitive source'. Shoot, combine that with some DNA records and evaluations....and you're all set to be denied coverage for possible future diseases. Hook this centrally to some other datastores on you...and all kinds of living/health habits can be established.

Let's forget the nightmare scenarios I was laying out above...what if there is a security break? Embarrasing info about your treatment for VD might come out...that's bad enough, but, what if it was treated due to an affair you mistakenly had while on a long trip away....you get treated, you'r sorry and won't do it again...but, your wife now finds out?

At the very least...MS products are already a HUGE target for hackers and crackers....wait till a MS system becomes the centralized repository on some of the most personal and possibly private information on citizens of the US and maybe the world. You trust them to keep that info safe with that big a target painted on the system?

As I said in another post.....Snowballs chance in hell of me voluntarily letting my info on there.

Re:unsubscribe

[freemywrld]

You are very correct, HIPAA does not stipulate any such things as OS. We have plenty of Windows servers in our Data Center. It just means that we have to have people here who really know what they are doing in regards to security. No doubt that server you reference is sitting safely behind a firewall, etc. No one who is smart (in any industry) would trust only Windows security to protect them.

Re:unsubscribe

[Mister+Whirly]

The server referenced is not connected to the internet in any way, only the local LAN. Also had to be encrypted, locked in a separate room, protected by strong passwords, etc.

No one who is smart (in any industry) would trust only (FILL IN THE BLANK) security to protect them. Security is a process, not a product. Security can be good or bad on ANY operating system.

Re:unsubscribe

[freemywrld]

I believe we are on the same page with this. And you make an excellent point about security being a process. A continually on-going process, no less.

Re:unsubscribe

A little thing called HIPAA does go a long way to ensuring that your data isn't bouncing around all over the internet.

You apparently haven't actually experienced a privacy violation under HIPPA. A local hospital violated my privacy in several ways and I'd just like my info removed from their system. They refuse to do it and they say the reason *is* HIPPA.

You can bet I don't want my data in any large central system.

Re:unsubscribe

I know what HIPPA is HIPAA

Re:unsubscribe

[cHiphead]

HIPPA is useless for dictating real life data security situations. ABSO-FUCKING-LUTELY USELESS.

Re:unsubscribe

Who cares about permanent paper records? Do you think all that information at the doctors offices that are going to the medical biller, to the healthcare provider, to insurance records are all avoiding microsoft products? Hah! You're already DEEP in it.

Re:unsubscribe

[Minwee]

HIPPA is useless for dictating real life data security situations. ABSO-FUCKING-LUTELY USELESS.

Absolutely. That's what HIPAA is for.

Re:unsubscribe

[turbidostato]

"The server referenced is not connected to the internet in any way, only the local LAN"

Except that somewhere, within the LAN, someone took 150000 health records out to a pendrive because he's working long hours for his PhD and loading them in his home PC.

Except that somewhere, within the LAN, someone a bit over mid-management looking for ways to outsmart those silly computer guys and their stupid web proxy attached one of those modems to his phone line and now he can freely surf the web.

Except that...

Re:unsubscribe

[rlbond86]

Everyone --- tag "vault13" in honor of Fallout 3!

Re:unsubscribe

Big selling point in the marketing literature for GE's "Centricity" line of practice management and electronic medical records (EMR) software is that it's built on Windows and doesn't use that 'old' unix technology.

Look a little deeper and you learn that the EMR piece runs on Oracle and the billing/scheduling piece runs on MS SQL. All smoothed over with IIS. So under the hood, it's not exactly an efficient application.

I guess point-and-click wins the day.

Re:unsubscribe

[rdoger6424]

Except that somewhere, within the LAN, someone took 150000 health records out to a pendrive because he's working long hours for his PhD and loading them in his home PC.

there is no way in hell that that would happen. Hospital privacy laws are extremely strict. There are extremely few legitimate use for dumping medical records on a pen drive, and no way in hell would that pen drive under any circumstances be allowed to leave the building.

Re:unsubscribe

"See the computers? They aren't Macs now, are they?"

Scary enough, every doctor I've been to in my country do you use Macs.

Re:unsubscribe

[darkpixel2k]

It already is. Look around your doctor's office next time you are there. See the computers? They aren't Macs now, are they?

One of my clients is a dental office. They are pretty darn secure, but I ran across something interesting when I was down setting up one of their new offices.
I fired up my laptop and it automatically connected to an AP named 'linksys'.
I couldn't get to the internet because it assigned no default gateway. So I started sniffing packets and saw a bunch of windows garbage scroll past.
I fired up the network browser in Ubuntu and started surfing around.

To make a long story short, in about 2 minutes I had an entire copy of the patient database from the dental office next door to my client. I walked in to their front desk and showed them what I managed to access and asked them about their 'IT guy'. They said he was 'sort of an idiot'.

Yeah. Thanks for exposing data on about 2,000 patients. I'm sure they want their Names, DOB's, allergies, medical history, insurance information, work information, physical and mailing addresses, phone numbers, spouse and child information, and even their photographs exposed to anyone who wants to sit in the lobby with a laptop for 5 minutes.

The only slightly redeeming part was that they didn't store and credit card details.

Re:unsubscribe

[master_p]

There is big bucks in the health care system.

Re:unsubscribe

[tombeard]

Ah, another fundamental purpose of government. Just like wiping my ass.

Re:unsubscribe

[LifesABeach]

It is not really a question of how long before all of this medical information is released into the wild. But the REAL question will be, "How young was that Cracker that did it?" I figure it would be someone under the age of 15, in exchange for more Sponge Bob underwear.

Re:unsubscribe

[slater86]

i don't think it matters who's running the thing. why the hell they somehow feel the need to post this stuff online, they're just asking for security issues of some form. good intentions or not from MS, it won't be long before scammers will not only try to phish for your bank details but then send targeted medication ads your way while they're at it with data they obtained mysteriously.

Re:unsubscribe

[Mister+Whirly]

"Except that somewhere, within the LAN, someone took 150000 health records out to a pendrive because he's working long hours for his PhD and loading them in his home PC."
Except we have the USB ports disabled just for such a situation. No CD or DVD RW on the machines either.

"Except that somewhere, within the LAN, someone a bit over mid-management looking for ways to outsmart those silly computer guys and their stupid web proxy attached one of those modems to his phone line and now he can freely surf the web."
Except all of our phone lines run through a digital PBX, and if you hooked an analog modem up, best case is it wouldn't work, worst case is it would fry the modem.

Come on, you think I haven't dealt with all those situations, and more that you describe? Anticipating stupid user moves is key to security.

Except that...

Re:unsubscribe

[rtb61]

Do you know what is even worse, M$ daring to call it a 'secure' database.

8. WE MAKE NO WARRANTY.

We provide the Service "as-is," "with all faults" and "as available." We do not guarantee the accuracy or timeliness of information available from the Service. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws that this Service Agreement cannot change. We exclude any implied warranties including those of merchantability, fitness for a particular purpose, workmanlike effort and non-infringement.

That is from https://account.healthvault.com/help.aspx?topicid=ServiceAgreement now that is exactly how secure the database is. The non-infringement bit is interesting, is M$ admitting to stealing code and hiding in the closed source software.

Re:unsubscribe

[Kalriath]

You should be aware that Windows is quite capable of blocking the use of removable storage (CDs, USB, SD Card, Floppy, anything) and most certainly can also be configured to block someone attaching a modem to the PC.

I work in a hospital in the ICT department. I'm well aware of exactly what we can do with the Windows PCs to prevent people misusing the data.

Ironically, around here we use something like HealthVault for people's medical records. They're held securely by central government and we use a secure VPN link (over dedicated lines, not the internet) to retrieve any info we need.

Re:unsubscribe

My surgeon is all mac. Even has a star treck waiting room.

I predict

There will be a breach and Microsoft will be sued. I predict they'll end up losing a lot of money on this long term (assuming they stick with it long enough).

Microsoft's successful formula

[us7892]

Microsoft is starting its long-anticipated drive into the consumer health care market by offering free personal health records on the Web and pursuing a strategy that borrows from the company's successful formula in personal computer software.

I'll bet this sentence is not going to go over too well with the slashdot crowd.

Re:Microsoft's successful formula

[Opportunist]

Must've been borrowing for a while now. If I was MS, I'd sue to get it back.

Re:Microsoft's successful formula

I have milk in my nose and on my face thanks....

Re:Microsoft's successful formula

[SoCalChris]

I don't think that anyone can argue about whether they have a successful formula in personal computer software. They've made billions using that formula.

Re:Microsoft's successful formula

[iONiUM]

You can dislike Microsoft's business practice all you want, but they are "successful" in a financial sense. Nobody, not even slashdot users, can deny that.

Re:Microsoft's successful formula

[h2_plus_O]

Nobody, not even slashdot users, can deny that.

you must be new here.

Re:Microsoft's successful formula

[Stormwatch]

I'll bet this sentence is not going to go over too well with the slashdot crowd.

Not really. Nobody can deny that Microsoft is successful. Now, do they deserve said success? Now that's debatable.

And let's be realistic: not all of it comes from unethical business practices. Despite the security issues and mediocre design, Windows was "good enough" for most people. And they cheated sometimes, sure, but their rivals mostly failed by themselves. For example, back in the early 90s, I recall that IBM sold PCs loaded with Windows rather than their own OS/2. Seriously, what the hell?

Re:Microsoft's successful formula

[Mister+Whirly]

"Microsoft is starting its long-anticipated drive into the consumer health care market by offering free personal health records on the Web and pursuing a strategy that borrows from the company's successful formula in personal computer software."

I'll bet this sentence is not going to go over too well with the slashdot crowd.

Yeah. Everyone knows that a business with over 90% of desktop marketshare is an utter failure. Not saying I agree with their "formula", but one could hardly call it "unsuccessful".

Re:Microsoft's successful formula

[iONiUM]

My.. my user id is lower than yours? I'm almost tempted to say "so is my penis".

Re:Microsoft's successful formula

[oSand]

You're short?

Re:Microsoft's successful formula

[oSand]

Depends what your metric is for success. They took half a decade to release an OS, constantly missed their dates and produced an OS that was mediocre and poorly received. Is that successful?

Re:Microsoft's successful formula

[marcello_dl]

>> ... and pursuing a strategy that borrows from the company's successful formula in personal computer software.

> I'll bet this sentence is not going to go over too well with the slashdot crowd.

Why? It's perfect. Of course the formula is =850*77.1

Re:Microsoft's successful formula

[Mister+Whirly]

Apparently you missed the 90% marketshare.That means that their mediocre operating systems (you do realize they have more than just Vista, right?) are on 9 out of 10 computers. And yes, I would call that "successful". Not "moral" or even "right" , but from a business standpoint, very successful. Remember, we are talking in the context of their "business formula", not their "ethics formula".

Sure..

I know I'd gladly trust my personal information to a Windows-based system. After all, Microsoft says it's secure, and they totally nailed security in Windows 95 ^H^H 98 ^H^H 2000 ^H^H^H^H XP ^H^H Vista

Re:Sure..

[Silas+is+back]

Same here; my health-records stored on Windows-Servers with Microsofts own software?

Won't happen.

Re:Sure..

9 9 2 X Vista?

Re:Sure..

[dnormant]

I feel the same way. The problem I see is what if my caregivers decide to subscribe to this MS service? What hoops do I need to jump through to revoke my HIPPA agreement with them? Can I?

Microsoft doesn't have a good security track record. Their marketing is pretty damn good. My doctor doesn't know they are incompetent in the security arena.

This is scary.

Re:Sure..

[_anomaly_]

But your information is stored in a vault!

Er, you're right, I'm not comfortable with that either.

Now, if it was stored in a lock box, that'd be a different story...

Re:Sure..

[Silas+is+back]

In the article, they state that the user/patient controls everything. Now, while I already doubt this, it's written that the user has to permit (once) what your doctors can store in this "vault" and what not. I guess they have to implement this security measure, health-records are very valuable and potentially dangerous data. Without the patient being able to decide what gets there and what not, there would be quite some resistance in various countries.

I trust I can refuse to have my data stored there.

Re:Sure..

[kyofunikushimi]

This comment has probably been made by somebody else already (I didn't check), and since I'm about to walk out the door I neglected to read TFA, so go ahead and mod me redundant/offtopic/etcetera.

This is an excellent way for MS to lock in the Hospital/Health Service market. If they require IE to interact with this website, they're in like Flynn; I can't think of many reasons a health services establishment would want to turn down a service like this.

Oh yeah, triple secure.

[photomonkey]

This sounds like one horribly, terribly bad idea to me from a security standpoint.

Also, I can't help but believe that 'anonymous' information will be handed over to drug companies so they can 'research' their 'market'.

Some things are still best done with paper and pen.

Re:Oh yeah, triple secure.

[Em+Adespoton]

This sounds like a horrible idea to me from other standpoints too:

1) Medical professionals never like patients to have full access to their records, as if a patient misunderstands something on their file, their life could be at stake based on the decisions they make.

2) The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host. Let's just say that I highly doubt this information will be protected from people working for US "security" agencies.

3) The system appears to be designed so that MS can sell aggregated data to drug companies and insurance companies. Seems to me though that even with aggregated data, you could reverse-mine it to have a reasonable suspicion regarding individuals (you'd know trends, which would help in searching for more specific details)

Anyway, the whole thing could be really useful if used correctly, but there are so many ways it could be misused even if the system doesn't have a major security breach that I for one would never use it.

Re:Oh yeah, triple secure.

[Evanisincontrol]

Like it or not, your medical information is going to become electronic. Microsoft isn't the first company to propose an Electronic Health Record -- not by far. The Cerner Corporation, for example, has been working modernize the health record since 1980. There are at least two universities in the U.S. which host a major in Medical Informatics, a program specifically designed to produce experts in this very subject.

Try to fight the Electronic Health Record is like trying to fight the use of computers in any other field -- it's inevitable.

Re:Oh yeah, triple secure.

[zifferent]

This sounds like a horrible idea to me from other standpoints too:

2) The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host. Let's just say that I highly doubt this information will be protected from people working for US "security" agencies.

Uhmm that was already the hidden agenda of the HIPPA regulations. The government has complete access to your medical records.

Re:Oh yeah, triple secure.

[ejdmoo]

The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host. Let's just say that I highly doubt this information will be protected from people working for US "security" agencies.

Proof?

Re:Oh yeah, triple secure.

[jpfed]

Oh yeah?!? Well my employer has been working to modernize the health record since 1979!

Re:Oh yeah, triple secure.

[ShieldW0lf]

Aside from all that, does anyone find the idea that hospitals could be shut down with no more difficulty than erasing an illegally copied politically newscast off a TCP compliant DVR intimidating?

What happens when a small county hospital can't afford to pay, so they lose access to the data they depend on to treat people? Spend a few years in court establishing that this is a problem?

Hell, there seems to be a lot of concern about foreign nations using cyber-warfare to attack another nations critical infrastructure. So, that being the case, why in the sweet hell would you want to take something as critical to human life as medical records and centralize them?

Wouldn't we be safer making do with a little less privacy and having them replicated automatically from hospital to hospital?

Honestly... I don't care if you guys know that I broke 5 ribs 15 years ago, have bad eyesight and am allergic to Ceclor. Snoop away, no skin off my ass. But you better fucking believe I want every hospital worker and their mom to know all about it.

Re:Oh yeah, triple secure.

[BuhDuh]

Am I alone in not trusting MS to secure a horse to a hitching rail?

Re:Oh yeah, triple secure.

Was this company the same as Disc several years ago?

Re:Oh yeah, triple secure.

[plague3106]

hmm, want to back that up. My wife works with medical records, and HIPPA severely limits who can see any patient information.

Re:Oh yeah, triple secure.

[Arterion]

I don't think we can prove that it DOES do things like this, but the languages and broad powers it gives certainly means that it CAN, and I think that's scary enough to warrant a LOT of concern.

Re:Oh yeah, triple secure.

[ceoyoyo]

Yes, but perhaps the Internet isn't the best place for such data.

Re:Oh yeah, triple secure.

[RKThoadan]

That medical records are going electronic is a certainty, and generally a great thing. The question of if there will be any centralization of records is up in the air and industry trends are mostly against that. Most of the major Electronic Medical Records packages couldn't even export your data from one hospital and import it into another using the exact same vendor, much less try and import it from a different vendor. For most electronic records packages, if you ask for a copy of it you're just going to get a series of images or maybe a pdf, because that's all the export abilities the packages have. There are plenty of organizations (especially the govt) pushing for standardization, but it's going to be really difficult to pull off.

Re:Oh yeah, triple secure.

[hazem]

1) Medical professionals never like patients to have full access to their records, as if a patient misunderstands something on their file, their life could be at stake based on the decisions they make.

To paraphrase Asimov, "if knowledge is dangerous, I can't believe the solution is ignorance". What useful knowledge is NOT dangerous in some way? Fire? Automobiles? Speech?

Those records are about me and I should have the ability to see/read/have copies of them. I should be able take them to another provider and them interpret them.

What you cite, while said in a well-meaning way, is basically a continuation of the elitism in the medical profession where the doctor is god and the patient is an ignorant plebe. It's my health, and ultimately, I'm the only one who has a keen interest in maintaining it. _I_ therefore should have access to all the relevant information about my health; whether I'm able to understand it or not.

This isn't an attack against you, just the mindset that we "normal people" are too dumb to know about our health.

Re:Oh yeah, triple secure.

The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host

The US also has a law called the Health Insurance Portability and Accountability Act".

The Privacy Rule took effect on April 14, 2003, with a one-year extension for certain "small plans." It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual.[12] This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Covered entities must disclose PHI to the individual within 30 days upon request.[13] They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.[14]

-mcgrew

Re:Oh yeah, triple secure.

[R2.0]

"Honestly... I don't care if you guys know that I broke 5 ribs 15 years ago, have bad eyesight and am allergic to Ceclor. Snoop away, no skin off my ass. But you better fucking believe I want every hospital worker and their mom to know all about it."

Were you treated for alcoholism? Are you a transexual? Have an abortion?

There are plenty of things that, while perfectly legal, are things that one does NOT want "every hospital worker and their mom to know all about it." And you won't get to selectively edit it, because there are still SOME healthcare workers that need to know it. And HIPPA be damned - once a deep, dark secret is out, all the money damages in the world won't make up for it.

I'm actually for computerized, remote accessible records. But access needs to be secure, controlled, traceable.

And sure as shit I don't want Microsoft (or any private corporation, for that matter) to have any part of it.

Re:Oh yeah, triple secure.

[Bacon+Bits]

1. HIPPA says no. You ask, they must give you complete and total access to your own medical records. They have no authiruty to deny them to you unless you suffer from some fairly specific medical conditions (namely, mental illness).

2. HIPPA says no. If a nurse accidentally allows access to your health information, that's a $10,000 fine for her and a $100,000 fine for the hospital.

3. HIPPA says no.

WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part--

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection (b).

(b) PENALTIES.--A person described in subsection (a) shall--

(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

-- http://aspe.hhs.gov/admnsimp/pl104191.htm#1177

Geez, you'd think that people involved in IT would be somewhat aware of the demands of HIPPA PHI.

Re:Oh yeah, triple secure.

[BoChen456]

Seems to me though that even with aggregated data, you could reverse-mine it In Soviet Russia, data mines you! Seriously though, what do you mean by reverse-mining? If I tell you that the my age and the age of a sample of my officemates has a mean of 34 and a standard deviation of 9. How do you reverse mine that to get my age?

Re:Oh yeah, triple secure.

The comments I've first read are right... I work in healthcare and I can guarantee you Microsoft's plan is to sell data. There is a HUGE market in pharma for this, and it happens all the time. Personal information is stripped out, but doctors, hospitals, pharmacies all sell that data to drug manufacturers. MS figured this out and wants a piece of the pie.

Frankly, I'm not too comforted to hear Microsoft will be "securing" that data.

Re:Oh yeah, triple secure.

[Deadplant]

proof?
There is no disputing it, you can read it yourself if like:
http://www.epic.org/privacy/terrorism/hr3162.html

There is no argument on this subject that I am aware of.
The administration is actually proud of it. They think it is a good thing.

I have not heard about MS allowing backdoor access to some data but that would be nothing more than an administrative efficiency which I would have assumed they would have implemented by now. The 'right' of the CIA/SS/FBI/DHS/NSA to access the data is laid out in the patriot act.

Re:Oh yeah, triple secure.

[Evanisincontrol]

There are plenty of organizations (especially the govt) pushing for standardization, but it's going to be really difficult to pull off.

You don't think the ANSI-accredited HL7 is doing a good job pushing for standardization? Hell, they've completely revolutionized Health Informatics standards in the last few years. Especially with Version 3 being based on XML, I predict a HUGE portion of the Health Informatics market to adopt HL7 as a standard.

Re:Oh yeah, triple secure.

[JimFive]

The only reasonably secure way to have an Electronic Medical record is to have a standard format and an encrypted smart card that the patient owns, with a duplicate maintained at the patient's primary physician. Some sort of emergency override would have to be implemented to allow for unconsciousness of the patient, etc. The provider's and insurance companies would be required to delete all protected health information when no longer needed by their systems.

Good luck trying to get this idea to fly.

--
JimFive

Re:Oh yeah, triple secure.

[dasimms]

Oh yeah?!? Well my employer has been working to modernize the health record since 1979!

... with technology from 1979! (kidding ... kind of)

Re:Oh yeah, triple secure.

[ShieldW0lf]

No, although I'd like to know those things about the people I deal with, and I don't really see any justification for why compromises in health care and infotech and my own capacity to decide who I wish to have dealings with, just to keep someones deep, dark secrets. I wouldn't say there should be any entitlement to damages either.

Every example you gave was a choice, not a disease.

Why should we be helping the alcoholic keep his job? Why should we be helping the transsexual, who we've already established to have a mental disorder? Why should it be impossible to decide to help young mothers-to-be instead of baby killing little sluts?

Seriously, what justification for any of this beyond live and let live? Is society meant to enshrine peoples right to trick people into thinking they're something they're not?

Re:Oh yeah, triple secure.

[Transdimentia]

I believe there is a loophole in this, where it is the individual who is in possession of the data not a health provider (i.e. The end user sets up this vault not the health provider). This releases the 'vault' from complying with HIPAA because of SEC. 1172. (a) APPLICABILITY. I have heard this from more than one company trying to accomplish the same thing.

Re:Oh yeah, triple secure.

[freemywrld]

The purpose of HIPAA is to protect patient confidentiality. It not only limits who has access to the information, but also has provisions for how information can be transmitted (such as disallowing the sending of confidential information over email), what can be placed where (any paper from this hospital with even a name on it MUST be placed in secure shredding boxes to be destroyed), etc. Definitely not an open-door policy for government snooping.

Re:Oh yeah, triple secure.

[CodeBuster]

The question isn't whether normal people are smart but how the records would be used. Suppose that the insurance companies got access to the records and used them to price discriminate or deny coverage? How would you know that the record had been accessed or, more succinctly, how would you prove that they discriminated or denied coverage based upon a peek at your medical records?

Re:Oh yeah, triple secure.

[UncleTogie]

I just checked, and the section allows for law enforcement access....

Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court- ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Pretty nebulous there, and I'll bet 10-to-1 that the system WILL be socially engineered based on this section...

Re:Oh yeah, triple secure.

[freemywrld]

The tone of your post should answer your own question. Why do people want the opportunity to keep certain information about themselves private? Discrimination, that's why. The automatic judgements you make in your post lead me to believe that you would treat people differently based on such information. People keep irrelevant personal information private to protect themselves from people like you.

Re:Oh yeah, triple secure.

[ShieldW0lf]

Not for much longer they don't. Those days are numbered. Better get used to it.

Re:Oh yeah, triple secure.

[ejdmoo]

Good Lord...I know the fucking PATRIOT Act exists.

I was asking for proof that "MS has agreements with some agencies allowing back-door access to data they host." That's just malarkey.

Re:Oh yeah, triple secure.

It's nothing new. WebMD has been doing this for many years. That's how they make their money. (datamining and selling info)

Re:Oh yeah, triple secure.

[zifferent]

hmm, want to back that up. My wife works with medical records, and HIPPA severely limits who can see any patient information.

Yah, I work with medical data and while doing my HIPAA awareness training, I was surprised and disturbed by it also.

Here's more info:
http://www.aclu.org/privacy/medical/15222res20030530.html

Re:Oh yeah, triple secure.

I'm glad you posted that, my own response to the grand parent would have been significantly less concise and rather more offensive.

Thank you.

Re:Oh yeah, triple secure.

[RKThoadan]

We shall see what HL7 does. It has had a huge impact on the financial and billing side of things (although I still have to occasionally hand-edit hl7 files that aren't quite right), but it hasn't done much yet for the clinical side. The problem is that so much medical documentation is still very freeform. It's slowly getting much more standardized in physician offices, especially specialist offices, but general practitioners and (especially) inpatient hospital visits are still extremely freeform (and simultaneously drowning in thousands of different official forms).

Re:Oh yeah, triple secure.

[Arcane_Rhino]

ROLFMAO

Re:Oh yeah, triple secure.

[Deadplant]

hehe...
ya, what I meant was that the text of the act makes it clear that the agencies in question have the right to demand the data. My second point was that giving them access to the servers directly would only be an operational/administrative detail not a shocking breach of privacy/security. I mean, who cares if MS services the requests by snail-mail and DVDs or with software over a network? (except the person responsible for controlling costs at MS)

Re:Oh yeah, triple secure.

[Em+Adespoton]

If you can grab data based on various criteria (age, hospital, hair color, disease, time period, etc.) you can re-assemble this data after pulling the queries and often narrow the field back down to a single individual again. These techniques are already used by insurance companies; they cross-compile aggregate data from a number of sources, and are able to find, if not specifics about individuals, strong trends correlated to small groups of individuals. This can actually be MORE damaging, as your profile might slot you into a group in which you are way outside the standard deviation on the one statistic being sought.

Re:Oh yeah, triple secure.

This MS thing is an entirely different beast from what Cerner offers. Cerner provides EMR software that stores your information at the organization that treats you. So if you go to the doctor, he puts his diagnosis, notes, and everything else in a database that his healthcare org provides. They control the database and they control the information. MS is trying to get consumers to control the information while MS controls the database.

It'll never work because nobody is going to want to put information in MS's database. Most large healthcare orgs already have their own software and it isn't going to be easy to export the data from that software to MS's db. They'll probably give you an long printout with your entire chart and tell you to put all that information in yourself.

Alternatively, a lot of healthcare orgs are also implementing patient portals that allow their patients to access their information over the web. Seems slightly more secure than the MS thing (you usually have to visit the doctor and get an authorization code to enable access) and it theoretically remains accessible even after you change to a different organization.

Re:Oh yeah, triple secure.

[Hatta]

Enabling bigotry is not "live and let live". The less information we have about each other the less we can stick our noses where they shouldn't be. We are all more free when we all just mind our own damn business.

Re:Oh yeah, triple secure.

[turbidostato]

"The only reasonably secure way to have an Electronic Medical record is to have a standard format and an encrypted smart card that the patient owns, with a duplicate maintained at the patient's primary physician. Some sort of emergency override would have to be implemented to allow for unconsciousness of the patient, etc."

Just to be clear: what you are proposing is "in order for you data to be secure we'll go a long path to be really sure only *you* can access your data. But then, we are going to provide a very big backdoor to the system so almost anyone can have a look at it in hurry -and then we'll hope nobody will dare to misuse the backdoor"?

Re:Oh yeah, triple secure.

[turbidostato]

"It'll never work because nobody is going to want to put information in MS's database."

By "nobody" you mean that neither the American Heart Association nor Johnson & Johnson LifeScan nor NewYork-Presbyterian Hospital nor the Mayo Clinic or MedStar Health will do it, isn't it?

Re:Oh yeah, triple secure.

[80N]

Check out http://www.openhealthrecord.org/ This is a proof of concept of how to do this kind of thing properly. Fully anonymous, it makes all data available to anyone for all kinds of research and totally undercuts anyone, like MS, who tries to monetize your data.

Your health data is your data, don't let Microsoft profit from it by selling it to drug companies.

80N

Re:Oh yeah, triple secure.

[SurturZ]

Yeah I find it ironic that most systems that use HL7 to transmit data seem to make heavy use of Z.. (user-defined) messages.

Re:Oh yeah, triple secure.

And yet, if Google, rather than Microsoft, were providing this very same service, you and the other slashdotters would be praising it to the high heavens.
Hypocrisy, thy name is "Slashdot".

Re:Oh yeah, triple secure.

The problem is that 'INDIVIDUALLY IDENTIFIABLE' is a vague term that is very open to unethical 'interpretations'...

Any information is identifying, and when combined, even from different sources can lead to full identification.

Leaving out the apparent things (name, ssn, address, etc) is not enough. You have to leave out everything to remove all information...

For example, when a database record says:
- 'a person who is married with no children', you've already reduced your set a lot.
- 'was scanned in March 2003 with a type T mri machine'
- 'with lab results for test U coming back negative'
- 'with a policy from insurance company X'
- 'that includes coverage for Y'
- 'but analysis Z was not done because the insurance did not cover that'
- 'whose father has also had disease D'
- 'where disease E is not common in the family'
- 'lives close to a factory polluting with chemical C'
- 'drives a blue volvo'
- 'in a subdivision with 50-75 houses'

It identifies a 'helluva' lot about the individual.

Realize that such a database will likely have almost the same kind of information from almost everybody else (who is relevant you your search), so it will likely also include that father, spouse. Then, thinks such as car ownership databases, insurance policy details, etc can be added.

The more data there is in the record, the more information it adds (and references to unidentified other records is still information) can be correlated with, the more people can be individually identified. If you ask the right questions, you need only 29 questions to pinpoint one out of over 500 Million people. Of course, not every question has only two answers, nor is equally distributed, so you will need more to pinpoint most people, but for some you will need less, and if you combine enough databases you may actually have the answers to enough questions to pinpoint most people... Even without each individual database having 'individually identifyable' data...

Re:Oh yeah, triple secure.

[Unordained]

Agreed. Besides, you hear stories of patients researching their conditions to a greater extent than their doctors, basically using the doctors only to get permission to go through with a proposed solution -- not to do the research. I know my g/f's mom spent *years* going from doctor to doctor for help, only for us to eventually help her self-diagnose as Celiac -- none of her doctors ever figured it out, nor spent the time researching the symptoms to see what it *could* be. They simply don't have the time. You go to doctors for:
a) advice (which you can get elsewhere, and spend as long looking as you need to)
b) permission (which, really, is none of their business, but somehow it became law)
c) justification for insurance payment (the real reason, I think)

Growing up in France, everyone was issued a Carnet de Sante -- a Health Booklet. You keep all your medical records in one standardized paper booklet -- immunizations, visits, checks, growth charts, odd medical conditions, etc. Not high tech, but it worked. Doctors sign/stamp as you go, but you're responsible for carrying your health history around to various doctors -- and they'll look at what you bring, too! Here, I have to sign a form for my new doctor to call my old doctor, fax the form, get records sent (not always free), all so the new doctor can ignore what he's now received, and start all over -- oh, I'm sorry, your x-rays aren't in my prefered format, so I need you to get whole new ones, even though there's nothing actually wrong with the old ones. They don't seem to ever want me to, oh, I dunno, take home a copy of my visit data after each visit, then re-supply it to future doctors (same or otherwise.) I can't figure out if it's a way of making me "loyal" to a doctor (as they also like to charge a first-time-visit fee, regardless of how recently you've seen another doctor -- making switching doctors a costly pain) ... but damn it, it's my data, it should be mine to keep and reveal.

Re:Oh yeah, triple secure.

It's just too bad that Epic's pharmacy module is such a joke....

Re:Oh yeah, triple secure.

[JimFive]

Since the information is on a physical object in the possession of the patient and the physician the emergency override might be something like, calling the physician, proving your identity and having the physician give out the pertinent information, I don't think the backdoor is that big or available for misuse.

--
Jimfive

Re:Oh yeah, triple secure.

[yakovlev]

Let's be absolutely clear:

You have a legal right to see everything in your patient records, and I believe to receive a copy. The point here is to ensure that the patient doesn't misinterpret the information they're given.

As a simple for instance, suppose the physician wrote: "possible stomach cancer" in your file 2 years ago. The physician might like the chance to tell you "oh, don't worry, that was ruled out by symptom X that was observed in the follow-up appointment 2 weeks later. (We'll ignore the fact that this physician is an idiot because the patient will never again be able to get life insurance.) However, the layman could panic and take inappropriate actions based on a misunderstanding of how the physician chose to chart. This falls into the category of "information that needs to be available, but doesn't need to be easy to get."

Re:Oh yeah, triple secure.

When was the last time you went to a doctor at the AHA or J&J? They don't have access to your medical records. So that leaves three actual organizations who signed on for this out of how many in the US?

Besides, Microsoft probably paid them a good chunk of money for their backing.

Uh uh.

[morgan_greywolf]

Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol level The hell I will! No way, Jose. Fuggeddaboudit!

The last thing I need is an employer or potential employer tracking down my medical records. Or the CIA, NSA, ATF, or cybercriminals or any other organization or individual who wishes to covertly steal my personal data for nefarious purposes.

Do you know what your medical history contains and how it can be used against you? I do.

Re:Uh uh.

A vote for ron paul would allow such a system because government oversight is BAD...

Re:Uh uh.

You do? How did my last screening turn out? I can't get hold of a real person to ask.

Re:Uh uh.

[nine-times]

Well, yes, there's a potential problem any time you put enough personal information into one place: sure, it's more convenient for the appropriate people to access, but it's also more convenient for someone to steal.

My bigger concern, however, is that this is Microsoft proposing this. It makes me want to vet the idea for possible abuses. Beyond the obvious privacy concerns, is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

Even if such a system is going to be set up, I'd rather someone with a good track record build something that makes use of open formats and protocols. I'd like to know that my family's medical records aren't going to go up in a puff of smoke because Windows Update decided my Office license wasn't "genuine", or something other bizarre thing.

Re:Uh uh.

[jimicus]

is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

Not at all. It will be web based, and provided you're running Internet Explorer 8 you're fine.

Oh, didn't we mention? IE 8 will be Vista with SP1 only.

Re:Uh uh.

It makes me want to vet the idea for possible abuses A person might ask you to provide your credentials for doing so, considering you don;t know the difference between vet and vett. And your propensity to ask leading questions based on complete assumptions.

Re:Uh uh.

I'd like to know that my family's medical records aren't going to go up in a puff of smoke because Windows Update decided my Office license wasn't "genuine", or something other bizarre thing.

If it would wipe my records off of their servers I would keep an obviously "pirated" install just for regular connection to their services.

Re:Uh uh.

[Cecil]

A vote for ron paul would also allow you to say "No, thanks" and if needed, get healthcare from someone else.

Re:Uh uh.

[???]

Online Etymology Dictionary - Cite This Source - Share This
vet (1)
1862, shortened form of veterinarian. The verb "to submit (an animal) to veterinary care" is attested from 1891; the colloquial sense of "subject to careful examination" (as of an animal by a veterinarian, especially of a horse before a race) is first attested 1904, in Kipling.

Re:Uh uh.

[morgan_greywolf]

Uh huh. And not to mention Microsoft's 'stellar' track record with regards to security.

Re:Uh uh.

[nine-times]

Thanks for that. I was tempted to respond to that. "Vet" is correct, but AFAIK, "vett" is wrong. I think it only adds the extra "t" when you change tense, i.e. "vetted" or "vetting", unless there's some unconventional spelling that's become accepted.

Re:Uh uh.

Just do what I do, never visit a doctor's office unless it's an emergency visit :P

Re:Uh uh.

[boarsai]

is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

Not at all. It will be web based, and provided you're running Internet Explorer 8 you're fine. Oh, didn't we mention? IE 8 will be Vista with SP1 only.

Guys, that's not funny. That's insightful. :(

Re:Uh uh.

[rdoger6424]

the only way that sending such information would be legal would be to strip your personal information from the data before selling it. Personally identifiable medical records are protected under HIPAA.

Re:Uh uh.

[morgan_greywolf]

Did you read the article snippet I quoted? Microsoft wants you to authorize them to release the data. HIPAA allows for the release of medical records with the patient's authorization. But even if you consider that HIPAA release has to say what records you authorizing for release, and who you are authorizing them to be released to -- if people even read the form they are signing -- I also make the point in my post that this information is all in one place and can be stolen, especially given Microsoft's stellar track record regarding security.

"Blue screen of Death" to have a whole new

[unity100]

meaning, that is.

Re:"Blue screen of Death" to have a whole new

[Joe+the+Lesser]

Error: Could not find liver.dll

Re:"Blue screen of Death" to have a whole new

[mangu]

Error: Could not find liver.dll

Have you looked into the C:\booze folder?

Re:"Blue screen of Death" to have a whole new

[Lumenary7204]

... Blue Site of Death ...

... Big Sucky Online Database...

... Bill's Stealing Our DNA...

... Balmer's Surgical Orgy of Darkness...

Needless to say, this is a bad idea.

Re:"Blue screen of Death" to have a whole new

[chooks]

With that error, I think you would get the Yellow Screen of Death.

Blue screen of death would be for the lungs.dll.

Re:"Blue screen of Death" to have a whole new

[mb0]

There will be an outlook extension available soon. Outlook: "*Ding*Ding* You have got AIDS!" MSN will than inform you with a pop-up: "Meat 60k other people who've got AIDS at MSN."

missing tag

[ruffles321]

defectivebydesign

Standards

[jshriverWVU]

What I'll find amusing is if Microsoft actually follows the legal protocol that such an application has to follow. There are many laws dictating how medical data get's stored, how, and how it is to be accessed. My guess is that MS will "do their own thing" and try to market it as a new feature, even if it breaks a couple laws or compromises our medical info.

Re:Standards

[ScentCone]

My guess is that MS will "do their own thing" and try to market it as a new feature, even if it breaks a couple laws or compromises our medical info.

No, my guess is that they'll follow all of the HIPPA requirements, and as a result their service (and anyone else's, trying to accomplish the same thing) will be - just as HIPPA requires - such a gigantic PITA to use that it simply won't be used. People will just die from drug interactions the good old fashioned way, but do so with more privacy.

Re:Standards

[JimFive]

I think you'll find that HIPPA doesn't apply in this case, if, as the summary indicates, the information is being transfered at the request of the patient. Once the information is outside of the Provider/Payor/Patient relationship all bets are off. As long as Microsoft is dealing with the Patient and not the Provider, MS won't have to deal with HIPPA. If they are making deals with the Providers, however, then there must be a Trading Partner Agreement in place that enforces the HIPPA rules on MS.

--
JimFive

Hailstorm

[Saint+Stephen]

Remember Hailstorm? The plan was to expand Passport to first include calendar, todo, and some other web services, and then to provide an ActiveDirectory back-end for auth and ultimately to include all these kinds of services (including payroll and AR/AP data) in a massive cloud.

Privacy experts freaked out, but Microsoft never cancels anything.

Re:Hailstorm

You do realize that the primary guy behind Hailstorm went to Google, and is busy implementing exactly that, except including every search you ever do, and datamining everything.

The question is, do you trust Google with your privacy?

Re:Hailstorm

The guy you are thinking of is Mark Lucovsky and he does now work for Google.

Re:Hailstorm

[ScrewMaster]

Yes I do, and no I don't. It would trust my doctor with my privacy ... but I wouldn't necessarily trust anyone that works for him. I sure as hell don't trust any major corporation with my privacy. I don't care who they are, and with globalization more and more of the medical services sector is going overseas. Medical transcription, for example, has gone to India bigtime, and there have already been a number of high-profile data theft cases.

Really makes you want to start eating lots of vegetables, lay off the mainstream American diet, and start exercising, really, it does. Whatever it takes to keep myself as far out of the medical system as I can.

Mod parent funny or obvious

[reidconti]

... since they lose money on virtually everything they do, short of Windows and Office. I bet they make money on keyboards and mice, too.

Lock up

[OK+PC]

Well at least the Vault will always lock up...

Free medical records on the web?

[Enlarged+to+Show+Tex]

M$ is aware that the medical industry is home to some of the strongest privacy and security regulations, are they not? Or are they going to use a few campaign contributions to relax or otherwise eliminate provisions in HIPAA and other regulations associated with medical records? Color me crazy, but with M$'s track record in the area of security, I wouldn't be so certain my medical records would be handled in accordance with US law...

Re:Free medical records on the web?

[mpapet]

The actual HIPAA regs appear quite stringent, but you'll find that they don't make the data more secure.

For example, Use is well-defined in many cases, but actual security mechanisms are not. This kind of programming is right up Microsoft's alley. Not only is the security model pretty weak, there's limited interoperability requirements.

Please, read the standard. It's not fun reading, but the average /.'er will probably discover it addresses some basic stuff, but leaves the door wide open for familiar and massive compromises.

http://www.hhs.gov/ocr/hipaa/

Re:Free medical records on the web?

[korbin_dallas]

HIPAA doesn't protect 'you' or 'your data', HIPAA protects the Feds and the Medical Industry from lawsuits due to data theft.

That is all.

Heres an idea...give me all those medical documents, I'll keep them at home (or the Bank of Chiba) myself.

Bank of Chiba...
"We keep your money safe by^H^Hfrom prying eyes."

Yeah...

[Cleon]

The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities:

Yeah...That's gonna work out well. After all, whose products are more secure than Microsoft's?

Re:Yeah...

[jonesy16]

Well, NTFS may be a major pain when it comes to fragmentation and journalling support, but it does have one of the best security systems out there in terms of cascading permissions. Most *NIX filesystems only provide you with three tiers of controls: owner, group, everyone. On XP/Vista/NT you can provide as many levels of permissions for as many users as you want with much finer control than just read, write, access. With this in mind, we shouldn't say that microsoft is completely insecure. It's much easier to secure a service that's proprietary in nature and runs on a single maintained backbone than it is to provide security for an OS with some near billion number of users on everything kind of crap hardware imaginable.

Now, I'm not proposing that Microsoft should be the ones in charge of such a project, in fact it makes me shudder at the thought. It would even sound better if they were just being contracted by one of the other organizations that was mentioned instead of the other way around. But if not MS, then who? You asked who does have more secure products and I'm not sure there's a good answer to that. Every OS has security vulnerabilities (as anyone on here will tell you). And most people will agree that those exploits aren't a huge concern when you only make up ~1-5% of the computer market.

In a situation where you're setting up a massive database of personal information, you immediately supercede any metric for target size and jump straight to the top of the "attack me" list. So which OS / Company / Organization should head such a product. Haha, or better yet, choose between microsoft and the government . . . you may not get a third option!

Microsoft security expertise

A Microsoft built *secure* health database...what could possibly go wrong with that? Of course, I'll let the company with the worst security record in the world track my health records.

Oxymoron.....

Microsoft......secure? No thanks, I'll pass....

Yeah right

I don't trust Microsoft and I don't trust their products.

The only thing Microsoft can be entrusted with is fucking people over.

Google Searches too

[svendsen]

Man if anyone could link Google searches to individuals we would know every person's medical condition.

Google Search: Itchy crotch

NSA: Hey Fred Smith has crabs again...lol

MS and security?

[Opportunist]

The company that gave us the ultimately secure Windows OS and the uncrackable Passport?

Say, are the people who are in charge of this living on another planet? I mean, even a non-technical person should have heard by now that "MS" and "security" in the same sentence are usually only used if there is also at least one of the group "flaw", "leak", "compromised" or "nonexistant" in the close vicinity.

In other words: How much was it?

Re:MS and security?

[suv4x4]

The company that gave us the ultimately secure Windows OS and the uncrackable Passport?

As you know, Windows' security issues are ones of legacy. The more they fix it, the more they wreck existing apps.

Apart from this, I have to be honest with you: I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

Microsoft is here to stay, and while they may not end up with the most perfect solution possible, they don't need the money desperately, and can't hide if a major security breach occurs (and it's their fault).

Re:MS and security?

[Opportunist]

...and can't hide if a major security breach occurs (and it's their fault).

No, they can't hide. And won't. And needn't. They'll simply say "gee, we're sorry" and get away with it. As usual.

When was the last time you've seen a large (IT) corporation being forced to take responsibility for the damage they did? Especially if it's "only" privacy leaking.

Re:MS and security?

[colonslash]

Microsoft is here to stay

MS has been around for a while now, but Vista isn't taking off and Office may be cracking under the weight of competition and switches to ODF. They have tried to get into other markets, but, AFAIK, they haven't been successful anywhere else.

In 2002, I gave them 10 years, and I think I am right on track.

Re:MS and security?

[cduffy]

Apart from this, I have to be honest with you: I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

Yes, but the other entities getting into this space aren't exactly little and unknown, either. One of those has a name that starts with a "G", and I personally suspect that MS decided to get into this field principally to avoid one of their major competitors pulling one over on them again.

Re:MS and security?

[Dusty00]

You actually mentioned the biggest reason I don't want them to have my personal data is the reason they're here to stay.

Microsoft stops even trying to make a quality product the second they don't have to and what's more they blatently flip their own customers the finger. I have yet to hear a spin on DRM in the OS that even makes it sound like it was designed as a benifit to the customer and it's in there none the less. If this takes off and Microsoft no longer has to care about making a secure or good product what they have in their hands to f**k up is a lot more important that what OS I use and I image will be even harder to migrate from.

Re:MS and security?

[Salsaman]

Microsoft is here to stay

I damn well hope not.

Re:MS and security?

[plague3106]

When was the last time any software maker did so?

Re:MS and security?

[Opportunist]

Umm... Do the words Sony and Rootkit somehow ring a bell?

Ok, let's say Sony isn't a software company (though, no doubt about it, that was a piece of software we're talking about). How about McAfee detecting Excel as a trojan and removing it, killing hours of productivity? Ok, one might argue it's not a privacy issue. How about the multiple security holes in Windows?

Now show me how they were held responsible for anything.

Re:MS and security?

[plague3106]

I don't get your point; my whole argument was that no software company has yet to be held responsible for the damage their software has done... so I don't really see why you bothered replying to me.

I'm sorry you got a Troll though; seems some asshats out there just like picking on people (I have four comments in a row, across three different stories that were all marked as Troll or FB. Interesting.. not the first time.. oh well, I have more than enough karma).

Re:MS and security?

[Opportunist]

Ok, then it seems we agree. My statement was that no IT company ever had to take the blame for something their software did, your reply was when that happened, so I guess somewhere in the communication there was a misunderstanding.

I have said it time and again, English does need some kind of CRC.

Re:MS and security?

[plague3106]

No worries.. probably just missed the ? mark ;-)

Minnesota eHealth

[SleptThroughClass]

Minneota eHealth is intending to share records. I just hope it won't require Microsoft technology. That would be sickening.

microsoft vs security

[oktokie]

I personally think microsoft windows server is a great platform to build websites.
There are range of tools and cookie cutter stuffs already written for in asp/net allows very powerful function to exist especially inter-operate ability with different MS product like sharing outlook generated schedule via exchange server out to web portal.

However, putting medical records requires requires middleware between ms platform and medical softwares. I see this use of middleware becomes security problem here. Windows do not work very well when 3rd party glue is applied to the what seems to be rigid architecture it shares between products of ms. This inability to have full control over the protocol, situation usually involving previously unthoughtful of...should I say out of boundary for what original purpose of the software calls for...ends up becoming the problem.

Oktokie

Re:microsoft vs security

[SixDimensionalArray]

Welll... except for Microsoft's huge investment in web services and service oriented architectures (SOA). I don't see the problem you describe so long as people follow, say, the SOAP protocol over some TCP port, and make use of the WS-* frameworks, or even common sense, for securing their web services. The format of the actual messages exchanged - well - that's a different story.. in the healthcare industry we have the X12 (still not XML) and HL7 (some XML, some not XML) data standards which are not rigid enough.

As for old software not being designed to work in this environment, I agree that there still are some legacy environments that aren't up to this level yet, but many have written and/or are writing .NET data providers that can be used to expose their vast functionality and data.

I for one have used PHP, for example, to work with web services written in .NET, and it worked quite well. If that .NET webservice had been exposing data from an old legacy COBOL system, I'd have an open- and closed-source, web services enabled COBOL
legacy application. Phew, what a mouthful. But doable. And not just with .NET - I just think .NET's implementation is pretty good.

SixD

Re:microsoft vs security

[oktokie]

Phew...nice...

Do we still have COBOL engineers around these days?
Last person that I knew dabbled in FORTRAN/COBOL was from Russia where her graduate level of education was done around assembly/FORTRAN/COBOL. :)

Let's start a lottery on this

[n0ano]

Actually, 2 lotteries, one for how long it will take before this system is first compromised and the second for how long after that until MicroSoft admits that the breakin occurred.

I pick 6 months & 7 months, respectively.

Re:Let's start a lottery on this

[CodeBuster]

You can already make these kinds of bets on sites like Trade Sports. You can buy or sell contracts or make bets on anything you want. They have bets on everything from when the first person will walk on mars, to who will win the Democratic presidential nomination, or just about anything else you can possibly think to bet on.

Re:Let the Stone Throwing Begin!

[Jawnn]

Nah... Like shooting fish in a barrel, there's no sport in it.
But I will say that the announcement did provide the best chuckle I've had all day.

I wouldn't trust MS to store my phone number

[olddotter]

I'm not about to give MS any person medical information.

Agreed

[twmcneil]

Sounds like one more attempt to resuscitate Passport.

And sell your health info back to you

[christian.einfeldt]

and require Microsoft Windows to access it.

No thanks.

Just look at what Microsoft is planning to do with Office Live or whatever they are calling it. You need to have Microsoft Office installed locally on your HD. All you are storing is your data. GNU Linux OSes probably won't even be able to run WINE to access those Office Live files. So even if they don't actually charge to access the data, it extends their reach into your life.

Per usual "revise and extend" behavior...

[C10H14N2]

So, great, they got their grubby hands on a copy of the HL7 schema and dropped in into an encrypted database. Whoop-dee-doo.

Re:Per usual "revise and extend" behavior...

[???]

I like your nickname so much that I'm going out for a smoke now.

Sounds Good

[RAMMS+EIN]

``...privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or...''

That sounds good. You actually get full say in who is allowed to do what, and "give permission" sounds like the permissions are secure by default.

I have about zero trust that Microsoft will actually implement this correctly and securely (I've seen far too many stupid bugs from them lately), but at least they're saying the right things. Not vague promises that it will be "very secure", but an actual description of the security controls they are planning to provide. Moreover, those security controls seem to actually provide the security one would want in such a system.

Re:Sounds Good

[mikelieman]

Yeah, but IIRC, PHI NOT TO BE disclosed must be maintained separately from the PHI which can be disclosed.

Think of the children

If enough people contribute enough data over a period of 40 or 50 years, that data could be mined for a lot of really useful information. Such things as how lifestyle choices affect a person's health (is it fatty meat that causes obesity and diabetes, or is it starchy foods?) or long term affects of medicines (do statins raise the risk of stroke?)

In fact, given the age of most /. readers, this project could well make *your* retirements years longer and more comfortable!

Re:Think of the children

[safXmal]

How long do you think it is going to take before you have to give permission to prospective employers to see your complete file? Longer than it took before almost everybody has to undergo a credit check before being hired?

Re:Think of the children

[Ajehals]

Its it fairly insane, I wouldn't expect, nor consent to a credit check for employment unless it was employment that involved working with very sensitive information (in which case it would presumably be carried out along side background checks and criminal record checks etc. and may be justifiable) and I trusted the potential employer, criminal record checks are fine but my credit history, good or bad is not their business.

As for health checks / access to medical information, I would under pretty much no circumstances allow it, it is none of an employers business, if they have a specific requirement for a specific job (a job that requires a certain level of fitness for example, not simply to figure out if I had 1 or 10 sick days in the last 5 years)then fair enough, they can ask and give reasoning, but a license to access things they don't need would not be forthcoming.

I should point out that I am not in the US, and cant think of a single time that either was requested - outside of government work, but then I have fairly decent references...

Re:Think of the children

[safXmal]

I'm sorry I didn't specify that I was talking about the US. I recently moved here from Belgium and it is amazing how much power companies have over here. I haven't come by a company yet that didn't do a complete background check (criminal, credit and previous employers). before hiring you. The lower the pay, the more intrusive they tend to be. I had several companies that required me to sign waivers, allowing them to act in my name and enabling them to circumvent the few privacy laws that exist here before even considering me for a position. I'm really afraid that once such a system is in place here companies will require to give them access to our health history

Re:Think of the children

[Ajehals]

What I'd like to know if this is recent, I would expect that in a country with apparently low unemployment figures and therefore presumably a very competitive employment market for employers, would be one where everything favours the employee, you'd expect rising wages and benefits and good treatment from potential employers, not the opposite. I certainly wouldnt expect nor tolerate much of what you describe for any position, much less a low paying one. (As I said in my previous post, there are certain very specific circumstances where this kind of intrusion is justifiable, working at a local supermarket or in an unskilled position certainly do not qualify, working for a government agency or in a significant position of trust may alter that a little but not totally negate ones expectation of privacy. Not to mention that there should be legislation preventing abuses of this kind of thing.)

Re:Think of the children

[safXmal]

You would expect that. I don't know if you saw the latest movie of Michael Moore "Sicko". In this movies he explains that a lot of workers are held hostage by their college debt and the high health insurance cost. Typically a college student starts his career with 30 to 60 thousand dollar in debt and a good health insurance for your family is easily a 1000 dollars a month. You better find a job quikely before you get sick or the debt collectors are at your door. You also have to take these unemployment figures with a grain of salt. Working full time for walmart or consorts doesn't get you enough to rise above the poverty level. A lot of people work 2 jobs to make ends meet. Also a lot of people that shouldn't have to work - retired, handicapped or sick - work at these placed to be able to pay their health insurance. I don't know why people here accept it - in Belgium I would have been protesting about it - but here i'm an immigrant so I feel I have to follow the mores. Perhaps I'll change my mind later, but for now I try to work in their system.

Re:Think of the children

[Ajehals]

OK now I am amazed, given the 1000 dollars you show as the monthly cost of healthcare + servicing student debt, I thought Id just check to see how much comprehensive private health would cost me in the UK if I went private, the quote was £57/m or about $114 for me and my partner, never mind the fact that we'd be covered under the NHS, next off as far as collage debt is concerned, my partner pays maybe £150 a month on her university loans of £12k ($24k), so that's a total of about $300, throw in repayments on a £100,000 ($200,000) home at £600 ($1200) and at $1614 were still $386 short of that, I'm fairly sure that covers my monthly travel costs.

So it would appear that there is some gouging going on, something that especially impacts on the less wealthy, and on top of that we have this extremely intrusive employment process. I think I am finally beginning to understand this whole 'big business' dominance and lack of consumer rights that you hear about the US, I mean I am and have been aware of them, but I have never quantified them in this manner.

Thanks for that, food for thought. Oh, and yes I think there would be a bit of an outcry if the situation were the same in Europe, if only from the unions, I would hope our politicians dont have the nerve to attempt to emulate the US in these matters.

Re:Think of the children

[safXmal]

I was amazed too when I came to the US. I got a job soon after I came over here and the company offered me a good health insurance. They paid most of it but I still needed to contribute an additional $350 (UK175) per month.

I had a $20 copay and $500 deductible which meant that each time I went to a doctor I would have to pay $20 until the deductible was used up and after that the insurance would pay everything.

What really amazed me that if you weren't insured the doctor would charge you more than if you were. My GP charges $85 when you are insured and 115 when not insured. It seems they have agreements with the health insurance companies to lower rates if the health insurance companies sends patients to them.

Are you kidding me?

[PontifexMaximus]

I don't trust MS to determine if my copy of Windows is Genuine, do I really think they can keep my medical history safe? Hell no. How long do you think it will be before they cut a deal to 'share' that information with marketers/insurance companies for a buck or two?

To Microsoft: NOT A CHANCE IN HELL. I'd prefer running naked through a pile of broken glass than let you have my medical information.

Microsoft & Health?

[maxwell+demon]

Must ... resist ... "whole new meaning of BSOD" joke ...

Threats to our health data privacy...

Anybody else suspecting that big health insurance industry money might be behind this and other threats to the privacy of our health data? Can you imagine a world of tomorrow where all your health data (as well as artificially manufactured bogus data) is kept in Health Reporting Bureau databases (just like the credit reporting bureaus) that the individual person is effectively powerless to audit/dispute/change despite laws supposedly in place to safeguard our rights? HIPAA was a blow to the health insurance industry's long range plans and goals, much more effective for the consumer than the FDCPA and FCRA have been on the credit side of things, and the health insurance industry is out for revenge and will not stop at anything to engineer a "solution" to get around the law or to get the law changed to benefit themselves.

Re:Threats to our health data privacy...

[base3]

That world is already here. Google for "Medical Information Bureau".

Re:Let the Stone Throwing Begin!

[blcamp]

Actually, I would have said "Let the CHAIR Throwing Begin!"

Except for the tinfoil hat crowd...not a bad idea

[notaprguy]

Putting paranoia aside, managing healthcare information is a major pain in the butt. I see this as a way for ME to control how my information is shared rather than my Dr. or my insurance provider. If this idea matures I can see how insurance providers and health providers would need to ask for the patients permission to exchange information rather than just doing it...which is what happens today. If you're worried about the CIA looking into your health information this isn't going to make the problem any worse. Perhaps a little medication might alleviate your stress on that...

Anonymous?

[DoofusOfDeath]

The HealthVault searches are conducted anonymously

What does this mean? I hope it doesn't mean that there's no record of who it was that peaked into your medical records.

More features

[Impy+the+Impiuos+Imp]

Let's not forget the best feature of all: They'll give the government a back door into it, in exchange for the government backing off on the anti-trust lawsuits, just as was done for a backdoor remote control into Windows.

Nah.

Just kidding.

Go on about your business.

Great

[richardellisjr]

Now not only Microsoft bad for the help of my computer but bad for my health as well. What's next my car... oh wait they're trying to get in there also, stereo - nope trying there, phone - ditto. I know, Microsoft isn't bad for health of my dog - yet. I can see it now microsoft dog, won't do what you say, will eat all of my documents not created in word or excel, will help burglars by opening the door for them and will need to be kicked every couple of days because it turns blue and keels over.

Next Doctors visit might go something like...

[EvilSpudBoy]

Doctor: I've examined you, and reviewed your MSMedicalHistory(tm) and it looks like you are in fine health, though I see your blood pressure is slightly higher than last time.

Patient: Well, work has been a bit stressful, should I worry?

Doctor: Not at all. It is still good for your age. Have you tried Halo 3?

Patient: huh?

Doctor: Video games are a great stress reliever. If you don't have an Xbox 360 with Halo3, I can put in an order for one for you. Have you had any other problems?

Patient: Sometimes I get a headache from staring at the computer too long.

Doctor: Hold on -- there, I've adjusted your screen resolution and font size on your home and work computers.

Patient: Umm.....

Re:Next Doctors visit might go something like...

[kyofunikushimi]

"While adjusting your font sizes, I noticed you were running linux, so I've upgraded you to the Microsoft Vista(tm) Operating System. For your own health, of course. If your insurance doesn't cover that, perhaps you'd be interested in switching to MSInsurance? A monthly subscription also provides some limited protection against viruses."

Re:Next Doctors visit might go something like...

[RAMMS+EIN]

``Doctor: Hold on -- there, I've adjusted your screen resolution and font size on your home and work computers.''

If only that actually worked on Windows. I have to work with Windows for work purposes every now and then, and I can't seem to get the fonts in the title bars, the fonts in dialogs, and all the others right all at the same time. On Vista, I've had better luck with this than on XP, but even there, it's not all well. I think this used to work in older versions of Windows, but newer versions seem to just ignore some of the settings.

It's about time

[businessnerd]

I've been wishing for a system like this, but on a much more mandatory basis for some time now. It is one reason I am in favor of a universal health care system, where all hospitals, clinics, doctors, etc. have access to a single health care information system. Anyone who's been to an emergency room can see the benefits of such a system. Instead of playing 20 questions with the emergency room docs and hoping you don't leave out anything important, they can instantly download your file. They don't' have to request it from your doctor and they get an instant snapshot of your health records. What are you allergic to? Did you have surgery recently? Were there any complications with said surgery? The point being that if I am on vacation and need medical assistance, the doctors will have all of the same information my personal doctor has. Given equally skilled doctors and equally equipped facilities, I will get the same quality care.

Of course, there are some downsides, but they are mostly the tin-foil-hat-wearing kind. A central database of your health records could be infiltrated, thus compromising your privacy. There are a lot of people who would want to know how healthy you are, but it's really none of their business. This could be potential employers, political competitors, etc. Security would have to be a number one priority of such a system. Unfortunately, you can never be 100% secure. That's why I'm unhappy Microsoft had to be the one with the initiative. Any Slashdotter worth his salt is aware of Microsoft's security track record. And of course all of those electronic documents will be in a proprietary format (and yes OOXML might as well be proprietary). But at least maybe someone else who knows how to do it right will decide to compete. At least the issue is being raised.

Big, Broken Brother Microsoft

[Doc+Ruby]

Even if these records were under my own control, on a my server, behind a firewall I control, in my home connected over my home broadband, or some other system where I control physical and network access to it, I still wouldn't trust Microsoft to control it.

Microsoft has proven that it should be trusted with info only when absolutely necessary, like when you're already locked into its OS/software monopoly. The CIOs of those healthcare corps already know that: it's not just common knowledge, but they're spending $millions every year coping with Microsoft server and desktop insecurities in their orgs. Their disregard of the certainty that Microsoft will leak this data just says that they have no respect whatsoever for the privacy and safety of their patients - and those patients' families.

I expect this whole project is another way for Microsoft to get even more info to profile all Americans (and visitors) in every way. Probably some payback for Bush leaving them their monopoly that has to do with Bush wiretapping us. Together, Microsoft and the Federal government will have all our personal info, right down to our DNA and psychological tests.

Re:Big, Broken Brother Microsoft

[Doc+Ruby]

Moderation -1
    100% Flamebait

TrollMods don't even want their own privacy, when they could sacrifice it at their Microsoft altar.

Great! A service I can trust!

[Eggplant62]

Given Microsoft's track record in the last 20 years for security flaws, I don't think I'll be participating with this one. I'd rather my personal and medical data be safer locked in a nice, strong FILE CABINET, thank you very much.

Might be deadly for Microsoft

Imagine this scenario: the Microsoft designed system breaks. Huge number of health records, - which are protected by strong legistlation - are exposed. This opens up a possible and probable class action suit against the cash rich company. Since the health record of lawyers, judges, potential jurors are exposed, Microsoft can not bank on any support from this corner. Depending the number of exposed patient records, Microsoft may loose very quickly all the cash and more they have.

Re:Might be deadly for Microsoft

[psbrogna]

Sssh! They might here you.

Re:Might be deadly for Microsoft

Ah.. But the EULA will prevent M$ from being responsible for any fraud, injury, or death as a result storing your information in their systems. Oh.. wait... The current EULA covers all of that. All M$ has to do is add the disclaimer that regardless of the problem all consequences of using their software is your fault.

Microsoft has repeatedly shown that

[gillbates]

It understands neither security, nor the enterprise market. The thought that they could be responsible for securing my health history is particularly troubling.

Yes, I understand that a lot of healthcare providers use MS products internally. However, gaining access to that information requires a concerted attack against a particular target, rather than just "listening" on a wire for healthcare info... The difference is that attempting the first is a crime, while even succeeding in the latter is not. Knowing Microsoft, they're going to leave holes in their scheme somewhere, and crackers will have exploits ready soon. Knowing Microsoft's lawyers, their licensing/contract with the provider will absolve them of any responsibility whatsoever.

I mean, think about it: if Microsoft cannot prevent their OS from being cracked and pirated (which they do value), how could they possibly have the means and motive to protect my health information (about which they could care less)?

Very troublingt indeed.

Sued to death

[Joebert]

Microsoft better not botch the security on this one, there's alot of people whom don't look at medical records as numbers that can just be reset in a database & make things all better.

interoperability?

[Cajun+Hell]

Why do I have a feeling that no one will ever be able to implement a medical records application, which is simultaneously able to interoperate with HealthVault, and also not run on MS Windows?

As a customer, you have to be fucking crazy (and downright hostile to your stockholders), to want more MS lock-in. Auditors, if any of your people don't look terrified by this, start looking for kickbacks. By trying to start a new monopoly, Microsoft is actually doing a wonderful thing: showing you exactly which employees are trying to rip off your company.

This WOULD HAVE BEEN a first post, but...

[darkonc]

I spent too much time ROTFL at the concept of a secure Microsoft product -- especially a first-release.

Oh -- and it uses your Windows Live ID All of your medical, financial and communications information under one Microsoft password (if MS has their way).
It's enough to give me a heart attack.

Microsoft Secure (oxymoron anyone?)

[GuyverDH]

C'mon - I don't even trust MS to write a secure operating system - let alone a healthcare information system.

Better watch it MS - HIPAA will not be your friend, and you'll probably find that you end up paying more in fines than you'll ever make in revenue.
You have to meet all kinds of restrictions and security levels that Windows today just hasn't been able to meet.

Re:Microsoft Secure (oxymoron anyone?)

Actually, Windows can meet it. Just because there have been vulnerabilities doesn't mean that Windows is not a securable OS. Government security standards deal with securability features specifically, and every version of Windows since Windows 2000 has been able to achieve C2 security certification. So has SQL Server. And while MS' past security record has not been great, they have done a fairly successful job lately. IIS, which was deservedly a laughing stock, is now a respected and hardened webserver. IIS6 has had four vulnerabilities since it's release four years ago, none of which enabled root access and none of which affected a system in it's default state. Apache can't claim that.

Re:Microsoft Secure (oxymoron anyone?)

Government security standards deal with securability features specifically, and every version of Windows since Windows 2000 has been able to achieve C2 security certification. This is completely irrelevant. You can only gain C2 security certification with no network enabled, among other things.

Whatever it is you're smoking, you should consider cutting back a bit. Food for thought.

security-fix Tuesdays?

So will there be data "leaks" around the 16th of each month
while Microsoft refuses to hurry a patch until the first Tuesday of each month?

Ooooh this will be good

[CoffeeIsMyGod]

he personal information, Microsoft said, will be stored in a secure, encrypted database.

Its said that if you think encryption is the solution to your problem you don't understand your problem. Where are they going to put the access keys? How will they authenticate users? What does encryption have to do with any of this, anyway? I think they have bigger challenges, like actually enforcing access control.

Proof..

You can't prove the PATRIOT act has caused any damage because you aren't allowed to talk about it. It's a national security kind of thing, you know.

Who decides?

[doas777]

Who decides who can access MY personal Medical history? I'm the only person who should have that right. not my doctor, not my insurance company, not my government, and most definitely not Microsoft. I am wondering how long it will take for my info to appear in the database, since I'm certainly not going to approve the transfer unless under duress.

Re:Who decides?

[safXmal]

To my opinion you're only partially right. You are the one who should decide which doctor can see your info but I don't believe you should have the possibility to forward that info to any party that doesn't need this kind of info. Not to insurance companies, employers or financial institutes. It is certain they will abuse it and force you to give them that info. Example. No mortgage before they see your health history

A great idea from a world class company!

[GnarlyDoug]

Given Microsoft's proven track record on ethics, reliability and security, I daresay you would be hard pressed to find a better candidate to providing life-critical services such as this one. I will rest easy knowing that my medical files as secure, that they will always be available to my doctors when needed, and that all that information upon which my very life my depend will be properly stored without mistake.

Typical

[FranTaylor]

Pure vapor. Again, Microsoft sees other people making money, gets mad, issues a vaporware press release. This one sounds like it may have taken an hour or so to write. If there ever is a finished product, you just know that it won't even resemble what they are talking about here. Go back and read old Microsoft press releases if you doubt me.

Re:Typical

[CoffeeIsMyGod]

But I saw a screen shot! Its gotta be true.

The summary quote seems contradictory...

[Overzeetop]

quoteth the summary:

Its privacy controls are set entirely by the individual, including what information goes in and who gets to see it. Pretty simple, I get to say that nobody sees it.

The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Whoa, there, I thought that the individual set the permissions, but there can be anonymous access to the data therein? So which is it?

Re:The summary quote seems contradictory...

[Larry+Lightbulb]

You decide who can see your information and know it's yours; the anonymous part means they don't know it's yours, which could be useful in large studies rather than indivudual treatment.

Google has a similar effort

[lseltzer]

See this NYT article on both services

Incomplete health records...

"Its privacy controls are set entirely by the individual, including what information goes in and who gets to see it"

That is not entirely true, neither the part about what information goes in, nor I suspect the controls being entirely set by the user.

#1 while patient provided family history is generally accepted at face value, patient provided personal medical history is taken with a grain of salt (hence the need for portable medical records)

#1b patient provided details of current medical conditions (other than reporting symptoms) are treated as suspect (more than a few grains of salt) unless they can be verified by trained medical personnel. This is because patients can mix up or forget details, read too much into their condition via google searches, or perhaps just be a hypochodriac. (Also when you get a consult, the doctor usually wants any films, scans, reports and results from the first doctor. What you have to say is less important)

#2 You may give the hospital permission to export your records, but they probably won't do it. *NO* medical information is released (except to insurance companies, etc.) unless your doctor approves each piece of data individually. Not even to you. Usually they just write a letter giving you a summary, if that. Maybe give approval for HbA1C, or Cholesterol. Part of the reason is some doctors are pricks, and they can charge for an office visit if you are forced to come in so they can tell you your lab results are normal. The main reason is cover their ass, though. Your medical record is a legal document. Imagine a missed cancer diagnosis for 6 months, you can get a lawyer to sue, and subpoena your medical record, but why would you if you had no cause to suspect? And you're not going to have access to that record unless you sue. Hospital workers can be fired for looking at THEIR OWN medical records. And good luck with EVER getting to see your own psychiatric record, if that is applicable to you.

#2b Because of #2, medical providers are unlikely to deliver medical records carte blanche to an outside records service that is available to the patient unless they can also restrict what the patient sees.

Re:Monopoly Abuse. Re:Microsoft's successful formu

[everphilski]

It's nice of them to admit they are and be described as a one trick pony.

One hell of a pony ...

Google is more secure than MicroSoft Vault

[peter303]

Get my point?

VA (not MS!) VISTA?

[xanthines-R-yummy]

As someone in the healthcare field, I've found that the VA has the best electronic record keeping system. It's logical, complete, reliable, and relatively easy to use. Why can't the government just lease that out? Or does it violate some kind of law regarding competition? Does anyone know how MS Vault is going to compare? I guess the VA system probably has weaker encryption, but I don't know that for sure. Here's the home site if you don't know what I'm talking about:

http://www1.va.gov/CPRSdemo/

Re:VA (not MS!) VISTA?

[inKubus]

Dude, it's not an EHR, it's a PHR. PERSONAL health record. Basically it's a spot where you can put the information you WANT to share. Gradually, the industry will realize that people don't want independent records kept (almost like the credit report system, but not as accessible). I have a kid, and when you see all the crap you have to keep yourself, like immunization records, certificates of this and that for school/daycare, etc etc. having a central point to share them would be rather nice. Imagine switching daycares and only having to basically show up. And since I can give them a one-time access code and only grant them the information they really need, I don't have to worry about them screwing anything up. And it could be a real boon for people with chronic diseases that require daily (hourly) management, such as diabetics. A script could review the blood sugar and your dietary log and make suggestions about what foods to limit/avoid. Companies could sell treatment models just like doctors sell themselves now. Because let's face it, doctors don't really do shit but write prescriptions nowadays. Why pay $250 for a person to guess when the computer can give you an educated correlation. This is the future of healthcare. Of course you will still need surgeons to open you up, and any physical procedures will require a doc. Must most of the nursing crap like blood tests, blood pressure, etc. can be done in the comfort of your home, for practically free.

Re:VA (not MS!) VISTA?

While Vista might be good from an end-user perspective, the internals are horrible. First off, it's written in MUMPS, and has all kinds of technological anachronisms. I guess it's one of those things that nobody wants to rewrite.

Let me guess...

[iMachias]

It's going to be built on Microsoft Access, right?

"Permission", eh?

Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like ...

Permission: signed form. (Number five in a stack of eight routinely given to patients to be treated for pretty much anything, with no mention made whatsoever on consequences and options for not agreeing, not that 99% of the patients will ever read anything that is said on the forms anyway.)

itsatrap - Requires Windows Live ID

[VP]

In order for the consumer to authorize a physician to see some of the data in the vault, both sides need to have a Windows Live ID.

Re:Except for the tinfoil hat crowd...not a bad id

[xanthines-R-yummy]

Pffft! "...rather than just doing it"? I dont' know where you get your healthcare from, but around here I order thousands of dollars of rather unnecessary tests and scans on patients because I can't seee what the hospital across town found. There's just too much bureaucrcy to cut through. Even IF I manage to get a patient to get in touch with the other hospital and give consent, it doesn't always appear: oops, it was faxed to the wrong number; someone forgot to send those; who are you again?;

The more likely thing is some office worker throwing your file out in the trash or getting his/her laptop stolen.

Re:Except for the tinfoil hat crowd...not a bad id

[jedidiah]

I have a far better idea...

Make the doctors give it to YOU.

You want to control how information is shared? Then do the sharing yourself. Keep the data yourself and determine what you will share and what you wont.

This needs to be a desktop app with a defined format, not some Orwellian data mining operation.

Keep your own medical records.

Re:Monopoly Abuse. Re:Microsoft's successful formu

No wonder you're posting at -1, like all the trolls and crapflooders. You've obviously never had a real job at a real company in your entire life. Let me guess, you work support for Dell or fix computers at Joe Bob's PC Emporium?

Am I the only one

[BuhDuh]

to not trust MS to secure a horse to a hitching rail?

Re:Am I the only one

[edraven]

The thing MS knows how to secure is contracts. Once that's accomplished, they've never seen a need to go further and secure anything else.

What will be used as the index key?

[JamJam]

Considering this initiative is suppose to span multiple states, multiple health plans, etc. then I'd be curious to see what will be used as the index key. It's not likely going to be individuals health plans policy number, so will they use name, DOB, and location?

Judging from http://www.namestatistics.com/ there will be lots of duplicate name combinations. People are always moving and not updating their address so that would not be kept up-to-date. Plus what do you do with someone who's legal name is Thomas but registers in this Health Vault as Tom?

All of these issues can be overcome ie: postal address verification software, common name comparison software, etc. However there will always remain a need for some manual intervention for ones that cannot be adjusted by software. Who's going to foot the bill for the manual intervention or even other costs associated to this vault? This is a huge endeavor and this "news" announcement really doesn't address any real world issues that this vault will encounter.

MS Health Care

[KiwiCanuck]

WoW! Is there going to be a health care industry in the US? Honestly, it looks like a health insurance industry (the two are are polar opposites).

Re:Who decides? -- Not you!

If you look at HIPAA, healthcare providers can give your records to anyone involved in your medical care and/or to facilitate billing. Most providers will "claim" they will not give permission without asking you, but there's no requirement to either implement such a policy or stick to it.

off-the-grid medical care

[juan2074]

Must. . . never. . . go. . . to . . . doctor. . . again!
Ugh!

Targetted Advertising

Once you have your Windows Live ID so that you can authorise your records to be stored then MS can identify you when you use MS Search and can target advertising to you based on your medical records. After all, it is you that causes the access.

MS will make a fortune selling finely targetted ads for drug companies.

Try uninstalling your CD burning software.

[Valdrax]

Error: Could not find liver.dll

Seems to be a conflict with Alcohol 120%.

I *really* hate to break the news to you

[overshoot]

Of course, there are some downsides, but they are mostly the tin-foil-hat-wearing kind. A central database of your health records could be infiltrated, thus compromising your privacy. There are a lot of people who would want to know how healthy you are, but it's really none of their business. This could be potential employers, political competitors, etc. Security would have to be a number one priority of such a system.

What security? If it's going to be available to the ER when they wheel you in with a concussion, it's going to be available to anyone who bothers to look you up.

Get over it.

Please fill out and sign these forms.

[Valdrax]

That sounds good. You actually get full say in who is allowed to do what, and "give permission" sounds like the permissions are secure by default.

Prepare to see a new waiver in the stack of crap you have to sign when going to a new doctor's office requiring you to give permission for full access to your records for any purpose not prohibited by law.

This will happen because doctors will not want to spend time having you okay access to each locked off section of your records that they might need, and they sure as heck don't want to spend time arguing with you about it when it's something you find embarrassing and don't know may be relevant.

Re:Please fill out and sign these forms.

[Ajehals]

Not to mention your insurance provider, employer, girlfriend.... centralised and easily accessible medical records are clearly a good idea, but they could create some interesting problems too...

It makes sense to me

[dave562]

I'm probably going to get modded down for this, but here goes. It makes sense for Microsoft, or some other major vendor to do an initative like this. There are so many governmental regulations regarding the storage of patient medical records that keeping up with those regulations is a major burden on doctors offices, hospitals and clinics. The system is geared towards a centralized model. Put the burden on a vendor to keep up with the regulations and security of patient records and let the clinic staff focus on treating the patients. Last time I checked, SQL Server 2005 offers some pretty elegant on the fly encryption of data in the tables down to the specific, individual fields.

Of course the merits of using an OS that is a prime target for information theft like Windows can be debated all day long. I don't really see much of a problem with accessing an online database with a 256bit SSL connection though. People do it all the time for their online banking transactions, and not all of them are doing it with a Microsoft operating system. I can pretty much bet that MS will require IE7, ActiveX and all of that nonsense, but you never know... there might be a Java API for it.

Re:It makes sense to me

[SL+Baur]

It makes sense for Microsoft, or some other major vendor to do an initative like this. Duh! How do you think H. Ross Perot became a billionaire? He did it with lock-in computer equipment and software to support state governments administering the (brand new) Social Security program. EDS was nothing before that. http://www.eds.com/about/history/timeline.aspx

This is more corporate welfare to the tune of many billions of dollars of revenue to whomever they bless with the contract.

Re:It makes sense to me

[dave562]

This is more corporate welfare to the tune of many billions of dollars of revenue to whomever they bless with the contract.

Corporate welfare? WTF? Did you read something in the article that I didn't? I saw an article that talks about Microsoft making progress where other companies (Google, Cisco, etc.) haven't. The article talks about Microsoft signing up major partners to participate in the program. I don't see anything about Microsoft driving corporate welfare and that's what my interpretation of your statement is... you are implying that Microsoft is driving corporate welfare. If you want to talk about HIPAA and other government programs (like SOX) being corporate welfare for companies that get contracts for implementing it then sure, I can buy that. In this case, I see Microsoft catering to a market need and that market need is required compliance with Federal standards.

A dababase somewhat skewed

[frovingslosh]

Well, if there is one name that I both hold trustworthy enough to guard my private medical data and also associate with a proven history of excelence in computer security, it's Microsoft. But isn't there a danger that the data will be rather skewed towards insanity based on those who choose to opt in?

hooooray

[jizzypop]

does that mean i wont have to fill out the same monotonous bullshit every time i go to the doctor?

A marketing test for peoples trust in Microsoft?

[MrPrometheus]

Anyone creating this article had to know it would spark debates on trust. Could this just be someone in marketing measuring the current trust level of Microsoft as a company? I would not be surprised to see a similar post about placing a large portion of trust in some other company for their comparison.

You're easily troubled

[overshoot]

The thought that they could be responsible for securing my health history is particularly troubling.

If that bothers you, how do you feel about the fact that they're right, and you don't get any say in the matter?

MS has the marketing, economic, and political clout to get themselves the contract for keeping the health records for everyone in the USA. Washington is already salivating over the prospect of:

• Saving hundreds of billions on health care costs, and
• All of the money that companies will make from providing medical informatics services [1]

Curiously, they don't see any conflict between those two points.

One way or another, though, giving MS (or possibly someone else, but MS is the main chance) custody over your health records is well on its way to being a requirement for getting any kind of medical care in the USA.

[1] Sort of the way the FCC is drooling over all the money that the carriers will make from the spectrum they buy.

Hey, I read that book

[JazzLad]

The Truth Machine or The First Immortal anyone?

I seem to recall one went into the database/vault/whatever you wanna call it in more detail than the other (I think it was the first one), any other Halperin fans out there?

PS: If you haven't read either / both, both are available for download & IMHO well worth the time.
Sorry to get your site slashdotted, James :)

I like the basic idea

[JerryLove]

We do suffer, indeed people die, from an inability to rapidly and accuragtely get complete medical information on someone. The basic idea of a secure database of medical history is, in my opinion, quite sound. The problems are security and abuse. The instances of hacking of companies like Microsoft and Googe are rife. Certainly, our money is online and I won't say that Citigroup or TeleCheck are immune to hacking either; but they do seem to have a better record. There is, correctly, a concern of MS finding ways to mine this information that it considered legal and disrupting privacy. I won't go as far as to condemn a program I've never seen the particulars of; but I am very wary of it.

Obvious step after Vista failed..

Ah, yes, the ploy of getting 20 services in Vista to phone home with your information has obviously failed alongside with Vista itself, so lets' make it really simple to get all data on the worlds' citizens: let's just get our dirty hands on the databases itself.

You know, the more I'm watching these clowns, the more the film 'The Net' turns out to be frighteningly close to reality. Apart from botched IP addresses, of course, but we'll fix that by introducing IP v6.

Wonko the sane - he was right after all. Sigh.

secure?

[Deadplant]

I am assuming that since it is a Microsoft system that it will be hosted in the USA.
It therefore cannot lawfully be made secure.

Any information in any computer system operated by an american company must be made available (secretly, MS will not be allowed to notify you) upon request from an american government agency like homeland security or the CIA.

This is a total non-starter for citizens of other nations like for example Canada.
In fact, I doubt this service would even be compliant with Canadian or European privacy laws.

All that being said; I do like the idea. We just need it to be an open source system that can be deployed and operated by more trustworthy organisations.

count the health care panaceas

[nido]

Electronic health records [EHR], such as this new system offered by Microsoft, is the latest placebo promoted as a fix for the American system of health care.

From the fine article:

"It's going to be a long journey," Mr. Neupert said. "To make a difference in health care, it is doing to take time and scale. And Microsoft has both." The advantages of the EHR is that all the doctors a patient sees have instant access to all the patient's medical history. This includes the results of diagnostic tests (X-Rays, MRIs, CT-Scans, Endoscopy, Colonoscopy, allergies, etc). The theory is that we'd get better results from the healthcare system if only practitioners had better information. While better information might help a little bit, and also would probably help reduce the amount of duplicate tests ordered, better sharing of this kind of information will make little difference in patients' outcomes.

There are various philosophies of healing, and to make a difference, a more effective philosophy than 'allopahty' has to be adopted. Allopathy - a derogatory term coined by a homeopath for his competitors who used drugs to counteract an illness' symptoms - has become the definition of the practice of Medicine in the United States. From the Arizona Revised Statutes:

19. "Medicine" means allopathic medicine as practiced by the recipient of a degree of doctor of medicine.

- AZRS 32-1401. Definitions

Don't get me wrong - modern medicine has done extremely well with getting to the core of many medical problems. Emergency medicine is also a fine art, with which I have no qualms.

But allopathic medicine is mostly powerless to deal with most chronic degenerative disease. Sure, the allopath will prescribe something to help with the symptoms, and sometimes surgery is the best that one can do under the circumstances (severe knee degeneration, for example). But it's better to treat the cause of the problem before the patient is on their deathbed.

But treating the nearly-dead patient is much more profitable for the system (hospital chains, equipment manufactures, pharmaceutical companies, G.E., etc) than lifestyle changes early-on in one's lifetime. For example, in The Great Modern Glucose Poisoning Epidemic, it's much more profitable for the system to wait for a pre-diabetic to develop full-blown type 2 diabetes before begining treatment...

I'll just refer to two of my previous posts (here and at kuro5hin.org) for supporting links/commentary:

the fundamental problem with insurance
links on how healthcare became screwed up

Mod Parent Right On

[mpapet]

I was taking a more circumspect route instead of your more direct opinion. (correct IMHO)

Voluntary and secure, eh?

[LongSpleen]

Some people call it paranoia to assume that these kinds of systems will be hacked but I've received 3 notices this year from companies letting me know that my personal information may have been stolen from their system. The company handling the data only has to make one mistake (or the software only has to have one security flaw) for some clever, determined hacker to gain access. They always talk about making these kinds of things voluntary but it could easily end up feeling compulsory. Primarily, this would appear to make things easier on health care providers. If they figure out that the new system it's cutting their costs they will do everything in their power to force you to use it. They may never be able to make it a requirement for care but they will find ways to apply pressure. It may eventually become the de facto way in which everyone's information is stored. Saying that something is voluntary and thus ok, is a huge cop-out.

accessible vs secure

[deadline]

online accessible but highly secure service

When given such statement it is important to remember that you can pick one and only one option. Everything else is wishful thinking.

A fifty year old "innovation".

[AJWM]

If you want that service for yourself, fine -- sign up with MedicAlert who have been doing that sort of thing for 50-plus years, and emergency responders are all trained to look for the MedicAlert tag. They're also a non-profit, which I'm inclined to think makes them more trustworthy than Microsoft.

There are some other outfits that have similar services -- Divers Alert Network (DAN) comes to mind, also a non-profit, they're specialized for divers and offer a number of related services (training, etc - they're associated with Duke University Medical Center).

Re:A fifty year old "innovation".

[Misch]

There's also the MedicAlert E-HealthKey, a USB flash drive that has your medical information on it.

Obviously, the MedicAlert bracelet/necklace is more useful for immediate/life threatening conditions.

I worried that health companies will fall for it

[KWTm]

"... a strategy that borrows from the company's successful formula in personal computer software."
I'll bet this sentence is not going to go over too well with the slashdot crowd.

Unfortunately, it will sound nice to health care companies. I am involved in the healthcare sector, and I am worried that this will succeed, without the health care companies knowing (or caring) about the issues. Microsoft has the cash, the clout and the reputation for this. (Remember, to non-geeks, Microsoft is the premier computer company --lay people can't even tell whether Microsoft is software or hardware.)

The health care industry is greatly dependent on information technology, and is beholden to IT --without realizing it. People in healthcare have this attitude, for better or worse, that they are more important and special and have a unique place high on the totem pole, so they don't really see their vulnerability to some run-of-the-mill thing like IT, which is held with the same regard as the people who answer the phones or clean the medical instruments.

I just pray that Microsoft can have some high-profile screw-ups, maybe a few databases hacked here and there, that can reveal to non-geeks the dangers of having a convicted monopolist at the reins of the nation's healthcare info.

Re:Let the Stone Throwing Begin!

[timhillu03]

Please, please, please.... let it run Linux!

This gives 'BSOD' a whole new meaning...

[Lumenary7204]

... Blue Site of Death ...

... Big Sucky Online Database ...

... Bill's Stealing Our DNA ...

... Balmer's Statistical Orgy of Darkness ...

Needless to say, this is a bad idea.

Re:This gives 'BSOD' a whole new meaning...

[Lumenary7204]

Oops, sorry, someone else beat me to it...

Re:Except for the tinfoil hat crowd...not a bad id

[Deadplant]

Paranoia? tin-foil hats?
when an agency does something a few times you consider it paranoia to suspect that they might do it again?

I prefer someone with less cash

[KWTm]

I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

I'd rather have some small company that has to build up trust and earn the respect of the healthcare industry, rather than some big convicted monopolist that has enough cash to do what it wants with impunity, and has enough monopoly-generated momentum that it can market an OS like Vista and make statements like "Google's success was only because of us!"

If Microsoft was unable to enter the health info industry, then the healthcare sector would demand non-proprietary formats for their data from the small companies that provided health info services, in case the company folded. But this won't happen with Microsoft because of the MS clout.

Good

[sxmjmae]

I know a few provinces in Canada have adopted or will be adopting a system like this. Ontario has suggested paying $500 Million for a full implmentation of such a system. I believe the UK already has a system like this.
The best part is that the system should have records of all your drugs and if you had a bad reaction to a family of drugs. That way if you happen to see a different Doctor or forgot that you have bad side effects to a drug you took 20 years ago the system can catch it and flag you at the pharmacy counter.
The largest cost is ensuring secure access to those various location and only providing the right access to view only certain data, update certain fields, and insert certain data. Lots of various roles and permissions.
In principle it is a good idea that could reduce long term cost, provide faster responses, provide more accurate data, etc.

Re:Good

[Phurge]

in the UK? - £12 Billion for a computerised NHS medical records system and its still not finished! http://en.wikipedia.org/wiki/National_Programme_for_IT

MS is not alone

There are a wide variety of proposal coming out centralized data stores of personal health records. A similar project soon to be offered to all employees of Intel, At&T, Walmart and a host of other Fortune 500 companies is http://www.dossia.org/ This initiative is spearheaded by the participating companies as means of driving lower healthcare costs first and foremost. Privacy seems to be a secondary problem. To Dossia's credit, they have canned their old software implementation and moved to an open source project hosted at http://www.indivohealth.org/ I think this is one instance where the open source community can drive the issue of consumer privacy and protection as it no longer is a question of "if", but rather "when" and "how" these systems will be implemented.

Ask British Columbia how good that is ...

[davecb]

They are implementing quite a different system, which will actually pass the BC privacy standards... which aren't as strong as they could be. See http://www.oipcbc.org/publications/speeches_presentations/speech_04.html for an idea of just how hard this is for personal medical records.

--dave (who has worked on personally identifying health information in the past) c-b

Re:I worried that health companies will fall for i

[synthespian]

To me, security is not even the question. The question is that health care has been persuing open standards (like HealthLevel7) and Microsoft and open standards do not mix - at least, that has been Microsoft's track record and policy for more than 20 years.

Governments have a huge stake in this. Anything to do with Microsoft-only solution is bound to hurt the public health sector. I understand that, the public health sector being virtually non-existent in the U.S., this doesn't represent a big problem there. Nevertheless, it's sad to see big names like the Mayo Clinic or the American Heart Association embrace this thing so eagerly. The problem is, this will be used in other less developed countries as an example. "If it's good for the AHA, it's good for us" mentality.

This is yet-another instance of Microsoft monopoly.

Re:Except for the tinfoil hat crowd...not a bad id

[inKubus]

That's what this is for, an online tool to manage your own health records. And it interfaces with some popular home medical devices such as blood pressure and blood sugar monitoring, which means you don't have to worry about recording it in a journal (which most people are too lazy to do). If you've ever had to fill the same damn personal history form out again and again, you know why this might be useful. Also, you can edit it to show whatever you want. It's getting to the point where we are going to have to take care of ourselves. There are simply not enough doctors. Use this to keep yourself healthy, move all of your insurance to high deductible plans, fund a Medical Savings Account or HSA and start taking back your medical options.

This might not be THE solution, but it's definitely a niche someone WILL fill. I don't know if M$FT is the ones to do it or not, but they are basically the only player in consumer software, so why not have consumer medical software.

I expect Google will find a non-evil way to do this exact thing. I'm telling you all, this is the killer industry for the next 20 years, and whoever figures out a way to save us is going to win big.

Competition?

[saintory]

Sounds like they're trying to compete with InterSystems HealthShare.

Sweet Baby Jesus

[turgid]

Should I just get a MySpace page and post my medical records on it?

dammit

[pestilence669]

Medical records SHOULD be managed by a company that has a history of writing software that: deletes data unintentionally, crashes, provides gaping security holes and reduces access via proprietary APIs. Yeah, this is definitely a way to make health care even worse. Exchange has done an outstanding job ending two decades of reliable email delivery.

Windows Genome Advantage

[SlashdotCrackPot]

Just what I thought the next step for WGA was going to be......

Windows Genome Advantage

LGPL Version of this already exists.

[ivaldes3]

It's called Indivo Health, formerly known as Ping on Sourceforge. It's been around for years and it is LGPL licensed. There's been some recent activity with the Dossia Group. More information and links here. -- IV

Personally,

[scott1110]

I would love to have more control over my medical records. Anyone here ever tried to switch doctors? The amount of trouble it takes to get those records moved over to the new doctor is unreal. Plus I always find out something the that previous doctor found in an exam, but never told me about.

Let my toilet manage my health.

[Mahjub+Sa'aden]

Seriously. Let me urinate and let it tell me what I need to know. Incorporate some sort of medical scanning equipment on it. Let me keep my records to myself.

How could that possibly be worse than the combination of Microsoft and doctors?

Re:Except for the tinfoil hat crowd...not a bad id

[Insightfill]

My other fear is that this system becomes a defacto standard for getting ANY medical care in the future, much like the Social Security Number has. Yes, you can try to use a distinct number other than SS#, but you'll have to take twice as long to get stuff done. In the future, you can expect any hospital, doctor or pharmacy to REFUSE to treat you until you turn over ALL info on file. After all, drug interactions, etc....

well

[unity100]

Bill's Stealing Our DNA...

judging by the track record of software 'bill' produced, actually probably anyone will be able to steal anyone's dna from that database

Windows

[kurtis25]

Maybe the could put Windows into the "Vault" and finally figure out why it has all these bugs and skin problems.

will google index this database?

[140Mandak262Jamuna]

Just wondering if Google will index the data base and show in the search results?

VA's PHR is called MyHealtheVet

VA's has a PHR in addition to its EHR. Its called MyHealtheVet.
https://www.myhealth.va.gov/

Having a list of medications you're on wherever you are can save your life. There are veterans who have visited emergency rooms while on vacation in the caribbean who have been able to get their med lists to the ER docs.

Not sure I trust MS to do this for me, though.

What's worse

[wsanders]

Whats worse, is the average doctor's office has at least a few legacy, broken, or half-assed attempts at computerized record management lying around. There are plain old incompetent vendors, vendors who suddenly go out of business, vendors who suddenly have incompatible platforms if the doc decides to change partnership affiliations, no backups, etc. Ask your doctor about his IT adventures next time you visit - it will be an eye-opener. And if you're an IT professional, I defy you to think of something you can do within the constraints of the doc's budget and operating requirements, except 1) Go back to paper, or 2) participate in some kind of online venture like this (and there are lots of others.)

What could possibly go wrong? Well, online banking isn't exactly a big disaster. Why would this be any different?

Re:What's worse

Don't delude yourself, banking and financial matters will always take precedence over health, human life or any other matter of importance.

Bad, bad news

[GodfatherofSoul]

Assuming this works and the health care industry buys into it, this is bad news for the market. This network will undoubtedly turn into a corporate cash machine full of back room deals, privacy violations, and targeted advertising. It's bad enough that credit information is available to the highest bidder. I don't want "sterilized for my privacy" versions of my health care information being floated out to anyone with a checkbook.

Insurance nightmare

[db32]

So...when they strip all of what they claim as personally identifiable information out and sell it to insurance companies then what? The insurance company goes through their database of customer claims, match it up to the records, and in one quick motion have your entire medical history. Woo lookin forward to that day.

Re:Except for the tinfoil hat crowd...not a bad id

[notaprguy]

Dude...this is about you controlling the information. I suppose MSFT or somebody else could build a desktop application that holds this stuff but that's not particularly practical for easy access by health care providers or insurance companies. The idea is that you can grant permissions to specific stuff that you WANT to share WHEN you want to share it. You're in control. You can question the ability of MSFT to execute this in a way that works and is secure but the idea is cool. I read somewhere that something like 15% of all Web queries are related to healthcare. That means that there are dozens of millions of people every day who are using the Web to help manage their health related stuff. This is just another way to make that work better IMHO. PS. I bet MSFT or someone else could easily write a desktop app that would store this info locally and then allow you to sync it up with a Web site when you want to.

Sounds exactly like my old Company NDMA

[Benjamin+Shniper]

This will probably crush a couple of small startups - like my previous job here:

www.ndma.us
(National Digital Medical Archive)
NDMA never did get all the bugs out. It was a little slow and lacked some key xml protocol sharing features. Security and never losing a file are a legitimately difficult task, in itself, and that was addressed. Maybe Microsoft will come up with better ideas than NDMA did. The protocol for the application there was terribly slow, but the website to access the information eventually came through.

Selling anonymous data is, unfortunately, a necessary evil. It's already happening, all Hospitals require you to sign things on joining that will give them rights to sell your data, with your name and ID numbers removed. Doctors do truly need that information, especially for disease outbreaks and drug treatment information. This system by Microsoft just makes it more practical.

With Microsoft entering, it probably means Oracle, IBM, and maybe Sun will as well. There's tens of billions of dollars to be made.

-Ben

IHE is worth a look for those interested

[gavinjolly]

I am in the IT healthcare field at present and have had a look at EHR (Electronic Health Records) and other iniatives. For an overall healthcare experience the data is one component of the quacks keeping me alive. Process is the other. I recommend looking at IHE (Integrating the Health Enterprise) and what they are trying to achieve using existing and open standards. Here is the intro from their website.

IHE is an initiative by healthcare professionals and industry to improve the way computer systems in healthcare share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.

Re:Except for the tinfoil hat crowd...not a bad id

[shalla]

If this idea matures I can see how insurance providers and health providers would need to ask for the patients permission to exchange information rather than just doing it...which is what happens today.

Um... wha? Who the hell are you going to? I had to have medical paperwork with all my doctors that authorizes them to communicate with my insurance. I had to sign a HIPAA form at my pharmacist's place. My doctors all had me sign forms which laid out their privacy policies, and they ask for my permission before they share information (or, more often, I have to have paperwork that details who ordered tests and who will receive copies). I even still have my privacy agreement from my dentist.

If your health providers are just wantonly sharing your information, find new ones or sue the pants off them.

Re:Monopoly Abuse. Re:Microsoft's successful formu

[ookabooka]

So is MS an "OMG PONIES!~" or an "invisible pink unicorn"-like pony?

A little clarification

I am doing a little work in the area and think that some of you don't quite get the goal of the personal health record. It is something owned and controlled by you as the patient and is different from an Electronic Medical Record that your doctor, clinic, or hospital has about you. The idea is that you can allow information from those parties to post to your personal record, but more importantly, you can add your own information. This is VERY important to people with chronic conditions who have to keep detailed logs of their diet, activities, sleep, etc. that may help in further diagnoses and treatments. Also, it stays with you even if you change providers. As the costs of health care continues to rise, people will be switching providers a lot over the next few years and this will provide an easier way to make sure their information goes with them and is current. Your employer may even start offering this as part of your benefit package. By keeping track of your vitals and encounters, the system can prompt you to go get that colonoscopy you have been putting off. Taking care of yourself and staying healthy keeps costs down for you and your employer.

The first nice thing I have ever said about M$

[xkr]

As bad as Microsoft products are, they are a d*sight better than our current health care system. Fewer bugs even. Really. I started a healthcare IT company. Our products have already saved 16 lives. Did you know there will be 500,000 medical errors in the US today? No, that is not a typo.

I think this may be the best thing Microsoft has ever done with their monopoly.

Re:Monopoly Abuse. Re:Microsoft's successful formu

[Irish_Samurai]

In fact, the article looks like hype and might actually piss the hospitals off. Are they all really jumping in with both feet when most of them don't even want to go to Vista? I doubt it. You obviously know nothing about the IT infrastructure of most hospitals.

Are they jumping at Vista? No. They aren't really jumping at XP either. 2000 Pro is what I see a lot of.

Hell, do you know how many nursing stations, in 200-300 bed hospitals, pass med orders to the pharmacy?
FAX. As in they fax the order down to the Pharmacy and the Pharmacists/tech prints it out and puts it in an INBOX. I've seen pneumatic tube systems for Christ's sake, and not just in rural LTACs.

Hospitals don't jump on new technology EVER. Never ever. Never ever ever.

OK, not exactly true. Big hospitals jump on tested technology all the time. The rest don't have the funding, nor the legal support, to do so.

In the US Healthcare services consumption is rising in proportion to the aging of the Baby Boomer generation. Add to this the fact that there is a severe shortage of Quality staff, and you have a MAJOR problem. Since most hospitals run in the red due to Insurance companies woefully inadequate rates for payments on procedures, retroactive denials, and games played with payment timing - and you have Hospitals who are effectively working as banks.

Let's not even add to the issue by introducing patients WHO CANNOT ACTUALLY PAY for services that cannot be legally denied.

So is Microsoft going to piss off Hospitals? HELL NO. Hospitals want this type of thing, FROM ANYONE THEY CAN AFFORD, even if only to save on labor costs for the manual tasks they execute now in order to emulate this functionality. Hospitals are being legislated into implementing EMR. What makes you think the existing McKesson, Cerner, or any other big Healthcare software company for that matter is making this same functionality available for a reasonable price.

They aren't. In fact, you should be more pissed off at the fact that these big HC software companies want to charge $50,000 for their HL7 connectors to put data INTO their systems. That's called a API in techland, and its usually much cheaper than that.

EMR and LIS

Everyone here is making funny jokes about running Windows but guess what? I run a lot of EMR and LIS systems using windows. Measured in Library of Congresses. Chances are that if you have ever seen a doctor, I am storing, accessing, and backing up all your info on a Windows box. Ha ha. Very funny. I like computers. I like almost all operating systems, but if you can't see the progress and innovations being done, you are road kill.

Re:Let the Stone Throwing Begin!

• Microsoft Working On Health Information 'Vault' System

(Score: -1, HowCanYouFsckingBELIEVEthatMicrosoftIsTellingYouTheTruth?)

by Anonymous Realist on Thursday, October 04, @High:Times PM (#8675309)

The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities:...

'Nuff said.

• Reply to this [ValidParanoia ^]

Google Health

[SnprBoB86]

So let's pretend this product was called Google Health ( http://blogoscoped.com/archive/2007-08-14-n43.html ). Everywhere the summary/article says "Microsoft" substitute in "Google" and anywhere it says "HealthVault" sub in "Google Health". Push your imagination really hard here.

(I just wanted to point out: I'm not taking sides. I've been on the payroll at both companies... http://brandonbloom.name/resume.html )

PaientPrivacy.Org and Microsoft

An organization I respect for its single-minded focus on patient privacy is http://www.patientprivacy.org/. Readers might be interested in today's press release from this group, which worked with Microsoft to resolve privacy concerns: http://www.patientprivacyrights.org/site/PageServer?pagename=HealthVault_PressRelease

All I can say to this, is

[tupletuple]

Oh Fuck

I had to laugh

[Dunbal]

The words "Microsoft" and "secure" are in the same sentence. Heaven forbid!

Difficult undertaking...

If they want to be able to compete in the market place they have a long way to go. Not only do they need to give the consumer the information that they want, but they also need to be able to give it to the doctors when the *need* it the most. This is no trivial feat. 35+ million lines of code later Cerner is still trying to make it all work and I can tell you that I don't care how big of a company you are this is an industry that Microsoft is late to the game in. With Cerner increasing the number of employees at a rate of about 10% a quarter (so I am told) this market is growing really fast. I am sure that all the companies in the field (Crener, Epic, ...) are going through this growth. I'll believe it when I see it - it can take a whole hospital 9+months to "go live" with only a small number of the 50+ solutions that Cerner has.

I see this as Microsoft saying, "Medical records should be available to who they belong to in a convenient format, and they should have control of them." I don't see any real product coming out of this and going the way of Passport.

(I work for Cerner.)

My patient's info

[stapedium]

...will start being entered into a Microsoft database, as soon as all my patient's release this info to MS AND someone pays me for the time it takes to enter it. In other words...never. There is just no incentive to physicians to start entering their patients' info into this database. And for all those of you who say, "well then six different people won't have to ask me what drugs I'm allergic to." I say tough. If you are really that concerned that an ER has an accurate medical history on you even if you are unconscious, then pay someone to do a thorough history and physical exam. Get a copy and give it to your emergency contact. Shrink it down to fit in our wallet/purse and wear a bracelet that says "My medical history is in my wallet/purse, call my friend XXX for more info". It will cost you about $150 and ANY ER will be able to use it.

Psst - they have open job positions there!

[VP]

Check it out!

Clearly to compete with Google Health

[DelitaTheFridge]

Have we all forget about Google's upcoming offering? Unlike Microsoft they have WONDERFUL respect for our privacy. I can see it now. "Do you have Erectile Disfunction? Try this new creme!"

lets just make it all public and get it over with

[wardk]

this is just an ingenius and way-stealth method of making private medical records really really really really easy to get into.

I can't wait to learn the medical histories of Ballmer and Gates, maybe view the ex-rays that show exactly how far up his ass Darl McBride's head actually is.

Part good idea, part ridiculous

[gbridge]

Some of this appeals to me, some just confuses me.

For example, being diabetic, I'd love to be able to record data on my blood glucose, blood pressure, weight, injection sites and so on using a web app. I could pull of graphs and generate a report to take with me to my clinic checkups, saving me the hassle of taking paper versions or trauling through the memory in my glucose meter. However, even if they did go into the detail I wanted, I wouldn't trust Microsoft with the data, and the web app would probably be a pile of buggy crap anyway.

The most crazy thing though is that they want hospitals to push test results to the patient's record on HealthVault. This is such a bad application of technology. It's fabricating a solution to a non-existant problem. If your result warrented discussion with your consultant, the hospital would push the result to your profile on HealthVault anyway, then you'd get a call to organise a date to go into the hospital for a chat. If not, you don't hear anything from them - if you really want to know, you pop into the hospital as they rightfully won't give the information out over the phone. There's no problem with this. Pushing results to HealthVault is completely unnecessary.

Boggles the mind. It really does.

might be the chink in the armor

folks have been looking for all these years.

Can't sue microsoft due to poor design, bad implementation, loss of data.
Can't successfully get the government to do a thing about them, other
than accomodate MS's idea of how antitrust should be handled.

Now, MS takes complete control of all the medical information.
The breaches and leaks are going to inevitable and quick in coming.
I doubt MS can craft a 'click-through' user agreement that will
completely release them from criminal and civil liability for
these breaches.

With the first mis-use of an individual's records, should come the
first lawsuit.

Followed on by the second, and so forth.

Might be just thing thing, actually.

Why this is good

[professorguy]

Everyone who says "But now my hospital will send my info to a central insecure database and it'll be hacked...." has been asleep for a few years. I work at a hospital and we send your records not to one central database, but to dozens of central databases. The state cancer commission, infectious disease control, health and human safety, insurance checkers, bill scrubbers, etc, etc, etc. Many of these are mandated by law. So if you think one database might be hacked, how secure is your info residing in 20 databases? Good luck with all that.

MS puts lives at stake

[Cyko_01]

we all know Microsoft couldn't build stable software if there life depended on it. Now other peoples lives depend on it. This can only end in tragedy

This reminds me of the response to online banking

This sounds like one horribly, terribly bad idea to me from a security standpoint.

There are certainly ways to secure the data in a de-identified form. If you feel comfortable banking online, why wouldn't you be OK with EHR?

Also, I can't help but believe that 'anonymous' information will be handed over to drug companies so they can 'research' their 'market'.

Google execs use the phrase "unmined sources" to describe these new "markets." Oh yes, this data will be mined and sold to insurance companies, HMO's, hospital chains, big pharma, etc.

Some things are still best done with paper and pen.

I'm reminded of similar attitudes toward online banking in the mid 1990's.

EHR is coming. It will become the new standard, for better or worse. Consider that fully 1/3 of health care costs involve "paper pushing" and other administrative tasks (not treatment). What if you could save 1/3 on your health care? For many large companies (ie: GM and Ford), saving 1/3 on health care costs would be the difference between looming bankruptcy and profitability.

Clearinghouses are covered.

[Medievalist]

I believe there is a loophole in this, where it is the individual who is in possession of the data not a health provider (i.e. The end user sets up this vault not the health provider). This releases the 'vault' from complying with HIPAA because of SEC. 1172. (a) APPLICABILITY. I have heard this from more than one company trying to accomplish the same thing. This scheme would be covered for several reasons; most importantly because the vault owner would need a HIPAA mandated BA (business agreement) in order to traffic data with HIPAA regulated entities such as hospitals, doctors, and insurance companies.

The companies you've been hearing from are barking up the wrong tree. If they do find a way to subvert the intent of the law the Secretary of Health and Human Services will simply issue a statement invalidating whatever loophole they thought they had. The legislation is set up that way, so that it can be effectively amended without the hassles of representative government.