Microsoft Working On Health Information 'Vault' System
josmar52789 wrote with an article from the New York Times, discussing Microsoft's new push into the consumer health care market. The plan is to offer personal health care records online via a system called HealthVault. Numerous big names in the medical field have signed up for the service, including the 'American Heart Association, Johnson & Johnson LifeScan, NewYork-Presbyterian Hospital, the Mayo Clinic and MedStar Health'. The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities: "The personal information, Microsoft said, will be stored in a secure, encrypted database. Its privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol levels."
Well, yes, there's a potential problem any time you put enough personal information into one place: sure, it's more convenient for the appropriate people to access, but it's also more convenient for someone to steal.
My bigger concern, however, is that this is Microsoft proposing this. It makes me want to vet the idea for possible abuses. Beyond the obvious privacy concerns, is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?
Even if such a system is going to be set up, I'd rather someone with a good track record build something that makes use of open formats and protocols. I'd like to know that my family's medical records aren't going to go up in a puff of smoke because Windows Update decided my Office license wasn't "genuine", or some other bizarre thing.
The company that gave us the ultimately secure Windows OS and the uncrackable Passport?
As you know, Windows' security issues are ones of legacy. The more they fix it, the more they wreck existing apps.
Apart from this, I have to be honest with you: I'd rather have Microsoft work on this health information system than some unknown little entity that is just in it to grab the money and run.
Microsoft is here to stay, and while they may not end up with the most perfect solution possible, they don't need the money desperately, and can't hide if a major security breach occurs (and it's their fault).
The actual HIPAA regs appear quite stringent, but you'll find that they don't make the data more secure.
/.'er will probably discover it addresses some basic stuff, but leaves the door wide open for familiar and massive compromises.
For example, Use is well-defined in many cases, but actual security mechanisms are not. This kind of programming is right up Microsoft's alley. Not only is the security model pretty weak, there are limited interoperability requirements.
Please, read the standard. It's not fun reading, but the average
http://www.hhs.gov/ocr/hipaa/
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
http://www1.va.gov/CPRSdemo/
2. HIPAA says no. If a nurse accidentally allows access to your health information, that's a $10,000 fine for her and a $100,000 fine for the hospital.
3. HIPAA says no.
-- http://aspe.hhs.gov/admnsimp/pl104191.htm#1177
Geez, you'd think that people involved in IT would be somewhat aware of the demands of HIPAA PHI.
The road to tyranny has always been paved with claims of necessity.
The guy you are thinking of is Mark Lucovsky and he does now work for Google.
This article, at least my understanding of it...isn't just about keeping medical info on a computer running MS Windows....it is more about a centralized medical record datastore that Microsoft is building and itself responsible for....that everyone's records are kept on an internet accessible server (or set of servers). HealthVault is MS keeping everyone's health data.
I'd guess that insurance companies would be drooling at the chance to get all this data in one place...a 'definitive source'. Shoot, combine that with some DNA records and evaluations....and you're all set to be denied coverage for possible future diseases. Hook this centrally to some other datastores on you...and all kinds of living/health habits can be established.
Let's forget the nightmare scenarios I was laying out above...what if there is a security break? Embarrassing info about your treatment for VD might come out...that's bad enough, but, what if it was treated due to an affair you mistakenly had while on a long trip away....you get treated, you're sorry and won't do it again...but, your wife now finds out?
At the very least...MS products are already a HUGE target for hackers and crackers....wait till a MS system becomes the centralized repository on some of the most personal and possibly private information on citizens of the US and maybe the world. You trust them to keep that info safe with that big a target painted on the system?
As I said in another post.....Snowball's chance in hell of me voluntarily letting my info on there.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
It's called Indivo Health, formerly known as Ping on Sourceforge. It's been around for years and it is LGPL licensed. There's been some recent activity with the Dossia Group. More information and links here. -- IV
http://www.LinuxMedNews.com Revolutionizing Medical Education and Practice.