Slashdot Mirror


Microsoft Working On Health Information 'Vault' System

josmar52789 wrote with an article from the New York Times, discussing Microsoft's new push into the consumer health care market. The plan is to offer personal health care records online via a system called HealthVault. Numerous big names in the medical field have signed up for the service, including the 'American Heart Association, Johnson & Johnson LifeScan, NewYork-Presbyterian Hospital, the Mayo Clinic and MedStar Health'. The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities: "The personal information, Microsoft said, will be stored in a secure, encrypted database. Its privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol levels."


  1. unsubscribe by Anonymous Coward · · Score: 4, Funny

    unsubscribe

    1. Re:unsubscribe by Mister+Whirly · · Score: 4, Insightful

      "I'll be damned if any of my personal medical information will be entrusted to anything using M$ junk."

      It already is. Look around your doctor's office next time you are there. See the computers? They aren't Macs now, are they?

      --
      "But this one goes to 11!"
    2. Re:unsubscribe by cayenne8 · · Score: 2, Interesting
      "I know what HIPAA is, and have taken training on it, and even passed a HIPAA audit. All the medical data was stored on a Windows server, and guess what? Still passed with flying colors. HIPAA does not stipulate certain operating systems - any OS can be used as long as it passes the requirements."

      This article, at least my understanding of it...isn't just about keeping medical info on a computer running MS Windows....it is more about a centralized medical record datastore that Microsoft is building and itself responsible for....that everyone's records are kept on an internet accessible server (or set of servers). Healthvault is MS keeping everyone's health data.

      I'd guess that insurance companies would be drooling at the chance to get all this data in one place...a 'definitive source'. Shoot, combine that with some DNA records and evaluations....and you're all set to be denied coverage for possible future diseases. Hook this centrally to some other datastores on you...and all kinds of living/health habits can be established.

      Let's forget the nightmare scenarios I was laying out above...what if there is a security break? Embarrassing info about your treatment for VD might come out...that's bad enough, but, what if it was treated due to an affair you mistakenly had while on a long trip away....you get treated, you're sorry and won't do it again...but, your wife now finds out?

      At the very least...MS products are already a HUGE target for hackers and crackers....wait till a MS system becomes the centralized repository on some of the most personal and possibly private information on citizens of the US and maybe the world. You trust them to keep that info safe with that big a target painted on the system?

      As I said in another post.....Snowball's chance in hell of me voluntarily letting my info on there.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  2. Microsoft's successful formula by us7892 · · Score: 5, Funny

    Microsoft is starting its long-anticipated drive into the consumer health care market by offering free personal health records on the Web and pursuing a strategy that borrows from the company's successful formula in personal computer software.

    I'll bet this sentence is not going to go over too well with the slashdot crowd.

    1. Re:Microsoft's successful formula by SoCalChris · · Score: 2, Informative

      I don't think that anyone can argue about whether they have a successful formula in personal computer software. They've made billions using that formula.

    2. Re:Microsoft's successful formula by h2_plus_O · · Score: 3, Funny

      Nobody, not even slashdot users, can deny that.
      you must be new here.
      --
      If there's one thing I won't stand for, it's intolerance.
  3. Oh yeah, triple secure. by photomonkey · · Score: 2, Insightful

    This sounds like one horribly, terribly bad idea to me from a security standpoint.

    Also, I can't help but believe that 'anonymous' information will be handed over to drug companies so they can 'research' their 'market'.

    Some things are still best done with paper and pen.

    --
    Message contains 1 attachment: spam.gif
    1. Re:Oh yeah, triple secure. by Em+Adespoton · · Score: 5, Insightful

      This sounds like a horrible idea to me from other standpoints too:

      1) Medical professionals never like patients to have full access to their records, as if a patient misunderstands something on their file, their life could be at stake based on the decisions they make.

      2) The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host. Let's just say that I highly doubt this information will be protected from people working for US "security" agencies.

      3) The system appears to be designed so that MS can sell aggregated data to drug companies and insurance companies. Seems to me though that even with aggregated data, you could reverse-mine it to have a reasonable suspicion regarding individuals (you'd know trends, which would help in searching for more specific details)

      Anyway, the whole thing could be really useful if used correctly, but there are so many ways it could be misused even if the system doesn't have a major security breach that I for one would never use it.

    2. Re:Oh yeah, triple secure. by Evanisincontrol · · Score: 4, Insightful

      Like it or not, your medical information is going to become electronic. Microsoft isn't the first company to propose an Electronic Health Record -- not by far. The Cerner Corporation, for example, has been working to modernize the health record since 1980. There are at least two universities in the U.S. which host a major in Medical Informatics, a program specifically designed to produce experts in this very subject.

      Trying to fight the Electronic Health Record is like trying to fight the use of computers in any other field -- it's inevitable.

    3. Re:Oh yeah, triple secure. by Bacon+Bits · · Score: 3, Interesting
      1. HIPAA says no. You ask, they must give you complete and total access to your own medical records. They have no authority to deny them to you unless you suffer from some fairly specific medical conditions (namely, mental illness).

      2. HIPAA says no. If a nurse accidentally allows access to your health information, that's a $10,000 fine for her and a $100,000 fine for the hospital.

      3. HIPAA says no.

      WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

      SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part--

      (1) uses or causes to be used a unique health identifier;

      (2) obtains individually identifiable health information relating to an individual; or

      (3) discloses individually identifiable health information to another person,

      shall be punished as provided in subsection (b).

      (b) PENALTIES.--A person described in subsection (a) shall--

      (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

      (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

      (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

      -- http://aspe.hhs.gov/admnsimp/pl104191.htm#1177

      Geez, you'd think that people involved in IT would be somewhat aware of the demands of HIPAA PHI.
      --
      The road to tyranny has always been paved with claims of necessity.
    4. Re:Oh yeah, triple secure. by freemywrld · · Score: 2, Insightful

      The tone of your post should answer your own question. Why do people want the opportunity to keep certain information about themselves private? Discrimination, that's why. The automatic judgements you make in your post lead me to believe that you would treat people differently based on such information. People keep irrelevant personal information private to protect themselves from people like you.

    5. Re:Oh yeah, triple secure. by zifferent · · Score: 2, Informative

      hmm, want to back that up. My wife works with medical records, and HIPAA severely limits who can see any patient information.

      Yah, I work with medical data and while doing my HIPAA awareness training, I was surprised and disturbed by it also.

      Here's more info:
      http://www.aclu.org/privacy/medical/15222res20030530.html
      --
      cat sig > /dev/null
  4. Uh uh. by morgan_greywolf · · Score: 3, Insightful

    Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol level

    The hell I will! No way, Jose. Fuggeddaboudit!

    The last thing I need is an employer or potential employer tracking down my medical records. Or the CIA, NSA, ATF, or cybercriminals or any other organization or individual who wishes to covertly steal my personal data for nefarious purposes.

    Do you know what your medical history contains and how it can be used against you? I do.
    1. Re:Uh uh. by Anonymous Coward · · Score: 2, Funny

      You do? How did my last screening turn out? I can't get hold of a real person to ask.

    2. Re:Uh uh. by nine-times · · Score: 5, Interesting

      Well, yes, there's a potential problem any time you put enough personal information into one place: sure, it's more convenient for the appropriate people to access, but it's also more convenient for someone to steal.

      My bigger concern, however, is that this is Microsoft proposing this. It makes me want to vet the idea for possible abuses. Beyond the obvious privacy concerns, is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

      Even if such a system is going to be set up, I'd rather someone with a good track record build something that makes use of open formats and protocols. I'd like to know that my family's medical records aren't going to go up in a puff of smoke because Windows Update decided my Office license wasn't "genuine", or some other bizarre thing.

    3. Re:Uh uh. by jimicus · · Score: 4, Funny

      is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

      Not at all. It will be web based, and provided you're running Internet Explorer 8 you're fine.

      Oh, didn't we mention? IE 8 will be Vista with SP1 only.

  5. "Blue screen of Death" to have a whole new by unity100 · · Score: 5, Funny

    meaning, that is.

    1. Re:"Blue screen of Death" to have a whole new by Joe+the+Lesser · · Score: 4, Funny

      Error: Could not find liver.dll

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
  6. Hailstorm by Saint+Stephen · · Score: 3, Insightful

    Remember Hailstorm? The plan was to expand Passport to first include calendar, todo, and some other web services, and then to provide an ActiveDirectory back-end for auth and ultimately to include all these kinds of services (including payroll and AR/AP data) in a massive cloud.

    Privacy experts freaked out, but Microsoft never cancels anything.

  7. Lock up by OK+PC · · Score: 2, Funny

    Well at least the Vault will always lock up...

    --
    Did you get that thing I sent ya?
  8. Google Searches too by svendsen · · Score: 4, Funny

    Man if anyone could link Google searches to individuals we would know every person's medical condition.

    Google Search: Itchy crotch

    NSA: Hey Fred Smith has crabs again...lol

  9. microsoft vs security by oktokie · · Score: 2, Insightful

    I personally think microsoft windows server is a great platform to build websites.
    There are range of tools and cookie cutter stuffs already written for in asp/net allows very powerful function to exist especially inter-operate ability with different MS product like sharing outlook generated schedule via exchange server out to web portal.

    However, putting medical records requires middleware between ms platform and medical software. I see this use of middleware becoming a security problem here. Windows does not work very well when 3rd party glue is applied to what seems to be the rigid architecture it shares between products of ms. This inability to have full control over the protocol, situation usually involving previously unthought of...should I say out of boundary for what original purpose of the software calls for...ends up becoming the problem.

    Oktokie

  10. And sell your health info back to you by christian.einfeldt · · Score: 3, Insightful

    and require Microsoft Windows to access it.

    No thanks.

    Just look at what Microsoft is planning to do with Office Live or whatever they are calling it. You need to have Microsoft Office installed locally on your HD. All you are storing is your data. GNU Linux OSes probably won't even be able to run WINE to access those Office Live files. So even if they don't actually charge to access the data, it extends their reach into your life.

  11. Re:MS and security? by suv4x4 · · Score: 3, Interesting

    The company that gave us the ultimately secure Windows OS and the uncrackable Passport?

    As you know, Windows' security issues are ones of legacy. The more they fix it, the more they wreck existing apps.

    Apart from this, I have to be honest with you: I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

    Microsoft is here to stay, and while they may not end up with the most perfect solution possible, they don't need the money desperately, and can't hide if a major security breach occurs (and it's their fault).

  12. Sounds Good by RAMMS+EIN · · Score: 2, Informative

    ``...privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or...''

    That sounds good. You actually get full say in who is allowed to do what, and "give permission" sounds like the permissions are secure by default.

    I have about zero trust that Microsoft will actually implement this correctly and securely (I've seen far too many stupid bugs from them lately), but at least they're saying the right things. Not vague promises that it will be "very secure", but an actual description of the security controls they are planning to provide. Moreover, those security controls seem to actually provide the security one would want in such a system.

    --
    Please correct me if I got my facts wrong.
  13. Re:Let the Stone Throwing Begin! by blcamp · · Score: 2, Funny


    Actually, I would have said "Let the CHAIR Throwing Begin!"

    --
    The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
  14. Re:Free medical records on the web? by mpapet · · Score: 3, Interesting

    The actual HIPAA regs appear quite stringent, but you'll find that they don't make the data more secure.

    For example, Use is well-defined in many cases, but actual security mechanisms are not. This kind of programming is right up Microsoft's alley. Not only is the security model pretty weak, there's limited interoperability requirements.

    Please, read the standard. It's not fun reading, but the average /.'er will probably discover it addresses some basic stuff, but leaves the door wide open for familiar and massive compromises.

    http://www.hhs.gov/ocr/hipaa/

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  15. Except for the tinfoil hat crowd...not a bad idea by notaprguy · · Score: 3, Insightful

    Putting paranoia aside, managing healthcare information is a major pain in the butt. I see this as a way for ME to control how my information is shared rather than my Dr. or my insurance provider. If this idea matures I can see how insurance providers and health providers would need to ask for the patient's permission to exchange information rather than just doing it...which is what happens today. If you're worried about the CIA looking into your health information this isn't going to make the problem any worse. Perhaps a little medication might alleviate your stress on that...

  16. Next Doctors visit might go something like... by EvilSpudBoy · · Score: 5, Funny

    Doctor: I've examined you, and reviewed your MSMedicalHistory(tm) and it looks like you are in fine health, though I see your blood pressure is slightly higher than last time.

    Patient: Well, work has been a bit stressful, should I worry?

    Doctor: Not at all. It is still good for your age. Have you tried Halo 3?

    Patient: huh?

    Doctor: Video games are a great stress reliever. If you don't have an Xbox 360 with Halo3, I can put in an order for one for you. Have you had any other problems?

    Patient: Sometimes I get a headache from staring at the computer too long.

    Doctor: Hold on -- there, I've adjusted your screen resolution and font size on your home and work computers.

    Patient: Umm.....

  17. Re:Monopoly Abuse. Re:Microsoft's successful formu by everphilski · · Score: 3, Insightful

    It's nice of them to admit they are and be described as a one trick pony.

    One hell of a pony ...

  18. VA (not MS!) VISTA? by xanthines-R-yummy · · Score: 3, Interesting
    As someone in the healthcare field, I've found that the VA has the best electronic record keeping system. It's logical, complete, reliable, and relatively easy to use. Why can't the government just lease that out? Or does it violate some kind of law regarding competition? Does anyone know how MS Vault is going to compare? I guess the VA system probably has weaker encryption, but I don't know that for sure. Here's the home site if you don't know what I'm talking about:

    http://www1.va.gov/CPRSdemo/

  19. Please fill out and sign these forms. by Valdrax · · Score: 2

    That sounds good. You actually get full say in who is allowed to do what, and "give permission" sounds like the permissions are secure by default.

    Prepare to see a new waiver in the stack of crap you have to sign when going to a new doctor's office requiring you to give permission for full access to your records for any purpose not prohibited by law.

    This will happen because doctors will not want to spend time having you okay access to each locked off section of your records that they might need, and they sure as heck don't want to spend time arguing with you about it when it's something you find embarrassing and don't know may be relevant.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  20. You're easily troubled by overshoot · · Score: 2, Insightful

    The thought that they could be responsible for securing my health history is particularly troubling.
    If that bothers you, how do you feel about the fact that they're right, and you don't get any say in the matter?

    MS has the marketing, economic, and political clout to get themselves the contract for keeping the health records for everyone in the USA. Washington is already salivating over the prospect of:

    • Saving hundreds of billions on health care costs, and
    • All of the money that companies will make from providing medical informatics services [1]
    Curiously, they don't see any conflict between those two points.

    One way or another, though, giving MS (or possibly someone else, but MS is the main chance) custody over your health records is well on its way to being a requirement for getting any kind of medical care in the USA.

    [1] Sort of the way the FCC is drooling over all the money that the carriers will make from the spectrum they buy.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  21. I worried that health companies will fall for it by KWTm · · Score: 2, Insightful

    "... a strategy that borrows from the company's successful formula in personal computer software."
    I'll bet this sentence is not going to go over too well with the slashdot crowd.

    Unfortunately, it will sound nice to health care companies. I am involved in the healthcare sector, and I am worried that this will succeed, without the health care companies knowing (or caring) about the issues. Microsoft has the cash, the clout and the reputation for this. (Remember, to non-geeks, Microsoft is the premier computer company --lay people can't even tell whether Microsoft is software or hardware.)

    The health care industry is greatly dependent on information technology, and is beholden to IT --without realizing it. People in healthcare have this attitude, for better or worse, that they are more important and special and have a unique place high on the totem pole, so they don't really see their vulnerability to some run-of-the-mill thing like IT, which is held with the same regard as the people who answer the phones or clean the medical instruments.

    I just pray that Microsoft can have some high-profile screw-ups, maybe a few databases hacked here and there, that can reveal to non-geeks the dangers of having a convicted monopolist at the reins of the nation's healthcare info.
    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  22. LGPL Version of this already exists. by ivaldes3 · · Score: 2, Interesting

    It's called Indivo Health, formerly known as Ping on Sourceforge. It's been around for years and it is LGPL licensed. There's been some recent activity with the Dossia Group. More information and links here. -- IV

    --
    http://www.LinuxMedNews.com Revolutionizing Medical Education and Practice.
  23. Sounds exactly like my old Company NDMA by Benjamin+Shniper · · Score: 2

    This will probably crush a couple of small startups - like my previous job here:

    www.ndma.us
    (National Digital Medical Archive)
    NDMA never did get all the bugs out. It was a little slow and lacked some key xml protocol sharing features. Security and never losing a file are a legitimately difficult task, in itself, and that was addressed. Maybe Microsoft will come up with better ideas than NDMA did. The protocol for the application there was terribly slow, but the website to access the information eventually came through.

    Selling anonymous data is, unfortunately, a necessary evil. It's already happening, all Hospitals require you to sign things on joining that will give them rights to sell your data, with your name and ID numbers removed. Doctors do truly need that information, especially for disease outbreaks and drug treatment information. This system by Microsoft just makes it more practical.

    With Microsoft entering, it probably means Oracle, IBM, and maybe Sun will as well. There's tens of billions of dollars to be made.

    -Ben