Accessing Medical Files Over P2P Networks
Gov IT writes with this excerpt from NextGov:
"Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. ... The basic technology that runs peer-to-peer networks inadvertently exposed the files probably without the computer user's knowledge, Johnson said. A health care worker might have loaded patient files onto a laptop, for example, and taken it home where a son or daughter could have downloaded a peer-to-peer client onto the laptop to share music."
I also grant that governments... always give it to the lowest bidder.
This is a problem within a lie. Governments outsource to whomever civil servants or politicians are friends with, where friendship in politics is all about the kick-backs. This is true whether we're talking about a multi-billion dollar IT project or who gets chosen to clean the office. It's more obvious in the latter case, where there's always that mysterious 100% agency mark-up over simply hiring an employee directly. In the former case, it's about tailoring requirements so that precisely one bidder will be deemed appropriate (the core of this approach being a straightforward lie about what's going to be charged).
The correct solution is for the government to do its own work. If it finds that it needs outside help, it's probably trying to do something the government shouldn't be doing at all.
The private sector indeed is just as capable at screwing this up. In my own experience doing some moonlighting systems/network consulting, I have come across a Doctor's office that had a wide open network hanging off of a cable modem connecting with a Comcast business account, no firewall, Windows desktops completely open. The home-based DLink router they had as a central hub did actually have some base firewall capabilities, but a previous consultant thought it was interfering with a software capability to talk to the insurance company, and so thoughtfully turned it off completely.
You would think a hospital with their own full time technical staff might rank better. A prominent Boston area hospital was building out a branch location in the suburbs. I visited to install an Oracle server, and noticed that because of constraints on network cabling at the time, they were using Linksys wireless throughout the office for connectivity, with no encryption. I raised this concern immediately with the director of the office, but was told not to worry, as this was only a "temporary" solution until they could get a cabling vendor in to run something more formal. My largest concern was that this office was still directly tied into the back-end of the main hospital data network, and thus, from the parking lot, it was trivial at best to get onto the hospital network.
I understand these are only two limited examples, but there still lacks any real capabilities to be able to keep medical records secure throughout the chain. Until something akin to PCI for medical records really takes place, complete with audit controls, etc., I don't see the situation changing all that much. PCI itself has flaws, but it is an attempt to actually place controls on credit card data from swipe to credit card company.
And part of what I needed to do was block myspace, etc., on the LAN. But the head pharmacist had some P2P running on his computer (it's good to be the king). I remember thinking at the time how insecure to run P2P on a business machine with a lot of confidential information on it.
I don't think the customer data was stored locally, but that doesn't stop spyware, key loggers, etc., from still being an issue.
Free music or maintaining the integrity of customer data. That's a tough call.
transporter_ii
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
This is the second story this week I've heard villainising P2P beyond basic piracy.
The first, from the Today show I think, was about somebody having their identity stolen because somebody accidentally shared some financial records. The reason a FUD campaign came to mind was the way my wife reacted to the story. Some comment about how dangerous P2P applications were.
Anybody else think these stories could be an organized effort to create paranoia in the less technical crowd?
I have a friend who runs an insurance investigation business. A lot of his data includes claimants' medical, criminal, income, and other assorted records. He has several investigators working in his office, each with a PC (fortunately, no laptops) and all behind a secure(?) firewall. From time to time, I've helped him configure or repair his network and/or desktop systems. In doing so, I've noted that every system has their C: drive shared out on the LAN with read/write privileges granted to everyone else in the office. In spite of the problems with security or system corruption (why anyone would need to share out all their system .DLLs with write permission is beyond me), he insists that everyone in the office 'needs' complete access to everyone else's files. A disaster waiting to happen, IMO.
People just don't understand, or give a sh*t about the consequences of lax data security. P2P networks, or the mis-configuration of file sharing s/w is just one symptom of this.
Have gnu, will travel.
Federal law (Health Insurance Portability and Accountability Act - or HIPAA) levels serious legal liability on "any doctor who asks" (or any other person in a health-care organization who looks at a medical record outside of their job responsibilities). By definition, this, then, is not "public sharing of information." XYZ company is not entitled to look at your health information.
Do errors occur? Hell, yes, they do. Laptops get stolen, people screw up. But to deny the benefits of having access to critical information in emergency situations, or to avoid repeating a test done last week, or to avoid a person getting a medication that doesn't work because another doctor recently changed another of the meds, or to get a drug that can be fatal to a person because the information wasn't available, is to say that you'd rather life be a crap-shoot.
The way for this technology to get better is for people to work on the solutions to the issues of security and privacy, not to keep medicine in the stone-age of information utility.
For an interesting read about why this is so important, read the Medicare Annual Report. Everyone's payroll taxes have to go up 3.5 percent to cover the estimated shortfall of Medicare for the next 75 years (I expect to retire sometime in that timeframe). With life expectancy increasing, and the baby boom generation in retirement for the next 40-50 years, OASDI and MMS look to take a bigger bite out of everyone's paycheck.
One solution to this projected problem is to reduce the cost of healthcare by reducing errors, repeating unnecessary tests because of lack of access to a record, having technology that alerts clinical staff (doctors aren't going to be the only people providing medical care) to potential interactions, matching medications/treatments to genetic likelihood of therapeutic benefit, and enabling greater home health care. All of these opportunities require increasing use of information technology.
Good luck with that heart condition.