Slashdot Mirror


Accessing Medical Files Over P2P Networks

Gov IT writes with this excerpt from NextGov: "Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. ... The basic technology that runs peer-to-peer networks inadvertently exposed the files probably without the computer user's knowledge, Johnson said. A health care worker might have loaded patient files onto a laptop, for example, and taken it home where a son or daughter could have downloaded a peer-to-peer client onto the laptop to share music."

25 of 137 comments

  1. P2P?! Oh no! by Manip · · Score: 4, Insightful

    Sorry but what does one have to do with another?

    Currently doctors are using Word documents with every patient's name as the title in some locations, while others are using VB apps with an Access Database type solution.

    Putting real money into a real electronic system with access controls and an audit trail is a GOOD thing and will stop things like records spreading onto P2P networks.

    It is good for patients, it is good for doctors, and it is good for the general quality of healthcare.

    I grant that it is expensive though. I also grant that governments are bad at large IT projects and always give it to the lowest bidder.

    1. Re:P2P?! Oh no! by Anonymous Coward · · Score: 2, Interesting

      I also grant that governments... always give it to the lowest bidder.

      This is a problem within a lie. Governments outsource to whomever civil servants or politicians are friends with, where friendship in politics is all about the kick-backs. This is true whether we're talking about a multi-billion dollar IT project or who gets chosen to clean the office. It's more obvious in the latter case, where there's always that mysterious 100% agency mark-up over simply hiring an employee directly. In the former case, it's about tailoring requirements so that precisely one bidder will be deemed appropriate (the core of this approach being a straightforward lie about what's going to be charged).

      The correct solution is for the government to do its own work. If it finds that it needs outside help, it's probably trying to do something the government shouldn't be doing at all.

    2. Re:P2P?! Oh no! by commodore64_love · · Score: 3, Insightful

      >>>will stop things like records spreading onto P2P networks.

      Right, because the government has never, ever accidentally let private information leak out ("Congressional worker has laptop stolen"). The government has never, ever let anyone have access to my social security number ("State website published millions of SS numbers online"). We can trust the government to keep our stuff secure ("Our records show you were unemployed in 2003." "How do you know that?" "We just called the IRS; they reported your income was near-zero.")

      Go watch GATTACA if you believe having our medical records available to any doctor who asks is such a great idea. With public sharing of formerly-private data, companies can discriminate against unhealthy persons whenever they desire. Here's a link: http://isohunt.com/torrent_details/39287978/GATTACA?tab=summary

      It's bad enough I have a credit score attached to my name, along with how much debt I owe, with which employers can decide to hire or not hire me. Now they'll learn about my heart condition, and in order to reduce medical costs, decide to skip-over me and give the job to someone else.

      This idea is all kinds of bad.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    3. Re:P2P?! Oh no! by drewvr6 · · Score: 2, Insightful

      On top of being expensive, I have a concern that such a huge system would be extremely hard to upgrade on a consistent basis. My experience has been that government computer systems (outside of No Such Agency) tend to lag far behind commercial IT infrastructures. Quite possibly due to the massive budget/oversight/scale that the government implements. I see in our own environment the difficulty in maintaining the most up-to-date versions of our software, much less implementing new technologies as they come to the forefront. Can a bureaucracy stay close enough to cutting-edge to warrant the expenditure, or are they biting off more than they can chew?

      --
      Now we see the violence inherent in the system.
    4. Re:P2P?! Oh no! by webnut77 · · Score: 2, Insightful

      Mod parent up!

      When Big Brother collects information about us, the potential for harm far out-weighs the good. I think only I should decide who has access to my medical records. Not some secretary who gets charmed by an insurance company rep or bribed by a scam artist wanting to take advantage of my medical condition.

      And billions of dollars! The President and Congress have no concept of how hard we work to get that money.

    5. Re:P2P?! Oh no! by RiotingPacifist · · Score: 4, Insightful

      >>>will stop things like records spreading onto P2P networks.

      Right, because the government has never, ever accidentally let private information leak out ("Congressional worker has laptop stolen"). The government has never, ever let anyone have access to my social security number ("State website published millions of SS numbers online"). We can trust the government to keep our stuff secure ("Our records show you were unemployed in 2003." "How do you know that?" "We just called the IRS; they reported your income was near-zero.")

      An imperfect but well-designed system is miles better than the current system.

      Go watch GATTACA if you believe having our medical records available to any doctor who asks is such a great idea. With public sharing of formerly-private data, companies can discriminate against unhealthy persons whenever they desire. Here's a link: http://isohunt.com/torrent_details/39287978/GATTACA?tab=summary

      Go watch people die when a doctor doesn't have a full medical record when treating a patient. Wow, a sci-fi film must obviously have taken a lot more time to do a cost-benefit analysis of the situation, and come to a much better conclusion about what would really happen, than an actual analysis of the situation.

      It's bad enough I have a credit score attached to my name, along with how much debt I owe, with which employers can decide to hire or not hire me. Now they'll learn about my heart condition, and in order to reduce medical costs, decide to skip-over me and give the job to someone else.

      This idea is all kinds of bad.

      Erm, when did the medical records become public information? Having a system where a doctor (when authorized) can access your medical records (when needed (with proper punishment when it's abused)) is very different from giving everybody full access to your medical records.

      --
      IranAir Flight 655 never forget!
    6. Re:P2P?! Oh no! by RiotingPacifist · · Score: 2, Insightful

      why does it need to be accessible from the latest and greatest system?

      --
      IranAir Flight 655 never forget!
    7. Re:P2P?! Oh no! by webnut77 · · Score: 2, Informative

      yeah the potential harm, if they are out to get you, outweighs the benefit of you not dying.

      Where there is money to be made (or for that matter, power to be gained) they are out to get you.

      Explain the part about dying.

    8. Re:P2P?! Oh no! by mattwarden · · Score: 2, Insightful

      Spoken like an IT genius who doesn't understand a thing about non-technical business folk, especially non-technical government folk.

      Would you care to estimate the percentage of end users who will copy&paste everything from this shiny new fully-encrypted fully-audited health records management system into their personal collection of word docs and excel sheets?

    9. Re:P2P?! Oh no! by p0tat03 · · Score: 3, Insightful

      That makes no sense. Public health care has nothing to do with an advanced IT system; up here in Canada we didn't have anything that can even share files between doctors until relatively recently (less than a decade). The public health care system works without it.

      The GP's point is that given this sort of system in a private health care environment, abuse is not only probable, but inevitable.

    10. Re:P2P?! Oh no! by commodore64_love · · Score: 2, Informative

      >>>your health history is not your employer's business.

      It's not their business about my IRS or SS earnings either, and yet a potential employer (CarMax) still managed to recover my annual income levels for the last 10 years, and uncovered that I was unemployed for most of 2003 ("Your income levels were near-zero that year; what happened?"). You're naive if you think your information is secure.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    11. Re:P2P?! Oh no! by mattwarden · · Score: 2, Informative

      If the data is being displayed, then it is unencrypted in memory. The doctor doesn't have to do anything. An enterprising IT individual who understands the doctor's wishes to manage the data in their own way will write a tool -- perhaps even open source -- that will extract the data from memory and output to a comma separated file. Done.

  2. Wrong issue by ZouPrime · · Score: 5, Insightful

    The issue here isn't P2P networks. The issue is government employees either loading confidential data on non-approved environments, or unauthorized software being installed on supposedly restricted environments. Both these problems must be addressed with traditional security controls that are completely independent of P2P technologies.

    1. Re:Wrong issue by evilkasper · · Score: 5, Insightful

      Exactly. Until the people handling the sensitive or classified material learn how to handle it with the care it needs, we will keep seeing things like this. I mean, how many times a week do we see something about a lost or stolen laptop or device that contained sensitive information? The issue (as per normal) is the USERS.

    2. Re:Wrong issue by ValentineMSmith · · Score: 5, Insightful

      Neither the story nor the summary mentioned anything about government employees. The private sector is just as capable of screwing up as the government is.

      --
      Karma: Chameleon - mostly influenced by bad '80s New Wave music
    3. Re:Wrong issue by mc1138 · · Score: 3, Informative

      I used to work as an IT outsourcer, and security becomes a big headache with lots of Doctors. Quite often Doctors like to be able to work from home either via VPN or some other remote solution, or just taking work home with them. Then comes the problem that most of them aren't very technically inclined and/or let their kids do whatever they want. It doesn't matter how much training or what you implement, Doctors, especially those with private practices, will always find a way to mess things up and pose security risks.

    4. Re:Wrong issue by __aajwxe560 · · Score: 3, Interesting

      The private sector indeed is just as capable at screwing this up. In my own experience doing some moonlighting systems/network consulting, I have come across a Doctor's office that had a wide open network hanging off of a cable modem connecting with a Comcast business account, no firewall, Windows desktops completely open. The home-based DLink router they had as a central hub did actually have some base firewall capabilities, but a previous consultant thought it was interfering with a software capability to talk to the insurance company, and so thoughtfully turned it off completely.

      You would think a hospital with their own full time technical staff might rank better. A prominent Boston area hospital was building out a branch location in the suburbs. I visited to install an Oracle server, and noticed that because of constraints on network cabling at the time, they were using Linksys wireless throughout the office for connectivity, with no encryption. I raised this concern immediately with the director of the office, but was told not to worry, as this was only a "temporary" solution until they could get a cabling vendor in to run something more formal. My largest concern was that this office was still directly tied into the back-end of the main hospital data network, and thus, from the parking lot, it was trivial at best to get onto the hospital network.

      I understand these are only two limited examples, but there still lacks any real capabilities to be able to keep medical records secure throughout the chain. Until something akin to PCI for medical records really takes place, complete with audit controls, etc., I don't see the situation changing all that much. PCI itself has flaws, but it is an attempt to actually place controls on credit card data from swipe to credit card company.

    5. Re:Wrong issue by Ihmhi · · Score: 2, Funny

      but the concept of storing medical info and data in something like Google Docs just leaves me cold and clammy.

      Considering that as well as the other symptoms I read on your chart that I downloaded from Limewire, I really think you should see your doctor!

  3. Wouldn't a better headline be... by scbomber · · Score: 2, Insightful

    "Clueless docs store patient data on wide-open PCs?"

  4. Re:The government doesn't give ... by mspohr · · Score: 2, Funny

    I personally pay my taxes by check in the mail and no guns are involved. If you are paying your taxes at gunpoint then I think you may be doing it wrong. Perhaps you are actually paying it to a local bandito group.

    There are several things to check. 1. Do you get a receipt? 2. Do they say thank you? 3. Do you have an opportunity to fill out a customer service questionnaire? 4. Do they have a toll free number to call if you have questions about your payment?

    If you cannot answer 'Yes' to all of these questions, then the people with guns are probably not a legitimate government and you should call your local sheriff to run them off. (You can find the number for your local sheriff in the telephone book under 'Government services'. The sheriff is funded by your taxes and is happy to assist in running off banditos.)

    --
    I don't read your sig. Why are you reading mine?
  5. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  6. The real problem here... by jsiren · · Score: 2, Insightful

    If a doctor kept medical records on paper in a filing cabinet at home, would they let anybody else touch that cabinet?

    The real problem here is that doctors take patient information home on a laptop, then allow somebody else to access that laptop. It's easiest to just get another laptop for the kids and not let them near your work computer.

    --
    Usage: km/h for speed (kilometers per hour); kph for very slow impulses (kilopond hours).
  7. Did some work for a pharmacy by transporter_ii · · Score: 2, Interesting

    And part of what I needed to do was block myspace, etc., on the LAN. But the head pharmacist had some P2P running on his computer (it's good to be the king). I remember thinking at the time how insecure to run P2P on a business machine with a lot of confidential information on it.

    I don't think the customer data was stored locally, but that doesn't stop spyware, key loggers, etc., from still being an issue.

    Free music or maintaining the integrity of customer data. That's a tough call.

    transporter_ii

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  8. It's an idiot user problem by PPH · · Score: 3, Interesting

    I have a friend who runs an insurance investigation business. A lot of his data includes claimants' medical, criminal, income, and other assorted records. He has several investigators working in his office, each with a PC (fortunately, no laptops) and all behind a secure(?) firewall. From time to time, I've helped him configure or repair his network and/or desktop systems. In doing so, I've noted that every system has their C: drive shared out on the LAN with read/write privileges granted to everyone else in the office. In spite of the problems with security or system corruption (why anyone would need to share out all their system .DLLs with write permission is beyond me), he insists that everyone in the office 'needs' complete access to everyone else's files. A disaster waiting to happen, IMO.

    People just don't understand, or give a sh*t about the consequences of lax data security. P2P networks, or the mis-configuration of file sharing s/w is just one symptom of this.

    --
    Have gnu, will travel.
  9. GATTACA is fiction by CrankinOut · · Score: 3, Interesting

    and this concern about access to medical records is paranoia.

    Federal law (Health Insurance Portability and Accountability Act - or HIPAA) levels serious legal liability on "any doctor who asks" (or any other person in a health-care organization who looks at a medical record outside of their job responsibilities). By definition, this, then, is not "public sharing of information." XYZ company is not entitled to look at your health information.

    Do errors occur? Hell, yes, they do. Laptops get stolen, people screw up. But to deny the benefits of having access to critical information in emergency situations, or to avoid repeating a test done last week, or to avoid a person getting a medication that doesn't work because another doctor recently changed another of the meds, or to get a drug that can be fatal to a person because the information wasn't available, is to say that you'd rather life be a crap-shoot.

    The way for this technology to get better is for people to work on the solutions to the issues of security and privacy, not to keep medicine in the stone-age of information utility.

    For an interesting read about why this is so important, read the Medicare Annual Report. Everyone's payroll taxes have to go up 3.5 percent to cover the estimated shortfall of Medicare for the next 75 years (I expect to retire sometime in that timeframe). With life expectancy increasing, and the baby boom generation in retirement for the next 40-50 years, OASDI and MMS look to take a bigger bite out of everyone's paycheck.

    One solution to this projected problem is to reduce the cost of healthcare by reducing errors, repeating unnecessary tests because of lack of access to a record, having technology that alerts clinical staff (doctors aren't going to be the only people providing medical care) to potential interactions, matching medications/treatments to genetic likelihood of therapeutic benefit, and enabling greater home health care. All of these opportunities require increasing use of information technology.

    Good luck with that heart condition.