Americans Trust Docs, But Not Computerized Records
Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."
People notice when their filing cabinet goes missing; they are less likely to notice the theft of digital records. This does make it more likely that employees, etc., will abscond with the data.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It seems like most of us Americans are also content to trust our eternal souls and moral decisions to an imaginary sky fairy with an epic beard.
But on a more serious, and less inflammatory note, this probably has to do with the very high incidence rate of folks in the U.S. getting their financial accounts cracked. Anyone who has had to frack about with their bank or credit agency regarding X many thousands of dollars being debited from their account due to some mysterious "hacker" that stole their identity is probably pretty suspicious of putting any important personal data on the internet period.
"30% and 34% of doctors lack basic anti-virus software and network firewalls" ... what? How is this legal?
You will always have uneducated and educated people. And you will have educated people who aren't computer savvy. This means you will end up with a percentage (probably based on region - I feel sorry for people in the midwest) of doctors whose offices are completely insecure, and all it would take is a patient walking in with the appropriate thumb drive at the appropriate time.
BAM! Access to the doctor's office is now at hand and anyone's records can be had.
Very few people who would do this sort of activity in other situations are doing it for fun. I can only think doing this to make money would be something that would be a scheme, to mostly blackmail people of a region with the largest percentage of ignorant and uneducated people. Who, ironically enough, are going to be sick more and thus go to the doctor more... But how, or why, to exploit these people who have nothing to give is beyond me.
But rich people also go to doctors from time to time as well... so what then?
"Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."
It seems we can't have a week go by without some article showing up on Slashdot about how the average person doesn't have "sufficient" security on their various electronic devices and programs. In which case, if those same average people are concerned about a particular set of records being compromised, couldn't it be considered wise that they'd rather have someone else who should (theoretically) have better safeguards in place handle those records?
and probably 80% of doctors over 45 have a password of "password"
What the hell is amusing about this? I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself. For the same reason I keep my money in a bank as opposed to underneath my mattress. Now granted some doctors may have lax security, but for myself to keep the records in addition would just open up more avenues of attacks. The only good reason I can see why I would keep such records myself is to ensure I have a backup of them if my doctor was to screw up and erase them by accident or something.
The majority of doctor's offices I've been around aren't connected to the Internet at all. For instance, my wife's practice has a WPA2 secured Wi-Fi network so that her laptop (whole-drive TrueCrypt) can talk to the database server that manages her records, and none of the hosts on the WLAN have any form of Internet connection. As it turns out, they do have AV programs (MS Security Essentials), but without any removable media coming into the office and no net connection, it's pretty much just a formality.
My kid's orthodontist's network has Internet access, but it's a bunch of Macs behind a firewall+NAT and a strict "no personal browsing at the office" policy. (I know this because I bartered net admin chores for dental work :-) ).
I'm certain there are insecure medical offices, but the doctors I've talked to are so terrified HIPAA that they'll take almost any security tips you give them.
Dewey, what part of this looks like authorities should be involved?
Why doesn't some organization come up with a set of standards and best practices to ensure that HIPAA protected data is actually protected as it should be? I'm thinking something like the PCI security council started by the credit card companies that mandates a set of rules and best practices that have to be followed for all merchants that handle credit cards.
Following the PCI standard doesn't guarantee data security, but it is a big step in the right direction. Doctors need the same kind of prodding to get them to implement real security controls and not just say "Oh, well i checked the WEP encryption box on my Wifi router, so all of my data is encrypted and safe - I know it's safe because I backed up my patient records to my iPhone".
Why are people so worried about their medical information going public?
First of all, you can't get most people to shut up about what happened at the doctor's office. (And the older the person, the more likely this will dominate their idea of interesting conversation.)
And if this guy can't get a few days' quiet time to himself before he dies, then just who the fuck do the rest of us think we are?
Frankly, I'm going to start posting the boroscope videos of my colonoscopies. Hopefully the karma buildup will mean -- when the time comes to hole up in the hospice eating ring-dings by the boxful and watching DVDs of Firefly in my last few days -- that nobody will even think to bother me.
Doctors fail more than machines. These are the same folks who have tried to kill me several times, often have no idea about me when I visit because they fail to read charts, and prescribe medicine they feel comfortable with instead of checking actual studies.
As a physician, the article misses a few points.
First, most hospitals currently use online recording notes of some sort, or at least a hybrid system with paper charts and computerized charts. While I can believe 30% lack firewalls and antivirus software, the systems that record patient information are highly governed and regulated. HIPAA provides strict guidelines on access control and on how data can be managed remotely (e.g., logging in from the office to check hospital records on a patient that was transferred, etc.).
For someone looking to 'steal' records, it would be much easier to break a window, jimmy a file cabinet and run off with records than 'hack' into an online patient registry and steal information.
Pre-existing conditions and job discrimination are the big fears with computerized records.
One has to wonder if you can make money at setting up an online database with encryption, where access is only granted through virtual machines to prevent viruses, malware, etc., and contracting out with doctors and hospitals. I'm just musing here that it seems like this would allow fairly good security with less chance of problems.
Who guards the data on the other end? I have found 3 types of guardians of data: 1. a corporation with no liability, and legally capable of selling data; 2. a corporation that is not very good at security; 3. both.
"Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records." These are the smart ones.
...or Betty in Records getting snoopy.
What I worry about are the 23872832387 "health information sharing authorization" forms I'm basically required to sign every time I do anything remotely related to my health care, whether in the physician's office, renewing benefits at work, etc.
With paper records, the insurance companies, employers, and others who are constantly looking for a way to use your health status against you had to work a damn sight harder to get their hands on this info.
With electronic records, it makes it much easier for people who formerly wouldn't be able to make sharp-pencil decisions about coverage or other tangential decisions to make your life harder.
I'm sure somehow electronic records make healthcare "more efficient" but at the same time the controls and aggregation of this data in the hands of people whose mission is to make Lloyd Blankfein richer scares me. I'm sure it's a problem long-term, but there are a number of issues I won't discuss with my doctor because once into the computer, I'm afraid of where they'll go.
I work for a large regional provider of EMR hardware and software and I can tell you first hand that you should be afraid, very afraid, of anything your Dr. does with health records that involves a computer. Anti-virus is the tip of the iceberg. You install it for them and their brother-in-law who's a burger flipper helpfully uninstalls it to "speed things up." Hilarity ensues. Entire offices are implementing EMR that refuse separate usernames and passwords because it's "just too damn hard to remember all that," so everyone logs in as "user" with some simple password; that's if they even bother to log in or off at all. Of course they have to have admin rights because it's their hardware and they know what's best.
Since most of the offices that are being force-fed EMR because of the lure of up to $44,000 in "stimulus" funds are smaller practices, they don't have domains that can be used to enforce universal security policies.
The larger ones, sure, but most of them already use EMR and have on site servers etc. along with the requisite firewalls and VPNs. The vast majority of the new ones though are being sold "cloud" based systems with no local servers at all, so it's a friggin' free for all in terms of security (or lack thereof). They're just lining up for a swipe at the stimulus golden ring but half of them shouldn't even be entrusted with anything as complicated as a TV remote, let alone computer systems.
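The shared-login problem described above leaves a trace in the EMR's own access log: one account appearing on several workstations at the same time. The following is an added example, not code from the thread or from any EMR product; the log format, usernames and patient IDs are all constructed.

```python
"""Flag shared-account use in constructed EMR access-log lines.

Assumed (made-up) log format, one record per line:
    timestamp,username,workstation,patient_id,action
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the generic 'user' account is used from three different
# workstations within a few minutes, while 'dr.alvarez' stays on one machine.
SAMPLE_LOG = """\
2011-03-14T09:00:12,user,FRONTDESK-1,P1001,view
2011-03-14T09:01:40,user,EXAM-2,P1002,view
2011-03-14T09:02:05,dr.alvarez,EXAM-1,P1001,update
2011-03-14T09:03:30,user,EXAM-3,P1003,view
2011-03-14T09:45:00,user,FRONTDESK-1,P1004,view
2011-03-14T10:15:00,dr.alvarez,EXAM-1,P1003,update
"""


def parse_log(text):
    """Parse the constructed CSV-style log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "workstation": workstation, "patient": patient,
                        "action": action})
    return records


def find_shared_accounts(records, window=timedelta(minutes=10), min_workstations=2):
    """Return {username: set(workstations)} for accounts seen on at least
    min_workstations distinct workstations inside any sliding time window.
    A single person cannot be at three exam rooms in ten minutes, so this is
    a strong signal that the credential is shared."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            seen = {start["workstation"]}
            for later in recs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                seen.add(later["workstation"])
            if len(seen) >= min_workstations:
                flagged[user] = flagged.get(user, set()) | seen
    return flagged


def unattributable_accesses(records, flagged):
    """Count patient-record accesses that cannot be tied to an individual
    because they were made with a shared account. This is the audit gap a
    HIPAA-style access review would have to explain."""
    return sum(1 for rec in records if rec["user"] in flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    shared = find_shared_accounts(recs)
    for user, machines in shared.items():
        print(f"shared account '{user}' seen on: {sorted(machines)}")
    print("accesses with no individual accountable:",
          unattributable_accesses(recs, shared))
```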
Then != than you morons.
Perhaps that number is completely meaningless. I've noticed anecdotally that many doctors have Macs, perhaps 34% have Apple computers and don't need antivirus?
Also, for firewall, do they mean a separate dodgy product, and are they ignoring the quite reasonable MS Windows and Apple firewalls? How about the situation where just about every modem or router made after about 2005 has half-decent firewall rules as a default?
It's not as if 34% of these computers are actually naked to the net.
Firstly, the security of EHRs depends largely on how the network on which they are stored implements security. Thus, your giants, like Children's Hospitals for instance, may have a nice security model in place for global settings. However, the article, being more about private practice, presents some high level of risk. "Computer savvy" may mean two different things to two different folks. This is the reason I have no intention of trusting my private physician.
One would hope that HRSA, or the HIPAA law, would have some plan/guideline laid out for security at the private practice. Moreover, it would be better if private practices could pool their money and contract large reputable IT firms to implement their security, as opposed to cousin Vinny dropping in to install AVG Free. I for one believe the health care system is very flawed at the level of private practice, and this needs further attention. I'm not certain what the correct approach would be, though in the end, some folks will be displeased with the results.
As a security Officer once told me, "Security is not an achievement, but an ongoing battle"
What about all the vendor systems / medical devices that run Windows but are not installing updates, and the vendors say you are not to install them or they just lock you out of the admin password?
Maybe all the info should be stored on some "cloud" somewhere.
Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.
I find this statement damn interesting, certainly more so than amusing. This sounds like the general public is becoming more knowledgeable than I would have guessed.
There may be weird cases where you evaluate the only 4 network providers within 40 miles of you, and 3 have good IT and sloppy care, and the last one has good care and sloppy IT. Med is a weird profession, I'd grudgingly take the good care with bad IT in a pinch.
Most think that consultant surveys are BS produced to boost sales of their own products and services.
In the UK, and therefore probably the USA too, there is a Common Law expectation of privacy in this situation.
If I tell my neighbour over the garden fence that I am going in for a prostate examination tomorrow, there is not necessarily a legal duty on the part of my neighbour to keep this confidential. If a different neighbour is my doctor, it is very different. I can reasonably expect that they will not blab about it at a party.
That common law duty extends to keeping the matter private as best they can. They should not leave printed notes on display. They should not send it around by insecure fax, unencrypted email or put it on Twitter.
They should, in fact, take every reasonable precaution to ensure that this matter stays secret until I choose to let it be known. Reasonable precautions include things like having firewalls and controlled access to my data.
If a doctor, hospital or any other medical organisation, does not take suitable actions to protect such patient information, there are specific laws in developed countries (and most undeveloped ones) which will penalise them even if no information leaks out. My earlier comments on Common Law are because we don't even need written laws to deal with this. Common law is the effect of all those books full of legal precedents that lawyers have on their walls.
If the doctors don't even have firewalls and a patient finds out lawyers could get busy...
I know the popular thing is to constantly cry about our precious privacy, but I'm more worried about my medical records not showing up when they are needed, not the other way around. I'm thinking of allergies, drug interaction, and relevant medical history during emergencies, and the like.
So from the article you can find that O'Keefe and Co. and ResearchNow are the folks responsible for conducting the survey... O'Keefe is a PR firm, ResearchNow is a provider of data collection tools, neither seem to be all that involved in independent studies of citizen welfare... So who footed the bill? CDW Healthcare
CDW was Computer Discount Warehouse years ago and now they are either CDW or CDWg (CDW Healthcare is their healthcare products branch). I'm thinking maybe the healthcare data reform would lose business for them in some way, either by adding technology efficiency and thus reducing the need for their medical-tech services, or by regulations regarding technology which require certification they are not capable of achieving...
At the time my health care provider began implementing Electronic Medical Records, I was working as the network engineer and Information Security Officer for a fairly large organization that was also subject to HIPAA. I also was on the HIPAA technical implementation team for the organization. I was very concerned as to whether it would be done right and securely. Although I had no access to what back end controls the provider implemented, the front end I used to interact with it greatly exceeded my expectations. The advantages of such a system in terms of patient care and coordination among different doctors are something that anyone who has not been a part of such a system cannot really appreciate. Whether I went to my regular primary care doctor, an alternate doctor since I needed to see a doctor NOW since I was sick, or when I had to go to either a routine specialist appointment or for a diagnostic procedure, the doctors and medical personnel had ALL my medical records available. Think of how many times you have to list what medications you are taking whenever you see a different doctor. Think of how useful it might be to a doctor to see your detailed medical history to know whether something he or she was considering might be contraindicated by something in that history. Also, when I had lab work done, I would get an email telling me to check the secure web site for results, often on the same day as the tests! Also I could send private emails on that site to my doctor and medical team and they could reply for routine questions. It was wonderful. Now, this was probably a special case since it was a closed HMO (to be specific, it was Kaiser Permanente in Georgia), and it worked and worked well. Unfortunately my employer dropped them as an option last year and I am now back with whatever doctors are on the current plan, and none are anywhere near this point technically.
Electronic Medical Records are not a panacea and they have to be done right or really could put you at risk. I still question whether this can be done the way medicine is practiced in this country. It has become a three way adversarial contest with the interests of the patients, the doctors and the insurance companies all going in different directions. In a three person zero sum game there are no winners.
Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.
We have banks for the same reason. Guess the stupid gene that had all those mental midgets trying to secure their money themselves for the past 700 years bred through to us ahmurkins. How amusing.
What is your recourse when, NOT IF, the records rotting in the 'cloud' get compromised? Not a damn thing. You'll sit there and fume like the WoW-playing office drone you are while the entire world, not just every government bureaucrat with a keyboard, rifles through your shit.
If the records kept at the hospital or doctor's office get out of hand, you know who is responsible. You won't need $8E6 worth of legal representation, some senator's private number and a class action lawsuit to get some answers.
People trust their doctors because their doctors are trustworthy; they are recognized professionals with reputations to maintain and vast liabilities if they fuck up. This is just the sort of concept that always evades the snarky malcontent fuckwits that find any of this "amusing."
I mean it, seriously! What is wrong with your medical history showing up online? How can anyone monetize it?
Seriously, what is with you privacy folks?
I actually want my medical history to be online so that different doctors can view it and suggest if something different could be tried. Honestly, I never trust the doctor. Doctors have a vested interest to push for an option in which they are good at. This happens very subtly and people may not notice it.
I have seen two common complaints about unlimited access to medical data. In my opinion both lack any merit.
1. Insurance rates go up: Sure they do. It's better that your insurance rates go up (if you have a problem, that is), as opposed to the entire community's. You are at fault so you pay for it.
2. Employer Screening: This is even better. The employer is the best judge (at least before hiring) on what the job takes. If you have a problem and you wanna hide it, how will it help you while you are performing the duties. It is better for the employer and the employee to have the access to medical records. For example, if you are a former drug addict, I wanna know that before I hire you.
FRANCE. That's right Captain America, the French beat you to the punch.
Snap to it Super-Soldiers!
One of my clients, a surgeon, used to get his computer so loaded up with spyware from porn or whatever that he would go to the corner computer, which happened to be his server, to use it to surf the web, lol.
because anything in electronic format is always going to be less secure than a paper format. Remember the most secure (running) computer is one that is not connected to a network.
The only question that remains is: Do the benefits of EHR outweigh the security risks?
You isolate them and do not allow access to those systems from the outside. Inside the network, you allow only carefully selected access and block everything else. It's not rocket science.
is probably the basis for most of it. You can't go a day without a news story or advertisement related to financial records being stolen. As with anything else, if you repeat it enough people are going to start to believe it.
Why are mission critical (to a physician) servers on the internet?
Not to down play the implications, but just how visible are these medical records servers on the internet?
My doctor does not own a computer. He keeps everything in file folders. I think that one full room of his office is just filled with filing cabinets containing patient records. He doesn't even Google for possible diagnoses.
Leslie Satenstein Montreal Quebec Canada
Believe it or not, this train of thought of the public is not entirely wrong. For instance, if medical records can be accessed by the internet and you know that there is a class of criminals hacking away at sensitive web sites for information that will profit them or their employer, then you would be nervous about that. The public knows that the doctor has a lot to lose if it is known that medical information was negligently or deliberately leaked. They also know that if access to it is too secure then the doctors will not be able to access it when needed.
If the medical records are given to you on a USB drive then that causes the "nervous dog with a bone" syndrome (from an Insurance Company TV ad). How will you access it? What if a hidden virus is on the PC you are using? If you copy it to your PC will your medical records ever be 100% safe from attack? Would I need to install an enterprise quality firewall to prevent that? What if the USB drive gets damaged, will I lose all of my medical records?
Remember that the more valuable the information is the harder it is to deal with the consequences of making it available electronically. Paper is a lot easier to secure than electronic records. It is difficult to clandestinely copy thousands of medical records on paper. It is difficult to access since the paper medical record itself must be transported. Paper medical records are difficult to overwrite and change. None of this is true with electronic records.
Discuss.