Americans Trust Docs, But Not Computerized Records

Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."

Not Too Surprising

[BJ_Covert_Action]

It seems like most of us Americans are also content to trust our eternal souls and moral decisions to an imaginary sky fairy with an epic beard.

But on a more serious, and less inflammatory note, this probably has to do with the very high incidence rate of folks in the U.S. getting their financial accounts cracked. Anyone who has had to frack about with their bank or credit agency regarding X many thousands of dollars being debited from their account due to some mysterious "hacker" that stole their identity is probably pretty suspicious of putting any important personal data on the internet period.

Amusingly?

[Daetrin]

"Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."

It seems we can't have a week go by without some article showing up on Slashdot about how the average person don't have "sufficient" security on their various electronic devices and programs. In which case if those same average people are concerned about a particular set of records being compromised couldn't it be considered wise that they'd rather have someone else who should (theoretically) have better safeguards in place handle those records?

Not amusing. Sensible.

[BlueParrot]

Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.

What the hell is amusing about this? I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself. For the same reason I keep my money in a bank as opposed to underneath my mattress. Now granted some doctors may have lax security, but for myself to keep the records in addition would just open up more avenues of attacks. The only good reason I can see why I would keep such records myself is to ensure I have a backup of them if my doctor was to screw up and erase them by accident or something.

Re:Not amusing. Sensible.

[Jah-Wren+Ryel]

I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself.

The problem is that you can't trust "the pros" to act in your best interests. Money is 100% fungible and misuse is pretty straight-forward -- a bank steals your money and its obvious what happened. But for someone doing searches of healthcare records it is much harder to tell if the intent is nefarious. Even the people doing the searches may not fully understand the implications themselves - ala netflix's "anonymised" data fiasco.

What we need is less centralisation, not more. The push for electronic records in healthcare is inexorable, so we need to develop systems that inherently limit access. Not just fancy permission bits that can be ignored with the right privileges, but actually keeping the data physically inaccessible to those who don't absolutely need it. The best way to do that is to decentralise.

For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted too prevent loss of the phone exposing records.

If we had a system where each person was responsible for their own information, then the overhead of widescale misuse would be significantly increased. You'll never stop one-off abuses, but you can design a system that (a) makes widescale abuse difficult and (b) makes it easy for individuals to safely manage their own records.

Right now are moving to the worst of both worlds - centralisation of data with protection no better than flimsy laws subject to interpretation and rewriting by people with money and interests that conflict with that of the patient.

Re:Not amusing. Sensible.

[ColdWetDog]

For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted too prevent loss of the phone exposing records.

1. I don't have a smartphone.
2. I forgot my smartphone, do I have to go back home to get it?
3. The insurance company needs to drop a bill, do they text message you to get the data?
4. Medicare wants to audit the hospital. Do they text a message to get the data?
5. Oops, my smartphone got squashed when I got run over by a bus and they need my data ASAP, now what do I do?
6. Oops, the cell phones are down again.

No, this makes no sense at all. People don't WANT to manage their information. Most people CAN'T manage their information.

Common Law

[Gonoff]

In the UK, and therefore probably the USA too, there is a Common Law expectation of privacy in this situation.

If I tell my neighbour over the garden fence that I am going in for a prostate examination tomorrow, there is not necessarily a legal duty on the part of my neighbour to keep this confidential,If a different neighbour is my doctor it is very different. I can reasonably expect that they will not blab about it at a party.

That common law duty extends to keeping the matter private as best they can. They should not leave printed notes on display. They should not send it around by insecure fax, unencrypted email or put it on Twitter.
They should, in fact, take every reasonable precaution to ensure that this matter stays secret until I choose to let it be known. Reasonable precautions include things like having firewalls and controlled access to my data.

If a doctor, hospital or any other medical organisation, does not take suitable actions to protect such patient information, there are specific laws in developed countries (and most undeveloped ones) which will penalise them even if no information leaks out. My earlier comments on Common Law are because we don't even need written laws to deal with this. Common law is the effect of all those books full of legal precedents that lawyers have on their walls.
If the doctors don't even have firewalls and a patient finds out lawyers could get busy...

Re:Not unfounded.

[Stregano]

It depends on what you are diagnosed with or what doctor you go to. If you have a medical marijuana card, you do not want hard copies. Many dispensaries get raided, and then the feds have your information and you get marked as a pothead. If they are digital, if there is a raid, most professional places have ways of handling digital documents properly. Something like that would be an instance where I don't want teh feds to have my records. And shut your lips, I have a condition I am getting treated for and need a way to get rid of the pain. You are not my doctor Mr. Judgy McJudgy Pants