Slashdot Mirror
Americans Trust Docs, But Not Computerized Records
Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."
People notice when their filing cabinet goes missing, they are less likly to notice the theft of digital records. This does make it more likely that employees etc will abscond with the data.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It seems like most of us Americans are also content to trust our eternal souls and moral decisions to an imaginary sky fairy with an epic beard.
But on a more serious, and less inflammatory note, this probably has to do with the very high incidence rate of folks in the U.S. getting their financial accounts cracked. Anyone who has had to frack about with their bank or credit agency regarding X many thousands of dollars being debited from their account due to some mysterious "hacker" that stole their identity is probably pretty suspicious of putting any important personal data on the internet period.
Motorcycles, Robots, Space Gossip and More!
"30% and 34% of doctors lack basic anti-virus software and network firewalls" ... what? How is this legal?
You will always have uneducated and educated people. And you will have educated people who aren't computer savvy. This means you will end up with a percentage (probably based on region - I feel sorry for people in the midwest) of doctors who offices are completely unsecure and all it would take is a patient walking in with the appropriate thumb drive at the appropriate time.
BAM! Access to the doctor's office is now at hand and anyone's records can be had.
Very few people who would do this sort of activity in other situations are doing it for fun. I can only think doing this to make money would be something that would be a scheme, to mostly blackmail people of a region with the largest percentage of ignorant and uneducated people. Who, ironically enough, are going to be sick more and thus go to the doctor more... But how, or why, to exploit these people who have nothing to give is beyond me.
But rich people also go to doctors from time to time as well... so what then?
"Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."
It seems we can't have a week go by without some article showing up on Slashdot about how the average person don't have "sufficient" security on their various electronic devices and programs. In which case if those same average people are concerned about a particular set of records being compromised couldn't it be considered wise that they'd rather have someone else who should (theoretically) have better safeguards in place handle those records?
This Space Intentionally Left Blank
and probably 80% of doctors over 45 have a password of "password"
What the hell is amusing about this? I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself. For the same reason I keep my money in a bank as opposed to underneath my mattress. Now granted some doctors may have lax security, but for myself to keep the records in addition would just open up more avenues of attacks. The only good reason I can see why I would keep such records myself is to ensure I have a backup of them if my doctor was to screw up and erase them by accident or something.
The majority of doctor's offices I've been around aren't connected to the Internet at all. For instance, my wife's practice has a WPA2 secured Wi-Fi network so that her laptop (whole-drive TrueCrypt) can talk to the database server that manages her records, and none of the hosts on the WLAN have any form of Internet connection. As it turns out, they do have AV programs (MS Security Essentials), but without any removable media coming into the office and no net connection, it's pretty much just a formality.
My kid's orthodontist's network has Internet access, but it's a bunch of Macs behind a firewall+NAT and a strict "no personal browsing at the office" policy. (I know this because I bartered net admin chores for dental work :-) ).
I'm certain there are insecure medical offices, but the doctors I've talked to are so terrified HIPAA that they'll take almost any security tips you give them.
Dewey, what part of this looks like authorities should be involved?
Why doesn't some organization come up with a set of standards and best practices to ensure that HIPAA protected data is actually protected as it should be? I'm thinking something like the PCI security council started by the credit card companies that mandates a set of rules and best practices that have to be followed for all merchants that handle credit cards.
Following the PCI standard doesn't guarantee data security, but it is a big step in the right direction. Doctors need the same kind of prodding to get them to implement real security controls and not just say "Oh, well i checked the WEP encryption box on my Wifi router, so all of my data is encrypted and safe - I know it's safe because I backed up my patient records to my iPhone".
Why are people so worried about their medical information going public?
First of all, you can't get most people to shut up about what happened at the doctor's office. (And the older the person, the more likely this will dominate their idea of interesting conversation.)
And if this guy can't get a few days' quiet time to himself before he dies, then just who the fuck do the rest of us think we are?
Frankly, I'm going to start posting the boroscope videos of my colonoscopies. Hopefully the karma buildup will mean -- when the time comes to hole up in the hospice eating ring-dings by the boxful and watching DVDs of Firefly in my last few days -- that nobody will even think to bother me.
Drs fail more than machines. These are the same folks who have tried to kill me several times, often have no idea about me when I visit because they fail to read charts, and prescribe medicine they feel comfortable with instead of checking actually studies.
pre existing conditions and job discrimination are the big fears with Computerized Records.
On the other end of what? Her records never leave her office network, which is the most common arrangement I've seen.
Dewey, what part of this looks like authorities should be involved?
"Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records." These are the smart ones.
...or Betty in Records getting snoopy.
What I worry about are the 23872832387 "health information sharing authorization" forms I'm basically required to sign every time I do anything remotely related to my health care, whether in the physician's office, renewing benefits at work, etc.
With paper records, the insurance companies, employers, and others who are constantly looking for a way to use your health status against you had to work a damn sight harder to get their hands on this info.
With electronic records, it makes it much easier for people who formerly wouldn't be able to make sharp-pencil decisions about coverage or other tangential decisions to make your life harder.
I'm sure somehow electronic records make healthcare "more efficient" but at the same time the controls and aggregation of this data in the hands of people whose mission is to make Lloyd Blankfein richer scares me. I'm sure it's a problem long-term, but there are a number of issues I won't discuss with my doctor because once into the computer, I'm afraid of where they'll go.
I work for a large regional provider of EMR hardware and software and I can tell you first hand that you should be afraid, very afraid, of anything your Dr. does with health records that involve a computer. Anti-virus is the tip of the iceberg. You install it for them and their brother in law who's a burger flipper helpfully uninstalls it to "speed things up." Hilarity ensues. Entire offices are implementing EMR that refuse separate usernames and passwords because it's "just too damn hard to remember all that" so everyone logs in as user with some simple password; that's if they even bother to log in or off at all. Of course they have to have admin rights because it's their hardware and they know what's best.
Since most of the offices that are being force-fed EMR because of the lure of up to $44,000 in "stimulus" funds are smaller practices, they don't have domains that can be used to enforce universal security policies.
The larger ones, sure, but most of them already use EMR and have on site servers etc. along with the requisite firewalls and VPNs. The vast majority of the new ones though are being sold "cloud" based systems with no local servers at all, so it's a friggin' free for all in terms of security (or lack thereof). They're just lining up for a swipe at the stimulus golden ring but half of them shouldn't even be entrusted with anything as complicated as a TV remote, let alone computer systems.
Then != than you morons.
Perhaps that number is completely meaningless. I've noticed anecdotally that many doctors have Macs, perhaps 34% have Apple computers and don't need antivirus?
Also for firewall do they mean a separate dodgy product and are they ignoring the quite reasonable Ms Windows and Apple firewalls? How about the situation where just about every modem or router made after about 2005 has half decent firewall rules as a default?
It's not as if 34% of these computers are actually naked to the net.
Damned "Lupe." If only everyone were white there would be no problems, right?
what about all the vender systems / medical device that run windows but are no installing updates and the venders say you are not to install them or they just lock you out of the admin password.
On the other end of what? Her records never leave her office network, which is the most common arrangement I've seen.
If she takes health insurance, then yes, plenty of data about her patients and up far beyond her control.
When information is power, privacy is freedom.
Maybe all the info should be stored on some "cloud" somewhere.
Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.
I find this statement damn interesting, certainly more so than amusing. This sounds like the general public is becoming more knowledgeable than I would have guessed.
There may be weird cases where you evaluate the only 4 network providers within 40 miles of you, and 3 have good IT and sloppy care, and the last one has good care and sloppy IT. Med is a weird profession, I'd grudgingly take the good care with bad IT in a pinch.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
In the UK, and therefore probably the USA too, there is a Common Law expectation of privacy in this situation.
If I tell my neighbour over the garden fence that I am going in for a prostate examination tomorrow, there is not necessarily a legal duty on the part of my neighbour to keep this confidential,If a different neighbour is my doctor it is very different. I can reasonably expect that they will not blab about it at a party.
That common law duty extends to keeping the matter private as best they can. They should not leave printed notes on display. They should not send it around by insecure fax, unencrypted email or put it on Twitter.
They should, in fact, take every reasonable precaution to ensure that this matter stays secret until I choose to let it be known. Reasonable precautions include things like having firewalls and controlled access to my data.
If a doctor, hospital or any other medical organisation, does not take suitable actions to protect such patient information, there are specific laws in developed countries (and most undeveloped ones) which will penalise them even if no information leaks out. My earlier comments on Common Law are because we don't even need written laws to deal with this. Common law is the effect of all those books full of legal precedents that lawyers have on their walls.
If the doctors don't even have firewalls and a patient finds out lawyers could get busy...
I'll see your Constitution and raise you a Queen.
I know the popular thing is to constantly cry about our precious privacy, but I'm more worried about my medical records not showing up when they are needed, not the other way around. I'm thinking of allergies, drug interaction, and relevant medical history during emergencies, and the like.
sic transit gloria mundi
At the time my health care provider began implementing Electronic Medical Records I was working as the network engineer and Information Security Officer for a fairly large organization that was also subject to HIPAA I also was on the HIPAA technical implementation team for the organization. I was very concerned as to whether it would be done right and securely. Although I had no access to what back end controls the provider implemented, the front end I used to interact with it greatly exceeded my expectations. The advantages of such a system in terms of patient care and coordination among different doctors is something that anyone who has not been a part of such a system can not really appreciate. Whether I went to my regular primary care doctor, an alternate doctor since I needed to see a doctor NOW since I was sick, or when I had to go to either a routine specialist appointment or for a diagnostic procedure the doctors and medical personnel had ALL my medical records available. Think of how many times you have to list what medications you are taking whenever you see a different doctor. Think of how useful it might be to a doctor to see your detailed medical history to know whether something he or she was considering might be contraindicated by something in that history. Also when I had lab work done, I would get an email telling me to check the secure web site for results often on the same day as the tests! Also I could send private emails on that site to my doctor and medical team and they could reply for routine questions. It was wonderful. Now, this was probably a special case since it was a closed HMO to be specific, it was Kaiser Permanente in Georgia -- and it worked and worked well. Unfortunately my employer dropped them as an option last year and I am now back with whatever doctors are on the current plan and none are anywhere near this point technically. Electronic Medical Records are not a panacea and they have to be done right or really could put you at risk. I still question whether this can be done the way medicine is practiced in this country. It has become a three way adversarial contest with the interests of the patients, the doctors and the insurance companies all going in different directions. In a three person zero sum game there are no winners.
Yes, HIPAA does provide "strict guidelines," but how often do they audit? Guidelines are useless when not followed. I have several clients who are doctors/dentists and I know more about HIPAA than they do. To them, it's just a piece of paper w/ rules written on it.
Much easier than parking in the lot, cracking a weak WEP key and having a field day on the network? I think not.
When you recognize love in another and realize how precious it is, everything else seems so insignificant.
I mean it, seriously! What is wrong with your medical history showing up online? How can anyone monetize it?
Seriously, what is with you privacy folks?
I actually want my medical history to be online so that different doctors can view it and suggest if something different could be tried. Honestly, I never trust the doctor. Doctors have vested interest to push for a option in which they are good at. This happens very subtly and people may not notice it.
I have seen two common complaints about unlimited access to medical data. In my opinion both lack any merit.
1. Insurance rates go up: Sure they do. Its better that your insurance rates go up (if you have a problem that is), as opposed to the entire community's. You are at fault so you pay for it.
2. Employer Screening: This is even better. The employer is the best judge (at least before hiring) on what the job takes. If you have a problem and you wanna hide it, how will it help you while you are performing the duties. It is better for the employer and the employee to have the access to medical records. For example, if you are a former drug addict, I wanna know that before I hire you.
You isolate them and do not allow access to those systems from the outside. Inside the network, you allow only carefully selected access and block everything else. It's not rocket science.
is probably the basis for most of it. You can't go a day without a news story or advertisement related to financial records being stolen. As with anything else, if you repeat it enough people are going to start to believe it.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Why are mission critical (to a physician) servers on the internet?
Not to down play the implications, but just how visible are these medical records servers on the internet?
My doctor does not own a computer. He keeps everything in filefolders. I think that one full room of his office is just filled with filing cabinets containing patient records. He doesn't eveng Google for possible diagnosises
Leslie Satenstein Montreal Quebec Canada