Slashdot Mirror


Americans Trust Docs, But Not Computerized Records

Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."

28 of 162 comments

  1. Not unfounded. by Kenja · · Score: 2

    People notice when their filing cabinet goes missing, they are less likely to notice the theft of digital records. This does make it more likely that employees etc will abscond with the data.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Not unfounded. by Korin43 · · Score: 2

      But that would be hard.

    2. Re:Not unfounded. by MozeeToby · · Score: 2

      Why would you put it in a central database when you could just carry it around with you (and back up as required to wherever you chose)?

      Sure, fine, whatever. My point was that while the security and privacy concerns are certainly warranted, they can relatively easily be guarded against using standard, commodity software and hardware solutions. It isn't as though keeping information from falling into unauthorized people's hands is a problem that has never been encountered before in computer science.

      And to more directly answer your question, you might want it in a central DB so that if you're on vacation and end up in the hospital the doctor there can access your records and find out that you're allergic to such-and-such drugs, have a history of this-and-that disease, and here's what your blood pressure was when you went in for your physical 6 months ago. Personally, if it were properly secured, I would prefer the information be accessible from anywhere with an internet connection so long as I or someone I trust with it supplies you with the key.

    3. Re:Not unfounded. by khallow · · Score: 2

      only the patient keeps a record of his encryption key and allow him to request a new key at any time

      And what happens if the patient can't provide the key, say because they are unconscious and dying? At the least, there would have to be a somewhat centralized authority (that is, someone who is guaranteed to be there, not just a next of kin) with the power to provide a suitable key.

    4. Re:Not unfounded. by kullnd · · Score: 4, Informative

      It would not be possible to do this... A healthcare org has to refer to the patient records long after your visit is over. In a hospital, there is generally reporting that takes place which requires extensive reviews and audits of the care given, and a lot of these audits can take place nearly half a year after you were seen. There is also the fact that after your visit, the record will be reviewed for medical coding, which is how you, your insurance, and or the gov't are billed for the care that you were given. The idea that when you leave, your record is locked, is just not realistic. I can also say that the latest push by the federal government, with these EHR incentives, is pretty much going to do the opposite of what you are asking for.

      I have seen medical practices on both ends of the security fence, and it is sad... I've been in practices that I would never, ever, visit as a patient because I have no faith in how things are run there from an IT security view point... At the same time, I have worked with other organizations that do take security very seriously, and do everything possible to ensure that all data is kept private... The thing that really sucks is that you really have no way of knowing what type of office you are visiting until you see the report that your record has been leaked.

      Someone else posted in here that most practices are afraid of HIPAA and will do anything to keep things safe... Unfortunately I have seen a lot of practices that couldn't give a crap about HIPAA and won't listen to any reasons as to why they should not run bittorrent on their office computer. The bottom line is that until HIPAA and HITECH start producing more results, busting more practices, and making everyone aware that they do have teeth this is going to continue to be a problem. HIPAA has been around for a long time, but until HITECH came around it has been a joke, and only enforced in the worst of scenarios. I still think that both of the policies are too loose, and enforcement on those policies today is still largely reactive, when it's too late.

      --
      +++ATH0 NO CARRIER
    5. Re:Not unfounded. by Stregano · · Score: 3, Insightful

      It depends on what you are diagnosed with or what doctor you go to. If you have a medical marijuana card, you do not want hard copies. Many dispensaries get raided, and then the feds have your information and you get marked as a pothead. If they are digital, if there is a raid, most professional places have ways of handling digital documents properly. Something like that would be an instance where I don't want the feds to have my records. And shut your lips, I have a condition I am getting treated for and need a way to get rid of the pain. You are not my doctor Mr. Judgy McJudgy Pants

      --
      The world is how you make it
    6. Re:Not unfounded. by Z34107 · · Score: 2

      What you want is a PACS. These are generally expensive. I can't recommend any specific vendors, but you want to be very careful with HIPAA. They're also FDA regulated, so you also want to be careful about hacking anything together that could be functionally confused with a PACS.

      That said, I'd be really surprised if a radiology clinic didn't already have one (that "telerad" you alluded to?). I'd call up the vendor and ask what they can do; any modern system will speak DICOM, and a lot (if not most) of them can grab images from outside the facility.

      --
      DATABASE WOW WOW
    7. Re:Not unfounded. by demonlapin · · Score: 2

      There's nothing hypocritical about it. He doesn't want to go to jail; he does want to smoke weed. Hypocritical would be advocating for harsher penalties for pot possession.

  2. Not Too Surprising by BJ_Covert_Action · · Score: 3, Insightful

    It seems like most of us Americans are also content to trust our eternal souls and moral decisions to an imaginary sky fairy with an epic beard.

    But on a more serious, and less inflammatory note, this probably has to do with the very high incidence rate of folks in the U.S. getting their financial accounts cracked. Anyone who has had to frack about with their bank or credit agency regarding X many thousands of dollars being debited from their account due to some mysterious "hacker" that stole their identity is probably pretty suspicious of putting any important personal data on the internet period.

    1. Re:Not Too Surprising by |TheMAN · · Score: 2

      Considering how EHRs are going to be required in the near future, I'm not surprised that hospitals/doctors are still getting dragged kicking and screaming into the 21st century.

      HL7 was created in 1988, and over 20 years later, it still has very little penetration in the US. I had friends ask their acquaintances working at hospital IT departments, and many don't even know what HL7 is! Part of this is the government's fault (lack of incentives unlike European countries), but most of this is due to the lack of understanding and technophobia.

      The other problem is HL7 is epically hard to learn. There's a major shortage of trained/certified people to help hospitals deploy this right now. I'm trying to learn some of this so I can take on a job in Tokyo (part of getting my work visa approved involves understanding HL7). But with the lack of free resources or books, it appears to be a feat that requires divine intervention.

    2. Re:Not Too Surprising by demonlapin · · Score: 2

      lack of understanding and technophobia

      No, it's not technophobia. I'm a technophilic physician, and I know a lot of technophilic physicians, so I may be able to help you understand.

      EHRs really cover several different areas. Some areas clearly benefit from computerization; lab reporting is so clearly better done via computer than phone that it makes no sense not to. Having radiology studies available for review outside the radiology department is of significant benefit. Having transcriptions of dictated reports available is tremendously useful.

      Some areas are somewhat suspect. For example, nurses now often have to perform their hospital admission documentation on a computer. This is somewhat slower than using a handwritten method, and so nurses tend to dislike it - they are now doing data entry that is of only marginal benefit to them; the primary benefit is to the physician. Nonetheless, because a nurse will probably spend 20 minutes doing that admission work, the login/logout process is not usually painful (vital sign checks, on the other hand, are incredibly tedious on computer).

      Finally, there are areas where the benefit is fairly small by comparison to the cost. From a doctor's perspective, a brief note in the chart is a trivially easy way to make a small update on a patient's status or convey an important point to consultants - much faster than finding a computer, logging in, waiting for Windows to load (the VA, for example, does not have generic logins to Windows - in addition to logging into the EHR, you have to log into Windows to be able to access the EHR), loading the EHR software, logging into it, and then finding the appropriate spot to enter a note. You can't flip back and forth between two pages in an EHR, the way you can with a paper chart.

      With too many EHRs, doctors become data entry clerks for the hospital and insurance companies, and we don't like doing that. People are naturally resistant to changing how they do things if they bear all the cost while someone else reaps all the benefit.

    3. Re:Not Too Surprising by demonlapin · · Score: 2

      I don't know why you think that it's "thinking of yourself as a god" if you don't want to do painful data entry tasks, especially when the UI is a nightmare. Please, think of the UI. It's nearly always horrendous and painful, because even the good ones are designed by a guy who sits at the same desk every day and doesn't have to log into a different machine every ten minutes and get presented with the uncustomizable landing screen.

      I've worked in hospitals with a wide variety of electronic systems. The VA, for example, has everything on the computer. It is also very secure; there are not even generic logins to Windows. However, this means that every time you want to enter an order, you have to log into Windows, wait a minute or two for it to boot up, then start CPRS, then log into it, and then find the patient and begin ordering. Finding old notes is theoretically possible - everything is preserved - but there is no compartmentalization, and you'll have to look at the title of every single note generated by anyone at the VA - from a nurses' aide documenting urine output, to a pharmacist noting that a 90-day supply of medication X has been sent, to a PT/OT note, in order to find what you want. For those in VA nursing homes, especially, that can be a lot.

      At the university hospital where I trained, and at my current hospital, all lab reports and dictations (like admissions and discharges) are available in the systems for all visits after about 2000. Furthermore, the system only requires you to log into it - the Windows desktop does not have to be loaded. This is, to me, a much better system because it provides what I want - easy access to the most pertinent records - without increasing my workload appreciably. This is the crux of a lot of resistance: I can get 99% of what I want from a system that never makes me enter an order (and most order entry systems are clunky and slow) and that never makes me type a note (because the information I really need is almost always in the admission or discharge dictation). And the other 1%? I'm an anesthesiologist, and nobody ever sends the anesthesia records over. Ever.

  3. Huh? by thenickdude · · Score: 2

    "30% and 34% of doctors lack basic anti-virus software and network firewalls" ... what? How is this legal?

  4. Quite a conundrum... by Rooked_One · · Score: 2, Interesting

    You will always have uneducated and educated people. And you will have educated people who aren't computer savvy. This means you will end up with a percentage (probably based on region - I feel sorry for people in the midwest) of doctors whose offices are completely unsecure and all it would take is a patient walking in with the appropriate thumb drive at the appropriate time.

    BAM! Access to the doctor's office is now at hand and anyone's records can be had.

    Very few people who would do this sort of activity in other situations are doing it for fun. I can only think doing this to make money would be something that would be a scheme, to mostly blackmail people of a region with the largest percentage of ignorant and uneducated people. Who, ironically enough, are going to be sick more and thus go to the doctor more... But how, or why, to exploit these people who have nothing to give is beyond me.

    But rich people also go to doctors from time to time as well... so what then?

  5. Amusingly? by Daetrin · · Score: 3, Insightful

    "Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."

    It seems we can't have a week go by without some article showing up on Slashdot about how the average person doesn't have "sufficient" security on their various electronic devices and programs. In which case if those same average people are concerned about a particular set of records being compromised couldn't it be considered wise that they'd rather have someone else who should (theoretically) have better safeguards in place handle those records?

    --
    This Space Intentionally Left Blank
  6. Not amusing. Sensible. by BlueParrot · · Score: 4, Insightful

    Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.

    What the hell is amusing about this? I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself. For the same reason I keep my money in a bank as opposed to underneath my mattress. Now granted some doctors may have lax security, but for myself to keep the records in addition would just open up more avenues of attacks. The only good reason I can see why I would keep such records myself is to ensure I have a backup of them if my doctor was to screw up and erase them by accident or something.

    1. Re:Not amusing. Sensible. by Jah-Wren+Ryel · · Score: 4, Insightful

      I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself.

      The problem is that you can't trust "the pros" to act in your best interests. Money is 100% fungible and misuse is pretty straight-forward -- a bank steals your money and it's obvious what happened. But for someone doing searches of healthcare records it is much harder to tell if the intent is nefarious. Even the people doing the searches may not fully understand the implications themselves - ala Netflix's "anonymised" data fiasco.

      What we need is less centralisation, not more. The push for electronic records in healthcare is inexorable, so we need to develop systems that inherently limit access. Not just fancy permission bits that can be ignored with the right privileges, but actually keeping the data physically inaccessible to those who don't absolutely need it. The best way to do that is to decentralise.

      For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted to prevent loss of the phone exposing records.

      If we had a system where each person was responsible for their own information, then the overhead of widescale misuse would be significantly increased. You'll never stop one-off abuses, but you can design a system that (a) makes widescale abuse difficult and (b) makes it easy for individuals to safely manage their own records.

      Right now we are moving to the worst of both worlds - centralisation of data with protection no better than flimsy laws subject to interpretation and rewriting by people with money and interests that conflict with that of the patient.

      --
      When information is power, privacy is freedom.
    2. Re:Not amusing. Sensible. by ColdWetDog · · Score: 4, Insightful

      For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted to prevent loss of the phone exposing records.

      1. I don't have a smartphone.
      2. I forgot my smartphone, do I have to go back home to get it?
      3. The insurance company needs to drop a bill, do they text message you to get the data?
      4. Medicare wants to audit the hospital. Do they text a message to get the data?
      5. Oops, my smartphone got squashed when I got run over by a bus and they need my data ASAP, now what do I do?
      6. Oops, the cell phones are down again.

      No, this makes no sense at all. People don't WANT to manage their information. Most people CAN'T manage their information.

      --
      Faster! Faster! Faster would be better!
    3. Re:Not amusing. Sensible. by randallman · · Score: 2

      How about developing a standard medical record access protocol. Companies can compete to store your information. They would compete based on who guards the information best. A service is defined via URL. So if you want to grant a hospital access to your records, you supply the URL and credentials (maybe a key/certificate stored on a card). They use a standard access protocol to fetch and/or update the data. The standard may also define how the client (hospital) may access the records, preventing a leak from that side.

      On the client side, a dedicated machine would be a good idea. No web browsers or email clients installed, nor any other software that isn't necessary for interfacing with the medical records services. Strip it down and guard it enough so that there's no need for AV or other half-measures. For example, at the OS level there could be a whitelist of URLs accessible by the client application.

  7. Firewall what, exactly? by Just+Some+Guy · · Score: 3, Interesting

    The majority of doctor's offices I've been around aren't connected to the Internet at all. For instance, my wife's practice has a WPA2 secured Wi-Fi network so that her laptop (whole-drive TrueCrypt) can talk to the database server that manages her records, and none of the hosts on the WLAN have any form of Internet connection. As it turns out, they do have AV programs (MS Security Essentials), but without any removable media coming into the office and no net connection, it's pretty much just a formality.

    My kid's orthodontist's network has Internet access, but it's a bunch of Macs behind a firewall+NAT and a strict "no personal browsing at the office" policy. (I know this because I bartered net admin chores for dental work :-) ).

    I'm certain there are insecure medical offices, but the doctors I've talked to are so terrified of HIPAA that they'll take almost any security tips you give them.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:Firewall what, exactly? by yuna49 · · Score: 2

      Just curious, but how many of those HIPAA-fearing doctors use plain-text email to correspond with patients? How many of them have their email addresses on their business cards? I routinely ask providers if they realize that sending patient health information via e-mail is a HIPAA violation. Most haven't ever given the question a moment's thought.

  8. HIPAA security audits? by hawguy · · Score: 3, Interesting

    Why doesn't some organization come up with a set of standards and best practices to ensure that HIPAA protected data is actually protected as it should be? I'm thinking something like the PCI security council started by the credit card companies that mandates a set of rules and best practices that have to be followed for all merchants that handle credit cards.

    Following the PCI standard doesn't guarantee data security, but it is a big step in the right direction. Doctors need the same kind of prodding to get them to implement real security controls and not just say "Oh, well I checked the WEP encryption box on my Wifi router, so all of my data is encrypted and safe - I know it's safe because I backed up my patient records to my iPhone".

    1. Re:HIPAA security audits? by The+Grim+Reefer2 · · Score: 3, Informative

      The problem is that HIPAA is severely broken. Most hospitals violate some part of HIPAA countless times per day as it's not even possible to operate within its guidelines and be able to realistically treat patients. Another issue is the FDA understands how to deal with IT about as much as it knows how to build a Saturn 5 rocket.

      Here's an example that I've witnessed many times over the years. A vendor installs an MRI system in a hospital, the control computer the technologist uses to scan patients is Windows based. Obviously the system needs to at least be on the local hospital network so that the patient scans can be sent to a reading station so that a Dr. can look at the images. Neither of these systems can have any software installed on them that is not FDA approved. So by law, unless you have an FDA approved security program you cannot install it on either of these systems, or any system that contains patient data for that matter. If you do have an FDA approved program you need to prove that it will not affect any of the calculations that are made for determining a diagnosis as well. It gets even better though. If you do find a security suite that you can use, the vendor is not responsible for worrying about it in the case of system updates. So when an update comes out the vendor sends in an engineer who generally will simply re-image the drive with the new update, thereby wiping out your security programs.

  9. Re:What's the point of all the worry? by 0123456 · · Score: 2

    Why are people so worried about their medical information going public?

    I think your comment about Steve Jobs would be enough to explain why people don't want everyone to have access to their medical records.

  10. Dr's are tech idiots by Ludedude · · Score: 5, Interesting

    I work for a large regional provider of EMR hardware and software and I can tell you first hand that you should be afraid, very afraid, of anything your Dr. does with health records that involve a computer. Anti-virus is the tip of the iceberg. You install it for them and their brother in law who's a burger flipper helpfully uninstalls it to "speed things up." Hilarity ensues. Entire offices are implementing EMR that refuse separate usernames and passwords because it's "just too damn hard to remember all that" so everyone logs in as user with some simple password; that's if they even bother to log in or off at all. Of course they have to have admin rights because it's their hardware and they know what's best.

    Since most of the offices that are being force-fed EMR because of the lure of up to $44,000 in "stimulus" funds are smaller practices, they don't have domains that can be used to enforce universal security policies.

    The larger ones, sure, but most of them already use EMR and have on site servers etc. along with the requisite firewalls and VPNs. The vast majority of the new ones though are being sold "cloud" based systems with no local servers at all, so it's a friggin' free for all in terms of security (or lack thereof). They're just lining up for a swipe at the stimulus golden ring but half of them shouldn't even be entrusted with anything as complicated as a TV remote, let alone computer systems.

    --
    Then != than you morons.
  11. 34% Percent have no antivirus by dbIII · · Score: 2

    Perhaps that number is completely meaningless. I've noticed anecdotally that many doctors have Macs, perhaps 34% have Apple computers and don't need antivirus?
    Also for firewall do they mean a separate dodgy product and are they ignoring the quite reasonable MS Windows and Apple firewalls? How about the situation where just about every modem or router made after about 2005 has half decent firewall rules as a default?
    It's not as if 34% of these computers are actually naked to the net.

  12. Common Law by Gonoff · · Score: 3, Insightful

    In the UK, and therefore probably the USA too, there is a Common Law expectation of privacy in this situation.

    If I tell my neighbour over the garden fence that I am going in for a prostate examination tomorrow, there is not necessarily a legal duty on the part of my neighbour to keep this confidential. If a different neighbour is my doctor it is very different. I can reasonably expect that they will not blab about it at a party.

    That common law duty extends to keeping the matter private as best they can. They should not leave printed notes on display. They should not send it around by insecure fax, unencrypted email or put it on Twitter.
    They should, in fact, take every reasonable precaution to ensure that this matter stays secret until I choose to let it be known. Reasonable precautions include things like having firewalls and controlled access to my data.

    If a doctor, hospital or any other medical organisation, does not take suitable actions to protect such patient information, there are specific laws in developed countries (and most undeveloped ones) which will penalise them even if no information leaks out. My earlier comments on Common Law are because we don't even need written laws to deal with this. Common law is the effect of all those books full of legal precedents that lawyers have on their walls.
    If the doctors don't even have firewalls and a patient finds out lawyers could get busy...

    --
    I'll see your Constitution and raise you a Queen.
  13. Not what I'm worried about by glwtta · · Score: 2

    I know the popular thing is to constantly cry about our precious privacy, but I'm more worried about my medical records not showing up when they are needed, not the other way around. I'm thinking of allergies, drug interaction, and relevant medical history during emergencies, and the like.

    --
    sic transit gloria mundi