Americans Trust Docs, But Not Computerized Records

Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."

Not amusing. Sensible.

[BlueParrot]

Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.

What the hell is amusing about this? I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself. For the same reason I keep my money in a bank as opposed to underneath my mattress. Now granted some doctors may have lax security, but for myself to keep the records in addition would just open up more avenues of attacks. The only good reason I can see why I would keep such records myself is to ensure I have a backup of them if my doctor was to screw up and erase them by accident or something.

Re:Not amusing. Sensible.

[Jah-Wren+Ryel]

I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself.

The problem is that you can't trust "the pros" to act in your best interests. Money is 100% fungible and misuse is pretty straight-forward -- a bank steals your money and its obvious what happened. But for someone doing searches of healthcare records it is much harder to tell if the intent is nefarious. Even the people doing the searches may not fully understand the implications themselves - ala netflix's "anonymised" data fiasco.

What we need is less centralisation, not more. The push for electronic records in healthcare is inexorable, so we need to develop systems that inherently limit access. Not just fancy permission bits that can be ignored with the right privileges, but actually keeping the data physically inaccessible to those who don't absolutely need it. The best way to do that is to decentralise.

For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted too prevent loss of the phone exposing records.

If we had a system where each person was responsible for their own information, then the overhead of widescale misuse would be significantly increased. You'll never stop one-off abuses, but you can design a system that (a) makes widescale abuse difficult and (b) makes it easy for individuals to safely manage their own records.

Right now are moving to the worst of both worlds - centralisation of data with protection no better than flimsy laws subject to interpretation and rewriting by people with money and interests that conflict with that of the patient.

Re:Not amusing. Sensible.

[ColdWetDog]

For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted too prevent loss of the phone exposing records.

1. I don't have a smartphone.
2. I forgot my smartphone, do I have to go back home to get it?
3. The insurance company needs to drop a bill, do they text message you to get the data?
4. Medicare wants to audit the hospital. Do they text a message to get the data?
5. Oops, my smartphone got squashed when I got run over by a bus and they need my data ASAP, now what do I do?
6. Oops, the cell phones are down again.

No, this makes no sense at all. People don't WANT to manage their information. Most people CAN'T manage their information.

Dr's are tech idiots

[Ludedude]

I work for a large regional provider of EMR hardware and software and I can tell you first hand that you should be afraid, very afraid, of anything your Dr. does with health records that involve a computer. Anti-virus is the tip of the iceberg. You install it for them and their brother in law who's a burger flipper helpfully uninstalls it to "speed things up." Hilarity ensues. Entire offices are implementing EMR that refuse separate usernames and passwords because it's "just too damn hard to remember all that" so everyone logs in as user with some simple password; that's if they even bother to log in or off at all. Of course they have to have admin rights because it's their hardware and they know what's best.

Since most of the offices that are being force-fed EMR because of the lure of up to $44,000 in "stimulus" funds are smaller practices, they don't have domains that can be used to enforce universal security policies.

The larger ones, sure, but most of them already use EMR and have on site servers etc. along with the requisite firewalls and VPNs. The vast majority of the new ones though are being sold "cloud" based systems with no local servers at all, so it's a friggin' free for all in terms of security (or lack thereof). They're just lining up for a swipe at the stimulus golden ring but half of them shouldn't even be entrusted with anything as complicated as a TV remote, let alone computer systems.

Re:Not unfounded.

[kullnd]

It would not be possible to do this... A healthcare org has to refer to the patient records long after your visit is over. In a hospital, there is generally reporting that takes place which requires extensive reviews and audits of the care given, and alot of these audits can take place nearly half a year after you were seen. There is also the fact that after your visit, the record will be reviewed for medical coding, which is how you, your insurance, and or the gov't are billed for the care that you were given. The idea that when you leave, your record is locked, is just not realisitic. I can also say that the latest push by the federal government, with these EHR incentives, is pretty much going to do the opposite of what you are asking for.

I have seen medical practices on both ends of the security fence, and it is sad... I've been in practices that I would never, ever, visit as a patient because I have no faith in how things are run there from an IT security view point... At the same time, I have worked with other orginazations that do take security very seriously, and do everything possible to ensure that all data is kept private... The thing that really sucks is that you really have no way of knowing what type of office you are visiting until you see the report that your record has been leaked.

Someone else posted in here that most practices are afraid of HIPAA and will do anything to keep things safe... Unfortionately I have seen alot of practices that couldnt give a crap about HIPAA and won't listen to any reasons as to why they should not run bittorrent on their office computer. The bottom line is that until HIPAA and HITECH start producing more results, busting more practices, and making everyone aware that they do have teeth this is going to continue to be a problem. HIPAA has been around for a long time, but until HITECH came around it has been a joke, and only enforced in the worst of senarios. I still think that both of the policies are too loose, and enforcement on those policies today is still largely reactive, when it's too late.