Slashdot Mirror

← Back to Stories (view on slashdot.org)

Your Medical Records Online

Posted by jamie on from the get-me-a-browser-stat dept.

um... Lucas writes "Apparently, Intel's teaming with the AMA to help post patient records online. It's way too early to tell what they're thinking, but I want to know if I can opt-out now." This could be a good thing if it's done right ... or a privacy disaster if it's done wrong.

4 of 73 comments (clear)

  1. Be Afraid. by Anonymous Coward · · Score: 4

    A hospital I used to work for was implementing a system to allow patients to access their medical records via the internet. The idea was that you could access your medical records, send emails to your Doctor's office, etc. They were doing this in conjunction with a vendor.

    This was all very well and good, except that this hospital, like most hospitals, took technical incompetence to a level that I have never seen anywhere else. I am not exaggerating in the slightest -- most of the "IS Staff" were nurses who had been promoted into IS!

    You can imagine what security looked like. Literally, all the passwords in the NT domain were "password" or null. Likewise for Netware passwords. Passwords for system accounts were things like "nascar" (the nurse who ran that system was a fan -- but that password had been changed when I left). In fact, I don't think I ever saw anyone but myself set a password that could not be broken by crack in 30 seconds flat.

    On top of that, this organization would try to run on the least technical staff possible. That's good as far as it goes, but when you have a $500,000 UNIX system that you are trying to run with a mail clerk! I'm not exaggerating in the slightest: this organization spent upwards of $3 million on software, $500,000 on the database server, and tried to run it with an employee making less that $10/hour. On this particular system, mos accounts had a password of their user name. After all, anything else was too hard to remember. The root password (until I came on and straightened them out) was "superman".

    And, you guessed it, all those wide open accounts were accessible from the dial-in rack. Any fool with a war dialer could get in at any time. I tried to inform them of this, and they ignored me. On the other hand, they were genuinely paranoid about Internet access. So paranoid that they refused to allow access to just about anything without begging, cajoling and everything else, but not so paranoid that they would hire someone technically competent to manage it.

    Their biggest problem was that they had no respect for or desire to have around technical competence. I was isolated from day one because I did not pander to their sloppy practices. They didn't want a nerd, they wanted a "manager".

    At any rate: do you think that this bunch could keep your data secure? Get real.

  2. rural medicine by cogitatio · · Score: 4

    Having health records online would be a huge boon to rural medical practice, especially given the already surging growth in telemedicine. By having medical records already available online, practitioners in areas with limited medical resources (such as Alaska's bush communities) could greatly increase the speed of treatment for difficult medical and trauma patients. By already having the records online, the temporal gap between presentation in the primary care clinic and a second opinion by a specialist would be greatly shorted, in many cases increasing the chances of a successful recovery. Having medical records online wouldn't just help "one or two patients" as someone else commented, it would be of great advantage to many....IF they can get the encryption software to work properly. As a future rural physician, I know I would appreciate having my patients' records online. Knowing what I do about encryption and the privacy issues involved in an issue like this, I'm just not so sure I'd want MY records online. Hopefully they'll work it out, because this could be a huge advantage to the medical community, as well as to they patients they treat.

  3. As always...caution should be paramount... by Dark+Father+Amadeus · · Score: 4

    I've worked in the information systems branch of the medical industry for the past four years now. I've seen time and again how badly patient records are protected electronically in clinic, hospital, and corporate office.

    Where possible, I've always taken steps as the chief technology employee to protect the patient's records and rights to privacy. I've tightened security systems, making workflow in the clinic a little more attentive to computer usage, so that our patients could rest with the knowledge that all steps had been taken to protect their privacy.

    This development scares me. Certainly there is the possiblity to use this information to detect patterns otherwise unseen, but largely such patterns are detected from abstract databases already maintained at the state or inter-state level. For example, cancer clinics maintain tumor information at the state level not only for statistical reporting usage, but also for usage as a pattern detector. But the patients are ultimately proctected from becoming anything more than a number.

    A nationwide system with full medical records runs dangerously close to causing mroe harm than good. The patients are no longer a statistical element whose anonymity is fairly well protected by abstraction from their medical chart. Instead, their medical chart is now a part of this database? I am indeed most concerned as to where this development will lead.

    Obviously it could be a Good Thing for both patients and their physicians to have quick and ready access to a patient's medical record and history. However, the rush of technology must be tempered with a careful evaluation of necessity. Is it absolutely necessary for this sytem to be available to both the public and physicians. Would it not instead be better served as a carefully controlled, non internet, system available only through licensed professionals?

    I would say the patients should express any concerns they have to the proper branch of the AMA. They can try to protect this information all they want. The ultimate question is whether or not the information needs to be made available in such a venue in the first place.


    ta,
    Jason
    # Jason A. Dour

    --
    # Jason A. Dour
    # Founder / Executive Producer - PJ Harvey Online (pjh.org)
  4. HIPAA - You need to know this by the+red+pen · · Score: 5
    Healthcare Information Portability and Accountability Act. It's not just a good idea, it's the law (in the USA). Within the next two years, agencies dealing in personalized medical records will be forced to submit to HIPPA regulation. This includes hospitals, "health web sites," pharmaceutical companies and so forth. If they have your medical data, they must conform to HIPPA.

    What does that mean?

    • Medical data must be stored in a secure manner. Yes, there is no perfect security, but let's just say that Windows NT is about to suffer greatly in the medical marketplace...
    • Medical data must be protected in transit. That means RC4-128bit or 3DES. Even on a hospital LAN. That's right: sanity at last.
    • There must be published and audited policies and procedures governing storage, transit and disclosure of electronic medical records. That may sound like a drag to Slashdotter's who work in chaotic, fast-paced tech companies, but this bureucratic overhead means clear liability concerning your personal data.
    • Included in the auditability guidelines is non-repudiation. This means digital signatures and X.509 certificates. This is an excellent technology which has been resisted due to cost and complexity. Not anymore.
    Bottom line: nobody is going to be putting your medical records on a public website.