Problems with the national health data-base (an example)

Assembled cognoscenti! The national health data-base seems to have a number of problems: financial, data-acquisition and legal. I am wondering if it has a low-tech distributed solution.

Firstly let me say, as a result of two contacts with hospitals, I am really enthusiastic about the idea of having all my medical history accessible to doctors (with my permission) available 'on-line'. During these contacts, it was quite frightening to realise that doctors were relying on my memory for details of diagnostic and prescription history. (Yesterday is not quite an unknown land, but it often requires quite a lot of reconstruction!) So when the option came up I jumped through all the hoops to enable an online version of my medical history.

Problems which became apparent in discussions with my local GP recently:

1/ My 'paper' medical history is physically distributed amongst the various doctors I have used over the years, so it would need to be gathered from these doctors; data acquisition problem #1.

2/ IF it could be gathered and IF a standardised data-base format could be agreed upon, it would need to be converted; data acquisition problem #2.

3/ Thus far the per capita cost of the above seems not to have been calculated, or if calculated, publicised; not to mention who is to pay: me, my doctor or the Australian taxpayer? The direct beneficiary would seem to be myself, but thus far no-one seems to be asking me for money.

4/ Thus far the current model seems to be a vast centralised repository. Further problems become apparent:
- having gathered, converted and transmitted the data to this repository, complex data access permission problems seem to remain because 'publicising' the data in this way (even with my permission) seems to expose my GPs and respective diagnostic test providers to legal liabilities;
- thus currently accessing my data would seem to involve not just my permission but the permission of the GP and, if relevant, the permission of any diagnostic test provider, on a per item basis! ..... an extremely unwieldy arrangement.

It occurred that perhaps it might be cheaper and easier to leave the records where they are and unconverted, and have the central repository merely consist of a set of links to this raw data. If a solution to the legal liability of the test providers could be found, then it might be simpler and cheaper to just pay the GPs to copy and transmit the records on demand.

flames, thoughts, queries?
regards Rohan McLeod

[MUA went funny, this might be a resend. If so, sorry.] Rohan McLeod wrote:
4/ Thus far the current model seems to be a vast centralised repository, Further problems become apparent :
- having gathered, converted and transmitted the data to this repository; complex data access permission problems seem to remain because, 'publicising ' the data in this way (even with my permission) seems to expose my GP's and respective diagnostic test providers to legal liabilities
- thus currently accessing my data would seem to involve not just my permission but the permission of the GP and if relevant the permission of any diagnostic test provider, on a per item basis !.....an extremely unwieldy arrangement
This would also turn the hospital's ADSL connection into a life-critical service.

Ross J. Anderson has written UK health record policy, the most notable post being this one:
http://www.lightbluetouchpaper.org/2013/01/16/privacy-considered-harmful/

See also
http://www.lightbluetouchpaper.org/?s=health
https://en.wikipedia.org/wiki/Ross_J._Anderson

Trent W. Buck wrote:
[MUA went funny, this might be a resend. If so, sorry.]
Rohan McLeod wrote:
4/ Thus far the current model seems to be a vast centralised repository, Further problems become apparent :
- having gathered, converted and transmitted the data to this repository; complex data access permission problems seem to remain because, 'publicising ' the data in this way (even with my permission) seems to expose my GP's and respective diagnostic test providers to legal liabilities
- thus currently accessing my data would seem to involve not just my permission but the permission of the GP and if relevant the permission of any diagnostic test provider, on a per item basis !.....an extremely unwieldy arrangement
This would also turn the hospital's ADSL connection into a life-critical service.
Ross J. Anderson has written UK health record policy, the most notable post being this one:
http://www.lightbluetouchpaper.org/2013/01/16/privacy-considered-harmful/
1/ No one seems to be considering just leaving the data distributed, even if only initially. Neither does there seem to be much argument "pro electronic health records for citizens"; presumably these are considered obvious, but it does no harm to spell these out. Much of the article and following comments seemed like FUD, with perhaps the exception being: "6. Dave Walker | January 16th, 2013 at 19:04 UTC".

2/ Regarding: https://en.wikipedia.org/wiki/Ross_J._Anderson
"For years Anderson has been arguing that by their nature large databases will never be free of abuse by breaches of security. He has said that if a large system is designed for ease of access it becomes insecure; if made watertight it becomes impossible to use. This is sometimes known as Anderson's Rule." <https://en.wikipedia.org/wiki/Ross_J._Anderson#cite_note-14>
Perhaps if some metric for 'security' (S) and 'convenience' (C) could be found, we could hypothesise S x C = some constant (K), and security design generally with increasing the value of K?

3/ My 'philosophy of privacy' is simply 'reverse the onus of proof', aka 'demonstrate a need to know': if some person, organisation or government department needs access to my personal information, they need to establish (to the possible satisfaction of a court of law, if necessary) that they 'need to know' certain personal information about myself, in terms of explicit or implicit tasks demanded by me or the legislature.

Thanks for a reply by the way; regards Rohan McLeod

Rohan McLeod <rhn@jeack.com.au> wrote:
3/ My 'philosophy of privacy' is simply ' reverse the onus of proof, aka 'demonstrate a need to know'; if some person, organisation or government department needs access to my personal information; they need to establish (to the possible satisfaction of a court of law, if necessary); that they 'need to know' certain personal information about myself ; in terms of explicit or implicit tasks demanded by me or the legislature.
I'm really not concerned about the possibility that a government department or a health professional could gain access to my records without my consent. In fact, I want hospital emergency departments, medical specialists, etc., to be able to retrieve my medical details and history quickly in order to fulfill their responsibilities more effectively, and this benefit, for me, far outweighs the possibility of misuse. I would be much more concerned about my ability to obtain a copy of the data and to have errors or misleading information corrected, should they arise. Of course, I'm not in favour of open access either - there are organizations and individuals who could use such information for harmful or discriminatory purposes, so it should be confined to health professionals and subject to reasonable technical measures of access control. The paramount consideration, however, is that any health-care specialist with whom I'm dealing should be able to access it without much difficulty, especially in an emergency. I'm prepared to trade this off against lower security, if need be.

Jason White wrote:
[snip] I'm really not concerned about the possibility that a government department or a health professional could gain access to my records without my consent. In fact, I want hospital emergency departments, medical specialists, etc., to be able to retrieve my medical details and history quickly in order to fulfill their responsibilities more effectively, and this benefit, for me, far outweighs the possibility of misuse. [snip]
So beyond the privacy issue; -should we have a centralised or decentralised model? and -do you see legal liability as a problem ? and if so - what to do ? regards Rohan McLeod

Rohan McLeod <rhn@jeack.com.au> wrote:
So beyond the privacy issue; -should we have a centralised or decentralised model? and
Could you clarify what the differences would be? We certainly need high reliability and availability; any authorized user should be able to log in and retrieve database records for any individual at any time.
-do you see legal liability as a problem ? and if so - what to do ?
No, I don't see legal liability as an obvious problem, and I have a law degree, so I'm probably better qualified than most to think about it.

Jason White wrote:
Rohan McLeod <rhn@jeack.com.au> wrote:
So beyond the privacy issue; -should we have a centralised or decentralised model? and
Could you clarify what the differences would be? We certainly need high reliability and availability; any authorized user should be able to log in and retrieve database records for any individual at any time.
I think Trent's suggestion illustrates an example of a decentralised model; the current British solution would seem to be an example of a centralised model !
-do you see legal liability as a problem ? and if so - what to do ?
No, I don't see legal liability as an obvious problem, and I have a law degree, so I'm probably better qualified than most to think about it.
I don't doubt your knowledge of the law or your capacity to think about the problem; but as a strategic problem that thinking needs, like the basis of a chess move, to be laid out as move and counter move, with all eventualities considered, to whatever depth. regards Rohan McLeod

Jason White wrote:
I'm really not concerned about the possibility that a government department or a health professional could gain access to my records without my consent.
From rja's Security Engineering, http://www.cl.cam.ac.uk/~rja14/book.html
http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c02.pdf

  2.2.1 Pretexting
  Colleagues of mine did an experiment in England in 1996 to determine the threat posed by pretexting to medical privacy. We trained the staff at a health authority (a government-owned health insurer that purchased medical services for a district of maybe 250,000 people) to identify and report false-pretext calls. A typical private eye would pretend to be a doctor involved in the emergency care of a patient, and he could be detected because the phone number he gave wasn't that of the hospital at which he claimed to work. We detected about 30 false-pretext calls a week. Unfortunately, we were unable to persuade the UK government to make this training mandatory for health authority staff.

Thirty attacks per week times 52 weeks in a year times 200 health authorities in England is a lot of privacy compromise!

If the data is only with your local GP, the attacker has to attack that GP. If the data is centralized such that a quarter of a million people can access it, the attacker can attack the most credulous individual in that group.

There are also issues with improperly anonymized records appearing in research papers.

I just had an idea -- store the canonical copy of the data on your medicare card. Most people, most of the time, will have a wallet and a phone on them, and they're already used to the idea of managing secrecy of their wallets' contents. Your active caregiver has a cached copy that they pull from your medicare card with a card reader on their desk. If you go to ER without your wallet, they have to pull it from there -- same as they do now with paper records.

Remaining logistics issues are left as an exercise for the reader. (Like, upgrading everyone to a smartcard, since a magstrip doesn't have enough storage.)
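The pretexting check in the Anderson excerpt above (a caller who claims to be a hospital doctor is flagged when the callback number given is not one the hospital actually owns) can be turned into a simple screening routine run over a request log. The code below is an added example written for this thread; it is not Anderson's experiment, nor anything from a real health authority. The hospital directory, the call log lines, and the field layout "timestamp | hospital=... | callback=... | patient=..." are all constructed for the example.

```python
"""Pretext-call screening over a constructed call log.

Added example: flag record requests whose callback number does not belong
to the hospital the caller claims to work for, then count flagged calls
per ISO week (the metric the quoted experiment reported).
"""
import re
from collections import Counter
from datetime import datetime

# Constructed directory of hospital switchboard numbers (assumed, not real).
HOSPITAL_DIRECTORY = {
    "St Example's": {"01223 000100", "+44 1223 000101"},
    "Example General": {"01223 000200"},
}

# Constructed log of inbound record requests taken by health authority staff.
CALL_LOG = """\
2013-01-14 09:12 | hospital=St Example's | callback=01223 000100 | patient=P001
2013-01-14 11:40 | hospital=St Example's | callback=0161 555 0199 | patient=P002
2013-01-16 15:05 | hospital=Example General | callback=+44 1223 000200 | patient=P003
2013-01-17 08:30 | hospital=Example General | callback=01223 000101 | patient=P004
2013-01-22 10:00 | hospital=St Example's | callback=01223000101 | patient=P005
2013-01-23 16:45 | hospital=Northern Infirmary | callback=01223 000300 | patient=P006
"""


def normalise(number):
    """Reduce a UK-style number to digits only, folding a +44 prefix to a leading 0."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("44"):
        digits = "0" + digits[2:]
    return digits


def build_index(directory):
    """Map each normalised directory number to the hospital that owns it."""
    return {normalise(n): hosp for hosp, nums in directory.items() for n in nums}


def parse_log(text):
    """Parse the constructed 'ts | k=v | k=v' lines into dicts with a datetime."""
    calls = []
    for line in text.splitlines():
        ts, *fields = [part.strip() for part in line.split("|")]
        kv = dict(f.split("=", 1) for f in fields)
        calls.append({"when": datetime.strptime(ts, "%Y-%m-%d %H:%M"), **kv})
    return calls


def classify(call, index):
    """Return (verdict, reason); verdict is 'ok' or 'suspect'."""
    owner = index.get(normalise(call["callback"]))
    if owner is None:
        return "suspect", "callback number is not in any hospital directory entry"
    if owner != call["hospital"]:
        return "suspect", f"callback number belongs to {owner}, not {call['hospital']}"
    return "ok", "callback number matches the claimed hospital"


def screen(text, directory=HOSPITAL_DIRECTORY):
    """Screen every logged call; returns (when, hospital, patient, verdict, reason) tuples."""
    index = build_index(directory)
    results = []
    for call in parse_log(text):
        verdict, reason = classify(call, index)
        results.append((call["when"], call["hospital"], call["patient"], verdict, reason))
    return results


def suspects_per_week(results):
    """Count suspect calls per (ISO year, ISO week), the figure the experiment reported."""
    counts = Counter()
    for when, _hospital, _patient, verdict, _reason in results:
        if verdict == "suspect":
            iso = when.isocalendar()
            counts[(iso[0], iso[1])] += 1
    return dict(counts)


if __name__ == "__main__":
    found = screen(CALL_LOG)
    for when, hospital, patient, verdict, reason in found:
        print(f"{when:%Y-%m-%d %H:%M} {patient} {hospital!r}: {verdict} ({reason})")
    print("suspect calls per week:", suspects_per_week(found))
```

The check is deliberately conservative: a number that belongs to a different hospital than the one claimed is treated as suspect just like an unknown number, because the excerpt's attacker borrows a real doctor's identity rather than a real hospital's phone line. In practice the staff member would still call the hospital's switchboard back rather than the number offered, which is the step this routine supports rather than replaces.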

Trent W. Buck <trentbuck@gmail.com> wrote:
Thirty attacks per week times 52 weeks in a year times 200 health authorities in England is a lot of privacy compromise!
It is, but this scenario wouldn't apply in the case of an electronic health record system. In the scenario, someone claiming to be a doctor calls a health authority and asks for records. With a health database, anyone who is a doctor would have access already, and would need to supply credentials (e.g., login/password) to retrieve records. Next, ensure that health care workers are trained not to give login details to others and not to retrieve records for people who contact them requesting information. Obviously, that's only one attack vector and there are other social techniques of compromising security; the point is merely to make it difficult enough to carry out that the number of incidents is kept down, while still supporting legitimate access. Storing the data on a card, or at least using the card as an authentication mechanism, are entirely reasonable measures, too, for the reasons you give.

Trent W. Buck wrote:
Jason White wrote:
I'm really not concerned about the possibility that a government department or a health professional could gain access to my records without my consent. ........snip
There are also issues with improperly anonymized records appearing in research papers.
I just had an idea -- store the canonical copy of the data on your medicare card. Most people, most of the time, will have a wallet and a phone on them, and they're already used to the idea of managing secrecy of their wallets' contents.
Well that is certainly a decentralised model; the simplest and cheapest version would just be an electronic copy of the paper record. There is still the problem of collecting that paper record when it is spread over multiple GPs, a common situation, I would have thought? If it is to be in data-base format there would be issues of standardisation and conversion, which would probably have a higher cost. Regarding privacy: it occurs that the chief issue is the privacy of the identity of the owner of that record and any identifying information within those records, which probably isn't substantial. This being important because it suggests a privatised solution might be possible with a business model, whereby a company (with a patient's permission) pays doctors for access to the paper record, then converts and processes the record, identifying the record only by a code. Those anonymous records would be a valuable resource, which pharmaceutical companies etc. would pay to have access to. What will you call your company? and when will it go public?
Your active caregiver has a cached copy that they pull from your medicare card with a card reader on their desk. If you go to ER without your wallet, they have to pull it from there
Well my experience was that they just asked me! Reminded me of Dirty Harry's immortal line "Feeling lucky, punk?"
-- same as they do now with paper records.
[snip]
Remaining logistics issues are left as an exercise for the reader.
The card reader? ......... apologies, I couldn't resist; there is no real ambiguity! regards Rohan McLeod
participants (3)
- Jason White
- Rohan McLeod
- Trent W. Buck