Americans Trust Docs, But Not Computerized Records 162
Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."
Not unfounded. (Score:3)
Re: (Score:2)
Couldn't you find ways around the problems? Encrypt the data and store it to a central DB, only the patient keeps a record of his encryption key and allow him to request a new key at any time. Maybe set it up with expiring keys to allow a doctor access for a limited period of time after he sees the patient. Obviously this kind of scheme would restrict access but it would also make bulk exportation of the raw data difficult or impossible.
Of course, there will always be holes in such a set up, but the same
Re: (Score:3)
But that would be hard.
Re: (Score:2)
Couldn't you find ways around the problems? Encrypt the data and store it to a central DB
Why would you put it in a central database when you could just carry it around with you (and back up as required to wherever you chose)?
Re: (Score:3)
Why would you put it in a central database when you could just carry it around with you (and back up as required to wherever you chose)?
Sure, fine, whatever. My point was that while the security and privacy concerns are certainly warranted, they can relatively easily be gaurded against using standard, commodity software and hardware solutions. It isn't as though keeping information from falling into unauthorized people's hands is a problem that has never been encountered before in computer science.
And to more directly answer your question, you might want it in a central DB so that if you're on vacation and end up in the hospital the doct
Re: (Score:2)
Most people are just too stupid to figure out how encryption works or to try to understand why they need it. Even if they use it daily (say, as a part of their job) they will likely neglect it, passing off encryption keys to anyone and everyone. Furthermore, due to the fact that insurance companies and employers love to spy on people's medical records, they would almost certainly be given access in some way, allowing th
Re: (Score:2)
I'd looked into maybe setting up some kind of PGP set up for him...but would be tough to get every dr he might do business with....to get them to set up PGP, generate keys...and set
Re: (Score:3)
What you want is a PACS [wikipedia.org]. These are generally expensive. I can't recommend any specific vendors, but you want to be very careful with HIPAA. They're also FDA regulated, so you also want to be careful about hacking anything together that could be functionally confused with a PACS.
That said, I'd be really surprised if a radiology clinic didn't already have one (that "telerad" you alluded to?). I'd call up the vendor and ask what they can do; any modern system will speak DICOM [wikipedia.org], and a lot (if not most) of th
Re: (Score:2)
What you want is a PACS [wikipedia.org]. These are generally expensive. I can't recommend any specific vendors, but you want to be very careful with HIPAA. They're also FDA regulated, so you also want to be careful about hacking anything together that could be functionally confused with a PACS.
That said, I'd be really surprised if a radiology clinic didn't already have one (that "telerad" you alluded to?). I'd call up the vendor and ask what they can do; any modern system will speak DICOM [wikipedia.org], and a lot (if not most) of them can grab images from outside the facility.
I have heard good things about K-Pacs, which is free. It also has utilities to receive HL7 with worklists and uses DICOM to comunicate with modalities (the x-ray machines). DISCLAIMER: I have just used it for a couple of personal trials, as I work in a public health administration and they are opposed to add systems for which they don't have support. But for your single organization, it might be a valid tool.
Re: (Score:2)
They do have the imaging system set up to transmit images between his office and his clinics.
However, he's generating reports for the study ordering physicians..and cutting and pasting some of the images to put in the reports to the doctors..and wanting to send THAT...not the full image study.
They had been sending stuff in clear text emails with attachments and I told them that was not a good idea..so looking for a way to send this securely...and also not have to have each reci
Re: (Score:2)
Some PACS client software can burn a study to a CD, which is the way we deal with sending images to doctors offices (I work IT in a hospital). These CDs will have self-contained viewing software on them to see the images, and sometimes you can include reports with them. But that's only with the right PACS software... Trying to cut and paste DICOM images into Word sounds like a terrible idea -- not to mention tedious.
However, I know how stubborn doctors can be, and radiologists are often the worst of them
Re: (Score:2)
Re: (Score:2)
Millions of people manage to use encrypted systems every day for Internet banking or shopping. Encryption does not have to be hard.
What is hard is providing a user interface to a means of encryption so that the complications are reduced or eliminated while still maintaining some semblance of security. AFAICT, nobody's managed to do that in a fashion suitable for anyone to use on arbitrary streams of data that need to be encrypted and passed around as part of a batch process.
Re: (Score:3)
only the patient keeps a record of his encryption key and allow him to request a new key at any time
And what happens if the patient can't provide the key, say because they are unconscious and dying? At the least, there would have to be a somewhat centralized authority (that is, someone who is guaranteed to be there, not just a next of kin) with the power to provide a suitable key.
Re: (Score:2)
It doesn't have to be centralized authority, in this case the patient's general practitioner would hold a copy of the key and release it in such a circumstance according to the terms of a legal advance directive, like a limited power of attorney or living will. You just need a central repository of the encrypted data, and a directory service to help an ER find the patient's GP or kin, allow the keyholder to validate the patient's unconscious condition, or that their condition meets the terms of the directi
Re: (Score:2)
It doesn't have to be centralized authority, in this case the patient's general practitioner would hold a copy of the key
Who actually holds the key? The general practitioner can have an accident or medical emergency of their own. The key has to be reliably obtainable.
The scheme is workable, I think, but I think it's worth noting that no matter how it's implemented, there will be a number of people with access to that key ("access" not being the same thing as copying a zillion records for fun and profit). Because otherwise, the doctors treating a patient might not have access to the key.
Re: (Score:2)
The scheme is workable, I think, but I think it's worth noting that no matter how it's implemented, there will be a number of people with access to that key ("access" not being the same thing as copying a zillion records for fun and profit). Because otherwise, the doctors treating a patient might not have access to the key.
Just be like many other databases in the US and use their Social Security number :-)
Re:Not unfounded. (Score:4, Informative)
I have seen medical practices on both ends of the security fence, and it is sad... I've been in practices that I would never, ever, visit as a patient because I have no faith in how things are run there from an IT security view point... At the same time, I have worked with other orginazations that do take security very seriously, and do everything possible to ensure that all data is kept private... The thing that really sucks is that you really have no way of knowing what type of office you are visiting until you see the report that your record has been leaked.
Someone else posted in here that most practices are afraid of HIPAA and will do anything to keep things safe... Unfortionately I have seen alot of practices that couldnt give a crap about HIPAA and won't listen to any reasons as to why they should not run bittorrent on their office computer. The bottom line is that until HIPAA and HITECH start producing more results, busting more practices, and making everyone aware that they do have teeth this is going to continue to be a problem. HIPAA has been around for a long time, but until HITECH came around it has been a joke, and only enforced in the worst of senarios. I still think that both of the policies are too loose, and enforcement on those policies today is still largely reactive, when it's too late.
Re:Never visit because of IT (Score:2)
There may be weird cases where you evaluate the only 4 network providers within 40 miles of you, and 3 have good IT and sloppy care, and the last one has good care and sloppy IT. Med is a weird profession, I'd grudgingly take the good care with bad IT in a pinch.
Re:Not unfounded. (Score:4, Insightful)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Dumpster diving however...
Re: (Score:2)
Please stop with that silly, and offtopic, argument.
Medical records are not meant to be public information. In order to "steel" data, it must have been kept locked in first place. They also have no legitimate use outside of the patient doctor relationship.
And the saying is "copyright infringement is not theft", not "copying".
Re: (Score:2)
It isn't theft. It's copying (or copyright infringement, depending on the situation). He just used the wrong term for it. It does, however, endanger someone's privacy.
Re: (Score:2)
That's because Copying is not Theft. Isn't that the argument used by most digital piracy apologists?
Copying is not theft. Copying medical data, however, does violate doctor-patient confidentiality. Copying other personal information can lead to actual theft, such as through fraud (stupidly referred to as "identity theft").
Re: (Score:2)
I agree. The crime is breaking into the {computer, filing cabinet} to access them in order to copy them.
Re: (Score:2)
Not Too Surprising (Score:3, Insightful)
But on a more serious, and less inflammatory note, this probably has to do with the very high incidence rate of folks in the U.S. getting their financial accounts cracked. Anyone who has had to frack about with their bank or credit agency regarding X many thousands of dollars being debited from their account due to some mysterious "hacker" that stole their identity is probably pretty suspicious of putting any important personal data on the internet period.
Re: (Score:2)
Considering how EHRs are going to be required in the near future, I'm not surprised that hospitals/doctors are still getting dragged kicking and screaming into the 21st century.
HL7 was created in 1988, and over 20 years later, it still has very little penetration in the US. I had friends ask their acquaintances working at hospital IT departments, and many don't even know what HL7 is! Part of this is the government's fault (lack of incentives unlike European countries), but most of this is due to the lack of
Re: (Score:3)
lack of understanding and technophobia
No, it's not technophobia. I'm a technophilic physician, and I know a lot of technophilic physicians, so I may be able to help you understand.
EHRs really cover several different areas. Some areas clearly benefit from computerization; lab reporting is so clearly better done via computer than phone that it makes no sense not to. Having radiology studies available for review outside the radiology department is of significant benefit. Having transcriptions of dictated reports available is tremendously useful
Re: (Score:2)
Vitals can be substantially easier with an EMR since the computers can talk directly to the monitoring equipment - you click a button, and you're done. I've seen nurses break down in tears when this wasn't working; taking vitals three minutes sucks if you have to key them in manually or do it on paper.
Most nurses also like the electronic MAR, since it can automagically calculate dosages and rates for continuous medications, automagically retrieve the right medication from the Pyxis, and automagically get a
Re: (Score:2)
But as I said, physicians oppose changing things in ways that increase their workload if all the benefit goes to someone else. With CPOE, the nurses aren't typically the beneficiaries - they, too, are too well paid to be doing data entry work unless it's an emergency. It's the unit secretary, whose job description
Re: (Score:2)
It's not like doctors and nurses don't benefit from proper records. EMRs are very good at decision support - warning about allergies, drug interactions, wrong patient/wrong site/wrong med/wrong line (barcoding), and the like. Doctors like getting paid, and billing insurance is much easier and more reliable through an EMR.
EMRs are particularly useful in high-liability practices like obstetrics. Being able to produce a record of exactly what interventions were performed, what providers were notified when,
Re: (Score:2)
Working in an hospital IT, too, I have a few points to make:
Re: (Score:3)
I've worked in hospitals with a wide variety of electronic systems. The VA,
I would not say actual, but news fed fear (Score:2)
is probably the basis for most of it. You can't go a day without a news story or advertisement related to financial records being stolen. As with anything else, if you repeat it enough people are going to start to believe it.
Re: (Score:2)
Huh? (Score:2)
Re: (Score:2)
it's not legal.
HIPPA and HITECH make such lack security illegal on systems that hold patient data.
Quite a conundrum... (Score:3, Interesting)
BAM! Access to the doctor's office is now at hand and anyone's records can be had.
Very few people who would do this sort of activity in other situations are doing it for fun. I can only think doing this to make money would be something that would be a scheme, to mostly blackmail people of a region with the largest percentage of ignorant and uneducated people. Who, ironically enough, are going to be sick more and thus go to the doctor more... But how, or why, to exploit these people who have nothing to give is beyond me.
But rich people also go to doctors from time to time as well... so what then?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Now would you trust that doctors office very much? The only consolation I have is that they keep pap
Re: (Score:2)
Wow, so very offensive to the Doctors and your I.T. brethren in the MidWest.
Not only is your assumption false, making you both wrong and ignorant, but you're a JERK to boot.
How does that grab ya'?
Amusingly? (Score:4, Insightful)
It seems we can't have a week go by without some article showing up on Slashdot about how the average person don't have "sufficient" security on their various electronic devices and programs. In which case if those same average people are concerned about a particular set of records being compromised couldn't it be considered wise that they'd rather have someone else who should (theoretically) have better safeguards in place handle those records?
Re: (Score:2)
That's what's amusing. That they actually realize that their own security is inadequate to the task of storing that information securely.
Not amusing. Sensible. (Score:5, Insightful)
What the hell is amusing about this? I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself. For the same reason I keep my money in a bank as opposed to underneath my mattress. Now granted some doctors may have lax security, but for myself to keep the records in addition would just open up more avenues of attacks. The only good reason I can see why I would keep such records myself is to ensure I have a backup of them if my doctor was to screw up and erase them by accident or something.
Re:Not amusing. Sensible. (Score:5, Insightful)
I dare claim I know miles more about information security than your average patient, and I'd certainly prefer to have my medical details kept safe by the pros than trying ( and probably failing ) to do so myself.
The problem is that you can't trust "the pros" to act in your best interests. Money is 100% fungible and misuse is pretty straight-forward -- a bank steals your money and its obvious what happened. But for someone doing searches of healthcare records it is much harder to tell if the intent is nefarious. Even the people doing the searches may not fully understand the implications themselves - ala netflix's "anonymised" data fiasco.
What we need is less centralisation, not more. The push for electronic records in healthcare is inexorable, so we need to develop systems that inherently limit access. Not just fancy permission bits that can be ignored with the right privileges, but actually keeping the data physically inaccessible to those who don't absolutely need it. The best way to do that is to decentralise.
For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted too prevent loss of the phone exposing records.
If we had a system where each person was responsible for their own information, then the overhead of widescale misuse would be significantly increased. You'll never stop one-off abuses, but you can design a system that (a) makes widescale abuse difficult and (b) makes it easy for individuals to safely manage their own records.
Right now are moving to the worst of both worlds - centralisation of data with protection no better than flimsy laws subject to interpretation and rewriting by people with money and interests that conflict with that of the patient.
Re:Not amusing. Sensible. (Score:5, Insightful)
For example, use the patient's smartphone to keep their records (with automated backups of the data as an encrypted blob). If a doctor needs the info, he can request it via a secured version of a text message. Make it a closed system so that when the patient responds to the request, he can set an expiration date for the copy that the doctor gets. Meanwhile the records on the phone are encrypted too prevent loss of the phone exposing records.
1. I don't have a smartphone.
2. I forgot my smartphone, do I have to go back home to get it?
3. The insurance company needs to drop a bill, do they text message you to get the data?
4. Medicare wants to audit the hospital. Do they text a message to get the data?
5. Oops, my smartphone got squashed when I got run over by a bus and they need my data ASAP, now what do I do?
6. Oops, the cell phones are down again.
No, this makes no sense at all. People don't WANT to manage their information. Most people CAN'T manage their information.
Re: (Score:2)
1. I don't have a smartphone.
Any widely deployed system would also support dedicated PDA type units for practically nothing.
And my 80 year old mother, who can't remember much at all is supposed to take the bus back home when she forgets her iPad? Nope, not happening in the real world.
2. I forgot my smartphone, do I have to go back home to get it?
Yes. If you forget your wallet you have to go back home and get it too.
No, not at all. I don't necessarily need anything to show up at the doctors' office. The feds make me show ID for the ER but that's their insanity showing. So, in your magic world, we keep some of the most private information we have, our medical history, on our persons at all times? Again, not in the real world.
3. The insurance company needs to drop a bill, do they text message you to get the data?
Yes, but only if you envision health insurance working exactly the way it does today. For example, a record of services rendered could be transmitted to the insurance company at point of sale with 3 parties required - doctors office, patient and insurance company.
And you're going to fund an enormous initiative to force hospitals and doctors to be able to drop bills as the patient wanders off, not twelve times in the next two weeks like they do now. I personally have no interest in getting texts every couple of days for two weeks after my colonoscopy, thank you very much.
4. Medicare wants to audit the hospital. Do they text a message to get the data?
Yes.
Right. And if you refuse, or turn your phone off, the whole survey team has to wait for you to wake up?
5. Oops, my smartphone got squashed when I got run over by a bus and they need my data ASAP, now what do I do?
No different than what happens today when they can't call up your doctor and get something faxed over.
No, in a decent EMR world (not that we have one now), it's in there. We just punch it up. From what I understand about your system, the data is held in the smartphone which has just been converted to rubble in this particular scenario.
6. Oops, the cell phones are down again.
See #5. But this is scenario is even sillier because if we have that level of infrastructure failure, medical records are not going to be a priority,
Hah. Cell phones routinely fail where I live and yet the rest of our little world wanders on.
No, this makes no sense at all. People don't WANT to manage their information. Most people CAN'T manage their information.
You suffer from a failure of imagination. Unable to conceive of a system that HELPS people to manage their information you can only see the crap that we have now. Its like someone who has only driven stick-shift completely dismissing the utility of an automatic transmission in favor of hiring a taxi.
And you suffer from an overactive imagination. That's not necessarily a bad thing, but your system has no possible way of working in any feasible way. It would take enormous amounts of money and social change merely to put the individual completely in charge of something they don't want to be completely in charge of. The system as it stands is far from perfect and really does need to be improved if digitalized medical records are going to do much useful, and individuals should indeed take more of an int
Re: (Score:2)
And you suffer from an overactive imagination.
Actually that is precisely your problem. All of your counterpoints are nothing more than rare corner-cases blown out of proportion. No system will ever be free of corner-cases. The trick is to design for the common case and make it work as well as possible. Your blindered focus on corner cases and your desire to throw the baby out with the bathwater doesn't prove anything other than you aren't willing to give the idea more than a passing thought because you have your own predispositions.
Re: (Score:2)
And you suffer from an overactive imagination.
Actually that is precisely your problem. All of your counterpoints are nothing more than rare corner-cases blown out of proportion. No system will ever be free of corner-cases. The trick is to design for the common case and make it work as well as possible. Your blindered focus on corner cases and your desire to throw the baby out with the bathwater doesn't prove anything other than you aren't willing to give the idea more than a passing thought because you have your own predispositions.
-And nobody will care when the corner cases drop dead? If you are a store owner and plan to go into a "pay only with card" schema, then maybe losing 1% of customers is not worth the inconvenience of working with notes. But if you system means that you lose 1% of pacients who end dead, maybe you want to improve it (and btw, if you give the bad drug to someone who is allergic to it, do not think that their relatives will say "he should have thought of carrying his PDA with him". They are going to sue you, and
Re: (Score:2)
Simply put, failure rates that are ok for other bussiness are just not acceptable to live-or-death bussiness (do you want a nuclear central with the same rate of failures that the shop at the next corner?).
Are you familiar with the term "false equivalence?" You should be. You just made one.
So far the best anyone has been able to do is point out extremely rare, though possible, failure modes - but you seem to think that any alternative system is 100% failure-proof and that's just not the case. There will always be failures - the goal is that any new system reduce the rate of failures. Expecting a new system to eliminate failures is just magical thinking.
Re: (Score:2)
Your idea isn't going to work, and it's not because of ColdWetDog's "lack of imagination.
Re: (Score:2)
Requiring everyone to own a smartphone or PDA just to have a medical record is impractical, at best.
Really? If it is practical to spend a couple of billion on national healthcare data centres it is practical to give everyone a $25 PDA.
You currently can't "forget" your medical record. This isn't an improvement, or even necessary.
Not sure what you mean here. If I go to a new doctor without doing the legwork to transfer my records from my other doctors then I certainly have "forgotten" my medical records. Maybe you mean something else, the context is not clear.
You've made your entire medical record essentially patient reported. Your insurance company isn't going to write you a check just on your word, and that's now all you have.
Digital signatures can insure the integrity of the records. You aren't even trying to make it work. If you want to poke holes you gotta at
Re: (Score:2)
OK - we have a central certificate authority and some checksums. Your device is tamper-proof, and will always be tamper-proof. It is perfectly reliable for the purposes of determining who diagnosed who with what. Here's what you're blithely ignoring:
Re: (Score:2)
Your device is tamper-proof, and will always be tamper-proof. It is perfectly reliable for the purposes of determining who diagnosed who with what.
Unneccessary, that's what digital signatures are for.
You cannot receive healthcare without the PDA.
Obviously not true - tons of healthcare don't require access to medical records until after the fact - routine check-ups, sore throats, even broken bones don't generally require access in order to treat. The results only need to be logged which can be done well after the fact. So in the infrequent case where the PDA isn't immediately available, treatment is going to be at least as good as walking into an urgent care clinic today.
You're requiring millions of people, who may not even know how to operate a computer, to keep encrypted backups
Obviously not true - a c
Re: (Score:3)
How about developing a standard medical record access protocol. Companies can compete to store your information. They would compete based on who guards the information best. A service is defined via URL. So if you want to grant a hospital access to your records, you supply the URL and credentials (maybe a key/certificate stored on a card). They use a standard access protocol to fetch and/or update the data. The standard may also define how the client (hospital) may access the records, preventing a leak from
Re: (Score:2)
By saying set an expiration date for a copy aren't you basically asking for DRM. And we all know how DRM cannot work in reality.
The situation with medical records is different from the piracy scenario.
Piracy wins because all it takes is for one person to extract a copy and then everybody can get a copy for free. With medical records and other personal information the biggest risk is not to any specific individual but rather systemic misuse. DRM plus policy can be effective against systemic misuse because (a) individual records are of limited value to big brother and big corp and (b) swiping a ton of records at once hard to do beca
Firewall what, exactly? (Score:4, Interesting)
The majority of doctor's offices I've been around aren't connected to the Internet at all. For instance, my wife's practice has a WPA2 secured Wi-Fi network so that her laptop (whole-drive TrueCrypt) can talk to the database server that manages her records, and none of the hosts on the WLAN have any form of Internet connection. As it turns out, they do have AV programs (MS Security Essentials), but without any removable media coming into the office and no net connection, it's pretty much just a formality.
My kid's orthodontist's network has Internet access, but it's a bunch of Macs behind a firewall+NAT and a strict "no personal browsing at the office" policy. (I know this because I bartered net admin chores for dental work :-) ).
I'm certain there are insecure medical offices, but the doctors I've talked to are so terrified HIPAA that they'll take almost any security tips you give them.
Re: (Score:3)
Just curious, but how many of those HIPAA-fearing doctors use plain-text email to correspond with patients? How many of them have their email addresses on their business cards? I routinely ask providers if they realize that sending patient health information via e-mail is a HIPAA violation. Most haven't ever given the question a moment's thought.
Re: (Score:2)
Re: (Score:2)
On the other end of what? Her records never leave her office network, which is the most common arrangement I've seen.
Re: (Score:2)
On the other end of what? Her records never leave her office network, which is the most common arrangement I've seen.
If she takes health insurance, then yes, plenty of data about her patients and up far beyond her control.
HIPAA security audits? (Score:4, Interesting)
Why doesn't some organization come up with a set of standards and best practices to ensure that HIPAA protected data is actually protected as it should be? I'm thinking something like the PCI security council started by the credit card companies that mandates a set of rules and best practices that have to be followed for all merchants that handle credit cards.
Following the PCI standard doesn't guarantee data security, but it is a big step in the right direction. Doctors need the same kind of prodding to get them to implement real security controls and not just say "Oh, well i checked the WEP encryption box on my Wifi router, so all of my data is encrypted and safe - I know it's safe because I backed up my patient records to my iPhone".
Re: (Score:2)
HIPPA and HITECH cover more than just protecting data. It covers communication of the data as well, both digital communication and analog communication. it is hard to come up with a test suite for that.
Re: (Score:2)
PCI is not just about protecting computers and networks, but is about policies that companies are required to have in place to protect cardholder data (i.e. don't write a card number on scrap paper and toss it in the trash). Network vulnerability testing is a part of the compliance process, but developing policies and procedures for keeping the data safe is a large part of it.
Does HIPAA cover having network firewalls and anti-virus software? If it does, then the law has no teeth since 30% of doctors were fo
Re:HIPAA security audits? (Score:4, Informative)
The problem is that HIPAA is severely broken. Most hospitals violate some part of HIPAA countless times per day as it's not even possible to operate within it's guidelines and be able to realistically treat patients. Another issue is the FDA understands how to deal with IT about as much as it knows how to building a Saturn 5 rocket.
Here's an example that I've witnessed many times over the years. A vendor installs an MRI system in a hospital, the control computer the technologist uses to scan patients is Windows based. Obviously the system needs to at least be on the local hospital network so that the patient scans can be sent to a reading station so that a Dr. can look at the images. Neither of these systems can have any software installed on them that is not FDA approved. So by law, unless you have an FDA approved security program you cannot install it on either of these systems, or any system that contains patient data for that matter. If you do have an FDA approved program you need to prove that it will not affect any of the calculations that are made for determining a diagnosis as well. It gets even better though. If you do find a security suite that you can use, the vendor is not responsible for worrying about it in the case of system updates. So when an update comes out the vendor sends in an engineer who generally will simply re-image the drive with the new update, thereby wiping out your security programs.
Re: (Score:2)
Sorry, you are incorrect in stating that non FDA-approved software may not be installed in a medical device. It depends on the function of the software within the system and whether it deals directly with PHI (patient healthcare information) or not. Both security (anti-virus) software and the OS itself fall under COTS, or commercial off-the-shelf software. The only software required to comply with FDA and/or HIPAA is the software that deals directly with patient and medical data. Neither the OS nor the secu
What's the point of all the worry? (Score:2)
Why are people so worried about their medical information going public?
First of all, you can't get most people to shut up about what happened at the doctor's office. (And the older the person, the more likely this will dominate their idea of interesting conversation.)
And if this guy [slashdot.org] can't get a few days' quiet time to himself before he dies, then just who the fuck do the rest of us think we are?
Frankly, I'm going to start posting the boroscope videos of my colonoscopies. Hopefully the karma buildup will m
Re: (Score:3)
Why are people so worried about their medical information going public?
I think your comment about Steve Jobs would be enough to explain why people don't want everyone to have access to their medical records.
Common Law (Score:4, Insightful)
In the UK, and therefore probably the USA too, there is a Common Law expectation of privacy in this situation.
If I tell my neighbour over the garden fence that I am going in for a prostate examination tomorrow, there is not necessarily a legal duty on the part of my neighbour to keep this confidential,If a different neighbour is my doctor it is very different. I can reasonably expect that they will not blab about it at a party.
That common law duty extends to keeping the matter private as best they can. They should not leave printed notes on display. They should not send it around by insecure fax, unencrypted email or put it on Twitter.
They should, in fact, take every reasonable precaution to ensure that this matter stays secret until I choose to let it be known. Reasonable precautions include things like having firewalls and controlled access to my data.
If a doctor, hospital or any other medical organisation, does not take suitable actions to protect such patient information, there are specific laws in developed countries (and most undeveloped ones) which will penalise them even if no information leaks out. My earlier comments on Common Law are because we don't even need written laws to deal with this. Common law is the effect of all those books full of legal precedents that lawyers have on their walls.
If the doctors don't even have firewalls and a patient finds out lawyers could get busy...
Re: (Score:2)
The reason why this information should not be public is because it's open to abuse and discrimination. What about the employer who chooses not to hire you because you have a rare disease that may cause their insurance costs to increase? Is it fair to allow them to use this information against you in this manner?
No, it is not. You should be hired based upon your qualifications for the job and your previous references. US companies are increasingly turning to this type of information for job discrimination an
Re: (Score:2)
And the fact that most people speak openly about it (is it actually really most, or does it only feel like that?) doesn't invalidate the rights of those who don't want others to know about their illnesses or other medical conditions.
Yeah, he was making the Zuckerberg argument - most people use facebook so we should all just make our lives an open book to anyone and everyone.
Americans Are Idiots, news at eleven (Score:2)
Drs fail more than machines. These are the same folks who have tried to kill me several times, often have no idea about me when I visit because they fail to read charts, and prescribe medicine they feel comfortable with instead of checking actually studies.
Re: (Score:2)
they fail to read charts
Hard to read information that isn't there. Asking people what's wrong with them, in their own words, is a very useful guide to dealing with them, because it gives you a good idea from the start how well they understand what is going on.
Sorry you've had such bad experiences with my profession. There are some inexcusable jackasses out there, and I regret them.
Re: (Score:2)
I mean when they don't even know the fact that while my serum potassium is on the low side of the average that is a huge improvement for me.
If I showed up to work as unprepared as these folks I would have been fired long ago.
This is information that is there, it is not subjective either, it is written in black and white by the lab.
pre existing conditions and job discrimination (Score:2)
pre existing conditions and job discrimination are the big fears with Computerized Records.
Re: (Score:2)
I don't think there is a defense against that. You have to sign a third party release for your current insurance, and the insurance companies pool data. Physicians have to code diagnoses and treatments and key them into the system to get paid. Your nosey friends might not have access, but the people you most worry about do.
I'm not worried about "the internet"... (Score:2)
...or Betty in Records getting snoopy.
What I worry about are the 23872832387 "health information sharing authorization" forms I'm basically required to sign every time I do anything remotely related to my health care, whether in the physician's office, renewing benefits at work, etc.
With paper records, the insurance companies, employers, and others who are constantly looking for a way to use your health status against you had to work a damn sight harder to get their hands on this info.
With electronic record
Dr's are tech idiots (Score:5, Interesting)
I work for a large regional provider of EMR hardware and software and I can tell you first hand that you should be afraid, very afraid, of anything your Dr. does with health records that involve a computer. Anti-virus is the tip of the iceberg. You install it for them and their brother in law who's a burger flipper helpfully uninstalls it to "speed things up." Hilarity ensues. Entire offices are implementing EMR that refuse separate usernames and passwords because it's "just too damn hard to remember all that" so everyone logs in as user with some simple password; that's if they even bother to log in or off at all. Of course they have to have admin rights because it's their hardware and they know what's best.
Since most of the offices that are being force-fed EMR because of the lure of up to $44,000 in "stimulus" funds [allscripts.com] are smaller practices, they don't have domains that can be used to enforce universal security policies.
The larger ones, sure, but most of them already use EMR and have on site servers etc. along with the requisite firewalls and VPNs. The vast majority of the new ones though are being sold "cloud" based systems with no local servers at all, so it's a friggin' free for all in terms of security (or lack thereof). They're just lining up for a swipe at the stimulus golden ring but half of them shouldn't even be entrusted with anything as complicated as a TV remote, let alone computer systems.
Re: (Score:2)
A-freakin-men to your whole post, you took all the words right out of my mouth. I'm often shocked at how lax the doctors and staff are even with simple stuff like Windows updates. Just today I found 3 computers at a client's office that were running WinXP SP2!
34% Percent have no antivirus (Score:3)
Also for firewall do they mean a separate dodgy product and are they ignoring the quite reasonable Ms Windows and Apple firewalls? How about the situation where just about every modem or router made after about 2005 has half decent firewall rules as a default?
It's not as if 34% of these computers are actually naked to the net.
Re: (Score:2)
I hope you don't manage the infrastructure at a medical practice. Based on your comments you'd be part of the problem.
what about all the vender systems / medical device (Score:2)
what about all the vender systems / medical device that run windows but are no installing updates and the venders say you are not to install them or they just lock you out of the admin password.
Re: (Score:2)
You isolate them and do not allow access to those systems from the outside. Inside the network, you allow only carefully selected access and block everything else. It's not rocket science.
Not amusing, more like enlightening (Score:2)
Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records.
I find this statement damn interesting, certainly more so than amusing. This sounds like the general public is becoming more knowledgeable than I would have guessed.
Not what I'm worried about (Score:3)
Re: (Score:2)
I know the popular thing is to constantly cry about our precious privacy, but I'm more worried about my medical records not showing up when they are needed, not the other way around. I'm thinking of allergies, drug interaction, and relevant medical history during emergencies, and the like.
That's a strong argument for each person to keep a copy of their records physically with them - like on their smartphone, ipod or a MedicAlert bracelet souped up with flash-storage.
Re: (Score:2)
Re: (Score:2)
and probably 80% of doctors over 45 have a password of "password"
I work in the medical field and I'm going to call bull shit. Actually IME generally the older doctors are safer with computers than the fellows and younger drs. They bring in a MP3 player of their own, or listen to an actual radio, Where as the younger doctors tend to install all kinds of music players and other downloaded programs. Basically the older docs tend to listen to the IT guys whereas the younger ones tend to think they know what they're doing. Believing that if it was that big of a security risk
Re: (Score:2)
Re: (Score:2)
Most doctors don't have access to all patients, and most systems will log every record you view anyway. It's kind of disturbing that the doctors let you shoulder surf, though.
Re: (Score:2)
Re: (Score:2)
The logging helps mitigate the privacy concerns of a doctor being able to see some/most/all of the hospital, but you're right that it wouldn't stop someone off the street from logging in and opening a record.
But, the whole situation you describe is relaly, really depressing. Usually, hospitals are pretty on-the-ball when it comes to security, or at least moreso than individual clinics are. It's particularly surprising that they're overlooking the password sharing - most CIOs/CMIOs will shriek and faint if
Re: (Score:2)
But, the whole situation you describe is relaly, really depressing. Usually, hospitals are pretty on-the-ball when it comes to security, or at least moreso than individual clinics are. It's particularly surprising that they're overlooking the password sharing - most CIOs/CMIOs will shriek and faint if you jump out from behind a corner screaming "HIPAA HIPAA HIPAA!"
Maybe I should write to the CIO of the hospital with my concerns... after all, my records are stored there (and while there's nothing scandalous in my medical records, I do consider them to be some of my most private information). I don't want to get my personal doctor in trouble though, he's the 4th doctor my rural office has had in the last 8 years and I'm glad to finally have one that is competent and I feel I can trust again (the previous three were incompetent and outright assholes - one was a holy rol
Re: (Score:2)
It sounds like between the trouble keeping doctors, the politics, and the IT director, your stress levels would probably be lower as an air traffic controller. I'm guessing the IT director is also responsible for managing peoples logins and privileges, so she's unlikely to fix them. C*Os probably won't care until you mention HIPAA, but it's not a HIPAA violation unless you mention that passwords are being shared, which implies you know who is sharing them.
Either way, that all blows chunks. I wish you and
Re: (Score:2)
Yes, HIPAA does provide "strict guidelines," but how often do they audit? Guidelines are useless when not followed. I have several clients who are doctors/dentists and I know more about HIPAA than they do. To them, it's just a piece of paper w/ rules written on it.