Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Microsoft Working On Health Information 'Vault' System

Journal written by josmar52789 (1152461) and posted by Zonk on Thu Oct 04, 2007 01:22 PM
from the vaults-can-be-cracked dept.
Microsoft Privacy The Internet Technology
josmar52789 wrote with an article from the New York Times, discussing Microsoft's new push into the consumer health care market. The plan is to offer personal health care records online via a system called HealthVault. Numerous big names in the medical field have signed up for the service, including the 'American Heart Association, Johnson & Johnson LifeScan, NewYork-Presbyterian Hospital, the Mayo Clinic and MedStar Health'. The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities: "The personal information, Microsoft said, will be stored in a secure, encrypted database. Its privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol levels. "
+ -
story

Related Stories

Journal: Microsoft Working for Healthcare Monopoly by josmar52789 (1152461)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Microsoft Working On Health Information 'Vault' System 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • unsubscribe (Score:4, Funny)

    by Anonymous Coward on Thursday October 04 2007, @01:25PM (#20855461)
    unsubscribe

      • Re:unsubscribe (Score:5, Insightful)

        by Mister Whirly (964219) on Thursday October 04 2007, @02:32PM (#20856537) Homepage
        "I'll be damned if any of my personal medical information will be entrusted to anything using M$ junk."

        It already is. Look around your doctor's office next time you are there. See the computers? They aren't Macs now, are they?

                • Re: (Score:3, Interesting)

                  by cayenne8 (626475)
                  "I know what HIPPA is, and have taken training on it, and even passed a HIPPA audit. All the medical data was stored on a Windows server, and guess what? Still passed with flying colors. HIPPA does not stipulate certain operating systems - any OS can be used as long as it passes the requirements."

                  This article, at least my understanding of it...isn't just about keeping medical info on a computer running MS Windows....it is more about a centralized medical record datastore that Microsoft is building and its

  • Microsoft's successful formula (Score:5, Funny)

    by us7892 (655683) on Thursday October 04 2007, @01:27PM (#20855485) Homepage
    Microsoft is starting its long-anticipated drive into the consumer health care market by offering free personal health records on the Web and pursuing a strategy that borrows from the company's successful formula in personal computer software.

    I'll bet this sentence is not going to go over too well with the slashdot crowd.

  • Oh yeah, triple secure. (Score:3, Insightful)

    by photomonkey (987563) on Thursday October 04 2007, @01:27PM (#20855495)

    This sounds like one horribly, terribly bad idea to me from a security standpoint.

    Also, I can't help but believe that 'anonymous' information will be handed over to drug companies so they can 'research' their 'market'.

    Some things are still best done with paper and pen.

    • This sounds like a horrible idea to me from other standpoints too:

      1) Medical professionals never like patients to have full access to their records, as if a patient misunderstands something on their file, their life could be at stake based on the decisions they make.

      2) The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host. Let's just say that I highly doubt this information will be protected from people working for US "security" agencies.

      3) The system appears to be designed so that MS can sell aggregated data to drug companies and insurance companies. Seems to me though that even with aggregated data, you could reverse-mine it to have a reasonable suspicion regarding individuals (you'd know trends, which would help in searching for more specific details)

      Anyway, the whole thing could be really useful if used correctly, but there are so many ways it could be misused even if the system doesn't have a major security breach that I for one would never use it.

      • The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host. Let's just say that I highly doubt this information will be protected from people working for US "security" agencies.

        Proof?

      • Re:Oh yeah, triple secure. (Score:4, Interesting)

        by Bacon Bits (926911) on Thursday October 04 2007, @02:49PM (#20856819)
        1. HIPPA says no. You ask, they must give you complete and total access to your own medical records. They have no authiruty to deny them to you unless you suffer from some fairly specific medical conditions (namely, mental illness).

        2. HIPPA says no. If a nurse accidentally allows access to your health information, that's a $10,000 fine for her and a $100,000 fine for the hospital.

        3. HIPPA says no.

        WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

        SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part--

        (1) uses or causes to be used a unique health identifier;

        (2) obtains individually identifiable health information relating to an individual; or

        (3) discloses individually identifiable health information to another person,

        shall be punished as provided in subsection (b).

        (b) PENALTIES.--A person described in subsection (a) shall--

        (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

        (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

        (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

        -- http://aspe.hhs.gov/admnsimp/pl104191.htm#1177 [hhs.gov]

        Geez, you'd think that people involved in IT would be somewhat aware of the demands of HIPPA PHI.

    • Re:Oh yeah, triple secure. (Score:5, Insightful)

      by Evanisincontrol (830057) on Thursday October 04 2007, @01:41PM (#20855723)
      Like it or not, your medical information is going to become electronic. Microsoft isn't the first company to propose an Electronic Health Record [wikipedia.org] -- not by far. The Cerner Corporation [cerner.com], for example, has been working modernize the health record since 1980. There are at least two universities [rit.edu] in the U.S. which host a major in Medical Informatics, a program specifically designed to produce experts in this very subject.

      Try to fight the Electronic Health Record is like trying to fight the use of computers in any other field -- it's inevitable.

  • Uh uh. (Score:3, Insightful)

    by morgan_greywolf (835522) <morgan_greywolf@ ... m ['rr.' in gap]> on Thursday October 04 2007, @01:27PM (#20855499) Homepage Journal

    Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol level
    The hell I will! No way, Jose. Fuggeddaboudit!

    The last thing I need is an employer or potential employer tracking down my medical records. Or the CIA, NSA, ATF, or cybercriminals or any other organization or individual who wishes to covertly steal my personal data for nefarious purposes.

    Do you know what your medical history contains and how it can be used against you? I do.

    • Re: (Score:2, Funny)

      by Anonymous Coward
      You do? How did my last screening turn out? I can't get hold of a real person to ask.

    • Re:Uh uh. (Score:5, Interesting)

      by nine-times (778537) <nine.times@gmail.com> on Thursday October 04 2007, @01:38PM (#20855657) Homepage

      Well, yes, there's a potential problem any time you put enough personal information into one place: sure, it's more convenient for the appropriate people to access, but it's also more convenient for someone to steal.

      My bigger concern, however, is that this is Microsoft proposing this. It makes me want to vet the idea for possible abuses. Beyond the obvious privacy concerns, is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

      Even if such a system is going to be set up, I'd rather someone with a good track record build something that makes use of open formats and protocols. I'd like to know that my family's medical records aren't going to go up in a puff of smoke because Windows Update decided my Office license wasn't "genuine", or something other bizarre thing.

      • Re:Uh uh. (Score:5, Funny)

        by jimicus (737525) on Thursday October 04 2007, @01:52PM (#20855903) Homepage
        is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

        Not at all. It will be web based, and provided you're running Internet Explorer 8 you're fine.

        Oh, didn't we mention? IE 8 will be Vista with SP1 only.
  • meaning, that is.
  • What I'll find amusing is if Microsoft actually follows the legal protocol that such an application has to follow. There are many laws dictating how medical data get's stored, how, and how it is to be accessed. My guess is that MS will "do their own thing" and try to market it as a new feature, even if it breaks a couple laws or compromises our medical info.

  • Hailstorm (Score:4, Insightful)

    by Saint Stephen (19450) on Thursday October 04 2007, @01:30PM (#20855529) Homepage Journal
    Remember Hailstorm? The plan was to expand Passport to first include calendar, todo, and some other web services, and then to provide an ActiveDirectory back-end for auth and ultimately to include all these kinds of services (including payroll and AR/AP data) in a massive cloud.

    Privacy experts freaked out, but Microsoft never cancels anything.
  • Well at least the Vault will always lock up...
  • The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities:

    Yeah...That's gonna work out well. After all, whose products are more secure than Microsoft's?

  • Google Searches too (Score:5, Funny)

    by svendsen (1029716) on Thursday October 04 2007, @01:34PM (#20855603)
    Man if anyone could link Google searches to individuals we would know every person's medical condition.

    Google Search: Itchy crotch

    NSA: Hey Fred Smith has crabs again...lol
  • The company that gave us the ultimately secure Windows OS and the uncrackable Passport?

    Say, are the people who are in charge of this living on another planet? I mean, even a non-technical person should have heard by now that "MS" and "security" in the same sentence are usually only used if there is also at least one of the group "flaw", "leak", "compromised" or "nonexistant" in the close vicinity.

    In other words: How much was it?

    • Re:MS and security? (Score:4, Interesting)

      by suv4x4 (956391) on Thursday October 04 2007, @01:41PM (#20855725)
      The company that gave us the ultimately secure Windows OS and the uncrackable Passport?

      As you know, Windows' security issues are ones of legacy. The more they fix it, the more they wreck existing apps.

      Apart from this, I have to be honest with you: I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

      Microsoft is here to stay, and while they may not end up with the most perfect solution possible, they don't need the money desperately, and can't hide if a major security breach occurs (and it's their fault).
      • ...and can't hide if a major security breach occurs (and it's their fault).

        No, they can't hide. And won't. And needn't. They'll simply say "gee, we're sorry" and get away with it. As usual.

        When was the last time you've seen a large (IT) corporation being forced to take responsibility for the damage they did? Especially if it's "only" privacy leaking.

      • Apart from this, I have to be honest with you: I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

        Yes, but the other entities getting into this space aren't exactly little and unknown, either. One of those has a name that starts with a "G", and I personally suspect that MS decided to get into this field principally to avoid one of their major competitors pulling one over on them again.

  • I personally think microsoft windows server is a great platform to build websites.
    There are range of tools and cookie cutter stuffs already written for in asp/net allows very powerful function to exist especially inter-operate ability with different MS product like sharing outlook generated schedule via exchange server out to web portal.

    However, putting medical records requires requires middleware between ms platform and medical softwares. I see this use of middleware becomes security problem here. Windows
  • Actually, 2 lotteries, one for how long it will take before this system is first compromised and the second for how long after that until MicroSoft admits that the breakin occurred.

    I pick 6 months & 7 months, respectively.
  • I'm not about to give MS any person medical information.
  • and require Microsoft Windows to access it.

    No thanks.

    Just look at what Microsoft is planning to do with Office Live or whatever they are calling it. You need to have Microsoft Office installed locally on your HD. All you are storing is your data. GNU Linux OSes probably won't even be able to run WINE to access those Office Live files. So even if they don't actually charge to access the data, it extends their reach into your life.

  • So, great, they got their grubby hands on a copy of the HL7 schema and dropped in into an encrypted database. Whoop-dee-doo.

  • Sounds Good (Score:3, Informative)

    by RAMMS+EIN (578166) on Thursday October 04 2007, @01:43PM (#20855777) Homepage Journal
    ``...privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or...''

    That sounds good. You actually get full say in who is allowed to do what, and "give permission" sounds like the permissions are secure by default.

    I have about zero trust that Microsoft will actually implement this correctly and securely (I've seen far too many stupid bugs from them lately), but at least they're saying the right things. Not vague promises that it will be "very secure", but an actual description of the security controls they are planning to provide. Moreover, those security controls seem to actually provide the security one would want in such a system.
    • That sounds good. You actually get full say in who is allowed to do what, and "give permission" sounds like the permissions are secure by default.

      Prepare to see a new waiver in the stack of crap you have to sign when going to a new doctor's office requiring you to give permission for full access to your records for any purpose not prohibited by law.

      This will happen because doctors will not want to spend time having you okay access to each locked off section of your records that they might need, and they sur

  • Except for the tinfoil hat crowd...not a bad idea (Score:4, Insightful)

    by notaprguy (906128) * on Thursday October 04 2007, @01:46PM (#20855827) Journal
    Putting paranoia aside, managing healthcare information is a major pain in the butt. I see this as a way for ME to control how my information is shared rather than my Dr. or my insurance provider. If this idea matures I can see how insurance providers and health providers would need to ask for the patients permission to exchange information rather than just doing it...which is what happens today. If you're worried about the CIA looking into your health information this isn't going to make the problem any worse. Perhaps a little medication might alleviate your stress on that...

  • The HealthVault searches are conducted anonymously

    What does this mean? I hope it doesn't mean that there's no record of who it was that peaked into your medical records.

  • Next Doctors visit might go something like... (Score:5, Funny)

    by EvilSpudBoy (1159091) on Thursday October 04 2007, @01:49PM (#20855863)
    Doctor: I've examined you, and reviewed your MSMedicalHistory(tm) and it looks like you are in fine health, though I see your blood pressure is slightly higher than last time.

    Patient: Well, work has been a bit stressful, should I worry?

    Doctor: Not at all. It is still good for your age. Have you tried Halo 3?

    Patient: huh?

    Doctor: Video games are a great stress reliever. If you don't have an Xbox 360 with Halo3, I can put in an order for one for you. Have you had any other problems?

    Patient: Sometimes I get a headache from staring at the computer too long.

    Doctor: Hold on -- there, I've adjusted your screen resolution and font size on your home and work computers.

    Patient: Umm.....
  • I've been wishing for a system like this, but on a much more mandatory basis for some time now. It is one reason I am in favor of a universal health care system, where all hospitals, clinics, doctors, etc. have access to a single health care information system. Anyone who's been to an emergency room can see the benefits of such a system. Instead of playing 20 questions with the emergency room docs and hoping you don't leave out anything important, they can instantly download your file. They don't' have
  • Given Microsoft's track record in the last 20 years for security flaws, I don't think I'll be participating with this one. I'd rather my personal and medical data be safer locked in a nice, strong FILE CABINET, thank you very much.

  • It understands neither security, nor the enterprise market. The thought that they could be responsible for securing my health history is particularly troubling.

    Yes, I understand that a lot of healthcare providers use MS products internally. However, gaining access to that information requires a concerted attack against a particular target, rather than just "listening" on a wire for healthcare info... The difference is that attempting the first is a crime, while even succeeding in the latter is not.

    • The thought that they could be responsible for securing my health history is particularly troubling.

      If that bothers you, how do you feel about the fact that they're right, and you don't get any say in the matter?

      MS has the marketing, economic, and political clout to get themselves the contract for keeping the health records for everyone in the USA. Washington is already salivating over the prospect of:

      • Saving hundreds of billions on health care costs, and
      • All of the money that companies will make fro
  • Microsoft better not botch the security on this one, there's alot of people whom don't look at medical records as numbers that can just be reset in a database & make things all better.

  • Why do I have a feeling that no one will ever be able to implement a medical records application, which is simultaneously able to interoperate with HealthVault, and also not run on MS Windows?

    As a customer, you have to be fucking crazy (and downright hostile to your stockholders), to want more MS lock-in. Auditors, if any of your people don't look terrified by this, start looking for kickbacks. By trying to start a new monopoly, Microsoft is actually doing a wonderful thing: showing you exactly which emp

  • VA (not MS!) VISTA? (Score:4, Interesting)

    by xanthines-R-yummy (635710) on Thursday October 04 2007, @02:16PM (#20856305) Homepage Journal
    As someone in the healthcare field, I've found that the VA has the best electronic record keeping system. It's logical, complete, reliable, and relatively easy to use. Why can't the government just lease that out? Or does it violate some kind of law regarding competition? Does anyone know how MS Vault is going to compare? I guess the VA system probably has weaker encryption, but I don't know that for sure. Here's the home site if you don't know what I'm talking about:

    http://www1.va.gov/CPRSdemo/ [va.gov]

  • This will probably crush a couple of small startups - like my previous job here:

    www.ndma.us
    (National Digital Medical Archive)
    NDMA never did get all the bugs out. It was a little slow and lacked some key xml protocol sharing features. Security and never losing a file are a legitimately difficult task, in itself, and that was addressed. Maybe Microsoft will come up with better ideas than NDMA did. The protocol for the application there was terribly slow, but the website to access the information eventually came through.

    Selling anonymous data is, unfortunately, a necessary evil. It's already happening, all Hospitals require you to sign things on joining that will give them rights to sell your data, with your name and ID numbers removed. Doctors do truly need that information, especially for disease outbreaks and drug treatment information. This system by Microsoft just makes it more practical.

    With Microsoft entering, it probably means Oracle, IBM, and maybe Sun will as well. There's tens of billions of dollars to be made.

    -Ben

    • Re:Free medical records on the web? (Score:4, Interesting)

      by mpapet (761907) on Thursday October 04 2007, @01:46PM (#20855825) Homepage
      The actual HIPAA regs appear quite stringent, but you'll find that they don't make the data more secure.

      For example, Use is well-defined in many cases, but actual security mechanisms are not. This kind of programming is right up Microsoft's alley. Not only is the security model pretty weak, there's limited interoperability requirements.

      Please, read the standard. It's not fun reading, but the average /.'er will probably discover it addresses some basic stuff, but leaves the door wide open for familiar and massive compromises.

      http://www.hhs.gov/ocr/hipaa/ [hhs.gov]

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.