Microsoft Working On Health Information 'Vault' System

josmar52789 wrote with an article from the New York Times, discussing Microsoft's new push into the consumer health care market. The plan is to offer personal health care records online via a system called HealthVault. Numerous big names in the medical field have signed up for the service, including the 'American Heart Association, Johnson & Johnson LifeScan, NewYork-Presbyterian Hospital, the Mayo Clinic and MedStar Health'. The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities: "The personal information, Microsoft said, will be stored in a secure, encrypted database. Its privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol levels. "

unsubscribe

[Anonymous Coward]

unsubscribe

Re:unsubscribe

[Mister Whirly]

"I'll be damned if any of my personal medical information will be entrusted to anything using M$ junk."

It already is. Look around your doctor's office next time you are there. See the computers? They aren't Macs now, are they?

Re:

[cayenne8]

"It already is. Look around your doctor's office next time you are there. See the computers? They aren't Macs now, are they?"

Actually, MANY MANY Dr.s offices still primarily use paper records for perm. records, often computers are mostly used for scheduling. At least for smaller private doctors.

At the very least, this MS system sounds like it would be web accessible....with the part of patients being able to type in their info....

Snowballs chance in hell baby, snowballs chance in hell.....

Re:

[Mister Whirly]

And on which systems do you think they store all the health information gathered by the doctors? Such as your charts, test results, prescriptions, etc. You don't have any control over how these are stored, nor can you selectively edit the information according to your needs. Giving them a fake address doesn't change anything.

And if they have no clue about Microsoft's security record, do you honestly think they will know or care what Linux is?? Save the lecture.

Re:

[Mister Whirly]

I know what HIPPA is, and have taken training on it, and even passed a HIPPA audit. All the medical data was stored on a Windows server, and guess what? Still passed with flying colors. HIPPA does not stipulate certain operating systems - any OS can be used as long as it passes the requirements.

Re:

[cayenne8]

"I know what HIPPA is, and have taken training on it, and even passed a HIPPA audit. All the medical data was stored on a Windows server, and guess what? Still passed with flying colors. HIPPA does not stipulate certain operating systems - any OS can be used as long as it passes the requirements."

This article, at least my understanding of it...isn't just about keeping medical info on a computer running MS Windows....it is more about a centralized medical record datastore that Microsoft is building and its

Microsoft's successful formula

[us7892]

Microsoft is starting its long-anticipated drive into the consumer health care market by offering free personal health records on the Web and pursuing a strategy that borrows from the company's successful formula in personal computer software.

I'll bet this sentence is not going to go over too well with the slashdot crowd.

Re:

[Opportunist]

Must've been borrowing for a while now. If I was MS, I'd sue to get it back.

Re:

[SoCalChris]

I don't think that anyone can argue about whether they have a successful formula in personal computer software. They've made billions using that formula.

Re:

[iONiUM]

You can dislike Microsoft's business practice all you want, but they are "successful" in a financial sense. Nobody, not even slashdot users, can deny that.

Re:Microsoft's successful formula

[h2_plus_O]

Nobody, not even slashdot users, can deny that.

you must be new here.

Re:

[Stormwatch]

I'll bet this sentence is not going to go over too well with the slashdot crowd.

Not really. Nobody can deny that Microsoft is successful. Now, do they deserve said success? Now that's debatable.

And let's be realistic: not all of it comes from unethical business practices. Despite the security issues and mediocre design, Windows was "good enough" for most people. And they cheated sometimes, sure, but their rivals mostly failed by themselves. For example, back in the early 90s, I recall that IBM sold PCs load

Re:

[Mister Whirly]

"Microsoft is starting its long-anticipated drive into the consumer health care market by offering free personal health records on the Web and pursuing a strategy that borrows from the company's successful formula in personal computer software."

I'll bet this sentence is not going to go over too well with the slashdot crowd.

Yeah. Everyone knows that a business with over 90% of desktop marketshare is an utter failure. Not saying I agree with their "formula", but one could hardly call it "unsuccessful".

I worried that health companies will fall for it

[KWTm]

"... a strategy that borrows from the company's successful formula in personal computer software."
I'll bet this sentence is not going to go over too well with the slashdot crowd.

Unfortunately, it will sound nice to health care companies. I am involved in the healthcare sector, and I am worried that this will succeed, without the health care companies knowing (or caring) about the issues. Microsoft has the cash, the clout and the reputation for this. (Remember, to non-geeks, Microsoft is the premier co

Re:

[synthespian]

To me, security is not even the question. The question is that health care has been persuing open standards (like HealthLevel7) and Microsoft and open standards do not mix - at least, that has been Microsoft's track record and policy for more than 20 years.

Governments have a huge stake in this. Anything to do with Microsoft-only solution is bound to hurt the public health sector. I understand that, the public health sector being virtually non-existent in the U.S., this doesn't represent a big problem there.

Re:Monopoly Abuse. Re:Microsoft's successful formu

[everphilski]

It's nice of them to admit they are and be described as a one trick pony.

One hell of a pony ...

Oh yeah, triple secure.

[photomonkey]

This sounds like one horribly, terribly bad idea to me from a security standpoint.

Also, I can't help but believe that 'anonymous' information will be handed over to drug companies so they can 'research' their 'market'.

Some things are still best done with paper and pen.

Re:Oh yeah, triple secure.

[Em Adespoton]

This sounds like a horrible idea to me from other standpoints too:

1) Medical professionals never like patients to have full access to their records, as if a patient misunderstands something on their file, their life could be at stake based on the decisions they make.

2) The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host. Let's just say that I highly doubt this information will be protected from people working for US "security" agencies.

3) The system appears to be designed so that MS can sell aggregated data to drug companies and insurance companies. Seems to me though that even with aggregated data, you could reverse-mine it to have a reasonable suspicion regarding individuals (you'd know trends, which would help in searching for more specific details)

Anyway, the whole thing could be really useful if used correctly, but there are so many ways it could be misused even if the system doesn't have a major security breach that I for one would never use it.

Re:

[ejdmoo]

The US has this thing called the PATRIOT act, and MS has agreements with some agencies allowing back-door access to data they host. Let's just say that I highly doubt this information will be protected from people working for US "security" agencies.

Proof?

Re:

[Deadplant]

proof?
There is no disputing it, you can read it yourself if like:
http://www.epic.org/privacy/terrorism/hr3162.html [epic.org]

There is no argument on this subject that I am aware of.
The administration is actually proud of it. They think it is a good thing.

I have not heard about MS allowing backdoor access to some data but that would be nothing more than an administrative efficiency which I would have assumed they would have implemented by now. The 'right' of the CIA/SS/FBI/DHS/NSA to access the data is laid out in th

Re:

[hazem]

1) Medical professionals never like patients to have full access to their records, as if a patient misunderstands something on their file, their life could be at stake based on the decisions they make.

To paraphrase Asimov, "if knowledge is dangerous, I can't believe the solution is ignorance". What useful knowledge is NOT dangerous in some way? Fire? Automobiles? Speech?

Those records are about me and I should have the ability to see/read/have copies of them. I should be able take them to another provid

Re:

[CodeBuster]

The question isn't whether normal people are smart but how the records would be used. Suppose that the insurance companies got access to the records and used them to price discriminate or deny coverage? How would you know that the record had been accessed or, more succinctly, how would you prove that they discriminated or denied coverage based upon a peek at your medical records?

Re:Oh yeah, triple secure.

[Bacon Bits]

1. HIPPA says no. You ask, they must give you complete and total access to your own medical records. They have no authiruty to deny them to you unless you suffer from some fairly specific medical conditions (namely, mental illness).

2. HIPPA says no. If a nurse accidentally allows access to your health information, that's a $10,000 fine for her and a $100,000 fine for the hospital.

3. HIPPA says no.

WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part--

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection (b).

(b) PENALTIES.--A person described in subsection (a) shall--

(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

-- http://aspe.hhs.gov/admnsimp/pl104191.htm#1177 [hhs.gov]

Geez, you'd think that people involved in IT would be somewhat aware of the demands of HIPPA PHI.

Re:

[UncleTogie]

I just checked, and the section allows for law enforcement access....

Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court- ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Pretty nebulous there, and I'll bet 10-to-1 that the system WILL be socially engineered based on this section...

Re:

[freemywrld]

The tone of your post should answer your own question. Why do people want the opportunity to keep certain information about themselves private? Discrimination, that's why. The automatic judgements you make in your post lead me to believe that you would treat people differently based on such information. People keep irrelevant personal information private to protect themselves from people like you.

Re:Oh yeah, triple secure.

[Evanisincontrol]

Like it or not, your medical information is going to become electronic. Microsoft isn't the first company to propose an Electronic Health Record [wikipedia.org] -- not by far. The Cerner Corporation [cerner.com], for example, has been working modernize the health record since 1980. There are at least two universities [rit.edu] in the U.S. which host a major in Medical Informatics, a program specifically designed to produce experts in this very subject.

Try to fight the Electronic Health Record is like trying to fight the use of computers in any other field -- it's inevitable.

Re:

[ceoyoyo]

Yes, but perhaps the Internet isn't the best place for such data.

Re:

[Evanisincontrol]

There are plenty of organizations (especially the govt) pushing for standardization, but it's going to be really difficult to pull off.

You don't think the ANSI-accredited HL7 [wikipedia.org] is doing a good job pushing for standardization? Hell, they've completely revolutionized Health Informatics standards in the last few years. Especially with Version 3 being based on XML, I predict a HUGE portion of the Health Informatics market to adopt HL7 as a standard.

Uh uh.

[morgan_greywolf]

Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol level

The hell I will! No way, Jose. Fuggeddaboudit!

The last thing I need is an employer or potential employer tracking down my medical records. Or the CIA, NSA, ATF, or cybercriminals or any other organization or individual who wishes to covertly steal my personal data for nefarious purposes.

Do you know what your medical history contains and how it can be used against you? I do.

Re:

[Anonymous Coward]

You do? How did my last screening turn out? I can't get hold of a real person to ask.

Re:Uh uh.

[nine-times]

Well, yes, there's a potential problem any time you put enough personal information into one place: sure, it's more convenient for the appropriate people to access, but it's also more convenient for someone to steal.

My bigger concern, however, is that this is Microsoft proposing this. It makes me want to vet the idea for possible abuses. Beyond the obvious privacy concerns, is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

Even if such a system is going to be set up, I'd rather someone with a good track record build something that makes use of open formats and protocols. I'd like to know that my family's medical records aren't going to go up in a puff of smoke because Windows Update decided my Office license wasn't "genuine", or something other bizarre thing.

Re:Uh uh.

[jimicus]

is Microsoft going to make it accessible only to Windows Vista machines, thereby forcing the entire medical system and any potential clients to upgrade, followed by years of lock-in?

Not at all. It will be web based, and provided you're running Internet Explorer 8 you're fine.

Oh, didn't we mention? IE 8 will be Vista with SP1 only.

Re:

[???]

Online Etymology Dictionary - Cite This Source - Share This
vet (1)
1862, shortened form of veterinarian. The verb "to submit (an animal) to veterinary care" is attested from 1891; the colloquial sense of "subject to careful examination" (as of an animal by a veterinarian, especially of a horse before a race) is first attested 1904, in Kipling.

Re:

[nine-times]

Thanks for that. I was tempted to respond to that. "Vet" is correct, but AFAIK, "vett" is wrong. I think it only adds the extra "t" when you change tense, i.e. "vetted" or "vetting", unless there's some unconventional spelling that's become accepted.

Re:

[Cecil]

A vote for ron paul would also allow you to say "No, thanks" and if needed, get healthcare from someone else.

"Blue screen of Death" to have a whole new

[unity100]

meaning, that is.

Re:"Blue screen of Death" to have a whole new

[Joe the Lesser]

Error: Could not find liver.dll

Re:

[mangu]

Error: Could not find liver.dll

Have you looked into the C:\booze folder?

Try uninstalling your CD burning software.

[Valdrax]

Error: Could not find liver.dll

Seems to be a conflict with Alcohol 120%.

Standards

[jshriverWVU]

What I'll find amusing is if Microsoft actually follows the legal protocol that such an application has to follow. There are many laws dictating how medical data get's stored, how, and how it is to be accessed. My guess is that MS will "do their own thing" and try to market it as a new feature, even if it breaks a couple laws or compromises our medical info.

Re:

[ScentCone]

My guess is that MS will "do their own thing" and try to market it as a new feature, even if it breaks a couple laws or compromises our medical info.

No, my guess is that they'll follow all of the HIPPA requirements, and as a result their service (and anyone else's, trying to accomplish the same thing) will be - just as HIPPA requires - such a gigantic PITA to use that it simply won't be used. People will just die from drug interactions the good old fashioned way, but do so with more privacy.

Hailstorm

[Saint Stephen]

Remember Hailstorm? The plan was to expand Passport to first include calendar, todo, and some other web services, and then to provide an ActiveDirectory back-end for auth and ultimately to include all these kinds of services (including payroll and AR/AP data) in a massive cloud.

Privacy experts freaked out, but Microsoft never cancels anything.

Lock up

[OK PC]

Well at least the Vault will always lock up...

Yeah...

[Cleon]

The ultimate purpose of the service is to provide an online accessible but highly secure service to patients and medical facilities:

Yeah...That's gonna work out well. After all, whose products are more secure than Microsoft's?

Re:

[jonesy16]

Well, NTFS may be a major pain when it comes to fragmentation and journalling support, but it does have one of the best security systems out there in terms of cascading permissions. Most *NIX filesystems only provide you with three tiers of controls: owner, group, everyone. On XP/Vista/NT you can provide as many levels of permissions for as many users as you want with much finer control than just read, write, access. With this in mind, we shouldn't say that microsoft is completely insecure. It's much ea

Google Searches too

[svendsen]

Man if anyone could link Google searches to individuals we would know every person's medical condition.

Google Search: Itchy crotch

NSA: Hey Fred Smith has crabs again...lol

MS and security?

[Opportunist]

The company that gave us the ultimately secure Windows OS and the uncrackable Passport?

Say, are the people who are in charge of this living on another planet? I mean, even a non-technical person should have heard by now that "MS" and "security" in the same sentence are usually only used if there is also at least one of the group "flaw", "leak", "compromised" or "nonexistant" in the close vicinity.

In other words: How much was it?

Re:MS and security?

[suv4x4]

The company that gave us the ultimately secure Windows OS and the uncrackable Passport?

As you know, Windows' security issues are ones of legacy. The more they fix it, the more they wreck existing apps.

Apart from this, I have to be honest with you: I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

Microsoft is here to stay, and while they may not end up with the most perfect solution possible, they don't need the money desperately, and can't hide if a major security breach occurs (and it's their fault).

Re:

[Opportunist]

...and can't hide if a major security breach occurs (and it's their fault).

No, they can't hide. And won't. And needn't. They'll simply say "gee, we're sorry" and get away with it. As usual.

When was the last time you've seen a large (IT) corporation being forced to take responsibility for the damage they did? Especially if it's "only" privacy leaking.

Re:

[cduffy]

Apart from this, I have to be honest with you: I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

Yes, but the other entities getting into this space aren't exactly little and unknown, either. One of those has a name that starts with a "G", and I personally suspect that MS decided to get into this field principally to avoid one of their major competitors pulling one over on them again.

Re:

[Salsaman]

Microsoft is here to stay

I damn well hope not.

I prefer someone with less cash

[KWTm]

I'd rather have Microsoft work on this health information system, than some unknown little entity that just is in to grab the money and run.

I'd rather have some small company that has to build up trust and earn the respect of the healthcare industry, rather than some big convicted monopolist that has enough cash to do what it wants with impunity, and has enough monopoly-generated momentum that it can market an OS like Vista and make statements like "Google's success was only because of us!"

If Microsoft was

microsoft vs security

[oktokie]

I personally think microsoft windows server is a great platform to build websites.
There are range of tools and cookie cutter stuffs already written for in asp/net allows very powerful function to exist especially inter-operate ability with different MS product like sharing outlook generated schedule via exchange server out to web portal.

However, putting medical records requires requires middleware between ms platform and medical softwares. I see this use of middleware becomes security problem here. Windows

Re:

[SixDimensionalArray]

Welll... except for Microsoft's huge investment in web services and service oriented architectures (SOA). I don't see the problem you describe so long as people follow, say, the SOAP protocol over some TCP port, and make use of the WS-* frameworks, or even common sense, for securing their web services. The format of the actual messages exchanged - well - that's a different story.. in the healthcare industry we have the X12 (still not XML) and HL7 (some XML, some not XML) data standards which are not rigid

Let's start a lottery on this

[n0ano]

Actually, 2 lotteries, one for how long it will take before this system is first compromised and the second for how long after that until MicroSoft admits that the breakin occurred.

I pick 6 months & 7 months, respectively.

I wouldn't trust MS to store my phone number

[olddotter]

I'm not about to give MS any person medical information.

And sell your health info back to you

[christian.einfeldt]

and require Microsoft Windows to access it.

No thanks.

Just look at what Microsoft is planning to do with Office Live or whatever they are calling it. You need to have Microsoft Office installed locally on your HD. All you are storing is your data. GNU Linux OSes probably won't even be able to run WINE to access those Office Live files. So even if they don't actually charge to access the data, it extends their reach into your life.

Per usual "revise and extend" behavior...

[C10H14N2]

So, great, they got their grubby hands on a copy of the HL7 schema and dropped in into an encrypted database. Whoop-dee-doo.

Re:

[???]

I like your nickname so much that I'm going out for a smoke now.

Sounds Good

[RAMMS+EIN]

``...privacy controls are set entirely by the individual, including what information goes in and who gets to see it. The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record. Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or...''

That sounds good. You actually get full say in who is allowed to do what, and "give permission" sounds like the permissions are secure by default.

I have about zero trust that Microsoft will actually implement this correctly and securely (I've seen far too many stupid bugs from them lately), but at least they're saying the right things. Not vague promises that it will be "very secure", but an actual description of the security controls they are planning to provide. Moreover, those security controls seem to actually provide the security one would want in such a system.

Please fill out and sign these forms.

[Valdrax]

That sounds good. You actually get full say in who is allowed to do what, and "give permission" sounds like the permissions are secure by default.

Prepare to see a new waiver in the stack of crap you have to sign when going to a new doctor's office requiring you to give permission for full access to your records for any purpose not prohibited by law.

This will happen because doctors will not want to spend time having you okay access to each locked off section of your records that they might need, and they sur

Except for the tinfoil hat crowd...not a bad idea

[notaprguy]

Putting paranoia aside, managing healthcare information is a major pain in the butt. I see this as a way for ME to control how my information is shared rather than my Dr. or my insurance provider. If this idea matures I can see how insurance providers and health providers would need to ask for the patients permission to exchange information rather than just doing it...which is what happens today. If you're worried about the CIA looking into your health information this isn't going to make the problem any worse. Perhaps a little medication might alleviate your stress on that...

Re:

[xanthines-R-yummy]

Pffft! "...rather than just doing it"? I dont' know where you get your healthcare from, but around here I order thousands of dollars of rather unnecessary tests and scans on patients because I can't seee what the hospital across town found. There's just too much bureaucrcy to cut through. Even IF I manage to get a patient to get in touch with the other hospital and give consent, it doesn't always appear: oops, it was faxed to the wrong number; someone forgot to send those; who are you again?;

The more likel

Re:Except for the tinfoil hat crowd...not a bad id

[jedidiah]

I have a far better idea...

Make the doctors give it to YOU.

You want to control how information is shared? Then do the sharing yourself. Keep the data yourself and determine what you will share and what you wont.

This needs to be a desktop app with a defined format, not some Orwellian data mining operation.

Keep your own medical records.

Re:

[inKubus]

That's what this is for, an online tool to manage your own health records. And it interfaces with some popular home medical devices such as blood pressure and blood sugar monitoring, which means you don't have to worry about recording it in a journal (which most people are too lazy to do). If you've ever had to fill the same damn personal history form out again and again, you know why this might be useful. Also, you can edit it to show whatever you want. It's getting to the point where we are going to h

Re:Except for the tinfoil hat crowd...not a bad id

[Deadplant]

Paranoia? tin-foil hats?
when an agency does something a few times you consider it paranoia to suspect that they might do it again?

Anonymous?

[DoofusOfDeath]

The HealthVault searches are conducted anonymously

What does this mean? I hope it doesn't mean that there's no record of who it was that peaked into your medical records.

Next Doctors visit might go something like...

[EvilSpudBoy]

Doctor: I've examined you, and reviewed your MSMedicalHistory(tm) and it looks like you are in fine health, though I see your blood pressure is slightly higher than last time.

Patient: Well, work has been a bit stressful, should I worry?

Doctor: Not at all. It is still good for your age. Have you tried Halo 3?

Patient: huh?

Doctor: Video games are a great stress reliever. If you don't have an Xbox 360 with Halo3, I can put in an order for one for you. Have you had any other problems?

Patient: Sometimes I get a headache from staring at the computer too long.

Doctor: Hold on -- there, I've adjusted your screen resolution and font size on your home and work computers.

Patient: Umm.....

It's about time

[businessnerd]

I've been wishing for a system like this, but on a much more mandatory basis for some time now. It is one reason I am in favor of a universal health care system, where all hospitals, clinics, doctors, etc. have access to a single health care information system. Anyone who's been to an emergency room can see the benefits of such a system. Instead of playing 20 questions with the emergency room docs and hoping you don't leave out anything important, they can instantly download your file. They don't' have

I *really* hate to break the news to you

[overshoot]

Of course, there are some downsides, but they are mostly the tin-foil-hat-wearing kind. A central database of your health records could be infiltrated, thus compromising your privacy. There are a lot of people who would want to know how healthy you are, but it's really none of their business. This could be potential employers, political competitors, etc. Security would have to be a number one priority of such a system.

What security? If it's going to be available to the ER when they wheel you in with a

A fifty year old "innovation".

[AJWM]

If you want that service for yourself, fine -- sign up with MedicAlert [medicalert.org] who have been doing that sort of thing for 50-plus years, and emergency responders are all trained to look for the MedicAlert tag. They're also a non-profit, which I'm inclined to think makes them more trustworthy than Microsoft.

There are some other outfits that have similar services -- Divers Alert Network (DAN) [diversalertnetwork.org] comes to mind, also a non-profit, they're specialized for divers and offer a number of related services (training, etc - th

Great! A service I can trust!

[Eggplant62]

Given Microsoft's track record in the last 20 years for security flaws, I don't think I'll be participating with this one. I'd rather my personal and medical data be safer locked in a nice, strong FILE CABINET, thank you very much.

Microsoft has repeatedly shown that

[gillbates]

It understands neither security, nor the enterprise market. The thought that they could be responsible for securing my health history is particularly troubling.

Yes, I understand that a lot of healthcare providers use MS products internally. However, gaining access to that information requires a concerted attack against a particular target, rather than just "listening" on a wire for healthcare info... The difference is that attempting the first is a crime, while even succeeding in the latter is not.

You're easily troubled

[overshoot]

The thought that they could be responsible for securing my health history is particularly troubling.

If that bothers you, how do you feel about the fact that they're right, and you don't get any say in the matter?

MS has the marketing, economic, and political clout to get themselves the contract for keeping the health records for everyone in the USA. Washington is already salivating over the prospect of:

• Saving hundreds of billions on health care costs, and
• All of the money that companies will make fro

Sued to death

[Joebert]

Microsoft better not botch the security on this one, there's alot of people whom don't look at medical records as numbers that can just be reset in a database & make things all better.

interoperability?

[Cajun Hell]

Why do I have a feeling that no one will ever be able to implement a medical records application, which is simultaneously able to interoperate with HealthVault, and also not run on MS Windows?

As a customer, you have to be fucking crazy (and downright hostile to your stockholders), to want more MS lock-in. Auditors, if any of your people don't look terrified by this, start looking for kickbacks. By trying to start a new monopoly, Microsoft is actually doing a wonderful thing: showing you exactly which emp

This WOULD HAVE BEEN a first post, but...

[darkonc]

I spent too much time ROTFL at the concept of a secure Microsoft product -- especially a first-release.

Oh -- and it uses your Windows Live ID All of your medical, financial and communications information under one Microsoft password (if MS has their way).
It's enough to give me a heart attack.

Typical

[FranTaylor]

Pure vapor. Again, Microsoft sees other people making money, gets mad, issues a vaporware press release. This one sounds like it may have taken an hour or so to write. If there ever is a finished product, you just know that it won't even resemble what they are talking about here. Go back and read old Microsoft press releases if you doubt me.

The summary quote seems contradictory...

[Overzeetop]

quoteth the summary:

Its privacy controls are set entirely by the individual, including what information goes in and who gets to see it.

Pretty simple, I get to say that nobody sees it.

The HealthVault searches are conducted anonymously and will not be linked to any personal information in a HealthVault personal health record.

Whoa, there, I thought that the individual set the permissions, but there can be anonymous access to the data therein? So which is it?

Re:

[Larry Lightbulb]

You decide who can see your information and know it's yours; the anonymous part means they don't know it's yours, which could be useful in large studies rather than indivudual treatment.

Google has a similar effort

[lseltzer]

See this NYT article on both services [nytimes.com]

Google is more secure than MicroSoft Vault

[peter303]

Get my point?

VA (not MS!) VISTA?

[xanthines-R-yummy]

As someone in the healthcare field, I've found that the VA has the best electronic record keeping system. It's logical, complete, reliable, and relatively easy to use. Why can't the government just lease that out? Or does it violate some kind of law regarding competition? Does anyone know how MS Vault is going to compare? I guess the VA system probably has weaker encryption, but I don't know that for sure. Here's the home site if you don't know what I'm talking about:

http://www1.va.gov/CPRSdemo/ [va.gov]

Re:

[inKubus]

Dude, it's not an EHR, it's a PHR. PERSONAL health record. Basically it's a spot where you can put the information you WANT to share. Gradually, the industry will realize that people don't want independent records kept (almost like the credit report system, but not as accessible). I have a kid, and when you see all the crap you have to keep yourself, like immunization records, certificates of this and that for school/daycare, etc etc. having a central point to share them would be rather nice. Imagine s

itsatrap - Requires Windows Live ID

[VP]

In order for the consumer to authorize a physician to see some of the data in the vault, both sides need to have a Windows Live ID.

It makes sense to me

[dave562]

I'm probably going to get modded down for this, but here goes. It makes sense for Microsoft, or some other major vendor to do an initative like this. There are so many governmental regulations regarding the storage of patient medical records that keeping up with those regulations is a major burden on doctors offices, hospitals and clinics. The system is geared towards a centralized model. Put the burden on a vendor to keep up with the regulations and security of patient records and let the clinic staff

A dababase somewhat skewed

[frovingslosh]

Well, if there is one name that I both hold trustworthy enough to guard my private medical data and also associate with a proven history of excelence in computer security, it's Microsoft. But isn't there a danger that the data will be rather skewed towards insanity based on those who choose to opt in?

Hey, I read that book

[JazzLad]

The Truth Machine [ha.com] or The First Immortal [ha.com] anyone?

I seem to recall one went into the database/vault/whatever you wanna call it in more detail than the other (I think it was the first one), any other Halperin fans out there?

PS: If you haven't read either / both, both are available for download & IMHO well worth the time.
Sorry to get your site slashdotted, James :)

secure?

[Deadplant]

I am assuming that since it is a Microsoft system that it will be hosted in the USA.
It therefore cannot lawfully be made secure.

Any information in any computer system operated by an american company must be made available (secretly, MS will not be allowed to notify you) upon request from an american government agency like homeland security or the CIA.

This is a total non-starter for citizens of other nations like for example Canada.
In fact, I doubt this service would even be compliant with Canadian or Europe

count the health care panaceas

[nido]

Electronic health records [wikipedia.org] [EHR], such as this new system offered by Microsoft, is the latest placebo promoted as a fix for the American system of health care.

From the fine article:

"It's going to be a long journey," Mr. Neupert said. "To make a difference in health care, it is doing to take time and scale. And Microsoft has both."

The advantages of the EHR is that all the doctors a patient sees have instant access to all the patient's medical history. This includes the results of diagnostic tests (X-Rays, MRIs, CT-Scans, Endoscopy, Colonoscopy, allergies, etc). The theory is that we'd get better results from the healthcare system if only practitioners had

accessible vs secure

[deadline]

online accessible but highly secure service

When given such statement it is important to remember that you can pick one and only one option. Everything else is wishful thinking.

Ask British Columbia how good that is ...

[davecb]

They are implementing quite a different system, which will actually pass the BC privacy standards... which aren't as strong as they could be. See http://www.oipcbc.org/publications/speeches_presentations/speech_04.html [oipcbc.org] for an idea of just how hard this is for personal medical records.

--dave (who has worked on personally identifying health information in the past) c-b

Sweet Baby Jesus

[turgid]

Should I just get a MySpace page and post my medical records on it?

Sounds exactly like my old Company NDMA

[Benjamin Shniper]

This will probably crush a couple of small startups - like my previous job here:

www.ndma.us
(National Digital Medical Archive)
NDMA never did get all the bugs out. It was a little slow and lacked some key xml protocol sharing features. Security and never losing a file are a legitimately difficult task, in itself, and that was addressed. Maybe Microsoft will come up with better ideas than NDMA did. The protocol for the application there was terribly slow, but the website to access the information eventually came through.

Selling anonymous data is, unfortunately, a necessary evil. It's already happening, all Hospitals require you to sign things on joining that will give them rights to sell your data, with your name and ID numbers removed. Doctors do truly need that information, especially for disease outbreaks and drug treatment information. This system by Microsoft just makes it more practical.

With Microsoft entering, it probably means Oracle, IBM, and maybe Sun will as well. There's tens of billions of dollars to be made.

-Ben

Mod parent funny or obvious

[reidconti]

... since they lose money on virtually everything they do, short of Windows and Office. I bet they make money on keyboards and mice, too.

Re:

[blcamp]

Actually, I would have said "Let the CHAIR Throwing Begin!"

Re:Free medical records on the web?

[mpapet]

The actual HIPAA regs appear quite stringent, but you'll find that they don't make the data more secure.

For example, Use is well-defined in many cases, but actual security mechanisms are not. This kind of programming is right up Microsoft's alley. Not only is the security model pretty weak, there's limited interoperability requirements.

Please, read the standard. It's not fun reading, but the average /.'er will probably discover it addresses some basic stuff, but leaves the door wide open for familiar and massive compromises.

http://www.hhs.gov/ocr/hipaa/ [hhs.gov]

Re:

[korbin_dallas]

HIPAA doesn't protect 'you' or 'your data', HIPAA protects the Feds and the Medical Industry from lawsuits due to data theft.

That is all.

Heres an idea...give me all those medical documents, I'll keep them at home (or the Bank of Chiba) myself.

Bank of Chiba...
"We keep your money safe by^H^Hfrom prying eyes."

Re:

[_anomaly_]

But your information is stored in a vault!

Er, you're right, I'm not comfortable with that either.

Now, if it was stored in a lock box, that'd be a different story...

Re:

[psbrogna]

Sssh! They might here you.