Accessing Medical Files Over P2P Networks 137
Gov IT writes with this excerpt from NextGov:
"Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems. ... The basic technology that runs peer-to-peer networks inadvertently exposed the files probably without the computer user's knowledge, Johnson said. A health care worker might have loaded patient files onto a laptop, for example, and taken it home where a son or daughter could have downloaded a peer-to-peer client onto the laptop to share music."
P2P?! Oh no! (Score:5, Insightful)
Sorry but what does one have to do with another?
Currently Doctors are using word documents with every patient's name as the title in some locations. While others are using VB apps with a Acess Database type solution.
Putting real money into a real electronic system with access controls and a audit trail is a GOOD thing and will stop things like records spreading onto P2P networks.
It is good for patients, it is good for doctors, and it is good for the general quality of healthcare.
I grant that it is expensive though. I also grant that governments are bad at large IT projects and always give it to the lowest bidder.
Re: (Score:2, Interesting)
I also grant that governments... always give it to the lowest bidder.
This is a problem within a lie. Governments outsource to whomever civil servants or politicians are friends with, where friendship in politics is all about the kick-backs. This is true whether we're talking about a multi-billion dollar IT project or who gets chosen to clean the office. It's more obvious in the latter case, where there's always that mysterious 100% agency mark-up over simply hiring an employee directly. In the former case, it's about tailoring requirements so that precisely one bidder will b
Re: (Score:3, Insightful)
>>>will stop things like records spreading onto P2P networks.
Right because the government has never, ever accidentally let private information leak out ("Congressional worker has laptop stolen)." They government has never, ever let anyone have access to my social security number ("State website published millions of SS numbers online"). We can trust the government to keep our stuff secure ("Our records show you were unemployed in 2003." "How do you know that?" "We just called the IRS; they repo
Re: (Score:2)
The security models for medical data which allow your doctor to find out everything he needs to know to treat you without allowing world and dog to find out everything they need to know to discriminate against you have been around for years. I remember them being covered in lectures when I studied CS a decade ago.
Re: (Score:2, Insightful)
When Big Brother collects information about us, the potential for harm far out-weighs the good. I think only I should decide who has access to my medical records. Not some secretary who gets charmed by an insurance company rep or bribed by a scam artist wanting to take advantage of my medical condition.
And billions of dollars! The President and Congress have no concept of how hard we work to get that money.
Re: (Score:1)
yeah the potential harm, if they are out to get you, outweighs the benifit of you not dying.
Re: (Score:2, Informative)
yeah the potential harm, if they are out to get you, outweighs the benifit of you not dying.
Where there is money to be made (or for that matter, power to be gained) they are out to get you.
Explain the part about dying.
Re: (Score:1)
1) You get hit by a car or are otherwise rushed to A&E unconscious.
2) You have a rare medical condition/allergy.
3) The Doctor doesn't have time to make the phone calls to get your medical records.
4) He treats you with the generic cure (that reacts badly with your condition/allergy).
5) Death
I much prefer:
3) Doctor/nurse takes your wallet and gets your medical records
4) He treats you with the alternative treatment
5) Life
Re: (Score:1)
3) Doctor/nurse takes your wallet and finds your allergy card (could also get telephone numbers for your doctor, wife, neighbor, pharmacy, etc.)
Re: (Score:2)
This is all a moot point if you are currently unemployed, because no employer will hire you because you have a disease, which the employer discovered by looking-at your medical records.
Re: (Score:1, Informative)
Now they'll learn about my heart condition, and in order to reduce medical costs, decide to skip-over me and give the job to someone else.
See GINA [wikipedia.org]. But really the whole point of Health IT is that it's one step towards universal health care. In such a system there won't be discrimination against "pre-existing" conditions and your health history is not your employer's business.
I understand the privacy concerns and but again the goal is make such fears of discrimination moot.
Re:P2P?! Oh no! (Score:4, Insightful)
That makes no sense. Public health care has nothing to do with an advanced IT system; up here in Canada we didn't have anything that can even share files between doctors until relatively recently (less than a decade). The public health care system works without it.
The GP's point is that given this sort of system in a private health care environment, abuse is not only probable, but inevitable.
Re: (Score:3, Informative)
>>>your health history is not your employer's business.
It's not their business about my IRS or SS earnings either, and yet a potential employer (CarMax) still managed to recover my annual income levels for the last 10 years, and uncovered that I was unemployed for most of 2003 ("You're income levels were near-zero that year; what happened?"). You're naive if you think your information is secure.
Re:P2P?! Oh no! (Score:4, Insightful)
>>>will stop things like records spreading onto P2P networks.
Right because the government has never, ever accidentally let private information leak out ("Congressional worker has laptop stolen)." They government has never, ever let anyone have access to my social security number ("State website published millions of SS numbers online"). We can trust the government to keep our stuff secure ("Our records show you were unemployed in 2003." "How do you know that?" "We just called the IRS; they reported your income was near-zero.")
An inperfect but well designed system is miles better than the current system.
Go watch GATTACA if you believe having our medical records available to any doctor who asks is such a great idea. With public sharing of formerly-private data, companies can discriminate against unhealthy persons whenever they desire. Here's a link: http://isohunt.com/torrent_details/39287978/GATTACA?tab=summary [isohunt.com]
Go watch people die when a doctor doesn't have a full medical record when treating a patient.Wow a sci-fi film must obviously have taken a lot more time to do a cost benifit analysis of the situation, and come to a much better conclusion about what would really happen, than an actual analysis of the situation.
It's bad enough I have a credit score attached to my name, along with how much debt I owe, with which employers can decide to hire or not hire me. Now they'll learn about my heart condition, and in order to reduce medical costs, decide to skip-over me and give the job to someone else.
This idea is all kinds of bad.
Erm when did the medical records become public information? Having a system where a doctor (when authorized), can access your medical records (when needed ( with proper punishment when its abused)), is very different from given everybody full access to your medical records.
Re: (Score:2)
Re: (Score:1)
GATTICA is fiction (Score:3, Interesting)
Federal law (Health Insurance Portability and Accountability Act - or HIPAA) levels serious legal liability on "any doctor who asks" (or any other person in a health-care organization who looks at a medical record outside of their job responsibilities. By definition, this, then is not "public sharing of information." XYZ company is not entitled to look at your health information.
Do errors occur? Hell, yes, they do. Laptops get stolen, people scr
Re: (Score:2, Insightful)
Re: (Score:2)
Please someone mod this insightful, intelligent or otherwise freakin' brilliant! There have been discussions of the VA's medical database in the not-too-distant past on Slashdot (too lazy to try to track the links down right now), and they've (rightly) concentrated on the antiquity of the current database management system.
And, in my opinion, oversight is the problem. If you have enough oversight to keep a$$hats from taking advantage of the system, it becomes virtually impossible to get anything done. Th
Re: (Score:2, Insightful)
why does it need to be accessible from the latest and greatest system?
Re: (Score:2)
Well, it doesn't have to be accessible from the absolute latest and greatest system. However, we're talking about a DBMS old enough that it is still hierarchal instead of relational. None of the common commercial tools available for other relational systems really work with the VA's system. Then, it makes it very difficult to get qualified people to work on (and audit) your systems when they're so old that all the experts are pretty much homegrown.
Re: (Score:2)
I grant that it is expensive though. I also grant that governments are bad at large IT projects and always give it to the lowest bidder.
Not as expensive as you think. These real solutions not the cheesy hacks also handle the billing and reduce the need for expensive transcriptionist. Normally after they get a service they can save thousands per month. Even more if they get it threw a reputable SaaS who will intern keep proper backups and insure the data security.
Re: (Score:3, Insightful)
Spoken like an IT genius who doesn't understand a thing about non-technical business folk, especially non-technical government folk.
Would you care to estimate the percentage of end users who will copy&paste everything from this shiny new fully-encrypted fully-audited health records management system into their personal collection of word docs and excel sheets?
Re: (Score:2)
Would you care to estimate the percentage of end users who will copy&paste everything from this shiny new fully-encrypted fully-audited health records management system into their personal collection of word docs and excel sheets?
Probably about the same as those who do it now.
That is if the system is not done right. And yes it probably won't be. I've described secure systems to people before and it's rare to get past the "No removable drives or personal files allowed." part before they start campaigning to neuter it.
A real secure system would prevent this sort of thing but the odds that we'll ever actually develop the spine needed to implement such a system are close to zero.
Re: (Score:2)
Re: (Score:2)
It's not possible. If you display the data, it can be copied. This goes back to the old DRM arguments.
Re: (Score:2)
Re: (Score:3, Informative)
If the data is being displayed, then it is unencrypted in memory. The doctor doesn't have to do anything. An enterprising IT individual who understands the doctor's wishes to manage the data in their own way will write a tool -- perhaps even open source -- that will extract the data from memory and output to a comma separated file. Done.
Re: (Score:2)
> A real secure system would prevent this sort of thing
There is no such thing, unless you're going to allow no access at all to the data. The best you can hope for is to make it difficult enough that non-technical doctors won't know how or won't care to circumvent your road blocks.
Re: (Score:2)
There is no such thing, unless you're going to allow no access at all to the data. The best you can hope for is to make it difficult enough that non-technical doctors won't know how or won't care to circumvent your road blocks.
That would be good enough. Most security breaches come from convenience. Things like Flash drives walking out the door and such. When we have a system that's as secure as a good filing cabinet we can call it secure. As it is now we might as well just put the files in a public library in some cases.
Re: (Score:2)
No, sorry, that is not "good enough" for my medical information. You are comparing against a data breach that currently requires physical access and for which we have centuries of preventative and reactive security techniques. There is very little accountability for electronic data breaches. Everyone just sort of shrugs and says "these things happen." If someone breaks into a medical office, that is not at all the response.
Re: (Score:1, Troll)
Seems like you just tore down your own argument here...
The problem isn't the idea of an electronic system. The problem is the government being involved. Governments fuck things up, constantly. Obama seems to be a big government guy. This scares me.
Re: (Score:2)
Wrong issue (Score:5, Insightful)
The issue here aren't P2P networks. The issue is government employees either loading confidential data on non-approved environments, or unauthorized software being installed on supposedly restricted environments. Both these problems must be addressed with traditional security controls that are completely independent of P2P technologies.
Re:Wrong issue (Score:5, Insightful)
Re: (Score:1)
Re: (Score:2)
Exactly which word is misspelled? Perhaps the punctuation could be a little different but no typo's that I see.
Re: (Score:2)
Unless you consider "they people" to be correct grammar.
Of course it isn't... every edumacated man knows he meant "them people."
Re: (Score:2)
"They people." is a perfectly grammatical sentence.
Re: (Score:2)
Exactly until they people handling the sensitive or classified material learn how to handle it with the care it needs we will keep seeing things like this. I mean how many times a week do we see something about a lost or stolen laptop or device that contained sensitive information. The issue (as per normal) is the USERS
While I fully agree that it is a user issue; i do not absolve p2p networks fully of any responsibility.
Proper system design can help avoid such issues without user intervention. For example, file sharing should require user intervention to select the type, location, and other attributes of files to be shared. Sharing should not be enabled by default.
While users can (and will) still do stupid things; proper systems design can help avoid problems. Having been involved with human factors design, I've seen p
Wrong download. (Score:2)
I don't either. Something illegal file sharers don't realize is the law of unintentional consequences applies to them. Did anyone involved in the creation of these tools ever realize that a program that's designed to make easier the sharing of the contents of whatever it's pointed to with the entire world was going to have consequences like this? Check mark in the column labeled," But I ain't hurting no one".
Still blame the User (Score:1)
Re: (Score:1)
Re: (Score:2)
20,000 violations * $25,000 per violation fine = $500,000,000.00 in totals fines; I don't see the problem! Seriously tell someone they owe a half a billion dollars in fines it's going to get the attention of the whole community.
Who will do one of two things:
Either they will leave the community, or enough of them will hire lobbyists to change the laws so that such fines will never happen again.
Re:Wrong issue (Score:5, Insightful)
Neither the story nor the summary mentioned anything about government employees. The private sector is just as capable of screwing up as the government is.
Re: (Score:1)
Oh I'm sorry, you're perfectly right.
I live in a country where most healthcare providers ARE government employees...
My mistake.
Re: (Score:2)
No worries! I'm a government employee involved with electronic medical records, and I tend to get a bit thin-skinned about such things. Sorry if I sounded grouchy! (Off in search of coffee.)
Re: (Score:2)
If Uncle Sam healthcare ever happens in the U.S., I think I'm going to be frequently sick. As long as I'm paying $10,000 a year in health taxes, I might as well get my money's worth:
"Doctor I ate too much pizza. Can you cure my heartburn?"
"Doctor I stubbed my toe. Can you X-ray it to make sure it's okay?"
"Doctor I have a papercut. Can you wrap my finger?"
Re: (Score:2)
There's an easy way to prevent you from doing this. They will have you sit in the waiting room for 48+ hours, and you won't have the right to leave it until seen by a doctor. You'll learn fast enough not to come back until you really need it ;)
Re: (Score:2)
There's an easy way to prevent you from doing this. They will have you sit in the waiting room for 48+ hours, and you won't have the right to leave it until seen by a doctor. You'll learn fast enough not to come back until you really need it ;)
It also is a great way to save costs, a fair number of people will die before they get to see the doctor so the government won't have to pay for their treatment. Win/win.
Re: (Score:2)
>>>a fair number of people will die before they get to see the doctor so the government won't have to pay
Ahhh. You've experienced either Canadian or UK governmentcare then? ;-)
Re: (Score:2)
>>>They will have you sit in the waiting room for 48+ hours
Good thing I enjoy reading. Whether I sit at home and read, or in a room and read, matters not to me. I paid ~$10,000 in healthcare and I'm going to get the service due to me. Government is supposed to be non-discriminatory, right?
Re: (Score:2)
Yeah, moral hazard. It exists in any insurance scheme, and it's a problem, but it's not likely to be as bad as you imagine. Almost everyone's time is worth more than the "value" of a frivolous doctor's visit. The question is always whether the moral hazard will outweigh the increased benefit of universal coverage. For example, pretty much everywhere in the developed world we've agreed that universal, free firefighting is a good thing, even though it slightly increases the moral hazard around fire safety (if
Re: (Score:2)
Um. Some of the U.S. might have free firefghting, but not the section where I live. We have to pay annual dues, or alternatively be billed afterwards.
Also I disagree with your idea that knowing a firefighter is available, makes people more careless. By the time the fire engine arrives, your whole house will be engulfed in flames. By the time the firefighters are done spraying water, there's almost nothing left, and nobody wants that to happen. People are just as careful to avoid fire as if the firefig
Re: (Score:2)
You know people already do these sorts of things right?
We already have what amounts to socialized medicine. It's too late to complain effectively about it now.
Re: (Score:2)
>>>We already have what amounts to socialized medicine. It's too late to complain effectively about it now.
Yeah but I'm not eligible for Medicare until I'm old. So I don't go to the doctor because there's no "freebie" service.
Re: (Score:1)
Re: (Score:2)
>>>do your research before making inane comments.
That's one solution. The other solution is to share my thoughts publicly, and then have foreigners (like you) tell me about the $25 Copay and correct me. It's the Socratic method.
Of course if I am paying ~$10,000 in healthcare tax, I'm still better off trying to get as much service out of the government as I can. For example right now I'm sick with a cold. Normally I'd just stay at home and wait for my body to cure itself, but if I can get free
Re: (Score:2)
I assume you currently hold a health insurance policy. What possible motivation do you have to not exploit this policy on a weekly basis for trivial conditions? There is no fiscal difference between paying a large sum to Aetna and paying a large sum to Uncle Sam. A quick perusal via google shows an example yearly cost of about $7000 for the average basement-dweller. Shouldn't you get your money's worth out of that?
Re:Wrong issue (Score:4, Interesting)
You would think a hospital with their own full time technical staff might rank better. A prominent Boston area hospital was building out a branch location in the suburbs. I visited to install an Oracle server, and noticed that because of constraints on network cabling at the time, they were using Linksys wireless through-out the office for connectivity, with no encryption. I raised this concern immediately with the director of the office, but was told not to worry, as this was only a "temporary" solution until they could get a cabling vendor in to run something more formal. My largest concern was that this office was still directly tied into the back-end of the main hospital data network, and thus, from the parking lot, it was trivial at best to get onto the hospital network.
I understand these are only two limited examples, but their still lacks any real capabilities to be able to keep medical records secure through-out the chain. Until something akin to PCI for medical records really takes place, complete with audit controls, etc, I don't see the situation changing all that much. PCI itself has flaws, but it is an attempt to actually place controls on credit card data from swipe to credit card company.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
I dunno...
It's easier to sue a private entity than a government, esp since the government can pass legislation limiting damages it's liable for and even what it can be liable for.
I suppose they could do so as well for the private sector, but that would be considered tort reform and we can't have a government of lawyers limiting the fees their brethren can take in, now can we?
Re: (Score:2)
Re:Wrong issue (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Well, all of our systems are set up to store patient info only in the remote database: none of the systems store patient info locally. However, we distinctly do NOT use Google. I'm firmly in favor of Google as a search engine, but the concept of storing medical info and data in something like Google Docs just leaves me cold and clammy.
Re: (Score:2)
So what about spyware, key loggers, and other various malware? Customer data could still be exposed if it was assumed that it was safe just because it wasn't stored client side.
Re: (Score:2)
That assumption isn't made. They keep a pretty close eye on outbound traffic as well. But your point is well made. :)
Re: (Score:3, Funny)
but the concept of storing medical info and data in something like Google Docs just leaves me cold and clammy.
Considering that as well as the other symptoms I read on your chart that I downloaded from Limewire, I really think you should see your doctor!
Re: (Score:2)
Re: (Score:2)
I see nothing that doctors do that needs to be stored in the client side.
Medevac helicopters? Other work in remote locations? There could probably be less data client-side than now, but I doubt it could be completely eliminated.
Nothing can go wrong (Score:2)
This assumes that the doctor has access to the server.
That the link will hold whenever critical decisions have to be made about his patients.
Did some work for a pharmacy (Score:3, Interesting)
And part of what I needed to do was block myspace, etc., on the LAN. But the head pharmacist had some P2P running on his computer (its good to be the king). I remember thinking at the time how insecure to run P2P on a business machine with a lot of confidential information on it.
I don't think the customer data was stored locally, but that doesn't stop spyware, key loggers, etc., from still being an issue.
Free music or maintaining the integrity of customer data. That's a tough call.
transporter_ii
Re: (Score:2)
Ok. Allow them to work locally against encrypted files.
Re: (Score:2)
Re: (Score:2)
Congrats. I think the point, though, is that security vulnerabilities exposing the worker's pictures to their trip to Cancun are a little less of an issue as if that same security vulnerability exposes my medical information. Your comment is analogous to saying: the problem isn't that your storing gold in the unlocked room; the problem is that it's unlocked. Yes, you're right; but it is still stupid to put gold in the room until it's lockable.
Wouldn't a better headline be... (Score:2, Insightful)
"Clueless docs store patient data on wide-open PCs?"
Re: (Score:1, Redundant)
Re: (Score:2)
a new system + goverment funding = bad idea (Score:1)
able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions
This is a disaster waiting to happen.
Comment removed (Score:3, Interesting)
Re: (Score:2)
They already standardized the electronic file for just about everything else involving the medical industry. And did a good job of it, IMO.
The real problem here... (Score:3, Insightful)
If a doctor kept medical records on paper in a filing cabinet at home, would they let anybody else touch that cabinet?
The real problem here is that doctors take patient information home on a laptop, then allow somebody else to access that laptop. It's easiest to just get another laptop for the kids and not let them near your work computer.
Re: (Score:1)
If a doctor kept medical records on paper in a filing cabinet at home, would they let anybody else touch that cabinet?
Well because of HIPPA laws, technically a doctor cannot take any records home or it is in violation to that patients privacy because then that doctors wife, kids or friends may see them laying on the kitchen table. This posses problems when a doctor is on call at a hospital and needs to send copy patient info down to be recorded later on in their own EMR system.
Re: (Score:2)
HIPAA
Re: (Score:1)
If a doctor kept medical records on paper in a filing cabinet at home, would they let anybody else touch that cabinet?
Maybe. I know I can barely keep my pets out of places I don't want them to go. I can imagine children and guests could be worse.
Re: (Score:2)
Maybe. I know I can barely keep my pets out of places I don't want them to go. I can imagine children and guests could be worse.
Perhaps it's not such a bright idea to bring home any patient info at all, then?
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
RIAA/MPAA FUD Tactics? (Score:1, Interesting)
This is the second story this week I've heard villainising P2P beyond basic piracy.
The first, from the Today show I think, was about somebody having their identity stolen because somebody accidentally shared some financial records. The reason a FUD campaign came to mind was the way my wife reacted to the story. Some comment about how dangerous P2P applications were.
Anybody else think these stories could an organized effort to create paranoia in the less technical crowd?
Seriously? (Score:1)
Or the son or daughter could have emailed the patient files. Or printed them out. Or uploaded them to googledocs. Come on, what has this to do with p2p? And how about not giving your child access to your patient files? Hm?
Its an idiot user problem (Score:4, Interesting)
I have a friend who runs an insurance investigation business. A lot of his data includes claimants' medical, criminal, income, and other assorted records. He has several investigators working in his office, each with a PC (fortunately, no laptops) and all behind a secure(?) firewall. From time to time, I've helped him configure or repair his network and/or desktop systems. In doing so, I've noted that every system has their C: drive shared out on the LAN with read/write privileges granted to everyone else in the office. In spite of the problems with security or system corruption (why anyone would need to share out all their system .DLLs with write permission is beyond me), he insists that everyone in the office 'needs' complete access to everyone else's files. A disaster waiting to happen, IMO.
People just don't understand, or give a sh*t about the consequences of lax data security. P2P networks, or the mis-configuration of file sharing s/w is just one symptom of this.
Confidential files on p2p networks, nothing new! (Score:1)
how about no medical records? (Score:1)
Another good reason ... (Score:2)
to keep cutting and off shoring IT services and departments.
You've gotta have geeks on-site
Re: (Score:3, Funny)
There are several things to check. 1. Do you get a receipt? 2. Do they say thank you? 3. Do you have an opportunity to fill out a customer service questionnaire? 4. Do they have a toll free number to call if you have questions about your payment?
If you cannot answer 'Yes' to all of these q
Re: (Score:1)
When the government "gives" or "spends" it has got to come from somewhere. And that somewhere is your and my wallets. Government spending will result in either higher taxes or increased inflation.
Re: (Score:1)