Your Medical Records Online 73

um... Lucas writes "Apparently, Intel's teaming with the AMA to help post patient records online. It's way too early to tell what they're thinking, but I want to know if I can opt-out now." This could be a good thing if it's done right ... or a privacy disaster if it's done wrong.
  • One of the advantages to a national repository is that researchers or programs can flag correlations that might otherwise go unnoticed. For instance, if people on a certain drug all develop arthritis, perhaps a clinical trial is called for. If a certain city has a much higher incidence of cancer, perhaps there's a contaminant in the water. This is especially useful for bizarre combinations which aren't tested in drug trials. For instance, everyone who's on 5 unrelated drugs might get symptoms that normal test subjects won't.
  • "If you're buying a book online, it's not critical that I know your ID," said Mariah Scott, manager for Intel's authentication services unit. "If you're talking about accessing your health records online, you really need to know that this is a physician," Scott said.

    I hope they live up to that. If not, I may just have to find me a country doctor who don't know diddly about computers.

    "Well, Mr. Smith, I see you have an impressive resume, but our records indicate you have heart problems and that makes you an unacceptable risk. And you would push up our health insurance premiums."

    I don't like this new world, can I have the old one back?

  • This right after the story about AOL's password problem. With so many members of the general public being stupid enough to run any .exe that shows up in their mailbox imagine what could happen here.

    "Excellent, that bastard next door is diabetic. I'll teach him to let his tree grow into my yard!"

    Sigh.

  • I've had a very interesting medical history (think cancer x2) and I know that I don't want my medical records on-line.

    Now if this stuff gets out in the public sector with insurance companies and employers getting ahold of this it could become hard to find a job, especially if the economy dips and the job market flip-flops so that employers have the upper hand.

    Although I would love to have a copy of my Mayo Clinic records just to page through...I don't want this information on a vulnerable network...and you know when this stuff is put online it will probably be sitting on NT boxes.
  • Think AIDS. So you're HIV positive? Good! Everybody will know about it.

    Not to do some US bashing AGAIN, but in France, doctors aren't even allowed to give personal medical information to other doctors (without the patient's assent, of course).
  • In the cases you mentioned, would a clinical trial be the most appropriate action? Seems like if you were to deduce this type of information from the actual population taking the drug rather than the sample you would have to use in the clinical trial, your results are unlikely to be in the correct direction. Besides, drugs already go through extensive tests and numerous trials... this is real world application, rather than tests. If the effects are bad in the real world, why go back to testing the same thing? Seems like that should be enough proof that something needs to be changed, then go through testing, then back to the real world application. Problem with this of course is that it takes time, money, and is quite tedious... but if it leads to better and safer drugs/procedures then maybe it needs to be explored...
  • by Anonymous Coward on Tuesday October 12, 1999 @04:32AM (#1621480)
    A hospital I used to work for was implementing a system to allow patients to access their medical records via the internet. The idea was that you could access your medical records, send emails to your Doctor's office, etc. They were doing this in conjunction with a vendor.

    This was all very well and good, except that this hospital, like most hospitals, took technical incompetence to a level that I have never seen anywhere else. I am not exaggerating in the slightest -- most of the "IS Staff" were nurses who had been promoted into IS!

    You can imagine what security looked like. Literally, all the passwords in the NT domain were "password" or null. Likewise for Netware passwords. Passwords for system accounts were things like "nascar" (the nurse who ran that system was a fan -- but that password had been changed when I left). In fact, I don't think I ever saw anyone but myself set a password that could not be broken by crack in 30 seconds flat.

    On top of that, this organization would try to run on the least technical staff possible. That's good as far as it goes, but when you have a $500,000 UNIX system that you are trying to run with a mail clerk! I'm not exaggerating in the slightest: this organization spent upwards of $3 million on software, $500,000 on the database server, and tried to run it with an employee making less than $10/hour. On this particular system, most accounts had a password of their user name. After all, anything else was too hard to remember. The root password (until I came on and straightened them out) was "superman".

    And, you guessed it, all those wide open accounts were accessible from the dial-in rack. Any fool with a war dialer could get in at any time. I tried to inform them of this, and they ignored me. On the other hand, they were genuinely paranoid about Internet access. So paranoid that they refused to allow access to just about anything without begging, cajoling and everything else, but not so paranoid that they would hire someone technically competent to manage it.

    Their biggest problem was that they had no respect for or desire to have around technical competence. I was isolated from day one because I did not pander to their sloppy practices. They didn't want a nerd, they wanted a "manager".

    At any rate: do you think that this bunch could keep your data secure? Get real.
  • by cogitatio ( 94574 ) on Tuesday October 12, 1999 @04:35AM (#1621481)
    Having health records online would be a huge boon to rural medical practice, especially given the already surging growth in telemedicine. By having medical records already available online, practitioners in areas with limited medical resources (such as Alaska's bush communities) could greatly increase the speed of treatment for difficult medical and trauma patients. By already having the records online, the temporal gap between presentation in the primary care clinic and a second opinion by a specialist would be greatly shortened, in many cases increasing the chances of a successful recovery. Having medical records online wouldn't just help "one or two patients" as someone else commented, it would be of great advantage to many....IF they can get the encryption software to work properly. As a future rural physician, I know I would appreciate having my patients' records online. Knowing what I do about encryption and the privacy issues involved in an issue like this, I'm just not so sure I'd want MY records online. Hopefully they'll work it out, because this could be a huge advantage to the medical community, as well as to the patients they treat.
  • I've worked in the information systems branch of the medical industry for the past four years now. I've seen time and again how badly patient records are protected electronically in clinic, hospital, and corporate office.

    Where possible, I've always taken steps as the chief technology employee to protect the patient's records and rights to privacy. I've tightened security systems, making workflow in the clinic a little more attentive to computer usage, so that our patients could rest with the knowledge that all steps had been taken to protect their privacy.

    This development scares me. Certainly there is the possibility to use this information to detect patterns otherwise unseen, but largely such patterns are detected from abstract databases already maintained at the state or inter-state level. For example, cancer clinics maintain tumor information at the state level not only for statistical reporting usage, but also for usage as a pattern detector. But the patients are ultimately protected from becoming anything more than a number.

    A nationwide system with full medical records runs dangerously close to causing more harm than good. The patients are no longer a statistical element whose anonymity is fairly well protected by abstraction from their medical chart. Instead, their medical chart is now a part of this database? I am indeed most concerned as to where this development will lead.

    Obviously it could be a Good Thing for both patients and their physicians to have quick and ready access to a patient's medical record and history. However, the rush of technology must be tempered with a careful evaluation of necessity. Is it absolutely necessary for this system to be available to both the public and physicians? Would it not instead be better served as a carefully controlled, non-internet system available only through licensed professionals?

    I would say the patients should express any concerns they have to the proper branch of the AMA. They can try to protect this information all they want. The ultimate question is whether or not the information needs to be made available in such a venue in the first place.


    ta,
    Jason
    # Jason A. Dour
  • Maybe everyone should know about it... Little thing happened here in America a while back... little disease called TB wiped out a whole lot of the population and would have done more damage. Back then all the people with it were locked in a cave, until either they sadly died, or they got better. It's called a quarantine (sp?), and despite the fact that it is cold hearted, maybe it is time for one infected part of the population to suck it up and realize that maybe for the good of humanity (if there is such a thing) a similar resolution ought to be made. It sucks yes, and no one wants to have to use it, but it is still the best and only means of fighting something that is not good either... making a big quilt isn't helping all that much... flame away, but before you do realize the consequences...
  • This is a case where the people who are being exposed have a clear right to inspect the software they are entrusting their records to. We should demand they open source the system in the public interest. At the least this will slow things down while the bugs are fixed.

    Even if the software were completely secure, I still have doubts about this. Just how hard is it to find a licensed physician with a need for money that would be willing to broker requests? Blackmail? Besides the obvious problems with insurance companies and employers having access, if you have ever answered "yes" to a doctor's question about drug use, you may not want the government to have access either. You really think they won't?

    Yes, this could do a lot of good for statistical studies. So we might consider a system where all individual identification data was stripped from the records prior to storage, and placed somewhere isolated from the internet with a warrant required for access. Difficult though, since you'd need to store hereditary relationships and approximate patient location to distinguish genetic from environmental disorders.
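An added example (not from the post or the article) of the stripping the commenter describes: direct identifiers are removed, birth date and ZIP are coarsened, and patient and parent identifiers are replaced with keyed pseudonyms so hereditary links survive while the key stays off the research system. The field names, the sample records and the key are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample records (not real patients); the field names are assumptions.
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "name": "Alice Example", "ssn": "000-00-0001",
     "dob": "1961-03-14", "zip": "99501", "parent_ids": [],
     "diagnoses": ["hypertension"]},
    {"patient_id": "P-1002", "name": "Bob Example", "ssn": "000-00-0002",
     "dob": "1985-07-02", "zip": "99502", "parent_ids": ["P-1001"],
     "diagnoses": ["hypertension", "asthma"]},
]

# Direct identifiers that never leave the clinical system.
DIRECT_IDENTIFIERS = ("name", "ssn", "dob", "zip", "patient_id", "parent_ids")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of an identifier.

    Without the key (kept off the research network and released only under
    the warrant process the post describes) the pseudonym cannot be mapped
    back to a patient, yet the same patient always gets the same pseudonym,
    so parent/child links between records stay consistent.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def birth_year_band(dob: str, width: int = 5) -> str:
    """Replace an exact date of birth with a five-year band, e.g. 1960-1964."""
    year = int(dob[:4])
    low = year - year % width
    return f"{low}-{low + width - 1}"


def deidentify(record: dict, key: bytes) -> dict:
    """Strip direct identifiers, keeping only what the statistical use needs."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudo_id"] = pseudonym(record["patient_id"], key)
    # Hereditary relationships survive as links between pseudonyms.
    out["pseudo_parents"] = [pseudonym(p, key) for p in record["parent_ids"]]
    out["birth_years"] = birth_year_band(record["dob"])
    # Three-digit ZIP prefix gives the approximate location needed to spot
    # environmental clusters; sparsely populated prefixes would need further
    # generalisation, since even a prefix can single people out there.
    out["zip3"] = record["zip"][:3]
    return out


def deidentify_all(records, key: bytes):
    return [deidentify(r, key) for r in records]


def leaked_identifiers(deidentified: dict) -> list:
    """Check used before release: any direct identifier still present is a bug."""
    return [k for k in DIRECT_IDENTIFIERS if k in deidentified]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS, b"constructed-demo-key"):
        print(row)
```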
  • The article actually seems to be focusing on the digital identity verification rather than the distribution of patient records. I'm not really qualified to judge the state of digital certificates but I'm thinking they could pick a worse method for verifying identity.

    My major concern is that the article doesn't mention any effort to restrict medical information to doctors who actually have you as a patient. If all licensed doctors have access to this information then all a company has to do to gain access is to employ a real doctor or contract the services of a research company that does.

    I can see some possible abuses. Companies trying to get a deal on insurance rates by screening potential employees for health problems is the first thing that comes to mind.
  • Anyone under the impression that your medical records are safe and private is seriously mistaken. Every time you visit the doctor or the hospital an electronic record is generated. It is called a receipt. The insurance companies get one, your doctor's office gets one. Heck, even you get one. So how safe are the hospital, doctors' offices, and insurance company networks? I've worked with many doctors and let me tell you... a lot of the time all you need is the modem number to access the entire network of a doctor's office. Security is lacking because the doctors don't think to hire real sys-admins. Again, this is only in my experience. But I don't believe any of my medical records are safe.

  • how much of it can be done online?

    from the article - Health care has the potential to be a huge online industry,

    I'd much rather see a doctor in person (regardless of how long I'd have to wait in line), but maybe I'm misinterpreting the article. Is anybody on /. working in the 'health care' industry? Could you clue me in?

  • by Anonymous Coward
    Physician identification is needed. We are developing a web page with clinical information that must be viewable only by physicians (FDA requirement as it tends to work out in practice for various reasons). The rub is that not all physicians worldwide are part of the AMA. Having the AMA be part of this is probably an appropriate starting place. Also, this is not new. I believe there is already an existing program. What is new is the patient record issue and Intel getting involved. I expect there will be a hardware component to this solution when all is said and done.
  • If there was one point that was made repeatedly at Defcon this year, it was that no matter how well you protect one layer, the other layers are vulnerable. Okay, so Intel is getting some of their wiz kids together to whip up a digital certificate. Swell. Now some 16 year old is going to set up a machine on the edge of some doctor's network and get their digital id (and it doesn't have to be a hospital's network either, how many doctors do you think have cable modems or DSL - all of them; Okay, now how many do you think know anything about computer security... yeah, that's what I thought). Wonder who wants to buy a digital id of a doctor, with carte blanche to look at the national database.

    Medical records are important. They can be used as a tool to extend not just one person's life, but the lives of many. However, what is the quality of that life if someone who is motivated enough can get to that information.

    The solution? Keep the data of the person, on the person. I'd much rather prefer a little implant that contains the information. It's pretty secure, if someone is trying to get the information, you probably know about it (and if they are that close to you, getting that information out of the chip is probably the least of your concerns).

    As far as the statistical value of collective records.... there are many ways to collect the data and still preserve the integrity of the privacy of the individual.
  • When I was going to a client involved in credit card processing, I was subjected to a full scale, government grade, background check. My client involved in telemedicine, with thousands of personal medical records stored on their systems, barely knows who I am.

    As others have pointed out, the fact is that telemedicine is crucially important in some parts of the world and could even help domestic patients, particularly when you get into the more obscure, difficult to diagnose problems. However, until attitudes change in the medical industry (starting at the insurance companies) we are at grave risk of being persecuted for our medical histories.

    I'm no fan of legislative fixes. I think what is needed is another type of government control. The Fed is very adept at arm twisting and coercing an industry when it wants something changed. Something must be done about the current state of information security in the medical industry. The insurance cartels are too powerful to be motivated by their customers. We need an infosec lobby whose first issue is the security of medical records.
  • I really don't know how to take this. I work for a software company that among other things, does online software for clinics. I can tell you that this kind of thing is actually in use. It has medical records, lists of services used (OB, Dietician, etc). Pretty much everything you don't really want online, especially on port 80.

    So, from my perspective, this information is already out there for some clinics. All this announcement means is that they are going to come up with some authentication stuff to (hopefully) make it more secure than it is already.

    But then there is another problem: the fact that this is not widespread. It is probably true that most people's records are not online. And it is probably true that few people know about our services and where to go to get the goods. It seems that the future is big websites, with everyone's records online, advertising on eBay, and practically begging for breakins. There is a lot of money to be made in blackmail.

    But let's face it, the medical industry wants this info online. They are begging for it to be online. They want it flying around in XML between hospitals so that an ER doctor can instantly know that the guy who's rolling in is on such and such medication and has this blood type and these known reactivity problems and these biohazard warnings. And with good reason: this information can and will save lives.

    So it is good that a major player is backing the security side of things. Let's just hope that everything is up for public review for holes, etc, and that enough people work to make this thing secure.

    Perhaps they can set up a dummy system that has fake information on it and give rewards for cracking it (and telling them the crack). I have faith that there are more people who want to help than people who want to profit.

    Maybe I'm just fooling myself into feeling better about it.

  • The same policy applies in the US. My new doctor can not legally get my file from the old one without me signing a consent form. The real problem is that when most people sign up for insurance they sign off on the same consent to allow the insurance company to share medical information "as necessary." The problem then is, what is everyone's definition of necessary and whose definition is correct?
  • Some posts have hinted at how future employers, insurance companies or angry neighbors could do you harm based on your medical records. Insurance companies already look at your medical record, especially for pre-existing conditions. I would surmise that they are already adjusting your premium based on your health history. In regards to employers, the United States has an Americans with Disabilities Act that "prohibits discrimination on the basis of disability in employment, programs and services provided by state and local governments, goods and services provided by private companies, and in commercial facilities." (taken from the Department of Justice Web site on the ADA, found here [usdoj.gov].) The question is what counts as a "disability," but in my department at a previous job (a law firm) disabilities included both physical and mental conditions, such as access disabilities, bipolar disorder, and fatal reactions to peanut oil. In the case of the peanut oil, the person used the ADA as a cudgel to curtail the use of peanut oil in the cafeteria, which got into the air system and into her lungs, etc. While the ADA is focused primarily @ people with access challenges, it has been used to cover other cases as well.

    As far as neighbors getting the information and using it for e-vil, any misuse of medical information is just begging for a civil liability suit and possibly jail time. Just like someone using your social security number to get information about you, the use of your "identity" to access medical records under false pretense would probably be punishable by fine, imprisonment, or both.

    My hangup with the whole system is, as someone has already said, the implementation of the whole thing -- the technical details more so than the social ones. While the medical system would (hopefully) be more secure than other online systems (read today's story about AOL, etc), it would be a high profile target for meddlers. The deletion or alteration of records by people posing as doctors would be disastrous. Beyond the "hacker" bugaboo, the potential for social engineering is pretty high. Most of the patients who will use this system to access their records are probably not going to be too computer savvy or (flashback to ISP tech support days) are going to forget that their password is their name spelled backwards with all the digits of their kids' birthdays tacked on @ the end. In order to make the system usable by the general populace, the methods for password and username retrieval are going to have to be pretty lax, ala your favorite Web-based email system. Blech.

  • by the red pen ( 3138 ) on Tuesday October 12, 1999 @05:06AM (#1621495)
    Healthcare Information Portability and Accountability Act. It's not just a good idea, it's the law (in the USA). Within the next two years, agencies dealing in personalized medical records will be forced to submit to HIPAA regulation. This includes hospitals, "health web sites," pharmaceutical companies and so forth. If they have your medical data, they must conform to HIPAA.

    What does that mean?

    • Medical data must be stored in a secure manner. Yes, there is no perfect security, but let's just say that Windows NT is about to suffer greatly in the medical marketplace...
    • Medical data must be protected in transit. That means RC4-128bit or 3DES. Even on a hospital LAN. That's right: sanity at last.
    • There must be published and audited policies and procedures governing storage, transit and disclosure of electronic medical records. That may sound like a drag to Slashdotters who work in chaotic, fast-paced tech companies, but this bureaucratic overhead means clear liability concerning your personal data.
    • Included in the auditability guidelines is non-repudiation. This means digital signatures and X.509 certificates. This is an excellent technology which has been resisted due to cost and complexity. Not anymore.
    Bottom line: nobody is going to be putting your medical records on a public website.
  • Don't know how it is elsewhere, but here in the Netherlands, doctors are not allowed to divulge someone's medical history without the patient's approval. This includes spouses, children and even parents. There was this case about a guy who didn't want to tell his wife he was HIV positive, and the doctor wasn't allowed to tell her. Of course this is not something that happens every day, but doctors do take it quite seriously, and almost all agreed with the doctor in question when he didn't tell the wife.

    //rdj
  • Without getting into a critique of fascist politics, I think the simplest argument against this is the difference in transmission. It is possible to prevent the transmission of HIV. It is much more difficult to prevent the transmission of airborne viruses. Quarantine isn't necessary, education is.
  • Hmmm .... having a family member who's part of the medical fraternity could be dangerous to your faith in the hospital system. People sometimes conveniently ignore the fact that the point of a health system is public reassurance, ie to avoid the suggestion of public rorting and keep psychos/mortalities off the front page. Hence you may be surprised at the ratio of managers, biostatisticians, procurement specialists, ethical reviewers, etc to actual medical staff. Adding an unstable IT system to the mix sounds like a recipe for disaster. If you think your medical bills are expensive, wait until you add the cost of a multimillion dollar system (+ ongoing maintenance/replacement) and another layer of staff onto the bill. Also, if trends are any indication, management will take this opportunity to replace highly trained auxiliary medical staff with less skilled button-pushers. It's bad enough having bank tellers believing the printout as gospel truth when you know there has been a screwup but with a medical system, who bears the ultimate risk of mistakes/errors? I'd like to see the end-user-license for this one! Plus with more detailed records being permanently kept, expect litigation to go up.

    The whole point of a hospital system should be to keep people out as much as possible, ie focus on preventive health rather than fixing up the mistakes where the costs are so much more significant. Ie more time on the design rather than final quality control to the afterlife. This is where I see IT making more of an impact in the long-term like mobile devices that make periodic medical checks. Also giving people more information about the efficiency (and thus cost) of their insurance coverage allows them to make more informed choices. Given the advances in basic health, most medical problems nowadays are life-style related (obesity, alcohol-related liver damage, lung cancer, mental health, etc). With better information, expect to see more carefully targeted insurance plans. By tying costs back to the source, it will hopefully create a dampening feedback cycle.

    Sure the medical system will change but don't expect it to happen overnight.

    LL
  • If there was one point that was made repeatedly at Defcon this year... now some 16 year old is going to set up a machine on the edge of some doctor's network and get their digital id

    You went to Defcon? You must be so K3WL! You forgot another point at Defcon, however: the one on the top of your head.

    Not only do you show a woeful lack of understanding of public-key cryptography, but you are also unaware that HIPAA regulations address physical security concerns.

    Go find my note on HIPAA.

  • I'm an MD who works in the medical IT industry.

    Having access to records on-line benefits a variety of parties:

    1) Clinician
    If there was a universal repository for records that the clinician could query, care could be delivered more efficiently. You wouldn't need to repeat your in-depth medical history every time you visit a new doc. 90% of medical diagnoses can be made from history alone, so having an accurate, ubiquitous record benefits both the patient and clinician.

    This is especially true in situations where the patient cannot communicate. [think of someone coming into the ER comatose, without any records.]

    2) Insurance Companies
    Obviously, having this info in a universal repository provides the payer with more accurate information about your past medical history. This may not always be in the patient's best interest [consider: if you thought you had HIV or suffer from a psychiatric disorder, would the availability of your record online deter you from seeing a doc? It might. Not good.]

    3) Pharmaceutical Companies
    Recruiting people for clinical trials is a big business. The more efficiently you can enroll people in trials, the faster your drug can get approved. A compound can take 10-15 years to reach market after it is discovered. Shaving off a couple of months of development time can mean hundreds of millions of dollars in increased revenue.

    I agree that caution needs to be taken WRT the development of a universal system to get the records online. Serious thought has to be given over access methodologies.
    Ultimately, _you_ own your medical record, and _you_ have the right to determine who uses it. Any system that is developed should reflect this reality. [That said, I won't hold my breath :( ]

    docwolf

  • I think this is a really bad idea. Health records are personal information and property. You carry them around with you. When the doctor wants to see them you show them to him. The medical establishment shouldn't own these things any more than educational institutions should own academic information (they don't usually, you can have them "locked" or made "private" so they can't give out any info). I think this is really intrusive. There are just so many bad things this could cause. What's the big deal with keeping records anyway...are people so stupid they can't even file something away? What about their social security card or birth record...who owns those?
  • by Anonymous Coward
    I may not be able to see your medical records that say that you have a heart condition, but I can log onto a big insurance company web site like GHP or Aetna, enter in a password, and see that you have been to the ER 5 times in one year for chest pains, and that you have scheduled heart surgery coming up and a host of other things relating to your medical condition.

    The info on these web sites is not quite as clear as having someone's medical record in front of you, but most people could figure out the info after only a few minutes.
  • by Anonymous Coward on Tuesday October 12, 1999 @05:34AM (#1621503)
    It's been done, and is still being done, and we are taking lots of security precautions.

    The company I work for develops and sells a patient records and practice management software package. Our security requirements are downright freaky. FULL DISCLOSURE: Yes, it runs on NT, but, when done right, you can secure an NT network.

    1) No outside connections unless they come through our firewall. Period. We do not have a dial-in system, and our ISDN links to doctor offices are password protected three times (router, VPN authentication, user password). Yes, we have Internet access, but only certain people have access to it, and it is logged as well.

    2) If you are not using our machines with our software, no network link for you. We have two doctors who have a home link. They come in, using NT systems configured separately from their home machine, owned by us, through a VPN tunneling link using 128-bit encryption. Slow as hell, but it's secure.

    3) Every action is logged, right down to checking a patient in or out. Our logging database takes up its own 12G hard drive, and is backed up to tape every night, along with the rest of the system.

    4) Database security: Every user has specific access rights which cannot be changed by anyone but our administrators (duh). They are finely grained, down to controlling which functions in what applications can be performed.

    5) No FDD access at all, nor data dumps, from user applications. It is not possible to get a raw data dump from our system without us knowing it (and doing it). This is analogous to the credit reporting agencies' systems. You may get one or two patients before someone notices you're not supposed to be at another person's machine, but you won't get them all. Oh, and this also prevents installing any software but ours (no CD-ROMs, either, and network-based installs are only accessible to administrators).

    6) Network based anti-virus protections: You will run our anti-virus software (as well as remote control software using AT&T's open source VNC [att.com] program) with virus definitions updated nightly.

    See? Life's not so bad, as long as it's done right.

  • I used to work for a company that ran hospitals and clinics. The commercial software package that we used to run the hospitals had the crappiest security you've ever seen. It pretty much required shared accounts to use some of the components. The developers at the vendor had no clue about how to write secure applications or even how to properly use the OS's (VMS) security. For those of you that have used VMS, how would you like to see applications running on the system that required that the user account have BYPASS privileges and to have this enabled by default? When we were getting fed up with the vendor's unwillingness to fix the software, as well as their general incompetance, we found that other vendors were no better.

    IMHO, healthcare providers are going to have enough trouble avoiding problems with compliance with the Federal confidentiality regulations covering patient information on their non-Internet-connected systems, let alone anything that's connected to the entire world. For example, a hospital could be in legal hot water if a nurse even looks at a patient's records without the patient's physician's express permission. A hospital was successfully sued when something like this happened and information about their medical history was leaked. That's one reason we were looking for alternate vendors, since our software could only log changes to online patient data and could not track accesses. Tracking access to online data is something that's going to soon be a requirement for hospitals (they already do it with the paper records), especially if they want to keep their accreditation and be able to treat any Medicare/Medicaid patients (which is, BTW, a huge source of income for hospitals).

    Personally, I will be looking for a new doctor if I find that he or his partners decide to make any of their patients' information available via the Internet.

    Also, let's not get into the argument that says ``If you've got nothing to hide... don't worry.'' Some employers do try to get a hold of a potential employee's medical history to see if they're going to hurt the company's insurance premiums. (My wife has a friend that's been through this scenario.)

  • What you're talking about is better known as correlational studies. This is how they first deduced that smoking causes lung cancer. Doctors in the (50's? 60's?) noticed that most of their lung cancer patients were also long-term smokers. The CDC picked this up, and ran a *huge* correlational study on lung cancer patients all over the country, and yep, on the questionnaire, more than 90% of the patients smoked, and had been smoking for a long time.

    Scientists by and large are wary of correlational studies, but in cases like smoking where the risks are too high to do a clinical, controlled study, and where said study would take more than 20 years, there's no other way.

    Studies like you mention are in no way clinical. A clinical trial is *controlled*, inferring that there is a control group taking a placebo, and also they are usually double blind studies.

    BTW. Such correlational data is also how they found out that Viagra can cause heart failure in patients with high blood pressure. That was caught pretty fast. Hospitals across the country are already doing a lot of correlational research to ensure we catch any problems not caught in basic, clinical trials. However, you are quite correct in supposing that a central database like this could present a great way to gather correlational data *so long as said data is gathered anonymously or with patient consent*.

  • Oh, I'm sorry, we needed heating engineer Tuttle, not Buttle! It's too late though, your husband is dead.

    WHAT DID YOU DO WITH HIS BODY?

    Get your morning tea, Wohali....

  • Is a right we all have when it comes to our medical records. I work at a pharmaceutical company, and we are constantly scrutinized to make sure we are retaining the confidentiality of our patients. I can't even begin to see the possible infractions of privacy that would result from having confidential and personal medical records housed on the internet. We might all find out that *gasp* Bob Dole really DOES use viagra...

    Deitheres


    --
    Child: Mommy, where do .sig files go when they die?
    Mother: HELL! Straight to hell!
    I've never been the same since.

  • I think that a medical records database is a great idea. To think that with a few keystrokes an emergency ward can see anyone's complete medical history will undoubtedly save lives, and improve the quality of life for many that are served by this.

    I have two concerns, and they seem different from anything that I've read.

    1) They aren't thinking big enough. Medical histories must include genealogies. Imagine being able to research how treatment of an individual affects children and grandchildren. Or how a recessive gene affects every other generation but only in the oldest child, etc.

    Not "carefully controlled studies", but reality.

    And not by spending millions of dollars to assemble a 10-year study that yields puzzling results contrary to what was expected.

    Real answers in Real Time.

    2) DNA. Concerns so far seem to be limited to finding out who has AIDS, who has been treated for drugs and/or alcohol, or other "today" problems.

    The real problem is how this is used in the future.

    Think about it -- combine the technology of everybody's medical records (including their DNA) in one place with the predisposition of science and politics to meddle.

    While this combination of information could lead to tremendous advances in medicine, this is also where the greatest abuse will occur.


    I'm going to hear it for this, but if it's going to happen, (and it is), entrust the Mormon Church to keep the data along with all their genealogy data.


  • I understand legitimate privacy concerns. But there ARE times when people actually DO have a right to access certain information. For instance, someone in a nearby small town who tested HIV+ and had reported over 100 sexual partners (MANY of them underage girls). In a case where something is a legitimate public health hazard, there needs to be a way for the appropriate authorities to get the necessary information.


    Nobody was EVER talking about putting medical records on a public website. I used to work for a medical school, and I know that the doctors would never allow that. However, being able to transfer treatment records more quickly to other medical professionals is enough of a benefit that with decent security in place it FAR outweighs the risks IMHO.

  • Some medical records are already online.

    For example, I'm the sysadmin for a project called PCASSO (Patient-Centered Access to Secure Systems Online), which is led by Dixie Baker at SAIC and Dan Masys at UCSD. The basic idea is secure access for providers and patients over the net. We're currently at the end of a three-year grant, and are in the middle of a field test with a few hundred providers and a few dozen patients at a local university medical group.

    And the whole focus of the project was security. It was designed from the ground up with HIPAA in mind. A little bit of detail is available at our website [ucsd.edu], but the basics are:

    • Server runs B2-class DG/UX and Trusted Oracle 7, and MAC labels are implemented both in the database and in the OS.
    • The client is a Java applet, so it can't damage the client env. No plaintext identifiers exist in the client env, and input is done using a graphical keyboard so the keypresses can't be captured.
    • Multi-factor auth: username and password, plus challenge-response, plus digital cert. And, our SSL is not the usual anonymous kind, so both the client and the server have to prove who they are.
    • Role-based access controls, so patients can't see patient-deniable data, and providers can see only their own patients' records (with provisions for emergencies, of course).

    There was an article in SysAdmin magazine [samag.com] (no fulltext online, unfortunately :( ) last month where the previous sysadmin and I discussed some of our experiences with the system and with the users' reactions. Basically, doing things right is a pain, and some users (mostly the providers who are used to easy and unlimited access) hate the multi-factor auth. We'll have a better idea of what the patients think once we've gotten a critical mass and done some surveys.

  • For immediate release...Redmond, WA. (12-Oct-1999)
    Microsoft has joined the race to provide "digital credentials" for use with medical related information. Built as an add-on to their recently released Passport [slashdot.org] service, Microsoft is said to be interested in taking a percentage of each user's health to sustain BG into the next millennium.
  • Hello?

    Privacy is a joke. There is no privacy. Stop fooling yourselves.

    "THEY KNOW WHO YOU ARE. (repeat ad endless nauseam)" -Powerman 5000, Tonight The Stars Revolt
  • In general, I think that the requirements of the HIPAA are a Good Thing(TM). As someone who has worked in Medical IT for three years, I understand the need for high levels of security in order to ensure patient confidentiality. However, I also see the benefits to a universal, centralized database of patient clinical data - most of which Dr. Wolf mentions below.

    Given the state of the law and the technology, however, and given the threat to patient confidentiality posed by such a centralized database (can you be refused a job or health insurance because of your prior medical record?), I think it is extremely important that further legislation be passed in order to make such uses of patient data illegal. Such legislation must be very specific in terms of what constitutes abuse and what the consequences of said abuse will be. Only with such a legal framework in place will the technology be able to move ahead while offering patients some level of comfort regarding the confidentiality of their data.

    And as for the technology, it must have, at a minimum, the following features (IMO):
    • HIPAA compliance, perhaps through an XML data exchange format.
    • Security to ensure Patient Confidentiality: minimum 1024-bit PK encryption and triple-DES private-key encryption.
    • Access authentication, so that it is clear who accesses a record, every time it is accessed. Permission should be given to healthcare professionals and patients.

    David
  • HIPAA is great, but you forgot HCFA (Health Care Financing Administration -- www.hcfa.gov, bunch of standards there). These rules went into effect 24 Nov 1998. Everything my company thinks of doing over the Internet has to take it into account. Less comprehensive than HIPAA, but it requires that anyone that wants to send (provide on a web site, whatever) patient identifiable data over the Internet has to encrypt and go through an audit by HCFA. This attempts to make sure that you don't have a bunch of security idiots running the hospital IS dept.
    • HIPAA already provides (section 1177) for fines and/or prison terms (up to 1, 5, or 10 years depending on circumstances) "for a knowing misuse of unique health identifiers and individually identifiable health information". The up to 10 year sentence is applied if misuse is "with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm." (source: HIPAA NPRM, Federal Register Vol 63, No. 155, Aug 12 1998).
    • In your "access authentication" bullet, you really mean auditability. HIPAA also requires auditability. Every access to a record must be audited, who, when and where kind of thing.

    PPPHHHLLLBBBTTT to all you who said us Americans don't really care about healthcare privacy. :) I think we're doing ok. IANAL, but the corporate legal dept. tells me all this crap.
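As an added illustration of the role-based access and per-access auditing discussed in the PCASSO comment and the HIPAA auditability reply above (this is not PCASSO's code nor anything from the commenters' systems), the following Python models providers who see only their own patients, an emergency override that is always recorded, and a hash-chained audit log in which a later edit or deletion of an entry is detectable. All user names, records and IP addresses are constructed.

```python
"""Role-based access to patient records with a hash-chained audit trail.

Constructed example. Two properties from the thread are modelled: providers
see only their own patients (with an emergency override that is always
recorded), and every access attempt, allowed or denied, gets a who/when/where
audit entry that cannot be edited or deleted without breaking verification.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample data (not real patients) ------------------------------
RECORDS = {
    "patient_001": {"allergies": "penicillin", "blood_type": "O-", "psych_notes": "restricted note"},
    "patient_002": {"allergies": "none", "blood_type": "A+", "psych_notes": "restricted note"},
}
# Treating relationships as (provider, patient) pairs.
TREATING = {("dr_smith", "patient_001"), ("dr_smith", "patient_002")}
# Elements a patient may not read in their own record ("patient-deniable").
PATIENT_DENIABLE = {"psych_notes"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # "patient" or "provider"


def authorize(p: Principal, patient_id: str, element: str,
              emergency: bool = False, justification: Optional[str] = None):
    """Pure policy decision: returns (allowed, reason). Nothing is logged here."""
    if p.role == "patient":
        if p.user_id != patient_id:
            return False, "patient may only read own record"
        if element in PATIENT_DENIABLE:
            return False, "element is patient-deniable"
        return True, "patient self-access"
    if p.role == "provider":
        if (p.user_id, patient_id) in TREATING:
            return True, "treating provider"
        if emergency:
            if not justification:
                return False, "emergency override requires a justification"
            # Allowed, but the reason marks it for later review.
            return True, "EMERGENCY_OVERRIDE: " + justification
        return False, "provider does not treat this patient"
    return False, "unknown role"


class AuditLog:
    """Append-only log. Each entry's hash covers the previous entry's hash,
    so editing or deleting any entry invalidates every entry after it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, p, patient_id, element, allowed, reason, source_ip, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "who": p.user_id, "role": p.role, "patient": patient_id,
            "element": element, "allowed": allowed, "reason": reason,
            "where": source_ip, "when": ts if ts is not None else time.time(),
            "prev": prev,
        }
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def access(log: AuditLog, p: Principal, patient_id: str, element: str,
           source_ip: str, ts=None, emergency=False, justification=None):
    """Enforce the policy and log the attempt either way. Returns the value or None."""
    allowed, reason = authorize(p, patient_id, element, emergency, justification)
    log.record(p, patient_id, element, allowed, reason, source_ip, ts)
    if not allowed:
        return None
    return RECORDS.get(patient_id, {}).get(element)
```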

  • HIPAA mandates an EDI standard that is not based on XML.
  • This is a case where the people who are being exposed have a clear right to inspect the software they are entrusting their records to. We should demand they open source the system in the public interest. At the least this will slow things down while the bugs are fixed.

    Given some of the horror stories on this topic, it seems that Open Source is only one aspect of the problem. Linux is open source, but if users ignore basic security issues (like obvious passwords) the source distribution model will be irrelevant.

    Even if the software were completely secure, I still have doubts about this. Just how hard is it to find a licensed physician with a need for money that would be willing to broker requests? Blackmail?

    I'm not sure this is a new problem. Doctors in the US can already do this. Audit trails exist for paper systems, so why not for electronic ones?

    Difficult though, since you'd need to store hereditary relationships and approximate patient location to distinguish genetic from environmental disorders.

    Interesting question...given a family tree structure with location information and medical histories attached, how easy is it to reverse engineer someone's true identity? The problem is that you need a real tree to match against. Maybe you could do that for some individuals, but the data you match against would be necessarily limited (if you had all the medical data you wouldn't need to dig it out of the system) and might provide enough anonymity. Then again it might not. Research grant anyone?
  • I'm pretty healthy but my fiancee has lupus. (It's Lupus awareness month.) I don't want any doctor to be able to access my records without my express permission. So, would that mean a 2-key system where both I and a physician would have to "log in"? That'd give him/her permission to read my charts anytime in the future. That'd be okay with me.

    What I don't want is ANY doctor (say at a drug or insurance company) being able to get my or my fiancee's records. I also want the database run by a non-profit organization supported by taxes or standardized fees.
    Imagine NSI with your medical records!


    _damnit_
  • For instance, someone in a nearby small town who tested HIV+ and had reported over 100 sexual partners (MANY of them underage girls). In a case where something is a legitimate public health hazard, there needs to be a way for the appropriate authorities to get the necessary information.

    Maybe I'm just not thinking clearly on this one. I definitely don't have any experience in medicine. How exactly would an internet-based system help in the example you gave? Basically, the guy would have to know who the girls were and give their names at least to be able to contact them. I don't see how the system helps in that case. It would, of course, be noted on his record that he is HIV+, but unless the girls were forthcoming about their involvement with him, the doctors would not have reason to investigate. Even if the girls did tell their doctor they had had sexual contact with the man, would the doctor have the right to check his record? I'm actually rather curious about how this would work.

  • As horrific as that sounds, I have to wonder if security in places like the one you described is already so inadequate that having medical records online couldn't possibly make it worse.

    If there's a gummint mandate requiring medical records to be available online, there will probably be a corresponding government mandate requiring some minimal level of security.

    At any rate: do you think that this bunch could keep your data secure? Get real.

    Exactly. "This bunch" isn't keeping medical data secure now. What with office gossip, file folders being left on countertops where anyone can see them, and raised voices discussing prescriptions within earshot of packed waiting rooms. It's not just the computer security; it's overall general security that's woefully lacking.
  • I work at the NASA Commercial Space center for Medical Informatics & Technology Applications, a research group at the Medical College of Virginia.

    Yes, health care will be a huge online industry, but not because you have to wait in lines too long. You live in the US, presumably in a heavily populated area (at least populated enough to have a decent hospital nearby).

    The vast majority of the humans alive today are not so fortunate -- they live in rural areas, or in countries where graduating medical school requires little more than being born to an influential or wealthy family. There are places on earth where you would rather have a limb amputated than have a so-called "doctor" try to save it. There are places on earth where "going to the hospital" means you're going to die.

    Strangely enough, most places on earth have access to the internet! It may be expensive, it may be crappy connections, and in all likelihood it's not available to the average person, but if you have a cell phone, or a land line, or at the very least can see a satellite, you can get online.

    So what happens when you get a rare form of cancer, but you live in the second/third world (where believe me, you don't want to see a "doctor")? If you're rich, you'll simply fly to the USA and get treated for it while you stay at the Four Seasons. But if you're poor, you die, or at best get some second-rate medicine that might relieve the pain for a while.

    If you're lucky, and your physician or hospital can get online, you can consult with a specialist in the US who actually knows what he's talking about. The proper medicines can be administered, and the tests can be done in a way that results are broadcast real-time (or delayed for review) to the consulting physician. Better procedures can be followed, and knowledge is no longer something you have to TRAVEL somewhere to benefit from.

    This is grossly oversimplified, and a whole lot of reasoning and process is left out, but it should give you an idea of the real uses of telemedicine.

    Also realize that in the future for wealthy countries like the US, your health will not be something attended to only when you're ill. You'll wear shoes that sense when you're putting too much stress on your joints (great for the elderly), and you'll have an undershirt that monitors your heart condition after you have a heart attack. You'll wear eyeglasses that sense when your eyes strain too much to focus, and update your prescription accordingly.

    I know what everyone's thinking, and quite frankly you're right -- patient privacy is shot to hell currently (believe me, if you've never worked in a hospital, you would never believe the access janitors and other idiots have to patient data), and it's only going to get worse.
  • Thanks for the clarification. This is good to know. If the wording is as strong and specific as you say, then it becomes a mere question of technology and implementation. So, who do we trust to do it?

    David
  • Being chief tech person at a medical group practice and having grown up with and around doctors, I can assure you that things are both much better and much worse than you say.

    The worse:

    Doctors, as a group, of any age, know jack about anything other than medicine (I'd even question that for many of them.) They certainly don't know computers, and they demonstrate their leech-using ancestry every time they are expected to use something more complex than a microscope. Your password point is dead on. I've got some 30-ish high school grad staffers who can remember mixed case, alphanumeric passwords. Compare that to the 28 yo doc who has trouble remembering a six digit number for a password.

    Security is a joke. We are enduring two companies (one for med records, the other for billing) who don't know much of anything either. The first wholeheartedly endorses the M$ "security through obfuscation" scheme. As well as anything M$ related. I think the DB frontend is written in (very buggy) M$VB. Yes, before I started working there, EVERY user used the same username/password. Except for the admin, whose password was 'sa'. They use PC Anywhere for remote admin (cringe. I couldn't convince the PTB here to disable that one). I raise these questions at group meetings, and am shouted down by the idiots who want to hurry up with the meeting so that they can play golf. The docs who want to play are the supposed techie types. 10% of the attendees are true techie types, and we compared ulcers at last year's meeting. We attempted to trade stories about how to get the techno-neanderthals to work a very simple system.

    We've been attempting to implement a CBPR to improve our quality of services. Hopefully, we can pinpoint where diagnostic errors and excesses are being made, and take steps to eliminate them. Computers should also be helpful in assuring compliance with formularies from various managed care organizations. Works great with one practitioner, a few insurance companies, hospital reimbursement rates, and specialty practices. Now, look at what happens when you have 10 practitioners of three primary care specialties dealing with PCP reimbursement from 20 different companies. No products out there scale.

    So, rest assured:

    The current state of computer medical records sucks. It's not going to get better any time soon. There is a total lack of standardization or quality from any of the leading vendors. Therefore, it's of little use. Therefore, your doc won't put your weekly penicillin shot for various 'social diseases' here on slashdot.

    This should be better, but I have to go help one of our docs find the 'any' key.

    -George
    ghowell@@familyhealthcarepa.cnospamom
  • I studied statistics at university, and that kind of large-scale correlative study that you described was touched upon.

    However, this kind of thing - online medical records - does not lead directly to large-scale longitudinal studies. If anything, the restrictions on use of data will render such studies impossible. Likewise, reporting standards are likely to be variable at best. The data, if you can get it, will be only mildly usable. Big correlations and interrelations will be visible; subtler ones will not.

    IMHO, of course; I'd like to have that much data at my disposal, too. But it's much more likely to happen through big (and, yes, expensive, but good data is always expensive) longitudinal studies, not through electronic record keeping.

    --
  • Don't be silly. Everything is a matter of risk.

    The example of quarantine (which I suspect you don't know much about) is a fine example. People with TB, even today in some cases, are quarantined until they get sufficiently better so that releasing them is a good risk.

    Of course, it wasn't the existence of quarantine laws that stopped widespread TB; it was the existence of effective antibiotics. People who were badly enough off to go to a TB sanatorium were by and large already bedridden.

    HIV's spread isn't going to be confined by quarantine; we know that people can be asymptomatic for years, decades even. Those whom we have the most to fear from are people who carry HIV but haven't yet developed AIDS, who haven't been tested (most people aren't, unless they're blood donors), and who thus haven't adopted safer sex practises.

    They wouldn't be caught by a medical dragnet through online records. They wouldn't be caught by quarantine laws. They would be caught by better sex education, which would both keep them from getting it in the first place and from transmitting it in the second.

    Having online and fully accessible medical records strikes me as so much expensive but trendy claptrap. Compare the huge effort of putting records for 300 million people securely online to the relatively tiny cost of adequate and universal public health. Of course, adequate and universal public health won't make headlines and won't make millionaires - so it's neglected.




    --
  • Of all the comments on here, there was only one other that questioned why privacy is needed here.
    Sorry? Since when is it necessary to justify privacy?

    I don't see why privacy is "needed" about who you sleep with, how often, and what positions you employ. There's no legal way for anyone to exploit it, so please post this information on the web for all to see.

    Choosing what information we divulge about ourselves is a basic right.

  • *Assuming* that this (and other medical databases) are done securely (so that only authorized users can access them, which is important and should be discussed), there's another problem here: Who should have access to medical records?

    The article above specifically says

    > Digital credentials like those developed by
    > Intel help ensure that only authorized
    > physicians, insurers, and consumers can
    > access a patient's medical transcripts or
    > other health records.

    And I would argue that the person who *most* needs to be able to access a given patient record is the patient themself. Look at credit records -- you do, as a consumer, have a right to look at your record and notate it, as well as challenge any spurious or wrong entries. To my knowledge you don't currently have the option to notate or challenge your medical records. I don't know (and I don't know if anyone knows) how common mistakes in records are, but considering the number of clearly wrong diagnoses I've heard (from an eight year old with Borderline Personality Disorder, to three friends of mine [one pregnant] who were told they had cervical cancer on the strength of one bad PAP smear [further testing showed that none of them did] etc) I'd be willing to guess that mistakes aren't unheard of, at the very least.

    *Especially* if insurers also get the ability to read your medical record.

    What makes me nervous is that nowhere in the rest of the article is the right of the patient's access to their own records mentioned, even though physicians are.

    The other question is whether physicians who don't have your permission will be allowed to access full records -- I'm not sure there would be problems with being able to pull demographic information (i.e. how many patients with AIDS/Cancer/Birth defects/etc do we have in this area) but do we really want any physician at all to be able to pull 'Who has AIDS/Cancer/etc?'

    Anyway, sorry to make this so long, but no one seemed willing to bring that up.
  • One item I've not seen raised here is a vital one, which so far as I know is not addressed in the HIPAA/Kassebaum-Kennedy legislation. (Although I have not studied it, and I could be wrong.)

    In order to prevent abuses of patient data it is *absolutely essential* that it be made completely clear and unambiguous in the law that *any* data about a patient's health is the *property* of that person. If this is not done, then all the other "security" assurances are meaningless. Information should be released to providers or payers *only* with the permission of the patient, on a transaction-by-transaction basis. That means that even your own doc should not be able to go pawing through your record without your consent, unless he is willing to certify that an emergency situation exists and you are incapacitated. Even then, a non-repudiable entry should be made in the audit log to show that access.

    Not only is this not clear in the federal legislation so far as I know, but few states have any sort of law stating that patients own their information, either. It's easier to get your medical records in many places than your credit report, and we all know that's not too difficult.

    BTW: Think not only of how information on you might be misused against you, but also how it could be misused against your offspring, since it will all be available on some big server somewhere. There's really no reason to expect that your records won't still be around long after you're gone, but they could be dangerous for quite a while: Hmm, his great-grandfather had cancer, eh? "I'm sorry, we don't have any positions that are a good fit for you at this time, but we'll keep your resume (and family health history) on file."

    If the patient *doesn't* own their own data, then who does? It's likely some presently powerful entity that stands to benefit greatly from the serendipitous discoveries that doubtless lie waiting to be made in all that data. The data *is* quite valuable, and that's the problem - it's unlikely that the insurance companies, HMOs, pharma companies, etc. would let the patient own this data; they all want to control it themselves. The new federal directions on ownership of databases make this even scarier.

    At the same time, an ideal setup would allow anonymous searching across populations, but it's notoriously hard to prevent information about a single patient from being retrieved by data mining tools. (Show me the abstracted claim info for all female VPs at XYZ Corp that live in Yuma. Oops, there's only one? Well, that abstracting didn't hide much, now did it?)

    Oh, and not to be alarmist, but as a former healthcare IT consultant, I can say that although most hospitals and docs are sincere in their intent to provide privacy, in reality there is nearly none. The most secure systems you'll find in a hospital are the ones based on paper, and a big hospital loses thousands of charts and x-rays every year. Not like it really matters since all the most damaging info gets shuffled directly to the HMOs or insurance companies in already coded and classified form where it can *really* get misused behind closed doors. In my mind, the payers pose a far greater risk than the providers.

    *************************************************
    Patients must own patient data, and the providers and payers must realize they have a fiduciary responsibility to maintain the privacy of that data.
    *************************************************
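The re-identification risk raised in two comments above (matching a family tree with location data against a known person, and the lone female VP at XYZ Corp in Yuma) can be checked mechanically. This added Python example, not code from any system in the thread, takes a constructed de-identified claims extract, reports how small the smallest group sharing the same quasi-identifiers is, lists the combinations that single out one person, and refuses to release aggregates for groups or cells below a minimum size.

```python
"""Small-cell suppression and quasi-identifier uniqueness on a de-identified extract.

Constructed example. Rows carry no names, yet the combination of sex, title,
employer and city ("quasi-identifiers") can still pick out one individual.
The query function releases a count only when the filtered group and the
counted cell are both at least K, the rule behind the Yuma example above.
"""
from collections import Counter

K = 5  # minimum group size and minimum non-zero cell size for release

# Constructed de-identified extract (no real people). "dx" is the diagnosis.
ROWS = [
    {"sex": "F", "title": "VP", "employer": "XYZ", "city": "Yuma", "dx": "diabetes"},
    {"sex": "M", "title": "VP", "employer": "XYZ", "city": "Yuma", "dx": "none"},
    {"sex": "M", "title": "VP", "employer": "XYZ", "city": "Yuma", "dx": "hypertension"},
    {"sex": "F", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "none"},
    {"sex": "F", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "asthma"},
    {"sex": "F", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "none"},
    {"sex": "M", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "none"},
    {"sex": "M", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "none"},
    {"sex": "M", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "diabetes"},
    {"sex": "M", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "none"},
    {"sex": "M", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "none"},
    {"sex": "M", "title": "Engineer", "employer": "XYZ", "city": "Yuma", "dx": "asthma"},
    {"sex": "F", "title": "Engineer", "employer": "XYZ", "city": "Phoenix", "dx": "asthma"},
]
QUASI_IDENTIFIERS = ("sex", "title", "employer", "city")


def _group_counts(rows, keys):
    """Count rows per combination of the given quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in rows)


def k_anonymity(rows, keys):
    """The k the extract actually achieves: size of the smallest group sharing
    the same quasi-identifier values (1 means someone is uniquely identifiable)."""
    counts = _group_counts(rows, keys)
    return min(counts.values()) if counts else 0


def unique_quasi_identifiers(rows, keys):
    """Combinations that match exactly one row; anyone who knows these
    attributes about a person can read that person's dx straight off."""
    return sorted(combo for combo, n in _group_counts(rows, keys).items() if n == 1)


def count_with_dx(rows, filters, dx, k=K):
    """Answer 'how many people matching FILTERS have DX' with suppression:
    refuse if the matched group is smaller than k, or if the count itself is a
    small non-zero cell (it would then describe a handful of people)."""
    group = [r for r in rows if all(r[key] == val for key, val in filters.items())]
    n = sum(1 for r in group if r["dx"] == dx)
    if len(group) < k:
        return {"released": False, "reason": f"group of {len(group)} is below k={k}"}
    if 0 < n < k:
        return {"released": False, "reason": f"cell of {n} is below k={k}"}
    return {"released": True, "matching": len(group), "with_dx": n}
```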
  • Having online and fully accessible medical records strikes me as so much expensive but trendy claptrap.

    It would actually save a lot of money and bring healthcare into step with the rest of the modern world. I can't tell you how frustrating it is to look for a patient's chart in the medical records department only to find that it has been checked out by someone else, misplaced, or simply lost. Sometimes it is in the "long term storage" facility and has to be manually retrieved and delivered, etc. Other times, parts of the chart are missing or illegible. It would be ridiculous for any major company to keep records this way, yet this is how it is done in hospitals.

    A lot of money is spent paying people to constantly organize and retrieve/maintain paper records. When a referral to another physician is made, someone has to manually stand there and xerox each page, put it in an envelope and send it in the mail or fax it. Sending an XML document would take a fraction of the time and cost next to nothing. The storage requirements and cost of maintenance would be much lower than the current "medical record warehouse" approach. Many hospitals, such as your friendly neighborhood VA, are already moving to electronic records to save time and money. Your medical information already is and will increasingly be stored in databases which are inevitably going to be networked in some fashion, just as most corporate information is/will be.

    Now the issue of access is a legitimate concern. I do believe that the information should largely be kept in private networks and sent from office to office as XML files on a "need to know" basis, much like the way paper charts are copied and faxed today. There should also be a unified online master database that stores information about you that would be useful in an emergency situation, such as your drug allergies, blood type, wishes with respect to life support (e.g., living will information), names and phone numbers of your physicians and next of kin. The nature of this information should be something that you are allowed to control by logging in and editing it, or by delegating this to your primary care physician. Believe me, if you arrive unconscious at the trauma center with serious injuries, you will want the doctors there to be able to quickly ascertain that you are a hemophiliac, have had a lung transplant, are allergic to penicillin, are on blood thinning medications, etc. You could keep all this information on a card in your wallet, on a bracelet, or in an online database. If you don't want your sex change operation in the "online" database, then you should be able to have a say about this.

    Healthcare info will be in networked databases like every other type of information. It will be vulnerable to cracking like everything else. Some crackers may spend time finding out about a classmate's HIV status or which antihypertensive drug he's taking, while others would rather work on cracking their classmate's online bank account. Furthermore, it is not like your medical information was in a vault before databases were used. At many hospitals, one can simply walk into the medical records area unnoticed and start looking at charts when the clerk is out to lunch or in the basement looking for an old chart. If someone is really determined to get the medical facts about you, they could probably do it more quickly through old fashioned means than by having to resort to cracking an online database.

  • Doctors, as a group, of any age, know jack about anything other than medicine (I'd even question that for many of them.) They certainly don't know computers, and they demonstrate their leech-using ancestry every time they are expected to use something more complex than a microscope.

    There may be a grain of truth here for the old docs, but as one of those "young" docs, I can assure you that the basic computer skills are there. For starters, almost every young doc I know is facile with and completely dependent upon either a palm pilot or psion series 5. I've been programming as a hobby since the Vic 20 first arrived on the scene, and have a good working knowledge of C/C++/Perl/Java/Pascal/FORTRAN/SQL/etc. I admin a highly customized departmental Linux server (Apache/mod_perl/SQL/qmail) and develop software as a hobby. I may not be in the same league as you in the computer world, but I bet I could get a decent job programming or as an admin if I decided to quit medicine today. One doc acquaintance of mine started a successful medical informatics company after one of his side programming projects took off. He does this full time now and it is a multimillion dollar company. Another doc friend of mine is personally developing custom DSP hardware in his spare time and will be doing a startup with this soon while still practicing. Three other doc friends of mine dabble in Linux as interested newbies. Another one plays with VB. I have yet to meet a young doctor who can't cope with an alphanumeric password. After all, it is really no different than memorizing the alphanumerics of drugs and their doses. These are just some of the docs I know personally - there are a lot of other geek docs out there that I don't know.

    Although I don't know him personally and don't think he actively practices medicine at this point in time (he took a detour into genomic research), I do know that Lincoln Stein is an M.D., and somehow his medical degree did not prevent him from developing some nice perl modules and contributing to The Perl Journal and some O'Reilly books. How is it, you ask, that there are geek doctors out there? Well, there are a lot of docs with engineering and natural sciences degrees other than biology (physics/math for me) who have picked up some decent computer skills along the way. IMHO, I don't believe your stereotype fits the younger generation of docs well, although there are some people in every profession that simply don't care for computers.

    The current state of computer medical records sucks. It's not going to get better any time soon. There is a total lack of standardization or quality from any of the leading vendors. Therefore, it's of little use. Therefore, your doc won't put your weekly penicillin shot for various 'social diseases' here on slashdot.

    Once healtheon, or some other relatively large force in the medical informatics industry, is able to get an open standard set of XML DTD's together, then you will be able to send the sordid details of your weekly shots to slashdot as

    <treatment>
    <drug>penicillin</drug>
    <dose>1 million units</dose>
    <route>In the but</route>
    <frequency>weekly</frequency>
    <condition>syphilis</condition>
    </treatment> etc.

    I do agree with you that there is a lot of inertia in medicine that makes it hard to implement systems that any reasonable business would have adopted decades ago. But I submit that this is mainly the "old guard" that is resistant to change. I'm sorry that you haven't met any geek docs yet, but I can assure you that they are out there in force.

    This should be better, but I have to go help one of our docs find the 'any' key.

    I had to explain the concept of "domain name server" to one of our hospital IT staff the other day when I wanted to add a machine to the network!

  • I work in the IS dept. of a medium sized hospital and I find this downright scary. Aside from a firewall there is little security here, and plenty of dial up lines. PCAnywhere is a popular tool. There are 5 unix servers and I (a sysop making In short it's a real mess, and if other hospitals are similar, this is a security nightmare.
  • ack! Forgot to preview, sorry. I work in the IS dept. of a medium sized hospital and I find this downright scary. Aside from a firewall there is little security here, and plenty of dial up lines. PCAnywhere is a popular tool. There are 5 unix servers and I (a sysop making < $10 / hour) am the only one who knows a thing about unix. Most of them are misconfigured and there are many legacy scripts that ftp as root and other such nonsense (like running every possible network service for no reason). We have an old Netware 3.1 PC network being "upgraded" to NT :P. Most of the technical staff are nurses who are "trained" in the management software. User passwords are generally "USER_NAME" + "BIRTHDATE".

    In short it's a real mess, and if other hospitals are similar, this is a security nightmare.

  • Unfortunately, I have not yet met any of these geek docs. I'm sure they exist. If we could plan for the inevitable drop in reimbursement rates following the 'patients' bill of rights', I'd like to hire one.

    But to don a different managerial hat for a moment... Young docs are also slow. You don't need to send out 57 different tests to diagnose a URI. You don't need to spend 25 minutes talking with a patient who has the flu. The idea is to get those patients in, and get 'em out quick, so that you can spend the time on the strange and unusual problems.

    Last point on docs: of the seven docs (and one PA) in the practice, the most capable of using our CBPR system is also the oldest doc in the practice, at 56 yo. He also sees the highest number of patients with the fewest problems 'revisited' due to an incorrect or incomplete earlier dx. If I had another six like him...

    Hospital IT admins... Sounds like the ones around here must have gone to the same school as your guy. One hospital here spent somewhere in the mid to upper six figures to get a new system (from HBO??) Eight months later, they have *almost* gotten a return to functionality of the old system. Let's not even talk about the loss of legacy data.

    BTW, I'd bet you can code better than I can. I'm in business by training (BS Economics, MBA) but got shuffled into IT because someone found out I knew what I was doing. (Did some C coding back when I was in chemistry undergrad. Learned what I needed by flipping through the ANSI C book.)
  • But to don a different managerial hat for a moment... Young docs are also slow. You don't need to send out 57 different tests to diagnose a URI. You don't need to spend 25 minutes talking with a patient who has the flu

    I agree with that completely. That is what we have nurse practitioners and physician assistants (PA) for! As for speed, that comes with repetition and experience. As for the overutilization of tests - that's part of the prevailing CYA mentality that largely stems from the hyperlitigious environment we live in these days. Prosecutor to doctor on the witness stand: "Is it fair to say that if you had ordered test X that the tumor would have been detected earlier and thus possibly cured?". "Uh, I guess so...". At this point the doc may as well just sign a blank check. Of course, this is a bigger problem in some parts of the country than others...

  • I may not be able to see your medical records that say that you have a heart condition but I can log onto a big insurance company web site like GHP or Aetna, enter in a password, and see that you have been to the ER 5 times in one year for chest pains, and that you have scheduled heart surgery coming up and a host of other things relating to your medical condition.

    Sure, with the correct access you can look these things up, but not from outside of the company right now. Your employer (the guys footing the bill) most probably know who are the largest claim utilizers - but most insurance co's specifically eliminate the social security number so that they cannot tell which individual it is.

    The other thing is, can you hack SSL yet? I don't know, but I do know that all confidential information that could be sent on the Web is done so within SSL.
