Putting Data In The Cloud? Retain Control

At the beginning of Stanley Kubrick’s epic, “2001: A Space Odyssey,” apes benefit from the use of technology, in the form of a club. By the end of the movie, however, humans are threatened by the technology used to help them survive in the stars, the artificial intelligence HAL.

In some ways, this technological arc — from tool to master — is an apt allegory for companies entering the cloud, Davi Ottenheimer, president of security consultancy Flying Penguin, plans to argue in his presentation at the B-Sides Security conference in Las Vegas next week. Firms seeking greater efficiency and more features may rely on the technology of a cloud provider, leaving themselves vulnerable to a single security incident.

In his presentation, Ottenheimer plans to draw illustrate the need a more secure approach to clouds using the themes from “2001: A Space Odyssey.”

“The central question for companies is, ‘Do you have control?’” Ottenheimer says. “The fight between the humans and HAL in a nutshell is the fight between the customers and the cloud provider. Humans reliance on the tools to survive in space is almost their undoing, and reliance on cloud services can similarly be a firm’s undoing.”

All Videos from the 2011 Health Privacy Summit Now Available

FOR IMMEDIATE RELEASE:

All Videos from Health Privacy Summit Now Available

**Note**: Videos can now all be found at http://www.healthprivacysummit.org.

AUSTIN, Texas, July 21, 2011 – Organizers of the June 13th, D.C. Health Privacy Summit, “Getting IT Right: Protecting Patient Privacy in a Wired World”, today announced the release of all videos from the Summit.

Videos include all of the morning panel sessions, the keynote speakers, as well as the final session: “Looking Forward – The 2012 Health Privacy Agenda.” These panels include academics, advocates, government officials, health care providers, industry executives, and technology experts, who discussed the major technical, legal, and cultural issues and solutions to privacy and patient control over personal health information in electronic health systems and data exchanges.

Video Highlights:

  • *Jeff Rosen, Author and Professor of Law at George Washington University, interviewed Alan Westin, Author, Of Counsel and Senior Policy Advisor, Arnall Golden and Gregory, Atlanta and Washington DC, for the keynote session titled, “What do research and history tell us about privacy today?
  • *Anita Allen, Deputy Dean at the University of Pennsylvania Law School, moderated the first session titled: “Contrasting Beliefs about Privacy Protection in the Digital Era.” She utilized the diverse panel to spark the exciting discussions about health information privacy that continued throughout the day.
  • *The third of the case study panels featured a discussion of the Sorrell vs. IMS Health case. This panel titled, “Secondary uses of personal health information in health databases” included the Assistant Attorney General from the state of Vermont and the Chief Privacy Officer from IMS Health, along with consumer, government, academic, and international experts.

For the full agenda, more information on the panels, and links to each video, see: http://www.healthprivacysummit.org/agenda.

“Getting IT Right: Protecting Patient Privacy in a Wired World”, was jointly hosted by The Lyndon B. Johnson School of Public Affairs at The University of Texas at Austin and the Patient Privacy Rights Foundation.

The summit was interactive and audience members participated in work groups to identify urgent health privacy issues, along with identifying the immediate steps needed to deliver responsible and realistic solutions, a synopsis of which will be forthcoming.

For up-to-date health privacy information, Summit materials and resources, visit: http://www.healthprivacysummit.org

###

The Lyndon B. Johnson School of Public Affairs is a graduate component of The University of Texas at Austin. The School’s mission is to develop leaders and innovative ideas that will help our state, the nation and the international community address critical public policy challenges in an ever increasingly interconnected and interdependent world.

Patient Privacy Rights is the nation’s leading health privacy watchdog and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit: http://patientprivacyrights.org

Your Health Information Isn’t Secure But Don’t Blame EHRs

There’s a lot of talk about the risks of storing health information in electronic medical records (EMRs). But, EMRs aren’t the problem. Those consent forms you sign at the doctor’s office… yeah, you should pay attention to the fine print. You may be giving permission to insurance companies, drug makers, and data aggregators to access your health information, regardless of how or where it’s stored. Sorry to get all sour grapes, but we just want to set the record straight. Here’s what you need to know about who can see your health information, how they can legally use it, and what you can do to protect yourself.

Your Doctor Isn’t the Only Person Who Knows Your Diagnosis

Have you heard of the Medical Information Bureau (MIB)? What about IntelliScript and MedPoint? These organizations, among others, build databases of Americans’ private medical information and sell it to other companies (MIB, a non-profit, only provides the information to its members). It’s perfectly legal. But, ethical? Well, you decide.

Data aggregators track down diagnoses codes, lab data, and prescriptions from databases such as those kept by pharmacy benefit managers. The data is later sold to health and life insurance companies to assess the risk of writing a policy. In other words, they can use it to determine rates, or possibly deny you service. However, we should point out that the MIB uses proprietary codes and only receives this information from member companies. The codes are “brief resumes” that act as “red flags” about a particular medical impairment or risk to a patient’s mortality or morbidity. MIB members aren’t supposed to make underwriting decisions based solely on a code.

Some of these organizations even perform analysis for insurance companies. For example, IntelliScript from Milliman provides insurers with drug profiles of patients. In each patient profile, they assign color codes to a drug – red, yellow, or green – in order to indicate its risk factor. Red means risk. It could be used to spotlight drugs for serious illnesses like cancer or AIDS.

Resolution of Disapproval in Supreme Court Decision in Sorrell v. IMS Health Case

Lawmaker, author of health privacy protections in economic recovery act, declares privacy rights of doctors, patients should trump commercial interests

WASHINGTON, D.C. – On Friday July 8, 2011, Congressman Edward J. Markey (D-Mass.), co-chairman of the Congressional Bi-Partisan Privacy Caucus and senior member of the House Energy and Commerce Committee, introduced H.Res. 343, a resolution expressing disapproval of the recent Supreme Court decision in Sorrell v. IMS Health. In its decision, the Court struck down a Vermont state law that banned the sale of doctors’ drug prescriptions records if the records are used for commercial purposes without the doctors’ permission.

Rep. Markey’s resolution states that the Court erred in applying free speech protections to a Vermont law that lawfully regulated a purely commercial interest. Before the Vermont law was enacted, data-mining companies would purchase information about doctors’ prescription drug information from pharmacies and then resell the data to pharmaceutical companies. The pharmaceutical companies could use the information – without the doctors’ consent – for the commercial purpose of targeting their sales messages and marketing more expensive, brand-name drugs to physicians.

“In this case, the Supreme Court tipped the scales of justice in favor of big drug companies at the expense of patients and their doctors,” said Rep. Markey. “The privacy of the doctor-patient relationship should outweigh the ability of pharmaceutical companies to mine data simply so they can market expensive drugs to providers and reap huge profits. States should be able to regulate pharmaceutical companies in a way that protects the privacy of their residents and prevents pharmaceutical companies from having undue influence on doctors’ prescribing habits.”

Dissenting in the Supreme Court’s 6-3 decision, Justice Stephen Breyer wrote that the Vermont state law in question “adversely affects expression in one, and only one way. It deprives pharmaceutical and data-mining companies of data…that could help pharmaceutical companies create better sales messages.” The dissent, which was joined by Justices Ruth Bader Ginsburg and Elena Kagan, stated that the Vermont statute is a “lawful governmental effort to regulate a commercial enterprise…The far stricter, specially ‘heightened’ First Amendment standards that the majority would apply to this instance of commercial regulation are out of place here.”

Dr. Deborah Peel, a national health privacy expert and founder of the non-profit Patient Privacy Rights, praised the Markey resolution. “With a Supreme Court that stands up for the interests of pharmaceutical companies, it’s reassuring to know that Congressman Markey is looking out for patients and doctors who value the privacy of their prescription drug information.”

Text of the resolution can be found HERE.