Re: SAIC Hit With $4.9B Lawsuit Over TRICARE Data Theft

See article for reference from NextGov, “SAIC Hit With $4.9B Lawsuit Over TRICARE Data Theft,” by Bob Brewin.

We can expect to see many more lawsuits over breaches because most US health systems have abysmal data security and by design allow thousands of employees to access the sensitive health information of millions of patients. This immense scale of damage was simply impossible with paper systems.

Ironclad security is very difficult technically (think WikiLeaks) because health systems were architected to enable ‘open access’ by hundreds or thousands of employees to millions of sensitive health records.

Today, the only ‘barriers’ to health data access in the US are ‘pop-up’ screens that ask, “Do you have a right to access this patient’s information?” This is hardly effective. Yes, of course, after-the-fact audit trails of access can be used to identify those who should not have seen a record. It is a very weak kind of data protection; in fact, today patients identify the majority of data breaches, not health IT systems.

When will the US get serious about building privacy-enhancing architectures where ONLY clinical staff or others who are directly involved in a patient’s care can access the patient’s data with informed consent? Systems that prevent access by MOST employees could prevent the vast majority of data breaches and data thefts.

Using and building systems designed for privacy would be a FAR better use of the stimulus billions than how they are currently being spent: to buy and promote the use of HIT systems that cannot possibly protect health data from misuse and theft, and in fact are designed to spread health information to many unseen and unknown secondary corporate and government users.

HIStalk Interviews Deborah Peel MD, Founder, Patient Privacy Rights

Give me some brief background about yourself and about Patient Privacy Rights.

I never expected to be leading this organization or ever even thought about that. In my younger days, I practiced full time as a psychiatrist and Freudian analyst for a very long time, until it became clear that things were happening in DC that would make effective mental healthcare impossible. Namely, that there were lots of different ideas being floated; for example, the Clinton healthcare initiative. There was a part of it that was going to require everyone’s data from every physician encounter be recorded in a federal database.

Fast-forward to the HIPAA privacy rule. That’s what really convinced me of the need for a voice for consumers, because there really wasn’t any. What I’m talking about there is, of course, the change in 2002 that happened under everyone’s radar except for – and this is the laugh line – when the 3,000 Freudian psychoanalysts in the nation noticed that consent was eliminated.

In 2004, I started Patient Privacy Rights because there was no effective representation for the expectations and rights that the majority of Americans have for how the healthcare system is going to work. Namely, that people don’t get to see their information without consent. Since founding PPR in 2004, we’ve still been the national leading watchdog on the issues of patient control over information and even internationally. Our power has come because when we came to DC, the other people that were working on privacy, human rights, and civil rights recognized that because of my unique position as a physician and deep understanding of how data flows, that I knew what I was talking about.

We very quickly got a pretty amazing bipartisan coalition of over 50 organizations. That enabled us to put these issues and problems on the map.

We had some incredible successes in HITECH. Virtually all of the new consumer protections came from our group, including the ban on the sale of PHI, the accounting of disclosures, segmentation, the new requirement that if you pay out of pocket for treatment you should be able to block the flow of that data to health plans and health insurers. We were the ones that worked with Congressman Ed Markey on getting encryption, required stronger security protections, and worked with Senator Snowe to get meaningful breach notice into the rules.

All of this work led to the first-ever summit on the future of health privacy this past summer in DC. The videos and the entire meeting can be seen or streamed online at www.healthprivacysummit.org.

If somebody said you had to choose between accepting healthcare IT as it is today or going back to purely paper-based systems, which would you choose?

We’ve never been in favor of going back to paper…

Open-Source Health Care Software

It’s a great read and critical viewpoint. To view the full article, please visit Open-Source Healthcare Software.

Key Quotes:

  • “Unlike devices and services, most medical software is not regulated, placing the burden of safe and effective use on the physician.”
  • “Despite the obvious benefits, open-source software is still rare in medical practice because, as with music and other information-based products, it is easy to copy.”
  • “As medical software begins to offer decision support, risk management, performance rating, and analytic features, physicians should not accept black boxes and secret formulas that constrain sharing and intimately affect patient care and remuneration.”
  • “Software creators will not switch to producing open-source products voluntarily because they stand to lose money by doing so. Only physicians can drive this change, and this paper describes the reasons why doing so is important to our profession and our patients.”
  • “The Direct Project hosted by the Department of Health and Human Services is open-source software for secure e-mail to replace the fax as the primary means of communication between practices and even with patients. Direct Project has many unique features as a result of its noncommercial open-source design, including universal addressing that is not tied to a particular vendor or institution. Universal addressing, like modern e-mail, does not restrict communications to members of a particular exchange.”
  • “Open-source software offers the same benefits in medicine as it does in other fields. These include ethical advantages, access, innovation, cost, interoperability, integration, and safety.”
  • “As physician income becomes increasingly tied to patient outcomes and dependent on coordination of care, lack of interoperability, integration, and standardization has begun to impact clinical practice. It is hardly surprising that interoperability and integration costs related to proprietary health care software are extremely high and that the true value of health care services is difficult to measure and compare.”
  • “The broad ability of users to adopt and improve software creates diverse, global communities on the Internet with significant incentive to help each other.”
  • “Proprietary software puts the physician at the mercy of the vendor, who is often more interested in acquiring new customers than serving locked-in customers”

The road to electronic health records is lined with data thieves

The following is a guest post by Reuters contributor Constance Gustke. The opinions expressed are her own. See the full article at http://blogs.reuters.com/reuters-money/2011/08/05/the-road-to-electronic-health-records-is-lined-with-data-thieves/

“The future of your personal health information involves gigantic Internet-driven databases that connect you to doctors, health information and services no matter where you are and what time it is.

With a big push from President Obama, who wants secure electronic health records for every American by 2014, many health insurance companies, hospitals, private practices and pharmacies are already delivering some patient portals using these records as a backbone.

It’s the future of medicine, says Dr. Raymond Casciari, chief medical officer at St. Joseph Hospital in Orange, California, but for now, he adds, “We’re still in the dark ages.”

The portal approach is intended to be beneficial, letting you share key medical data instantly with your family and consult with specialists on another continent. It’s supposed to lower healthcare costs and provide better services. But the data being stored is sensitive and so far it isn’t very secure, say experts. So it’s important to know how your medical information is being shared and managed, especially as access explodes.

Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights, is dubious about patient medical privacy on portals. She believes that data breaches can have harmful effects, including medical discrimination. “Today, we can’t see who uses our electronic records,” she warns. “And they can be back-door mined.”…”

Baby’s death spotlights safety risks linked to computerized systems

Check out this very relevant story from the Chicago Tribune Health section, “Baby’s death spotlights safety risks linked to computerized systems,” written by Judith Graham and Cynthia Dizikes.

As a topic discussed a lot in Session 3.2 of the Health Privacy Summit, “Control of patient information – Health Information Exchanges,” this subject is the tip of the iceberg on the many risks of electronic health records that must be addressed as billions of stimulus dollars go into creating a health IT infrastructure.

Baby’s death spotlights safety risks linked to computerized systems, Chicago Tribune, by Judith Graham and Cynthia Dizikes, June 27, 2011

Hospitals Wary of Hackers Seek Insurance from AIG

Bloomberg News aired a segment on the rising threat of electronic health information systems to patient privacy and tapped Jim Pyles, an expert from the first health privacy summit, to speak. He pointed to the lack of adequate health data security, the ability to breach thousands or millions of records simultaneously, and the value of health data on the black market as key causes of the growing number of reported health data breaches.

View the video here.

Synopsis: Doctors and hospitals adopting electronic patient records under a U.S. government program are exploring insurance policies to help cover the costs of medical-data breaches. Data breaches cost U.S. hospitals $12 billion over the past two years, according to a study by the Ponemon Institute. Bloomberg’s Megan Hughes reports on “InBusiness with Margaret Brennan.”

Re: They’ve got an app for that

In response to Modern Healthcare’s article: They’ve got an app for that

On Feb 15th and 16th, the President’s Council on Science and Technology (PCAST) report was discussed in DC by the national HIT Policy PCAST Workgroup. A key PCAST recommendation was that data be meta-tagged for many uses—one key use is so patients can add tags that say: “do not disclose this sensitive data unless I say so”. Patient Privacy Rights and the Coalition for Patient Privacy have LONG argued that all health IT systems and data exchanges MUST restore patient control over the most sensitive personal information that exists: electronic health data.

We are glad to see privacy-enhancing technologies being demonstrated and used in the nation’s largest electronic health system: the military health system covering 9 million lives.

This story shows how the VA is actually ALREADY using data meta-tags so patients can control who sees what health data—see the video that goes along with the story below at: http://www.modernhealthcare.com/article/20110224/VIDEO/302249949/-1

Re: “Web’s Hot New Commodity: Privacy”

In response to the WSJ article: Web’s Hot New Commodity: Privacy

Finally the market for digital privacy is being built! This reflects GROWING public awareness of data theft and misuse.

Yes, PPR will continue to call it “theft”. Data mining corporations are like squatters who sneak onto property and then claim it because the owners didn’t know what they were doing. Data miners are thieves because they know VERY well how hard it is for people to discover what they are doing, and further, they know that there is no way anyone can stop them from stealing personal information. Watch — as ways to protect personal data are developed and laws are proposed to prohibit what they do, they will try to make sure their illegal and unethical practices are “grandfathered in.” These practices must be outlawed in the Digital Age if Americans are to retain the most precious right in a Democracy: the right of law-abiding citizens to be “let alone.”

We must fight back and press Congress to outlaw all data theft and corporate contracts that require giving up control of personal information. We must press Congress to ENFORCE the ban on the sale of health data without consent.

It is now clear to entrepreneurs that people are starting to view personal information as an EXTREMELY valuable asset that many want to have treated as personal property. The fact that the nation’s prescription records were being sold without consent is why Congress banned the sale of protected health information (PHI)—OUR sensitive electronic health information—without consent in the stimulus bill.

There are many who fear that patients cannot meaningfully give consent to sell their health data; that they will easily sell it for next to nothing and not realize the consequences—such as job loss and generations of job and credit discrimination.

But the current situation is far worse and must be addressed: the huge health data mining industry operates in the shadows. AND we have NO WAY of identifying or preventing data mining corporations from stealing and selling our most sensitive data—from prescriptions to DNA. This secret industry is a behemoth, generating tens to hundreds of billions of dollars in annual revenue.

Letting secret, shadowy corporations continue to make billions/year selling the sensitive personal health data of every person in the U.S. is NOT a fair or sustainable solution to corporate and government data hunger. Why allow any industry built on theft? I can’t think of another legal industry built on theft.

Individuals should control PHI; morally and practically it is the only solution. But we need clear laws and boundaries in addition to individual control (consent), so that there are boundaries around exactly what data can be sold or used.

In Europe most uses of health data are flatly prohibited; in Germany there is no consent, but instead only a handful of uses of health data are permitted—the uses are tightly bounded. This is a very different approach than the US.

We ALSO need a framework of tightly bounded privacy protections for health data (in addition to informed electronic consents) that provides interactive education about consent decisions and sets defaults at the most privacy-protective level.

Poll shows: We trust our doctors, not their systems

This Computerworld article by Lucas Mearian discusses a new survey from CDW, showing patients trust their doctors but not electronic health records. And many respondents don’t even trust themselves with their own records!

See the full article: U.S. patients trust docs, but not e-health records, survey shows

Sadly, patients should not trust their doctors unless they know their doctors’ electronic health records systems do not sell their personal health information.

The public has no idea that many electronic health systems sell their data. Even doctors may not realize the EHR systems in their offices or in hospitals sell patient data. Many claim to sell “de-identified” data, but it is very easy to re-identify health data.

This practice of selling health data was banned in the stimulus bill but has not been implemented in federal regulations, so it continues unabated.

Worse, the proposed regulations are directed ONLY at the use of health data for marketing, NOT at the health data mining industry that sells real-time, sensitive, detailed patient data profiles to corporations, government, and anyone who can pay for it.

The point of the ban on sale of health data without consent was to end the daily sale of every American’s prescription records from all 54,000 pharmacies, to end the sale of health data from electronic health systems and data exchanges, and to end the sale of health data by all the other organizations that are part of the healthcare system food chain like: insurers, state governments, labs, data warehouses, data management companies, the data analytics industry, business associates, secondary and tertiary data users, etc., etc.

See a brief TV investigative story about one EHR vendor that gives the software to doctors for “free” because its business is selling the patient data: http://www.ktvu.com/news/24278317/detail.html

New Patient Privacy Poll

Should anyone other than you control your personal health information in electronic health systems? Across the board, Americans resoundingly say “NO.”

Patient Privacy Rights worked with Zogby International to conduct an online survey of over 2000 adults to identify their views on privacy, access to health information, and health information technology (health IT). The results were overwhelmingly in favor of individual choice and control over personal health information.

View the Privacy Poll Results
View the Press Release
Listen to the Press Teleconference here

News Coverage
Healthcare IT News: Poll: Huge majorities want control over health info
Forbes: Americans Want to Control Their Health Information
Fierce Health IT: Majority of Americans want personal control of health information
Modern Healthcare: Privacy desires ignored

Americans are not just concerned about corporations snooping in their medicine cabinets, but also about researchers, nosy employees, and people with malicious intent, such as an ex-spouse or abusive partner.

Over ninety percent of Americans want to be able to decide which individual people can see and use their health information. This reflects a strong desire for very specific, detailed control.

Note: A sampling of Zogby International’s online panel, which is representative of the adult population of the US, was invited to participate. Slight weights were added to region, party, age, race, religion, gender, education to more accurately reflect the population. The margin of error is +/- 2.2 percentage points.