A Start to Securing PHI?

Sometimes press releases for new products tell us far more about the risk of identity theft in electronic health systems than the mainstream press or trade journals.

Check out this zinger quote: “Most organizations don’t even know where their PHI is.” Why doesn’t the mainstream press tell the public that the health care organizations (like hospitals) have no idea where all their sensitive personal health data resides?

How about this: “The software (Identity Finder) automatically finds PHI such as social security numbers, medical record numbers, dates of birth, driver licenses, personal addresses, and other private data within files, e-mails, databases, websites, and system areas. Once found, the software makes it simple for users or administrators to permanently shred, scrub, or secure the information.” Emails? Who sends driver’s license numbers, SS#s, and Dates of Birth in emails? Clearly lots of healthcare organizations do.

We can only hope products like this sell.

See full article at:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/05-05-2009/0005019328&EDATE

Can Peter Orszag keep the President’s political goals economically viable?

Orszag can match Lawrence Summers in policy expertise, and has proved to be a subtle and persistent political player.

…The deficit spectre has loomed over every major debate. The most contentious issue has been health care. The Administration was divided into three camps. According to White House officials, a group including Vice-President Biden and David Axelrod, a senior adviser, and led by Summers was hesitant to make a major push on health care this year, especially given the fact that a full plan would cost roughly a trillion dollars over ten years. Then, there was Tom Daschle, the former South Dakota senator who was Obama’s original choice to lead the health-care-reform team, and his staff at the White House and at the Department of Health and Human Services. In January, Daschle became alarmed that health care would be either absent from the Obama budget or not given the emphasis that Obama had promised. (When Daschle went to see Rahm Emanuel to register these concerns, the President, who had been quiet during the early health-care meetings, stopped by and reassured Daschle of his commitment.) Orszag came to the debate with a third option, which combined Summers’s concern about deficits and Daschle’s insistence that Obama tackle health care this year. He argued that health-care reform is deficit reduction.

Orszag is convinced that rising federal health-care costs are the most important cause of long-term deficits. As a fellow at the Brookings Institution, he became obsessed with the findings of a research team at Dartmouth showing that some regions of the country spend far more money on health care than others but that patients in those high-spending areas don’t have better outcomes than those in regions that spend less money. If spending more on health care has no correlation with making people healthier, then there must be enormous savings that a smart government, by determining precisely which medical procedures are worth financing and which are not, could wring out of the system. “I spent several months in very intense study,” Orszag told me. “The reason that I wanted to go to C.B.O. was I thought that was one of the key bodies that could really delve into what we could do about it.”

More than just Google

In response to the Consumer Watch article: “U.S. Senate Records Reveal Google Inc. Lobbying Campaign On Personal Medical Records Law Despite Internet Giant’s Denials”

This story is of interest because the public has no idea which corporations lobbied against their privacy rights in the stimulus bill or how much was spent overall to try to eliminate health privacy.

The focus on Google alone is misleading and actually distracts from the real work of informing the public about the major health-related industries that have long opposed Americans’ privacy rights. The real question is which other industry giants that are not household names lobbied against privacy?

The total lobbying money spent by the massive secret health data mining industry, insurers, hospitals, and big Pharma to oppose Americans’ rights to privacy far exceeds Google’s lobbying expenses.

If we don’t know who all the culprits are, we can’t stop them and restore privacy.

The most dangerous enemies of privacy are the ones we don’t know about.

RealAge sets new low…

RealAge sets a new low for unscrupulous behavioral targeting to sell drugs.

Is the RealAge quiz an unfair and deceptive trade practice? Where is informed consent?

Do the 27 million who took the test to find out if they are younger or older than their “biological age” really know that they are giving detailed information so RealAge can market drugs to them?

RealAge illustrates a critical problem with almost all health-related websites: people are actually going there for help – they appear to offer services, so people expect that health websites follow medical ethics and protect their privacy. But they don’t. Health websites are not altruistic and don’t adhere to medical ethics or privacy rights. Health-related websites offering rating scales, searchers, or information about diseases and treatments are typically just as deceptive: they also are designed primarily to collect personal information for personally-targeted marketing or worse.

View the New York Times article Online Age Quiz Is a Window for Drug Makers.

From Sharing Music to Sharing Medical Records

Scientific American gets it. Do you? View story here.

Dr. Eric Johnson’s latest study is out. Our job is to inform the public and Congress, who are continually being falsely reassured that health IT systems are secure and private by spinmeisters for the insurance, hospital, drug, Health IT, and health data mining industries.

Industry’s blatant false promises of security and privacy are something we have been urging the FTC to investigate (as false and deceptive trade practices), and something the new Administration should understand, to ensure that the stimulus funds are not spent on primitive health technologies with abysmal security and no consumer control over PHI. We need ‘smart’ health IT, ‘smart’ human processes, and we need the health care industry to step up and use them, so we have trusted electronic systems and don’t waste the stimulus billions.

See Dr. Johnson’s paper here.

The research examined samples of health-care data disclosures and search activity in peer-to-peer file sharing networks of the top 10 publicly traded health care firms (using Fortune Magazine’s list) over a two-week period. More than 500 hospitals were represented in the 10 organizations. 3,328 files were collected for the study.

• “data losses in the healthcare sector continue at a dizzying pace”
• “Far worse than losing a laptop or storage device with patient data (Robenstein 2008), inadvertent disclosures on P2P networks allow many criminals access to the information, each with different levels of sophistication and ability to exploit the information.”
• “Many of the documents were leaked by patients themselves. For example we found several patient-generated spreadsheets containing details of medical treatments and costs–likely for tax purposes.”
• “we found a hospital-generated spreadsheet of personally identifiable information on recently-hired employees including social security numbers, contact information, job category, etc”
• “For a hospital system, we found two spreadsheet data bases that contained detailed information on over 20,000 patients including social security numbers, contact information, and insurance information.”
• “For a mental health center, we found patient psychiatric evaluations.”

Where is the mainstream and trade journal reporting on this???

Identity Theft Through Your Health Records

This post reflects on the article in the Denver Post: Uncovering the Identity Trade Business.

This story details identity theft by a Denver hospital employee. It is a single instance, but it shows how easy it is for any hospital employee, anywhere to steal patients’ identities.

Hospitals will become a major source for identity theft because today’s primitive, poorly designed health IT systems allow thousands of employees access to all patient information–including what’s needed to steal identities. Not only can thousands of hospital employees see every patient’s medical records (think George Clooney and Farrah Fawcett–whose records were sold to the Enquirer), they can see and steal the demographic and financial information too.

For whatever reasons, the media has primarily reported on how wonderful electronic health systems are without explaining the severe risks they pose to privacy and the new problems they can create (errors, downtime, work flow obstacles, data sales, lack of interoperability, etc).

The health IT stimulus bill with $20B for HIT needs very strong consumer protections to ensure that the current ‘norm’ for hospital electronic health systems, i.e., badly designed, open access systems, is replaced by systems that only allow access to the few staff members the patient has given permission to see and use his/her electronic records. The current HIT bill does not require the use of consent management technologies to restore patient control over PHI.

HIT experts warn about EHR investment in open letter to Obama

Two healthcare information technology experts have penned an open letter to President Obama, warning him against investing too many federal dollars in existing electronic health records systems.

Existing EHR systems are too expensive, difficult to implement, disruptive to practice workflows, not proven to improve patient care, and don’t do a good job of sharing information with each other, wrote David Kibbe, MD, a technology adviser to the American Academy of Family Physicians, and Brian Klepper, PhD, founder of consulting firm Health 2.0 Advisors.

“If America’s physician practices suddenly rushed to install the systems of their choice, it would only dramatically intensify the Babel that already exists,” Kibbe and Klepper wrote.

Read their letter

The true problems in HIT

The experts quoted are correct that cost, interoperability, difficulty of use, work-flow disruption, and lack of proof of safety/effectiveness are good reasons not to spend $20 billion in HIT stimulus money on bad products (the equivalent of buying SUVs instead of hybrids and electric cars).

But Kibbe and Klepper should look beyond their own perspectives to consider the wider context and the real make-or-break issue: what must EHR systems have to ensure the public’s trust and willingness to use them?

Of course, doctors must be able to afford, easily use, and know that EHR systems actually work and are effective, but systemic failure is inevitable unless patients trust electronic systems. Today’s health IT systems and products are not even close to meeting the public’s expectations for control over personal data and ironclad security.

From the consumer perspective, the worst defects in today’s EHR systems are:

1) Patients have no control over the use or disclosure of their personal health information in these systems.

2) Doctors, hospitals, labs, pharmacies, PBMs, insurers, data miners, data aggregators, etc, etc, and software vendors control the disclosure, use, and sale of the nation’s personal health information.

3) Most of today’s EHR technology is extremely primitive (20-30 years old) and does not comply with patients’ longstanding legal and ethical privacy rights:
• most EHRs do not have the functional capacity to segment sensitive records
• human-readable audit trails of disclosures are not required, so patients have no way to know who snooped in their records or where their personal health information has been sent or sold
• the security measures are abysmal. A CIO magazine story from 2006 reported that all 850 EHR systems examined could easily be hacked: http://searchcio.techtarget.com/originalContent/0,289142,sid182_gci1273006,00.html

The most important reason not to buy $20 billion worth of dinosaur EHR technology is that consumers will NEVER trust electronic health systems unless they control sensitive personal data and unless the systems have state-of-the-art security to prevent the frequent breaches, losses, and thefts of millions of health records.

Until the American public has PROOF electronic systems can be trusted, failure is inevitable. Why not build EHRs and the electronic health system right from the start, rather than spending billions later to rebuild?

Must we repeat the mistakes made in the UK? The NHS system was built without patient control over data. Billions of dollars and many years were wasted before the government realized that forcing patients into an electronic health system that shares data without consent doesn’t work.

View the full story referenced

Treasury Moves to Restrict Lobbyists From Influencing Bailout Program

Will we see the same kind of problems the Treasury Dept has had when HHS allocates the $20 billion in funds for HIT? Will HHS limit the influence of the massive health industry’s lobbyists over how HIT funds are spent? Will HHS turn to real consumer coalitions like the Coalition for Patient Privacy for guidance instead of faux consumer, industry-funded trade organizations?

The dominant HIT industry lobby wants to ensure that Americans get primitive, legacy HIT products and systems, instead of innovative privacy-protective technologies.

If the stimulus dollars are used to purchase existing health IT products that don’t restore consumers’ rights to control the use and sale of personal health information, corporations will continue to “lock down” and own our personal health information. See Peter Neupert’s comments:

• Peter Neupert of Microsoft recently wrote in a TechNet blog about the health IT industry: “The thing is, nobody can make good decisions without good data,” Neupert wrote. “Unfortunately, too many in our industry use data ‘lock-in’ as a tactic to keep their customers captive. Policy makers’ myopic focus on standards and certification does little but provide good air cover for this status quo. Our fundamental first step has to be to ensure data liquidity—making it easy for the data to move around and do some good for us all.”

• The health IT industry’s ‘customers’ are the large hospital chains, health plans, labs, pharmacies, PBMs, and other health-related corporations that collect, store, handle and sell Americans’ personal health information from prescription records to DNA. They do not serve the public or have much regard for our legal and ethical rights to control personal health information.

The people who can’t make good decisions without the data are patients and doctors! We have almost no access to our own electronic health information. That’s our personal health data Neupert and Kibbe wrote about—and they make it clear that industry believes it owns our data.

The last thing Americans need is for the HIT stimulus funds to be used to buy outdated, primitive technologies without meaningful or comprehensive privacy protections. That’s a prescription for waste and failure. Will the initial consumer privacy protections in the stimulus be nullified by purchases of inferior, privacy-destructive technologies?

View the Washington Post Article: Treasury Moves to Restrict Lobbyists From Influencing Bailout Program