Privacy and Data Management on Mobile Devices

See this link for the entire survey of 1,954 cell phone users (see excerpt below): http://pewinternet.org/~/media//Files/Reports/2012/PIP_MobilePrivacyManagement.pdf

When the public learns about hidden data use and collection on cell phones,  significant numbers of people TURN them OFF:

  • -“57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place”

What will the public do when they realize they CANNOT turn off:

  • -hundreds of software ‘applications’ at hospitals that collect, use, and sell their health information
  • -thousands of EHRs and other health information technologies that collect, use, and sell their health information
  • -health-related websites that collect, use, and sell their health information

Survey uncovers lax attitudes toward BYOD security

To view the full article by Eric Wicklund in mHIMSS, please visit Survey uncovers lax attitudes toward BYOD security.

Ask your doctor about his/her smart phone or iPad: does he/she use it for work, is your data encrypted, can the data on the device be wiped if its lost or stolen?

The number of people who work in healthcare using personal devices like smart phones and Apple products is exploding—but many mobile devices lack the strong data security protections required for health data-like encryption. So if the device is lost or stolen, so is the sensitive information about your mind and body.

Key quotes from the story:

* 51% say their companies don’t have the capability of remotely wiping data from a device if it is stolen or lost

* Less than half had (data security) controls in place for mobile devices

* 84%  of individuals stated they use the same smartphone for personal and work issues.

* 47% reported they have no passcode on their mobile phone.

Senator Al Franken is pressing Congress and the Department of Health and Human Services (HHS) to specifically require health data to be protected on portable media. The government is pouring billions into build an electronic healthcare system but failing to require or enforce effective rules to protect our sensitive health information, from prescription records to DNA to diagnoses. Electronic health records are far easier to steal, sell, or lose than paper records because hundreds or thousands of people who work at hospitals and health plans can access our health data.

It’s crazy that health data is not protected by ironclad security protections at all times, no matter where its being used. You’d think even without government regulations for data protection that anyone handling our most sensitive personal information would protect it, but many don’t.

Patient Trust in Confidentiality Affects Health Decisions

To view the full article by Pablo Valerio, please visit Enterprise Efficiency: Patient Trust in Confidentiality Affects Health Decisions

This article highlights a survey sponsored by FairWarning that looks at how “patient privacy considerations impact the actual delivery of healthcare” in the UK and US.

Key quotes from the story:

-”CIOs and healthcare providers need to ensure the best security, not only because it is the law, but because data breaches actually affect how honest a patient might be with a doctor and how quickly they will seek medical attention.”

-”It is not enough to comply with government regulations about data protection. If a data breach occurs patients are not going to check if the institution was following rules, they are going to blame their executives for allowing the breach to happen, regardless of the reasons.”

The survey, “UK: How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes; Trust in the confidentiality of medical records influences when, where, who and what kind of medical treatment is delivered to patients” cited in the article below compares attitudes about health information privacy in the UK and US.

Some key UK findings are:

-38.3 percent stated they have or would postpone seeking care for a sensitive medical condition due to privacy concerns

-More than half of patients stated that if they had a sensitive medical condition, they would withhold information from their care provider.

-Nearly 2 out of 5 stated they would postpone seeking care out of privacy concerns.

-45.1 percent would seek care outside of their community due to privacy concerns

-37 percent would travel… 30 miles or more, to avoid being treated at a hospital they did not trust

US vs UK patients:

-UK patients are almost twice as likely to withhold information from their care provider…if they had a poor record of protecting patient privacy.

-4 out of 10 UK patients versus nearly 3 out of 10 US patients … would put off seeking care … due to privacy concerns.

-97 percent of UK and US patients stated chief executives and healthcare providers have a legal and ethical responsibility to protect patients’ medical records from being breached.

Attackers Demand Ransom After Encrypting Medical Center’s Server

To view the full article by John E. Dunn, please visit CIO: Attackers Demand Ransom After Encrypting Medical Center’s Server

What happens to patients when their doctors can’t get their records because thieves encrypted them? Federal law has required strong health data security protections since 2002, but 80% of hospitals and practices don’t encrypt patient data. If The Surgeons of Lake County had been following the law and encrypted their records, this attack could not have happened.

EHRs and Patient Privacy- An Oxymoron? Psychiatric Times Cover Story

A recent article in the Psychiatric Times based on the 2nd International Summit on the Future of Health Privacy describes the major problems with EHRs and the consequences of the misuse of this technology. The article quotes both Dr. Peel and Dr. Scott Monteith as well as “Julie” when describing the flaws of EHRs and HIEs. The article is available by subscription only through Psychiatric Times, but here are some highlights and quotes from the article:

“The escalating use of electronic health records (EHRs) and health information exchanges (HIEs) is fraught with unintended and sometimes dire consequences—including medical coding errors and breaches of psychiatric patients’ privacy and confidentiality, according to [Dr. Peel and Dr. Monteith] who scrutinize the field”

“At the recent Second Annual International Summit on the Future of Health Privacy, psychiatrist Scott Monteith, MD, Clinical Assistant Professor in the Departments of Psychiatry and Family Medicine at Michigan State University and a medical informaticist, relayed the experience of a patient who discovered that her EHR erroneously reported a history of inhalant abuse. In reality, she had a history of  “caffeine intoxication.” After much investigation, the problem was identified. The DSM-IV-TR code (305.90) is used for 4 different diagnoses, including caffeine(Drug information on caffeine) intoxication and inhalant abuse, but the EHR’s printout only made the inhalant abuse diagnosis visible. Although the error was reported to the EHR vendor, the problem persists after almost 2 years.

“‘It is impossible for consumers to weigh the risks and benefits of using health IT and data exchanges when they have no idea where their data flows, who is using it or the purpose of its use,’ wrote Peel, a psychiatrist and psychoanalyst.”

“…Peel emphasized the importance of patients being able to control access to sensitive personal health information. The open source consent technologies, she explained, have been used for more than 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on some 4 million people in more than 8 states.”

“…’Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows,” she wrote. “Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.’”

If you wish to view the full article by Arline Kaplan and are a subscriber of Psychiatric Times, it can be found at Electronic Health Records and Patient Privacy- An Oxymoron?

Only 26 Percent of Americans Want Electronic Medical Records, Says Xerox Survey

Xerox kindly shared all three years of their annual Electronic Health Records (EHR) online surveys by Harris Interactive. The media, industry and government unrelentingly promote health technology as the latest, greatest best stuff.  But the public ain’t buying it.  They want smart phones, but they don’t  want EHRs.

Clearly the public is not very excited about EHRs; 74% don’t want them. They don’t want them because they understand the problems with EHRs so well.

To view the article, please visit Only 26 Percent of Americans Want Electronic Medical Records, Says Xerox survey

Not only do the surveys show a low percentage of Americans want electronic health records—but it’s remained low; this year at only 26%. Overall 85% of the public has “concerns” about EHRs this year. The surveys also asked about specific ‘concerns’. They found the public is concerned that health data security is poor, data can be lost or corrupted, records can be misused, and that outages or ‘computer problems’ can take records offline and compromise care.  See results below:

To the question do you want your medical records to be digital:

  • 26% said ‘yes’ in 2010
  • 28% said ‘yes’ in 2011
  • 26% said ‘yes’ in 2012

To the question do you have concerns about digital records:

  • 82% said ‘yes’ in 2010
  • 83% said ‘yes’ in 2011
  • 85% said ‘yes’ in 2012

To the question could your information be hacked:

  • 64%  said ‘yes’ in 2010
  • 65%  said ‘yes’ in 2011
  • 63%  said ‘yes’ in 2012

To the question could your digital medical records  be lost or corrupted:

  • 55% said ‘yes’ in 2010
  • 54% said ‘yes’ in 2011
  • 50% said ‘yes’ in 2012

To the question could your personal information be misused:

  • 57% said ‘yes’ in 2010
  • 52% said ‘yes’ in 2011
  • 51% said ‘yes’ in 2012

To the question could a power outage or computer problem prevent doctors from accessing my information:

  • 52% said ‘yes’ in 2010
  • 52% said ‘yes’ in 2011
  • 50% said ‘yes’ in 2012

Abercrombie signs Hawaii patient privacy protection law

To view the full article in Bizjournals.com by Vanessa Van Voorhis, please visit Abercrombie signs Hawaii patient privacy protection law.

The people of Hawaii just lost their rights to health privacy. The Hawaiian legislature replaced all its far stronger health privacy laws with HIPAA.

Like most of the public, Hawaiian lawmakers believe HIPAA protects privacy, but it doesn’t.  It hasn’t for 10 years. The key privacy protection in HIPAA  was eliminated in 2002. The media  has never reported this.

  • President Bush put HIPAA in place when he took office. At first, HIPAA required that others had to ask for consent before using or disclosing our health information for treatment, payment, or healthcare operations.

  • “The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and healthcare operations.”  67 Fed. Reg. 53,183

That means millions of people who work at hospitals, doctors offices, labs, health plans, data clearinghouse, government agencies, pharmacies and other places that hold health records (“covered entities”) decide when to use and disclose them, not us.

This new law is a privacy disaster for Hawaiians. They will suffer:

  • loss of the privacy of sensitive information about their minds, bodies, and genes
  • generations of discrimination
  • embarrassment and loss of reputation
  • job, credit, and insurance discrimination
  • ID theft
  • medical ID theft (where others use their health insurance to pay for treatment or for insurance fraud)

The Changing Landscape – The Impact to Patients’ Privacy

Both President Bush and President Obama agree that every American should have an electronic health record by 2014. Congress agrees too and has poured $27 billion into digitizing the healthcare system.  Using data instead of paper records, technology tools can analyze mountains of health information to understand what treatments work best for each of us, improve quality, facilitate research, and lower costs. Strong support for electronic health records systems and health data exchanges is bipartisan.

But the systems being funded have major, potentially fatal design flaws which are NOT being addressed by either party:

-Patients have no control over who sees or sells sensitive personal health information.

-Comprehensive, effective data security measures are not in use; 80% of health data is not even encrypted.

-Health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.

-Hundreds of thousands of employees of corporations, third parties inside and outside the healthcare system, researchers, and government agencies can easily obtain and use our personal health information, from prescription records to DNA to diagnoses.

-There is no “chain of custody” for our electronic health data.

The consequences of the lack of meaningful and comprehensive privacy and security protections for sensitive health data are alarming. Over 20 million patients have been victims of health data breaches – these numbers will only increase. Millions of patients each year are victims of medical ID theft, which is much harder to discover and much more costly than ID theft. Such easy access to health data by thousands of third parties is causing an explosion of healthcare fraud (see FBI press release on $100M Armenian-American Fraud ring: http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm). Equally alarming, this lack of privacy can cause bad health outcomes, millions of people every year avoid treatment because they know their health data is not private:

-HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779

-HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777

-Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778

-The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns. “Invisible Wounds of War”, The RAND Corp., p.436 (2008). Lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

Public distrust in electronic health systems and the government will only deepen unless these major design flaws are addressed.

The President’s Consumer Privacy Bill of Rights shows he knows that trust in the Internet and electronic systems must be assured. The same principles that will ensure online trust must also be built into the healthcare system — starting with Principle #1:

“Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Health Care Reform: Let’s Not Forget Privacy And Data Security

See the full article at Forbes.com: Health Care Reform: Let’s Not Forget Privacy And Data Security

The Affordable Care Act poses many new threats to patient privacy due to an already over loaded health care system. The influx of new consumers in this market will cause much stress on the already insufficient data privacy infrastructure. Bob Gregg, guest writer for Forbes.com, explains the strains and consequences caused by this new legislation.

“The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.”

Mr. Gregg looked to Patient Privacy Rights’ own founder, Dr. Deborah Peel, to explain what kind of ramifications this act will have for patients and their data privacy.

“My friend, Dr. Deborah Peel, founder of Patient Privacy Rights, tells me that “patients have no control over who sees or sells personal health information. Our health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.” Thousands of people, including researchers and government agencies, she says, have easy access to this information.”

The article goes on to list the four major issues this new burden on the health care system will cause and how it will affect consumers. The bottom line, he says, is “…The Affordable Care Act is designed to make healthcare available to the masses. But that availability comes at a price. Healthcare providers will have to shift tight budgets toward patient care and away from protecting patient privacy, leaving Americans vulnerable to the increasing frequency and cost of data breaches, medical identity theft, and fraud. Combine that with the HITECH Act, federal legislation that pushes healthcare providers into adopting EHR systems, and you have a perfect storm for unintended consequences surrounding patient privacy and data security.”

For even more information on how you can help keep patient data private visit our International Summit on the Future of Health Privacy website.

How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

See the full article at ProPublica.org: How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

Sobering.  Silicon Valley decides what privacy rights we have online, in clouds, in electronic health systems, in apps, on social media, and on mobile devices. Our fundamental Constitutional rights to privacy—to control personal information about our lives, minds, and bodies—is defended by lone grad students, European Data Commissioners, a few small privacy advocacy organizations, the FTC, and a handful of whistleblowers.

A PREDICTION: Selling intimate cyber-profiles will end when the public discovers that NOTHING about their minds and bodies is private.

The lack of control over sensitive health data will be the nation’s wake-up call to rein in Silicon Valley and restore the right to be ‘let alone’. See: Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572 (1928) (Brandeis J., dissenting).

  • Cyber-profiles of our minds and bodies contain far more sensitive information than mothers, lovers, friends, Rorschach tests, or psychoanalysts could ever reveal.
  • “If you are not paying for it, you’re not the customer; you’re the product being sold”, see Andrew Lewis at: http://www.metafilter.com/user/15556.
  • 35-40% of us are “Health Privacy Intense”—-a very large minority; see Westin’s keynote slides from the 1st International Summit on the Future of Health Privacy:http://tiny.cc/9alvgw

THE TIPPING POINT will be when the public discovers that electronic health systems facilitate cyber-theft, data mining, data sales, ‘research’ without consent, and allow thousands of strangers to snoop in millions of patient records (think George Clooney and more: http://www.foxnews.com/story/0,2933,348988,00.html).

Health data is the most sensitive personal information on Earth. Everything from prescription records to DNA to diagnoses are HOT BUTTONS.

Instead of enabling patients to decide which physicians or researchers they want to see their health records, corporate and government data holders decide who can use and sell Americans’ sensitive health data—-upending centuries of law and ethics based on the Hippocratic Oath, which requires physicians to ask consent before disclosing any information.