DataBreaches.Net


The security and privacy arguments about healthcare IT

Posted on December 10, 2008 (last updated October 24, 2024) by Dissent

Over on ZDnet HealthCare, Dana Blankenhorn disagrees with the position of PatientPrivacyRights.org. I, too, disagree with PPR on some issues, but I also disagree with Dana’s proposed “solution” because it does not even begin to address the concerns I have.

For the record, I am a mental health professional. Deborah Peel of PPR is a psychiatrist (not a psychologist as Dana indicates). She and I both are highly sensitized to the importance of confidentiality and security of patient records precisely because we are both in the field of mental health and know that people will neither seek nor obtain treatment if they run the risk of job loss, insurance loss, or social stigma due to a mental health problem.

Speaking of PPR, Dana writes:

> They just want informed consent for every release of records.
>
> This sounds fine until you’re faced with your first HIPAA form. You can’t get service without signing the form. So what good is the form?

That’s not true. You certainly can get care. And signing the form does not indicate consent. It merely indicates that you’ve been informed about HIPAA, which does not require your informed consent for sharing your records. In that respect, I think the older system was better. If I wanted to share records with anyone concerning a patient, I sought and obtained a specific release/consent to do so. Despite HIPAA, I continue to do so and tell my patients why.

> Far more important than releasing the information is assuring that it’s not misused. But PPA even opposes the use of anonymous data, like Google’s work tracking the flu.

Sadly, Dana seems to be accepting Google’s assertion that the data are anonymous. As I pointed out here, we really do not know that.

> […]
>
> As Peel wrote to The New York Times this week, the bogeyman is the misuse of data in order to limit access to “jobs, credit and opportunities in life.”

And on that point, I disagree with PPR. The bogeyman is that what should be confidential patient information is being shared too broadly and not being adequately secured. Could it be misused to limit jobs, credit, and opportunities in life? Sure. But even if it wasn’t, who among us wants to see our personal health or mental health records smeared all over the internet for the world to read?

> Isn’t the real enemy, then, health insurance underwriting, which pushes employers to get around privacy in order to limit risks and costs? Then look at PPA’s board and who do you find — a former Blue Cross lobbyist, Charles E. “Ed” Baxter!
>
> If health coverage is guaranteed, and patient health is not an issue in making employment decisions, then the incentive to get private data on patients is greatly reduced.

Maybe it is, but that wouldn’t stop disgruntled employees or extortionists from threatening to expose deeply personal health records all over the web for the world to see.

Then, too, companies that might want to market to patients would also still have an incentive to collect and use patient data. I wonder if Dana has ever gotten a call from a total stranger saying, “Hi, I know that you have (insert one of your medical conditions here). I want to tell you about….” How many of us feel totally violated by that type of call or communication?

> This does get right back into the question of health IT. Because, as Express Scripts has proven, there is no such thing as “ironclad security.”

What an odd statement. It seems to assume that Express Scripts had excellent security and, despite everything, experienced a breach. We don’t know the facts about Express Scripts or the reported breach. Was it a disgruntled employee who downloaded the data before leaving? Did an employee accidentally leak the data by having a P2P application on a computer? Was there an attack that might have been prevented by timely patching and updating? Maybe Express Scripts did have good security; I don’t know. I do know that they used social security numbers in their records, which makes absolutely no sense to me in this day and age.

> Deal with the underwriting issue and the value of most thefts like that at Express Scripts drops to near zero.

Not at all. Many companies would still pay the extortion demands rather than publicly admit that they’ve had a breach — as other sources have pointed out for the banking industry.

And as long as such records contain social security numbers that could be used for ID theft purposes, there will continue to be value to them.

> Sure, there will be blackmailers, and lawsuits, and incentives for individual people to go after your personal “secrets,” like the fact you were a psychological patient of, say, Dr. Deborah Peel.
>
> But law enforcement can deal with that threat.

No, law enforcement generally cannot deal with that threat in a way that prevents the exposure of millions of medical records. Dealing with something after the cybercrime has occurred does not prevent the exposure of health records.

> Security people can deal with most hackers seeking single records.

And where is the evidence to support that? How many hacks go totally undetected or are not discovered until months or even years later?

> It can’t deal with the more systemic threat of employers or insurers seeking risk reduction by denying coverage or claims.

Actually, they seem to do a better job with that, as recent fines against some health insurers suggest. That said, I still think that universal health coverage is the way to go as long as we recognize that universal coverage does not deal with the issue that health records are to be kept confidential and secured and electronic records pose a risk of much greater exposure than paper records.

> Thus are the problems of health care reform and health IT reform linked tightly together, by politics.

It’s not politics for me. It’s the privacy and confidentiality of health records, which you cannot protect without adequate security and without adequate informed consent.

Category: Health Data
