Over on PogoWasRight.org, I’ve covered some of last week’s revelations about domestic surveillance activities by the NSA. The first revelation, that of a secret FISC order compelling Verizon to turn over its business call records on a daily basis to the NSA, alarmed me. Although government officials – including President Obama – were quick to try to minimize the significance of metadata, those of us who are concerned about privacy know that metadata of calls (information about the calls, but not including the content) can tell you a lot. Metadata might tell us even more than most privacy advocates realize.
As most people know, when I’m not blogging pseudo-anonymously online, I’m a licensed mental health professional and the author of a few books on certain neuropsychiatric disorders. Approximately 20 years ago, I noticed certain cyclicity in my patients’ symptoms – a cyclicity that had not been reported in any of the published clinical literature on the disorder in question. Reaching out to other professionals specializing in the same disorder, I inquired as to whether they, too, had noted what appeared to me to be a fairly predictable pattern of symptom worsening. Somewhat to my surprise, they hadn’t.
And so I made a suggestion to one of the leading experts in the psychiatric treatment of patients with this disorder: “Just check your call records,” I suggested. “Do a simple frequency count of the number of phone calls you get each day from patients and plot the data. I bet you’ll see the pattern.”
She did. And the patterns/cyclicity turned out to be extremely useful clinically in helping us help patients understand the variability in their symptoms and in helping school personnel predict and understand the variability in students’ symptoms and functioning.
Fast forward to last week and the announcement that Verizon had been ordered to turn over its call records to the NSA. I started thinking about what those records and metadata could reveal. Because my phone is used mainly for calls to and from patients and clients, can the NSA figure out who my patients are? And could they, with just a query or bit of analysis, figure out when my patients were going into crisis or periods of symptom worsening? I suspect that they can. And because I am nationally and internationally known as an expert on a particular disorder, could the government also deduce the diagnosis or diagnoses of my patients or their family members? Probably.
Of course, the government will argue that there are stringent controls on querying and analyzing the data they’ve scooped up, and in all likelihood, they probably don’t give a damn about most of my patients or clients – or callers. But what about the ones who might be famous, politically connected, or even a member of a royal house? Would they feel as free to seek therapy or help if the government could figure this out? As psychiatrist Dr. Deborah Peel of Patient Privacy Rights and I have often discussed, mental health patients concerned about stigma or repercussions often avoid submitting their bills to insurance so that there’s no record of their diagnoses. But while they can avoid insurance companies, how can they avoid the NSA?
As a healthcare professional and HIPAA-covered entity, I try hard to protect my patients’ privacy and confidentiality. I am dismayed to learn that the government has in its huge databases data that could compromise both.
There are calls for Congress to look at the entire situation with a Church-type commission. There are calls for the executive branch to be more forthcoming about domestic surveillance. Those are reasonable requests and a good start. But when all is said and done, those of us with additional duties of confidentiality – such as doctors and lawyers – need to advocate for our patients’ and clients’ confidentiality by seeking limits on the government’s use of dragnet surveillance.
In the meantime, I’ve reached out to a number of tech-savvy people to ask – no, beg – them to come up with some point-and-click instructions for doctors and lawyers to use to protect our calls and e-mails better so that the identity of those calling or e-mailing us has better protection.
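An added illustration, not part of the original post, of the frequency count described above: working only from call records that hold a day, a caller and a callee, a daily count plus an autocorrelation recovers both the list of callers and the length of the cycle. The phone numbers, caller labels and the 14-day cycle are constructed for the example.

```python
from collections import Counter
from datetime import date, timedelta

CLINIC = "555-0100"  # constructed number standing in for a clinician's line


def build_constructed_records(days=84, period=14):
    """Constructed call metadata: (day, caller, callee). No call content."""
    start = date(2013, 1, 1)
    records = []
    for d in range(days):
        day = start + timedelta(days=d)
        # Assumed pattern: 2 calls on a normal day, 6 on the first 3 days of a cycle.
        calls_today = 6 if d % period < 3 else 2
        for i in range(calls_today):
            records.append((day, f"caller-{(d + i) % 9}", CLINIC))
        records.append((day, "caller-x", "555-0199"))  # unrelated traffic
    return records


def callers_of(records, callee):
    """Everyone who called the number: the 'who are the patients' inference."""
    return {caller for _, caller, to in records if to == callee}


def daily_counts(records, callee):
    """Calls per day to one number, with zero-filled gaps."""
    counts = Counter(day for day, _, to in records if to == callee)
    first, last = min(counts), max(counts)
    span = (last - first).days + 1
    return [counts.get(first + timedelta(days=i), 0) for i in range(span)]


def autocorrelation(series, lag):
    """Correlation of the series with itself shifted by `lag` days."""
    n = len(series)
    mean = sum(series) / n
    var = sum((x - mean) ** 2 for x in series)
    cov = sum((series[i] - mean) * (series[i + lag] - mean) for i in range(n - lag))
    return cov / var if var else 0.0


def dominant_period(series, min_lag=5, max_lag=30):
    """Lag (in days) at which the daily counts best repeat themselves."""
    return max(range(min_lag, max_lag + 1), key=lambda lag: autocorrelation(series, lag))


if __name__ == "__main__":
    recs = build_constructed_records()
    series = daily_counts(recs, CLINIC)
    print(len(callers_of(recs, CLINIC)), "callers; cycle of", dominant_period(series), "days")
```
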
Here’s a listing of software that can be used to “opt out” of the PRISM program:
http://prism-break.org/
Thank you! I had never even heard of some of them, but will start checking into some of them.
I do hope the revelation of Prism will help push our culture more towards privacy-enabled options. One of my biggest struggles trying to help mental health clinicians with security and privacy has been how difficult it is to get both clinicians and clients to use secure communication options simply because they aren’t the norm. If the average person feels compelled to use secure communications and does so, we’ll all be better off (and HIPAA compliance will become much easier!)
Traffic analysis is one of the easier problems to address from an end user’s standpoint. The Tor Browser Bundle is easy to use. Download, double-click, and it does the rest. Patients would be able to visit your site without their ISP knowing, and you would not see their IP addresses in your logs.
Other technology is just as easy to use, or relatively easy to use, but without education users are going to make mistakes. It only takes one time logging in to your pseudonymous account without a proxy for an observer to find out your legal name. Tactical Tech has good educational materials: https://www.tacticaltech.org/#privacy-and-expression
I would be interested in having a discussion about healthcare information privacy. People who make privacy-enhancing technology cite records of searches for medication side effects and support groups as something ordinary citizens should be concerned about, but we could benefit from having a discussion with healthcare professionals about next steps. Maybe we need to modify or bundle free software for providers.
Thanks so much, Karen. And I would love to talk with you more about this. I’ll shoot you an email this week and maybe we can set up a phone call to start discussing some of these issues more. Or maybe you’d like to write a guest blog post that we can use to start a discussion where others can contribute, too.
In the meantime, I’ve reached out to a number of tech-savvy people to ask – no, beg – them to come up with some point-and-click instructions for doctors and lawyers to use to protect our calls and e-mails better so that the identity of those calling or e-mailing us has better protection.
Hi, Dissent. I’m a licensed mental health clinician, and, by way of my previous career, a computer security professional.
There isn’t anything you can do. More precisely, there isn’t anything you can do unilaterally to conceal from third parties that it is you contacting your patients by phone or by email.
ALL forms of secure communications require that BOTH ends — that would be both your system on your end, and the patient’s system on theirs — be hardened. This means that the patient would have to utilize special secure tools to communicate with you.
For instance, to be able to make phone calls that the NSA can’t track the metadata of, the SilentCircle product may be sufficient (I’m not sure, having not looked into it in detail). However:
1) It’s a commercial product+service that both you and the patient would each acquire. The patient would (as would you) have to have an account with SilentCircle.
2) It only runs on iPhones and Android phones. Those of us with not-too-smart phones, Blackberries, etc. are entirely out of luck. So your patients would have to be willing to fork over for a high-end phone to even run the security software.
3) The software needs to be installed and, presumably, maintained. All security products periodically come out with improved versions to patch discovered flaws in their security. Who is going to handle these tech support tasks for your patients? Or are you just going to rely on them to update their software religiously?
4) As Karen explains about a different product — this issue is basically universal to security products — the patients then need to use this alternative calling method, religiously. They must never fail to use the security product, and call you directly from their phones. There have been a number of high profile computer criminal busts which were the product of brief, one-time failures to use security measures.
5) Patients must be willing to give up whatever utility and features they have with their present phone-call-making interface/application and use the one in the security product instead. They may not be willing to do that just to keep their PHI private.
I don’t know about you, but I have trouble getting many of my patients to remember their appointments reliably. The discipline in using a secure phone app? To say nothing of the fact I see Medicare/Medicaid patients, some of whom regularly go without food to make sure their kids get enough to eat and get their 250 minutes of phone coverage a month through Safelink. Do they get to have PHI privacy too? Or only people who can afford iPhones and subscriptions to encrypted phone services?
What I describe is a general principle. What Karen describes, the Tor Browser Bundle, is a package of tools your patients would install on their computers. It’s free, so if they are privileged to have a computer, they may well want to use it. However, all the other problems I mentioned above pertain. If they don’t control their computer (say if they are poor and are using the computer in their library, or at their job) and don’t have installation privileges; if they are not technically savvy enough to install it and maintain it; if they don’t have the (quite unreasonable to expect of humans) level of discipline to never make a mistake using it, then, yeah, they totally could have secure connections with you and your systems (and we haven’t even discussed what you would have to do on your end).
There are all sorts of security products and projects (many FOSS) of various levels of quality. But they all have the same thing in common: they require both parties to implement them. And that means your patients would have to do half the work. Which means it’s not practical for health professionals who work with the general public.
There isn’t anything we can do in the meantime. I’m sorry to be the bearer of bad news; I hope someone will have grounds to tell me I am wrong. In the meantime, we need to be spending our energy changing public policy. We need to get word out there how one’s call logs can betray PHI, not just evidence of wrongdoing; we need to shift the public discourse away from “I’m not a terrorist, so why would I care if the government stores my call logs?”
As I’ve been talking with people, I’ve come to pretty much the same conclusion you have.
I agree with you that we need to get the word out about call logs betraying PHI. Everyone uses the example of someone calling an HIV clinic, but I wanted to expand the discussion to show other examples that might not be as obvious. Hence, this blog post, which I hope others will feel free to cite or link to.
But, as fellow mental health clinicians, I ask you: where are our professional organizations in terms of raising these concerns and lobbying for changes to protect confidentiality and PHI? I haven’t seen any statements from them, have you?
I haven’t. My professional organization has long been a study in inefficacy, so I’m not really surprised. I’m trying to figure out how to make the case that the organization needs to step up, on this issue and others. This blog post is getting tagged for future reference when I do.
Part of the — okay, now I’m being really demoralizing — problem is that a lot of clinicians are reacting to the internet, as a whole, really poorly. I see so much moral panic, technophobia, dismissive defensiveness when clinicians address “the internet” and anything to do with “computers”. Discussions of “how do we address social concerns online?” are derailed by a widespread neurotic agenda to discredit the internet. When one asks, “how might we address PHI security, cyberbullying, counseling via telepresence, etc” it is as if the response is “HA! SEE! The internet is evil and everyone should just not use it.” The idea that maybe we clinicians have a responsibility to make the internet a better, safer place for our patients and all people? Completely at odds with the mindset which is unconsciously bent on destroying it.
And if there’s nothing we can do to protect the confidentiality and security of communications from the NSA, then what? Does HIPAA excuse our lack of protecting security and privacy because, by golly, it’s the NSA plus hundreds of thousands of contractors who have access to the information?