The story about the new Canadian health portal, mydoctor.ca, says:
[…]
[Larry Mohr, president of Practice Solutions] was asked how the system could guarantee patients’ health information doesn’t end up in the public domain.
“The piece that people might get most nervous about would be the secure messaging where people would normally think messages are going out over the Internet.”
He said that won’t happen in this system.
A patient logs into the portal with a user I.D. and a password and sends a message to his or her doctor, he said.
“That message never leaves the portal. They are really posting that message with the doctor.”
The doctor gets an email saying there is a message from the patient and logs in with his own password and I.D.
“The message never leaves the confines of the server so there is nothing going out over the Internet.”
I read the above and thought, “Is he kidding?” The server itself is connected to the internet.
Why didn’t Mohr answer the question about privacy (and security) more fully by acknowledging that as long as a server containing PHI or PHR is connected to the internet, there is always a risk that the server can be hacked and that any information on the server could be accessed or acquired? That type of partial answer by the president of a commercial company looking to make money is precisely why consumers often mistrust these companies.
David Loukidelis, B.C. information and privacy commissioner, did go on to discuss security, but Mohr was asked a straight question, and it is disturbing that he did not acknowledge the remaining risks.