Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: goodroi
Google Inc. will begin storing the medical records of a few thousand people as it tests a long-awaited health service that's likely to raise more concerns about the volume of sensitive information entrusted to the Internet search leader.
The pilot project to be announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google's new service, which won't be open to the general public.
Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that's also required to use other Google services such as e-mail and personalized search tools.
Just think how helpful this could be to insurance companies! ;)
I wouldn't care either WHO did it. It is bad in either case.
This information will be sold as data or as reports to insurance and drug companies, DO NOT DOUBT THAT IN A SECOND. Selling health data is a big serious business. Ugly too, because most of that data is used to figure out not how to cure diseases, but how to put people on drugs (i.e. continuous "treatment").
will be protected by a password that's also required to use other Google services such as e-mail and personalized search tools.
What are they thinking?
Of course, there is - at least currently - a way around this.
I have a half-dozen Google accounts. I'll bet there are some here with 10-20.
I like to keep this stuff in separate boxes.
Google doesn't encourage it. They don't encourage obvious, prudent separation of data with differing security requirements.
In fact, they encourage the opposite.
"who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google's new service, which won't be open to the general public."
This is an opt-in...not opt-out. Google's not going to add yours without your permission. Google may be trying to do new things here but getting sued into bankruptcy isn't one of them. Also, unless a senior executive overseeing this project decides to voluntarily release the information for whatever reason, I can't possibly imagine the personal data being obtained by a hacker or a group of them. Google's network is so incredibly powerful, it's ridiculous.
Rather than have hundreds or thousands of proprietary systems that don't talk to each other very well, it makes much more sense to have a standardized system (or one central system) that will allow doctors to access all medical information for patients under their care. And if it's going to be centralized, I would MUCH prefer a company like Google that has a more proven track record of maintaining privacy than any of the dozens of supposedly "secure" companies that have allowed hundreds of thousands of credit card numbers into the wild.
Personally, if I'm sitting in a hospital in critical condition, I would not be thrilled to have my doctor tell me I may not live because his hospital's system doesn't talk to my doctor's system and he can't find anyone at my doctor's offices to fax hard copies of my records to his office.
[edited by: LifeinAsia at 8:17 pm (utc) on Feb. 21, 2008]
I can't possibly imagine the personal data being obtained by a hacker or a group of them.
I can. Very easy. They just have to phish the user's Gmail password. How hard can that be?
It's a very simple problem to solve - use a separate Google account for this. But Google actively encourages people NOT to do that.
All they have to say is "we recommend that you set-up a separate Google account with a separate password, to help insure your privacy.
But they won't do that.
Instead, they encourage you to use the same account for medical record, Gmail, search, GoogleBar, Adwords, etc. etc. etc.
BTW, I see that PayPal offers hardware security keys for $5. Maybe they have been doing this for some time, but I just noticed. These are the portable devices you can put on your keyring where you enter a challenge and it displays a response that you must enter to a web page for access. It's appropriate technology for this kind of data.
But you won't see Google doing that. Would scare too many people off. It would make them think about the sensitivity of the data. Don't want that.
Um, how exactly is this any different from the dozens (if not hundreds or thousands) of other companies that store medical records information?
Because, apparently, HIPAA protections do not apply to this data, because Google is not a medical provider or insurer.
Rather than have hundreds or thousands of proprietary systems that don't talk to each other very well, it makes much more sense to have a standardized system (or one central system) that will allow doctors to access all medical information for patients under their care.
But that, apparently, isn't what this system does. The article is sketchy, but it appears that this is only for the patients themselves to access. (Along with the specific clinic that was selected for the trial.)
What happens if you go to another doctor? Do you give your doctor the password? Well, then, ou've just given your doctor the password for your email, browsing history, Adsense income....
See the problem?
This topic was of interest to me because I was approached by a medical group to build such a system. After I told them Google is working on something similar, they changed their mind :)
I was surprised that no one thought about the benefit. I've had a fair share of doctors over the years. Officially I'm supposed to be allowed to have access to my medical records. In reality, I've barely ever been given a thing. Doctors can be elitist sometimes. Thinking we don't need to see data that is actually very important to us. We like to do our own research even if it means asking inconvenient questions..
Having health records online gives power to the consumer.
I'm not thrilled to have Google behind it. They know way too much already.... It would be nice if there was a system to randomize usernames so that you have better protection.
But I was expecting a more balanced discussion of the pros and cons...which I thought would be possible when Google's name was removed from the equation.
There's a lot of smart folks here. Any way to tackle this so the patient can access all his records from the many doctor's he's had and still maintain a fair level of privacy? Be it Google or some other company?
Any way to tackle this so the patient can access all his records from the many doctor's he's had and still maintain a fair level of privacy?
A hardware device. Something like a Medic Alert bracelet with non-volatile memory, a keypad, and display. Integrates a challenge/response security device. Probably with a USB interface built-in. So, in the form of a USB key.
It could be read and updated at your doctor's office with prior approval. They'd be given a revocable key which would allow them to access the device without a password. Or, you could enter your PIN and then you or your doctor could enter the challenge/response. (That is, without prior approval.)
You could hand in your key when you check-in, and get it back when you check-out. Or do it yourself on a kiosk in the waiting room. (You might not get a complete record on the same visit, but in most cases today, this gets recorded on a computer while you are in the office. Might miss Doctor's comments that they may add during "desk time", but you'll get that on the next visit or through an online update.)
Emergency rooms might have special override keys. Of course, the use of such a key would be recorded in the device.
The device could sync-up to one or more online medical records systems over the Internet. Of course, with proper security - which means more than a simple user ID/password.
You would have control over which online systems it syncs up with, and what kind of data it exchanges.
Of course, there would be a way to backup your data securely, and you could have duplicate devices.
Google just wants the data. YOUR data.
It belongs in your pocket, not on Google's servers.
For the vast majority of us having immediate access to all medical records immediately isn't that important. There are some things that would be cool to know before a patient comes rolling into the ER. Things that should transcend privacy.
Been outside the country lately?
Been around someone with TB or the flu?
It takes forever for new techniques to make there way from one part of the country to where it becomes common knowledge. Bill Everet would be paralyzed now if he played for the Chiefs.
Someone with good ears in a hospital cafeteria
could learn a lot more about your medical records than trying to hack a google database.
Can you imagine TurboTax or TaxCut doing anything like that?
They don't do it using the same user ID/password that you use for your email.
Many people treat email security casually. Even more so, some of the other Google services. (logging-in to search, for example). Most people have these passwords set-up for automatic filling in their browser.
Anything financial, I do not let the browser save the password. I have to enter it manually. (Actually, I use Password Safe, but there are still some clicks.)
Now, what is the typical user going to do in this scenario? Most won't think to open a separate Google account, because Google discourages it - doesn't even suggest it as a good security measure.
So, pick one:
- Don't let your browser store your Google password. What a pain to access email.
- Let your browser store your Google password. Anyone with physical access to your machine can access your medical records.
A Hobson's choice.
I don't have a problem with Google being a service provider for medical records. I do have a problem with their casual treatment of passwords and accounts, and encouraging the use of a single account for multiple roles.
I also have a problem if they are ducking HIPPA requirements through some technicality. That needs to be stopped through legislation, immediately.
Privacy group sounds alarms over personal health records systems.
Mediical data stored online may fall outside of HIPAA's privacy protections, report claims
There are several problems that could result from the lack of privacy protections, Dixon said. For starters, she claimed, health records could lose their privileged status if a patient authorizes a doctor to send a copy of the information to a PHR system that isn't covered by the HIPAA mandates.
"Many consumers have this deeply held belief that their health information, no matter where it travels, is protected in the same way as when you have a doctor/patient relationship," Dixon said. In reality, consenting to have data transmitted to a noncovered system likely would be viewed as an indication that you had waived your privacy privilege, she added.
Computer World article [computerworld.com]
[edited by: tedster at 6:07 am (utc) on Feb. 22, 2008]
[edit reason] fix side scroll [/edit]