President Obama has indicated that health information technology (HIT) is an important component of his administration’s health care goals. Politicians on both sides of the aisle have lauded the potential for HIT to reduce costs and improve care. In this post, I’ll give some basics about what HIT is, what work is underway, and how the government can get more security experts involved.
We can coarsely break HIT into three technical areas. The first area is the transition from paper to electronic records, which involves surprisingly many subtle technical issues like interoperability. Second, development of health information networks will allow sharing of patient data between medical facilities and with other appropriate parties. Third, as a recent National Research Council report discusses, digital records can enable research in new areas, such as cognitive support for physicians.
HIT was not created on the 2008 campaign trail. The Department of Veterans Affairs (VA) has done work in this area for decades, including its widely praised VistA system, which provides electronic patient records and more. Notably, VistA source code and documentation can be freely downloaded. Many other large medical centers also already use electronic patient records.
In 2004, then-President Bush pushed for deployment of a Nationwide Health Information Network (NHIN) and universal adoption of electronic patient records by 2014. The NHIN is essentially a nationwide network for sharing relevant patient data (e.g., if you arrive at an emergency room in Oregon, the doctor can obtain needed records from your regular doctor in Kansas). The Department of Health and Human Services (HHS) funded four consortia to develop smaller, localized networks, partially as a learning exercise to prepare for the NHIN. HHS has held a number of forums where members of these consortia, the government, and the public can meet and discuss timely issues.
The agendas for these forums show some positive signs. Sessions cover a number of tricky issues. For example, participants in one session considered the risk that searches for a patient’s records in the NHIN could yield records for patients with similar attributes, posing privacy concerns. Provided that meaningful conversations occurred, HHS appears to be making a concerted effort to ensure that issues are identified and discussed before settling on solutions.
Unfortunately, the academic information security community seems divorced from these discussions. Members of the community are eventually likely to analyze the various proposed systems, whether before or after those systems are widely deployed; it would be far better for that analysis to happen earlier. In spite of the positive signs mentioned, past experience shows that even skilled developers can produce insecure systems. Any major flaws uncovered may be embarrassing, but weaknesses found now would be cheaper and easier to fix than ones found in 2014.
A great way to draw constructive scrutiny is to ensure transparency in federally funded HIT work. Limited project details are often available online, but both high- and low-level details can be hard to find. Presumably, members of the NHIN consortia (for example) developed detailed internal documents containing use cases, perceived risks/threats, specifications, and architectural illustrations.
To the extent legally feasible, the government should make documents like these available online. Access to them would make the projects easier to analyze, particularly for those of us less familiar with HIT. In addition, a typical vendor response to reported vulnerabilities is that the attack scenario is unrealistic (this is a standard response of e-voting vendors). Researchers can use these documents to ensure that they consider only realistic attacks.
The federal agenda for HIT is ambitious and will likely prove challenging and expensive. To avoid massive, costly mistakes, the government should seek to get as many eyes as possible on the work that it funds.
I go to private doctors, I don’t buy health insurance (it’s got Las Vegas odds), I don’t tell my docs or labs things they don’t need to know (like my SSN, employer, birth date, etc.). I pay for all my own health care, thank you, just like my food and my booze and my car. I’m one of the “uninsured” but I have plenty of good medical care (every media report seems to conflate “uninsured” with “uncared-for”, probably because they’re pushing Single-Monopoly Health Care). I always decline to sign the HIPAA “waiver” that every health provider “demands” — because I read it and it deliberately negates by contract most of the privacy protections that the law provides, and it turns out you don’t HAVE to sign away those rights; they treat you anyway.
I don’t trust a “medical records in the sky” solution no matter how many experts you throw at it. I had to call and schedule a physical meeting of my dentist, orthodontist and oral surgeon because it became clear that none of them had ever TALKED to each other about my case, despite referring me to each other and passing records around. I had to “check out” and take home the physical copies of my MRIs because my doctor told me that the hospital throws them out after two years, but he’ll want them for later comparison. *I* am keeping them. If some doc needs to see them, I’ll bring them. My dentist took a fancy digital photo of me when I first came to his practice in the MS-DOS days; he’s lost them all. I have most of the medical records needed to take care of me — and I know exactly where the paper & film are. But no cops, no private investigators, no insurance agents, and no “researchers” will go trolling through my records without bothering to ask (or even tell) me. If there’s something the ER needs to know, I’ll wear a Medic Alert bracelet.
Is your grand design in the Brave New Obama World making any room for people like me? Responsible people who take care of themselves, rather than expecting McDaddy to take care of them?