Healthbook arrives, via Google

One of the more widely praised ideas coming out of the 2020 summit was “Healthbook”, something that was genuinely novel, large in scope, and with real potential to make a difference. As the interim report put it:

Create a “Healthbook” (like Facebook) for Australians to take greater ownership of their health information and electronically share it with people they trust – for example their doctor, nurse or family members. Users could control their health “friends” and their level of access, share data as desired, and ask for real time advice on health issues. By 2020, this might include sharing your own genetic data with your doctor or family. This would put the individual squarely at the centre of the health system.

Well, lo and behold, Google Health appears in the news, offering - for American patients - pretty much the kind of services proposed for “Healthbook”. Joshua Gans is impressed.

There are obviously big potential gains from centralized electronic medical records systems like this. As somebody who’s had the odd diagnostic test over the years for the odd ailment, this stuff gets lost - I have no idea where the back X-rays I had done once went. And, on a population-wide level, there’s obviously enormous scope for doing anonymized statistical research on this data. But would I want my medical records on Google Health, or something like it? No way in hell.

The trouble with centralizing medical records - even if Google is better at managing computer security than Australian health departments are - is that a centralized medical database represents an inherently attractive target, both for attackers and for governments, that a distributed collection of records scattered over thousands of hospitals and doctors' surgeries doesn't. The attacker of a distributed system has to find and break into each practice in turn; the attacker of a central one breaks in once and gets everything, in one consistent format.

By centralizing such a collection of data, I'm putting my trust in the system administrators and their political masters never to make a security mistake, and never to abuse that data, for the rest of my life. That strikes me as much more of a punt than I'd be prepared to make.


25 Responses to “Healthbook arrives, via Google”


  1. Andrew Reynolds

    Robert,
    Many governments are looking to do this in any case - the NHS is one example - and without our consent or even ability to gain access to it. Personally, I would be much happier with a private company (that I could sue) having this data than with governments that have a proven record of losing it and no accountability when they do.
    This is, and must be, a balancing act - with individuals deciding the balance for themselves. A private, optional solution is a good way to go, IMHO.

  2. Dave Bath

    Helping a clinician get the best information from inside the health service to provide the best health outcome (e.g. COAS, outlined in the post of mine you link to) is NOT the same as the “HealthBook” high concept. The first is technically challenging for our discipline-challenged agencies, but provides a huge payoff, whereas the second is of little real benefit (if only because it will be very poorly structured) as far as I can see.

    Another recent example of the failure of agencies to understand cybersecurity is detailed here. Now consider the results if a hacker scrambled path results and diagnostic records so that people got completely inappropriate treatments!

  3. Fmark

    The security of our computerised health information is already atrocious. One of the leading medical records software packages in Australia allows anyone able to access the computer network of the doctor's surgery (including remotely) full access to all patients' medical records! Given these standards, I'd hate to see this information centralised.

  4. Robert Merkel

    What I don’t think people are appreciating is just how valuable this data is to attackers because of its centralization and consistent formatting.

    If I were the Chinese foreign intelligence service and I was looking for people to blackmail, getting access to this database and being able to data mine it would be enormously attractive. You wouldn’t have to know a specific target; you’d just do a cross-matching between everyone who’s been treated for an STD and your list of targets of interest (say, everyone who works at an Australian embassy around the world).

  5. Chris (a different one)

    The security of our computerised health information is already atrocious. One of the leading medical records software packages in Australia allows anyone able to access the computer network of the doctor's surgery (including remotely) full access to all patients' medical records! Given these standards, I'd hate to see this information centralised.

    One of the advantages I can see from centralisation is that it is a great opportunity and there will be strong incentives to set standards around the security. Rather than the current situation where it's probably not that hard for people to access bits of personal information but harder to get all of it because it's so dispersed.

    This is, and must be, a balancing act - with individuals deciding the balance for themselves. A private, optional solution is a good way to go, IMHO.

    I think I broadly agree because there is always a conflict where a government has to regulate and enforce regulations on itself (and it's much easier to cover problems up).

    I’d suggest that we also need much stronger laws on the allowed use and possession of private information. So even if there is a leak it would be illegal, with strong penalties, for third parties to use or even hold that information.

  6. professor rat

    I think there is a workaround to the main drawback Robert mentioned (an unencrypted centralized point-of-weakness). It involves ramping up investment in large remailers of encrypted P2P traffic. The sort that's being throttled back in some sectors like Canada. Then a translucent, distributed database is created in the ‘Data cloud’ or netspace. This vital information is kept in constant remailer motion and reproduced in many places or freenet nodes but is only available with the owner's permission.
    A similar system could apply to people's criminal records with the over-ride only possible by a sort of jury system operating with probable cause.
    This idea came up during discussions on the Cypherpunk list many years ago and was shot down as a kind of ‘Brinworld’. But with today's powerful computers and storage that point is now moot. The only people who should live in Brinworlds now are cops and politicians. Let Freenet reign.

  7. Robert Merkel

    Chris: but the centralization inherently makes the attack easier, even if the decentralized nodes have woeful security.

    Say, for some reason, you want my health records for nefarious purposes. Would you have any idea where to go get them?

  8. Tony Healy

    It would also be terrific having your medical records stored outside the jurisdiction of Australian privacy and medical law. Even better when they offshore them to a data centre in India. Go Google you clever thing.

    And by the way, Robert is right. Huge amounts of ostensibly secure data are already vulnerable. It’s a cost benefit trade-off. Not looking at any big Australian banks here.

  9. Tony Healy

    Also, systematised medical records are not a new idea. Australia has been running a project for a few years. There are complicated issues including disciplinary and institutional jealousies.

    Because Google Health probably won’t comply with these emerging guidelines, it probably won’t be certified for use by the medical infrastructure in Australia, and thus will simply be a private data repository. It’s hard to say how popular it will be in that restricted role. The reference material will be useful, but Google doesn’t have a monopoly on that.

    Further to the privacy angle, imagine what would happen if Google’s stock price slumped further, prompting more energetic efforts to “monetise” its data. Insurance firms and employers would pay a fortune to access medical histories of customers and employees, for screening and marketing purposes.

  10. Chris (a different one)

    Say, for some reason, you want my health records for nefarious purposes. Would you have any idea where to go get them?

    I don't think a centralised system makes it necessarily easier or harder. I'm assuming a reasonable investigator would find it difficult to work out who is your GP for example, who probably has very poor physical let alone network security. Also from what I've seen medical centres seem reasonably happy to fax records from one doctor to another with just a request over the phone with little or no authentication, so it's probably not that hard to fake if you want to. With information leaks now the victims probably never even find out about it.

    With a centralised system direct attacks on the information are going to be much more difficult (assuming a reasonable level of competence). But as you point out everyone knows where to get the information and everything is there, so there's a big payoff if you compromise the system. On the other hand you should be able to at least have an audit trail so people know exactly when their medical records have been accessed, what information has been accessed and by whom.

    It's all a tradeoff - things could get much better or much worse - depends on how well you think the government could regulate and implement a system :-)
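
An added illustration of the audit-trail point in the comment above (example code written for this page, not from the post, from Google Health or from any commenter): a hash-chained access log in which every entry commits to the one before it, so an insider who deletes or edits an entry to hide an access breaks verification of everything after it. The actors, patients and accesses are constructed, and the MAC key is assumed to sit with a separate audit service rather than with the application servers that write entries.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # "previous hash" for the first entry


@dataclass
class AccessLog:
    """Append-only, hash-chained log of who read which parts of whose record.

    Every entry commits to the hash of the entry before it, so deleting or
    editing an entry breaks verification of everything after it.  The MAC
    key is assumed (not on the page) to be held by the audit service, not by
    the application servers that write entries, so an attacker who can write
    to the log table cannot simply recompute the chain.
    """
    mac_key: bytes
    entries: list = field(default_factory=list)

    def _digest(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.mac_key, payload, hashlib.sha256).hexdigest()

    def append(self, actor: str, patient: str, fields, purpose: str, ts: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "actor": actor, "patient": patient,
                "fields": sorted(fields), "purpose": purpose, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, index) where index is the first entry that fails, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def accesses_to(self, patient: str):
        """The patient-facing view: when, who, what, and why."""
        return [(e["ts"], e["actor"], e["fields"], e["purpose"])
                for e in self.entries if e["patient"] == patient]


def demo():
    # Constructed sample accesses; the key would come from a KMS in practice.
    log = AccessLog(mac_key=b"constructed-demo-key-not-for-real-use")
    log.append("dr.smith", "P-001", ["medications", "allergies"], "consultation", "2008-05-20T09:00")
    log.append("pharm.jones", "P-001", ["medications"], "dispense", "2008-05-20T10:15")
    log.append("nurse.lee", "P-002", ["vitals"], "ward round", "2008-05-20T11:00")
    intact = log.verify()

    # An insider quietly removes the pharmacy access from the middle of the log.
    pruned = AccessLog(log.mac_key, entries=[log.entries[0], log.entries[2]])
    # Another edits an entry to hide which fields were read.
    edited = AccessLog(log.mac_key, entries=[dict(e) for e in log.entries])
    edited.entries[0]["fields"] = ["allergies"]
    return intact, pruned.verify(), edited.verify(), log.accesses_to("P-001")


if __name__ == "__main__":
    print(demo())
```

A chain like this catches deletion or editing in the middle of the log but not silent truncation of the tail, so the current head hash has to be kept somewhere the log writers cannot reach, or shown to the patient on every access. Logging refused accesses as well as granted ones is what turns the log into a detection source rather than just a receipt.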

  11. Chris (a different one)

    I don’t think a centralised system makes it necessarily easier or harder. I’m assuming a reasonable investigator would find it difficult to work out …

    of course I meant to say they wouldn’t find it difficult

  12. Aidan

    Robert, I agree in principle with what you're saying. I don't think Google is the way to go here, but what about a completely anonymous govvie e-health data repository? Some sort of terribly clever public/private keypair signing thingo that meant only you could find out the actual database key for retrieving said data.

    Even if some perp got their hands on the data it would be (hopefully) anonymous and so mostly harmless.

    Hopefully you’d have a list of ids you could then generate database ids from and give those to the next quack you see. If you lose the ability to regenerate the database key .. no worries, you’ve got the good old system to fall back on.

    Whaddya reckon?
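
Aidan's scheme, worked through as an added example (editor's code, not from the post or any commenter): the patient holds one secret and derives from it a different record identifier, and a different encryption key, for each provider, so the central store sees only opaque ids and blobs. The provider names and the HMAC-SHA256 derivation are assumptions chosen to make the idea concrete; the encryption of the record body itself is left out.

```python
import hashlib
import hmac
import secrets


def derive(master: bytes, label: bytes, context: bytes) -> bytes:
    """HMAC-SHA256 key derivation; the label keeps ids and keys in separate domains."""
    return hmac.new(master, label + b"\x00" + context, hashlib.sha256).digest()


def record_id(master: bytes, provider: str) -> str:
    """Pseudonymous key under which one provider files this patient's record.

    Different providers get unrelated ids, so the store cannot tell that two
    records belong to the same person; the patient regenerates the id at will.
    """
    return derive(master, b"record-id", provider.encode()).hex()


def record_key(master: bytes, provider: str) -> bytes:
    """Separate per-provider key the patient hands over for encrypting the record body."""
    return derive(master, b"record-key", provider.encode())


class PseudonymousStore:
    """Central store that holds rows by derived id only: no name, Medicare number or cross-links."""

    def __init__(self):
        self._rows = {}

    def put(self, rid: str, blob: bytes) -> None:
        self._rows[rid] = blob

    def get(self, rid: str):
        return self._rows.get(rid)

    def dump(self):
        """What a thief walks away with: opaque ids and opaque blobs."""
        return sorted(self._rows.items())


def demo():
    alice = secrets.token_bytes(32)  # patient-held master secret, never sent to the server
    store = PseudonymousStore()
    for provider in ("gp-cardigan-st", "radiology-inner-west"):  # constructed provider names
        store.put(record_id(alice, provider), b"<ciphertext-constructed>")

    # The patient can regenerate the id for a provider and find the record again...
    can_regenerate = store.get(record_id(alice, "gp-cardigan-st")) is not None
    # ...the store cannot link the two records to each other...
    unlinkable = record_id(alice, "gp-cardigan-st") != record_id(alice, "radiology-inner-west")
    # ...and the id and the encryption key for a provider are unrelated values.
    separated = record_id(alice, "gp-cardigan-st") != record_key(alice, "gp-cardigan-st").hex()
    # A lost master secret means the records are still there but unreachable.
    replacement = secrets.token_bytes(32)
    unreachable = store.get(record_id(replacement, "gp-cardigan-st")) is None
    return can_regenerate, unlinkable, separated, unreachable


if __name__ == "__main__":
    print(demo())
```

Two caveats the thread goes on to raise: the records are unlinkable only from the operator's side (a provider who holds both the id and the patient's name can link them, and so can anyone who obtains the provider's copy), and because the secret lives with the patient, nothing here helps an emergency team when the patient cannot cooperate, which is the gap Chris points out next.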

  13. Tony Healy

  14. Aidan

    Re: NEHTA

    Bastards pinched my idea EVEN BEFORE I HAD THOUGHT OF IT.

    The cheek.

  15. Chris (a different one)

    Hopefully you’d have a list of ids you could then generate database ids from and give those to the next quack you see. If you lose the ability to regenerate the database key .. no worries, you’ve got the good old system to fall back on.

    Although that's fine for GP/specialist visits, there would still need to be a mechanism for people to be able to access your information in emergencies without your active co-operation - eg you arrive unconscious at hospital and the groovy chip on your enhanced medicare card is broken in half. It's these situations where you are unable to tell medical people about pre-existing conditions where centralized records are the most valuable.

  16. Aidan

    Chris (a different one) … I think I’ll buck the habit of a lifetime and not comment anymore about stuff I clearly know very little about and leave it to the experts …

  17. Robert Merkel

    Chris: sure, if somebody wants to find out about me, and they’re prepared to do some detective work and break the law, it’s gettable. But probably at an expenditure of several hundred dollars for the basics, and thousands for the lot. And then you’d have to read it to look for any juicy bits.

    If it’s centralized, doing a break-in might cost you tens or hundreds of thousands of dollars, but it gets you everybody’s medical data in a conveniently searchable form.

    To appreciate the difference in utility, how would you find every time Bob Hawke was mentioned in the National Library of Australia? Compare that with searching for “Bob Hawke” on Google Books…

  18. Chris (a different one)

    Yea, I think I appreciate that there are much greater downsides with centralisation for privacy. Though I think it should be possible to secure against large chunks of the database being stolen all at once through the remote access that you'd see at medical centres or hospitals. If someone walks out with a bunch of backup tapes you obviously have issues, but government and industry do have quite a bit of experience with maintaining large secure databases.

    However I think we also need to take into account the very large benefits too - not just for individuals in better direct care, but it would also be an extremely valuable resource for medical research and probably good for fraud detection too.

  19. JM

    Personally, I think these schemes have little chance of success.

    The UK has been trying to centralize medical records for about 10 years (non-web based) and it has been an utter disaster.

    There are two problems. The first is “common format”. It is very hard to get a data representation that suits the needs of all medicos that need it, but the harder problem is the security problem. Who sees what, and who updates what. Privacy is small beer compared to this one.

    My doctor should see all data but only about his own patients, my nurse should see all data relevant to the current condition - but not previous, or unrelated conditions - of all her patients, the pharmacist should see all medications for all his customers - but little about their actual test results; and so on.

    Each of these is a limited dataset for a different group of people, as the doctor, nurse and pharmacist have different data requirements for different sets of “clients”.

    Once you get past the “who can read this stuff” problem you get to the “who can update what” problem which is even worse.

    From the UK experience - and also from Jim Clark’s Healtheon debacle back around 2000 - I think we can safely stick with the current decentralized model.
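
JM's who-sees-what and who-updates-what rules above, together with the emergency case Chris raised earlier (arriving unconscious with no way to co-operate), as an added example in code (editor's, not from the post or any commenter). The field vocabulary, the per-role permission sets, the "episode" model used to stand in for "current condition" and the emergency field set are all assumptions chosen to make the rules concrete.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed field vocabulary and role permissions; nothing on the page defines these.
READ_FIELDS = {
    "doctor":     {"demographics", "allergies", "medications", "diagnoses",
                   "test_results", "vitals", "dispensing"},
    "nurse":      {"demographics", "allergies", "medications", "diagnoses",
                   "test_results", "vitals"},
    "pharmacist": {"demographics", "allergies", "medications", "dispensing"},
}
WRITE_FIELDS = {
    "doctor":     {"allergies", "medications", "diagnoses", "test_results"},
    "nurse":      {"vitals"},
    "pharmacist": {"dispensing"},
}
# Assumed minimum an emergency team needs about an unconscious stranger.
EMERGENCY_FIELDS = {"allergies", "medications", "diagnoses"}


@dataclass(frozen=True)
class Actor:
    id: str
    role: str


@dataclass(frozen=True)
class Patient:
    id: str
    current_episode: Optional[str]
    doctors: FrozenSet[str]
    nurses: FrozenSet[str]
    pharmacies: FrozenSet[str]


@dataclass(frozen=True)
class Entry:
    field: str
    episode: Optional[str]   # None = patient-level data (allergies, demographics)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    flagged: bool = False    # True = break-glass; must be audited and reviewed


def has_relationship(actor: Actor, patient: Patient) -> bool:
    teams = {"doctor": patient.doctors, "nurse": patient.nurses,
             "pharmacist": patient.pharmacies}
    return actor.id in teams.get(actor.role, frozenset())


def decide(actor: Actor, action: str, entry: Entry, patient: Patient,
           justification: Optional[str] = None) -> Decision:
    """Relationship-based check: the role says which fields, the relationship says whose."""
    if action not in ("read", "write") or actor.role not in READ_FIELDS:
        return Decision(False, "unknown action or role")
    if not has_relationship(actor, patient):
        # Break-glass: reads only, a small fixed field set, a stated reason, always flagged.
        if action == "read" and justification and entry.field in EMERGENCY_FIELDS:
            return Decision(True, f"break-glass: {justification}", flagged=True)
        return Decision(False, "no treating relationship with this patient")
    allowed_fields = (READ_FIELDS if action == "read" else WRITE_FIELDS)[actor.role]
    if entry.field not in allowed_fields:
        return Decision(False, f"{actor.role} may not {action} {entry.field}")
    if actor.role == "nurse" and entry.episode not in (None, patient.current_episode):
        return Decision(False, "nurse limited to the current episode")
    return Decision(True, "ok")


def demo():
    # Constructed patient, care team and record entries.
    p = Patient("P-001", current_episode="ep-2008-05",
                doctors=frozenset({"dr.smith"}), nurses=frozenset({"nurse.lee"}),
                pharmacies=frozenset({"pharm.jones"}))
    doc, other_doc = Actor("dr.smith", "doctor"), Actor("dr.other", "doctor")
    nurse, pharm = Actor("nurse.lee", "nurse"), Actor("pharm.jones", "pharmacist")
    ed = Actor("dr.ed", "doctor")  # emergency clinician with no prior relationship
    old_results, old_vitals = Entry("test_results", "ep-2007-01"), Entry("vitals", "ep-2007-01")
    cur_vitals, allergies = Entry("vitals", "ep-2008-05"), Entry("allergies", None)
    reason = "unconscious on arrival"
    return {
        "own_doctor_reads_history": decide(doc, "read", old_results, p).allowed,
        "other_doctor_reads_history": decide(other_doc, "read", old_results, p).allowed,
        "nurse_reads_current_vitals": decide(nurse, "read", cur_vitals, p).allowed,
        "nurse_reads_old_vitals": decide(nurse, "read", old_vitals, p).allowed,
        "nurse_writes_vitals": decide(nurse, "write", cur_vitals, p).allowed,
        "nurse_writes_diagnosis": decide(nurse, "write", Entry("diagnoses", "ep-2008-05"), p).allowed,
        "pharmacist_reads_meds": decide(pharm, "read", Entry("medications", None), p).allowed,
        "pharmacist_reads_results": decide(pharm, "read", old_results, p).allowed,
        "ed_break_glass_allergies": decide(ed, "read", allergies, p, reason),
        "ed_break_glass_results": decide(ed, "read", old_results, p, reason).allowed,
        "ed_break_glass_write": decide(ed, "write", Entry("medications", None), p, reason).allowed,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth noting. The relationship check runs before the role check, so a doctor's role never grants anything about a stranger, and the only way past a missing relationship is a read of a small fixed field set with a stated justification that comes back flagged; the flagged decisions are exactly the ones that must land in the patient-visible access log and be reviewed afterwards, and that review, not the policy engine, is what makes break-glass tolerable. This is policy at the level of the application data, which is the layer JM argues the hard problem lives at; it is enforced by the data service rather than by the operating system.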

  20. BilB

    A product concept that I have for years been attempting to get floated is a product dubbed the “medical wand”. This is a multi-sensor hand device that is primarily a lighted magnifier similar in function to the gizmo that the doctor looks into your ear with. The difference is that the wand has a much larger viewing area and a compound CCD built in. Other built-in sensors are for sound, pressure, movement/orientation, and micro electrical measurement. In its simplest use the wand is used for cleaning wounds, extracting splinters, and looking into ears, eyes and throats. The CCD allows the same to be performed in places where an individual cannot normally see or reach, when the unit is connected to a computer. When USB or wifi connected to a computer things such as moles, growths, wounds, etc can be viewed, evaluated and image stored for later or remote diagnosis. The compound CCD is able to view infrared patterns and temperature, chromatographical measurement of litmus type strips for urine and other measurements as well. The sound and pressure sensors are used as a compound storage stethoscope for breathing, heart, and blood pressure observation. The supporting PC software is intended to be a diagnostic tool with a family medical history storing database, as well as a general purpose health, internet supported, information centre.

    The purpose of the medical wand concept is to obtain a degree of personal medical independence, and when help is sought, far better supporting information can be provided to the physician. That physician need not be local. We are seeing a disinterest from medical practitioners to serve in remote (non-economic) areas.

    Unfortunately such a product concept requires a large cross-disciplinary development team. And that is very difficult to pull together.

    There are many pointers indicating that this is a future direction for personal health/medical support. Google Health provides an essential medical health history backup system providing history stability where primary information is stored in more volatile locations such as home PCs.

  21. Jacques Chester

    Once you get past the “who can read this stuff” problem you get to the “who can update what” problem which is even worse.

    Difficult, expensive, and complex. But not insurmountable, and in any case, no worse than the completely absent controls we have now.

    Any such system would need to separate identity from records, and have MAC-level security at the very least.

  22. michael2

    “There are obviously big potential gains from centralized electronic medical records systems like this. “

    Really? We take it for granted that new technology offers benefits over old paper and hard copy systems. I’m not convinced. And the lessons from the US are that electronic medical records are hugely expensive, don’t save time and cause a whole host of new problems.

    The other problem is that most sick people are elderly and/or infirm and just not capable of “Googling” their health records to anyone.

  23. JM

    Jacques: “Difficult, expensive, and complex. But not insurmountable”

    10 years' effort, hundreds of millions of pounds and absolutely nothing working. I'd count that as insurmountable. I also recommend you google “jim clark healtheon”. Complete debacle.

    “no worse than the completely absent controls we have now.”

    No, we have plenty of controls right now. My doctor and pharmacist have a completely different set of records and store only what they need in the format that suits their requirements. Merging them is hard. In this domain, the distributed systems we already have are much easier. Integration occurs via the medicare number and everyone is sweet. While there are gains from a centralized system, the expense is prohibitive (IMHO).

    “Any such system would need to separate identity from records”

    Which makes it good for statistical analysis only. My doctor needs to identify my records.

    “… and have MAC-level security at the very least.”

    Ahhh we're talking about something several orders of magnitude larger than a laptop here. And while I'll enthusiastically cheer your support of Macs, what I'm talking about is security at the level of the application data, not the operating system. Completely different beast.

  24. BilB

    There is a lot to be said for distributed information. There is a trend, though, from some service providers to send home such things as X-rays. These could be scanned and sent to Google as an option.

  25. Jacques Chester

    JM;

    By MAC I mean Mandatory Access Control.

    I agree that any such system will be expensive and difficult. In the long run I think that the benefits of having a massive mine of neutral health data will be incredibly valuable for research purposes.

    I am also interested in the applications for medical oversight — an expert system mining symptoms and diagnoses across the country might have noticed Dr Patel before he killed too many people.
