Saturday, August 26, 2006

Is Australian E-Health Facing a Perfect Storm?

Wikipedia describes a “Perfect Storm” as follows:

“The phrase perfect storm refers to a simultaneous occurrence of events which, taken individually, would be far less powerful than the result of their chance combination. Such occurrences are, by their very nature, rare, and so even a slight change in any one event contributing to a ‘perfect storm’ would be sufficient to lessen the overall power of the final event.”

In this short article I am suggesting that the future of e-Health may be facing just such a storm. Why? Because it seems there are a number of forces and events coalescing to greatly damage the progress of the implementation of e-Health nationally.

Firstly, we have the revelation that, following a two-year investigation (one wonders why it took that long), some six hundred Centrelink staff have been found browsing Centrelink client records inappropriately, despite there being clear warnings to all staff that such activity will be dealt with very harshly (over 100 apparently no longer work for the organisation).

It seems this is not the first instance of such behaviour among public servants – with a major breach, rather worryingly, having occurred at the Commonwealth Child Support Agency a year or so back.

Secondly, we have all sorts of incidents being reported from all over the world where patient details are being accidentally provided to third parties through everything from stolen laptops to accidental publication of patient information on the web.

The most recent was reported a few days ago.

“Laptop computer with home-care patient data stolen in Michigan

Beaumont Home Care on Tuesday asked the public to help it recover a laptop computer filled with three years' worth of personal patient information that was stolen with an employee's car.

Beaumont said the information was encrypted and password-protected and is related only to home-health patients. Beaumont Hospital inpatients’ or outpatients' information was not included and centralized registration and medical records of Beaumont are not at risk. But the laptop belonged to a new employee who had stored the ID access code and password with the computer.

Home-care staff use laptop computers to document patient care. The stolen information included patients' names, addresses, birth dates and Social Security numbers. Medical-insurance and personal-health information was also included. Home-care patients have been apprised of the theft and Beaumont is arranging enrollment in a credit-reporting service as well, the Royal Oak, Mich.-based system said in a news release.

"We are taking aggressive measures to protect their personal and health information and to lessen the impact of the computer theft on them," said Chris Hengstebeck, security director at Beaumont in Troy, Mich. The hospital system is offering a reward for the recovery of the Dell Latitude D-400 laptop, serial No. 5MZ1F61, WBH Tag No. 218242.

Crain's Detroit Business”

Note that this problem would simply not have arisen without the records being computerised.

Third, we have Minister Hockey, the minister for Centrelink, claiming the information held for the proposed Commonwealth Services Access SmartCard will be handled differently. How much credibility can such a claim have in the public’s mind?

Fourth, we have NEHTA suggesting that the basis of its privacy approach is to be technologically agnostic. As I wrote a few months ago,

“talk of privacy neutrality is naïve. It is critically necessary to distinguish between conceptual privacy neutrality and practical (or privacy as it is actually implemented) neutrality. Preserving the privacy of a patient’s written record is a very different thing from preserving the privacy of a patient’s record when stored, typically with hundreds of others, in a computer system. The threats from leakage and exposure are different as are the methods of auditing access and use. These differences must be clearly recognised and effectively addressed. An example is the ease with which 10,000 records can be stolen on a USB key compared with the same ‘truck-requiring’ effort with paper records.”

The essence of my concern in all this is that unless public trust is manifestly justified, through leaks of sensitive personal information being made extraordinarily rare or non-existent, implementation of e-health technology and solutions will be effectively blocked by security and privacy concerns before it can even get underway.

It is up to everyone handling personally identifiable information, not only those working in health but also banks, insurance companies, diagnostic laboratories, police and so on, to understand clearly that while mistakes will always happen, it requires a computer to really make a massive series of mistakes. In the wrong hands, computer databases can disclose vast amounts of sensitive information far more quickly and efficiently than any paper-based system can!

The key message is simple. To prevent there being great difficulty with the adoption of e-health technology and solutions, great care has to be taken to address not only the technical, but also the cultural, human and organisational issues that permit unauthorised disclosure of private information. It is a problem for all of us!

David.
