Revisiting Online Medical Information Storage Houses Points To Consistent Need For *1* Federal Privacy Law
Last fall I blogged about Microsoft's HealthVault, "Why Would You Trust Microsoft To Store Your Sensitive Health Information?"
It didn't take long before Google got in on the game.
Today an interesting story ran in the New York Times, "Warning on Storage of Health Records," which also points out the concerns with having huge amounts of health information stored in a mega-multi-services-products type of monolith company. The issues are the same for any organization storing such information, but putting health information in the same corporate systems that contain the records of billions of people really opens up quite a Pandora's box of privacy breach possibilities.
Here are some excerpts from the news story that make some good points...
"The authors say that consumer control of personal data under the new, unregulated Web systems could open the door to all kinds of marketing and false advertising from parties eager for valuable patient information."
Indeed. Combining huge numbers of health records with the billions of other customer information records Microsoft and Google hold creates quite a nice customer relationship management (CRM) possibility for them. Not to mention a whole new set of revenue paths that they may have from selling the information about the people storing health records on their systems to an unlimited number of other organizations.
"Peter Neupert, the vice president in charge of Microsoft's health group, said that he admired the authors and that they raised some important issues. But he resisted the suggestion of extending Hipaa to newcomers like Microsoft and Google.
"Philosophically and politically, I am skeptical of the concept of paternalism," Mr. Neupert said in an e-mail response to the article, which he was sent, and to the authors' comments. "It never turns out to be 'limited.' "
Designing a health records system that clearly informs consumers and requires their consent for data use is the better approach, Mr. Neupert said. "We have to earn the consumer's trust for our brand," he said. "So I can imagine a scenario where we have a third party verify that our system works the way we assert it does," much as an auditor reviews a company's financial reporting."
You bet; the "Trust me!" approach is much better than requiring organizations to follow data protection safeguards and appropriate practices...NOT! It has not worked so far; why would it now?
Have you ever read the horrible notification communications from Microsoft and Google? Most individuals will "consent" to something they have no idea was even described, because the notification was poorly worded or hard to find.
We need one federal data protection (privacy) law, applicable to all organizations that handle personally identifiable information (PII), that addresses the entire scope of privacy issues related to PII.

Comments
April 18, 2008
I read with great interest your article on electronic personal health records and thought you would find MyMedicalRecords of interest. MMR has contracts with organizations covering more than 30 million lives to provide our services.
Contrasting MMR to other popular EMR products, MMR is delivering the most user-friendly, convenient and versatile web-based Personal Health Record available today. Using our proprietary patent pending technologies, complete patient information including actual lab test results, radiology reports and images, progress notes and all of a patient’s charts can be uploaded or faxed with annotated voice notes and comments directly into the user’s password-secured account. Users do not need to install any special software or use any special hardware to use our service.
MMR also has integrated other advanced features, such as multilingual translation, a drug interaction database of more than 20,000 medications, calendaring for prescription refills and doctor appointments, and private voicemail for a doctor’s message and other personal uses.
There also is a special “Emergency Log-In” feature that allows a doctor to access a user’s account to view their most important medical information in the event of a medical emergency. To ensure individual privacy, specific data, such as prescriptions, allergies, blood type and copies of actual medical files or images, are pre-selected by the user for inclusion in the online read-only Emergency Folder.
In addition, MMR also includes an online ESafeDeposit Box feature that enables users to securely store any important document in a virtual “lock box” and access them anytime from anywhere using an Internet-connected computer or PDA. These documents can include Advanced Directives, Wills, insurance policies, birth certificates, photos of Family, Pets and Property, and more. MMR is clearly one of the most complete user-friendly Personal Health Records available today (I can provide details).
Incidentally, MMR has built a two-way data interface to Google Health and our understanding with Google is that MMR will be part of their public launch expected shortly. This will enable users to move information from their Google Health account to their MyMedicalRecords account and vice versa. This will enhance the Google Health user experience by allowing the individual to store documents, images, and other personal information in MMR’s easy-to-use personal health record and will have the benefit of all the additional features MMR has that are not available directly within Google Health.
I would encourage you to visit MMR and set up a complimentary account. Simply go to www.mymedicalrecords.com and sign up using registration code MMRBLOG. I would be interested in your experience and hope that you will include us in any further discussions of Personal Health Records. I could also send you more information by email or snail mail (the latter allows me to send a bit more than I’d want to clog your email with). Recently, we sent out a release about MMR Pro, which will better enable physicians to put patient records into secure, online accounts.
Sincerely,
Scott S. Smith
Director of Public Relations
MyMedicalRecords.com
11000 Santa Monica Blvd. #430
Los Angeles CA 90067
888/808-4667
Ext 123 (Cell: 310/254-4051)
ssmith@mmrmail.com
Posted by: Scott Smith | April 18, 2008 3:38 PM
Scott, thank you very much for your detailed comment! I am delighted that you engaged in this conversation.
I checked out your site and the service, and I will make some blogs regarding them sometime this week.
In particular some issues I want to touch on are:
* Whether or not there is a true need to place all electronic health records within a non-healthcare third-party system.
* The risks of this type of service for contributing to the growing numbers of not only financial identity theft incidents, but also to medical identity theft incidents.
* The vulnerabilities I see with the "Emergency Log-in" feature and associated procedures as they are described.
* And others as they pop to mind when I get a little more time to spend thinking about this (gotta get several projects wrapped in the next three days).
Sure! You can send me snail mail; I'll send you my business mailing address in an email.
I'll look forward to hearing your thoughts about my follow-up blog postings for this topic that I will make throughout this week and/or perhaps next week.
Rebecca
Posted by: Rebecca | April 21, 2008 11:01 AM