Personal health information is the next national security problem
Often we read the headlines on how to protect ourselves is becoming ever more problematic. For some it’s as simple as having the ability to carry a concealed weapon, premised on the idea that if you want to hurt me, be prepared for the consequences. Needless to say, that’s extreme security process when it comes to healthy living. Most of us enjoy our lives without the need to put a gun beside our mouse and keyboard.
Along the PC and the Internet
Today we use personal firewalls and anti-virus software that we hope protects our information and valuables. And that doesn’t protect the most valuable part of your life – information about you. Information about you and your family is everywhere and you can’t go buy protection for it – from anywhere or anyone. You can’t even call the police to find out. For years, fraud based on identity theft has been a significant challenge to defeat. The simple things that help prevent such opportunities are well established: Shredding or burning junk mail credit card offers and other financial information and records before they hit the trash bin. Destroying computer hard drives or wiping them clean using software. Phishing and junk email is becoming easier to manage and control, although it still has a long way to go. Are there other areas beyond our control that could be damaging?
Yes. Too many areas are beyond our personal ability to protect. And it’s going to expand in the future. Now on the U.S. Administration's radar screen is EMR -- Electronic Medical Records -- which will lower the administration component of medical services. Hopefully instead of spending hours filling out forms, and staff spending hours sorting and inputting paper forms, that cycle time is actually used to attend to your medical needs and service. The doctor would see your entire medical history, ensuring that every allergy and drug you have taken is taken into consideration in medical treatment and ensuring that the right consultations are prescribed. In general terms that will increase efficiencies in the medical industry – lowering costs.
This creates a whole new set of security problems that go beyond just worrying about who is making loans in your name and destroying your credit. And worse, we don’t have any direct personal control in securing or protecting ourselves on who has access or management of this information. Medical records are the next big area of information that is now becoming digitized and recorded. Over the past 5 years, every medical visit, drug and appointment you have ever had is now bar-coded, logged and tracked on paper and sometimes the local clinic you go to. If you visited the emergency room at a hospital, that visit was likely recorded on the local server at that facility. The records will include every personal detail about you and your family’s health, becoming the basis of information for EMR. Local medical record storage has never been a problem since most systems are not accessible from the outside world and thus are on a computer server, but segregated from an integrated or national system. That will soon change.
Gone will be the days that your medical records are simply stored in a file at your local family doctor's clinic. If someone is “authorized” to see them, it will be in nanoseconds, not a few days by way of a courier service. Checks and balances for authorized access will be easy components to solve. Many countries already have some wide area storage of information about patients since it’s a national medical insurance program, often run by the provincial or state government. Many are now seeing problems from within the medical industry such as internal fraud billing for medical visit, specialist visits and prescription drug services becoming a real financial concern. Analytics is about to get a huge surge in business just like what the credit card industry does today.
With such information now being available and archived, that brings about huge security and privacy challenges that courts, legal experts and lawmakers will be faced with for decades. Software and hardware solutions for such applications will have to face performance scrutiny to standards as high as the Pentagon’s. The value of the data is potentially significant. In the wrong hands it creates a massive set of protection and security challenges beyond what most envision. Credit card data is selling to the highest bidder to the tune of millions. Medical records are worth significantly more.
The security of the information asks more questions than we have current answers for; who has access and who protects it? Suddenly this becomes more than just a series of ethics debates. In the United States, and in fact, most of the world, insurance companies already have significant checks and balances in place to ensure data integrity for claims and patient records for each claim made, are in fact secured and protected. Those records are not a complete picture of your medical history – but soon they will be if not properly controlled, protected and policies put into place. In some countries, your premiums are determined by that information, just like your car insurance is. The more problems you keep on making claims for, the higher your insurance premiums are or worse, discontinued. Now consider if the information about your entire family is now available or accessed, without your consent and what that implies. The 5 W’s comes to mind -- Who, What, Where, When, Why -- are all checks and balances that while solvable will create critical challenges to the health of the system. An example is what if that information is now in a central data center and not just at one insurance, hospital or clinic facility; who ensures the integrity of the data being input and is it accurate? Don’t even ask if you have access to it.
Pharmaceutical companies would find complete electronic medical records a treasure trove for what drugs to maintain low cost and which ones to charge premiums for, literately right down to a city block radius. The architecture of the data centers will likely follow industry standards, such as Critical Infrastructure Protection (CIP) parameters. But who is going to protect, secure and watch over the information? What regulatory or enforcement agency is ensuring your privacy rights are going to be adhered too? And what if the data is shipped outside of the country – then what laws or regulations protect your information then? If a major disaster strikes, is the data safe, redundant in security, access or storage? Having Clint Eastwood with a .357 Magnum at the front door of the data center isn’t going to help.