Archive for 'Technologies'

VentureBeat and ZDNet comment on HealthVault

Tuesday, October 23rd, 2007

Our recent coverage of HealthVault has received some attention from other news outlets.

VentureBeat author David P. Hamilton has been covering HealthVault. He began with an attempted review of HealthVault that ended in frustration while trying to register a password. His next post was a review of HealthVault itself. Most recently he posted his thoughts on our coverage of HealthVault.

Our comments also received some attention from Dana Blankenhorn at ZDNet. Robin Harris, another ZDNet author, believes that HealthVault is a sick joke. ZDNet also has screenshots of HealthVault in action for those who lack the time to explore the site themselves, as well as a news article about Microsoft’s efforts to get health records online.

All of the articles are well worth reading if you are concerned about the privacy implications of electronic health records.

Is That Vault Really Protecting Your Privacy?

Tuesday, October 9th, 2007

Last week, Microsoft announced a new PHR (Personal Health Record) system called HealthVault. HealthVault is a web-based portal that lets end users upload their health records to the web. What most people don’t realize is that HealthVault and similar PHR systems are not governed by the health-privacy law they would assume applies. When the Health Insurance Portability and Accountability Act (HIPAA) was enacted, no one envisioned that private software firms would eventually want to build databases of our health records. As a result, HealthVault and other PHR systems are not subject to the privacy and security rules that apply to traditional medical records in the United States, because their operators are not “covered entities” as defined by HIPAA.

Over the past 7 years, researchers at ThePrivacyPlace.org have evaluated over 100 privacy statements for financial and healthcare web portals. We focus on evaluating the extent to which the privacy of sensitive information is protected in these systems, as well as the extent to which the systems comply with relevant regulations.

Even though physicians and the press are excited about the introduction of these new PHR systems [1], there are questions that I urge the public to ask before entrusting their sensitive health records to any PHR system. My concerns are based on a careful evaluation of the HealthVault privacy statements [2, 3]. Microsoft appears to have sought the counsel of physicians who believe that patient consent is the best indicator of privacy protections. Unfortunately, most physicians do not understand the subtleties buried within healthcare privacy statements within the context of the software that implements those statements. For this reason, I now list three primary questions that one should ask before entrusting their health records to HealthVault or any other PHR system:

Will your health information be stored in other countries without appropriate legal oversight, skirting many of the protections afforded by HIPAA?

The HealthVault privacy statement explicitly states that your health records may be off-shored to countries that do not afford sensitive information the same privacy protections we do in the United States. In particular, if your information is disclosed or altered there, do you have any legal recourse or remedy?

Will your health care records be merged with other personal information about you that was previously collected within the context of non-health related services?

Within the context of HealthVault, the answer to this question is yes. Microsoft explicitly states that it will merge information previously collected from you via non-health-related services with your HealthVault information. Moreover, it is unclear what information Microsoft already holds about us beyond our names and contact information, and precisely what information third parties may access. Nor do we know whether that information is accurate or complete, so uses of the merged information may not be what we expect.

Are the access controls to your health records based not only on your consent, but also on the principle of least privilege?

Although HealthVault requires patient consent for any access to or sharing of your health records, its access controls leave the door wide open to data breaches. HealthVault lets individuals grant access to other people and programs, and those grantees can in turn grant read/write access to your health record to others. The only safeguard is a history mechanism that provides an accounting of accesses, which helps only after the fact, once you already suspect your information has been breached. A better approach would be for Microsoft to proactively enforce contractual obligations through audits and monitoring mechanisms.
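To make the delegation concern concrete, here is a small access-control model added for this post. It is not HealthVault code and does not use its API; the principal names, the grant fields and the two scenarios are assumptions. It contrasts a read/write grant that may be re-delegated with minimal, non-delegable grants, and reports which principals end up holding rights the patient never directly consented to:

```python
"""Toy access-control model for a patient's record, illustrating transitive
delegation versus least privilege. Constructed example: not HealthVault code;
principals, fields and scenarios are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    rights: frozenset      # subset of {"read", "write"}
    granted_by: str        # who issued this grant
    delegable: bool        # may the grantee pass access on to others?


class HealthRecord:
    """One patient's record with an access list; the patient is the owner."""

    def __init__(self, owner):
        self.owner = owner
        self.grants = {}   # grantee -> Grant

    def grant(self, granter, grantee, rights, delegable):
        rights = frozenset(rights)
        if granter != self.owner:
            held = self.grants.get(granter)
            # A non-owner may re-grant only if its own grant is delegable ...
            if held is None or not held.delegable:
                raise PermissionError(f"{granter} may not delegate access")
            # ... and may never hand out more rights than it holds.
            if not rights <= held.rights:
                raise PermissionError(f"{granter} lacks the rights it tried to grant")
        self.grants[grantee] = Grant(rights, granter, delegable)

    def indirect_holders(self, right):
        """Principals holding `right` without a grant made by the owner,
        i.e. without the patient's direct consent."""
        return {p for p, g in self.grants.items()
                if right in g.rights and g.granted_by != self.owner}


def open_delegation():
    """Delegable read/write grant: the chain grows without the patient's say."""
    rec = HealthRecord("patient")
    rec.grant("patient", "wellness_app", {"read", "write"}, delegable=True)
    rec.grant("wellness_app", "analytics_vendor", {"read", "write"}, delegable=True)
    rec.grant("analytics_vendor", "offshore_contractor", {"read", "write"}, delegable=False)
    return rec.indirect_holders("write")


def least_privilege():
    """Minimal, mostly non-delegable grants: the patient bounds what can spread."""
    rec = HealthRecord("patient")
    rec.grant("patient", "wellness_app", {"read"}, delegable=False)
    rec.grant("patient", "clinic", {"read"}, delegable=True)   # may hand off, read only
    refused = []
    attempts = [
        ("wellness_app", "analytics_vendor", {"read"}),      # grant is not delegable
        ("clinic", "covering_doctor", {"read", "write"}),    # clinic holds no write right
        ("clinic", "covering_doctor", {"read"}),             # allowed: read only, non-delegable
    ]
    for granter, grantee, rights in attempts:
        try:
            rec.grant(granter, grantee, rights, delegable=False)
        except PermissionError as exc:
            refused.append(str(exc))
    return rec.indirect_holders("read"), rec.indirect_holders("write"), refused


if __name__ == "__main__":
    print("open delegation, write access without direct consent:", open_delegation())
    print("least privilege (indirect readers, indirect writers, refusals):", least_privilege())
```

In the open-delegation scenario the offshore contractor ends up with write access two hops away from anything the patient approved, and only the access history would reveal it afterwards. With non-delegable grants the same requests are refused at grant time, and even the delegable clinic grant can only spread read access, never more than the clinic itself holds.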

The hype surrounding HealthVault’s privacy protections in the medical community must be balanced against the information security and privacy practices actually expressed in its public privacy statements. These privacy concerns must be addressed in the design of PHR systems before we deploy them with vulnerabilities that will lead to yet another rash of data breaches.

References

[1] Steve Lohr. Microsoft Rolls Out Personal Health Records, New York Times, 4 October 2007.

[2] Microsoft HealthVault Search and HealthVault.com Beta Version Privacy Statement, October 2007.

[3] Microsoft HealthVault Beta Version Privacy Statement, October 2007.

Transparency: The Forgotten Tool

Monday, May 8th, 2006

Those of us who come to the privacy management arena from a computer security background tend to take an extremely narrow and focused view of how technology can protect privacy. We love to debate each other on esoteric subjects such as cryptographic key strengths, the merits of strong two-factor authentication, trust models in networked systems, and all sorts of deep technologies. As someone who worked in public key infrastructure technologies for several years and firewall technology before that, I am as big a fan of emerging security technology as anyone. These are all good and useful topics to discuss, and these sorts of technologies are important foundations of a networked world.

Traditionally we think of privacy-enhancing technologies as tools for hiding, obfuscating, and controlling disclosure. But in terms of an overall approach to privacy management, we should also think about how technology can be used to create visibility and awareness of information security practices.

This point was made quite well recently by Harriet Pearson, VP of corporate affairs and Chief Privacy Officer for IBM, in an interview with Computerworld.


Infrastructure Components to Catch The Rogue Employee

Monday, April 10th, 2006

A Computerworld story reports that the employee was caught only after one of the owners of a property under foreclosure was called by the employee and subsequently complained. The Computerworld story is careful to note that “no actual hacking” took place. More importantly, there was no internal business process or IT infrastructure in place to detect the “wrongful” accesses. The good news is that the employee’s actions were clearly against Progressive’s published information security policies, and the employee was quickly fired.

The Computerworld article correctly points out, in my opinion, that this is an example of the rising problem of insider threats from rogue employees.
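As an added illustration of the detection infrastructure that was missing, not drawn from the Computerworld story or from Progressive’s systems, the following detector compares each record access in a constructed access log against a constructed need-to-know mapping (which records each employee is assigned to) and flags employees who repeatedly touch records outside their assignments, or who export any such record. The log format, field names, user names and thresholds are all assumptions:

```python
"""Flag record accesses that fall outside an employee's assigned work.
Constructed example: the log lines, the assignment table and the thresholds
are made up for illustration and come from no real system."""
import re
from collections import defaultdict

# One event per line; assumed format, not any product's actual log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<rec>\S+)$"
)

# Constructed sample access log (includes one malformed line on purpose).
SAMPLE_LOG = """\
2006-03-01T09:02:11 user=jsmith action=view record=POL-1001
2006-03-01T09:05:40 user=jsmith action=view record=POL-1002
2006-03-01T09:07:02 user=jsmith action=view record=POL-2201
2006-03-01T09:09:15 user=jsmith action=export record=POL-2202
2006-03-01T09:11:48 user=jsmith action=view record=POL-2203
this line is not a well-formed event
2006-03-01T10:15:00 user=amartin action=view record=POL-3001
2006-03-01T10:16:30 user=amartin action=view record=POL-3002
2006-03-01T10:20:05 user=amartin action=view record=POL-1001
"""

# Constructed need-to-know table, as a case-management system might export it.
ASSIGNED = {
    "jsmith": {"POL-1001", "POL-1002"},
    "amartin": {"POL-3001", "POL-3002"},
}


def parse(log_text):
    """Parse the log into event dicts, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_unassigned_access(events, assigned):
    """Group, per user, every access to a record the user is not assigned to."""
    hits = defaultdict(list)
    for e in events:
        if e["rec"] not in assigned.get(e["user"], set()):
            hits[e["user"]].append(e)
    return dict(hits)


def flag_users(events, assigned, threshold=3):
    """Users with at least `threshold` unassigned accesses, or any unassigned
    export, mapped to the sorted list of records they touched."""
    flagged = {}
    for user, evs in find_unassigned_access(events, assigned).items():
        if len(evs) >= threshold or any(e["action"] == "export" for e in evs):
            flagged[user] = sorted({e["rec"] for e in evs})
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for user, recs in flag_users(evs, ASSIGNED).items():
        print(f"review {user}: unassigned records {recs}")
```

A single stray lookup (amartin opening one record outside her caseload) stays below the threshold, because colleagues do legitimately cover each other’s work; a run of lookups across records the employee has no business reason to see, or an export of one, is what a reviewer needs to see. The output is a review queue for a human, not an automatic sanction, since the assignment table is itself only as complete as the business process that feeds it.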


A success story in health information exchange

Sunday, February 19th, 2006

We are all aware that our lives are becoming digital; so are hospitals. Major funding initiatives are under way to support the transition of hospitals into the digital age. In 2004, the US government spent $50 million to test the computerization of health records, and proposed a further $125 million in related federal spending for 2005.

In April 2004, President Bush asked the IT industry to build a system that would give every citizen of the United States an electronic health record (EHR), accessible from any location, by 2014. He appointed Dr. Brailer (national coordinator for Health Information Technology at the Department of Health and Human Services) to coordinate this effort and establish the Nationwide Health Information Network (NHIN).

In December 2005, Dr. Brailer’s office awarded $18.6 million in contracts to four consortia, led by IBM, Computer Sciences Corporation, Accenture and Northrop Grumman, to develop prototype architectures for the NHIN. Each group consists of developers, hospitals, laboratories, pharmacies and physicians, and must demonstrate that EHRs can be exchanged across different health organizations.

In a similar effort to build such data-interchange networks, Connecting for Health, a public-private collaborative led by the Markle Foundation, developed a prototype system (due for release in spring 2006) that successfully exchanged thousands of health records among three independently developed regional record systems (in California, Massachusetts and Indiana). These three systems shared no common architecture but were able to apply the common framework developed by Connecting for Health for the exchange of records.

Seeing such successful projects, we can rest assured that our federal money is being used efficiently and in the right direction.

Data Minimization and Virtual Credit Card Numbers

Tuesday, January 10th, 2006

When we talk about privacy-enhancing technologies we often jump straight to encryption methods, DRM technologies and instance-based access controls. But sometimes we forget about techniques for minimizing data disclosure. I know I’m guilty of this; I’d much rather debate the pros and cons of various policy expression languages!

I was reminded of data minimization recently when I tried, for the first time, a service from my credit card company: virtual credit card numbers. With so many people experiencing credit card fraud online, I’m surprised more people aren’t using virtual credit card numbers. They are a great way to minimize disclosure of your real credit card number to others. So I thought I’d share my experience with the service so far.
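The following issuer-side model is an added example of how a virtual-number service can enforce data minimization; it is not the card issuer’s implementation, and its field names, limits and decline reasons are assumptions. The merchant only ever sees a random, Luhn-valid virtual number bound to that merchant, a spending cap and an expiry date; the real card number never leaves the issuer’s vault, so a breach at the merchant yields a number that is useless anywhere else:

```python
"""Issuer-side virtual card number vault, added to illustrate data
minimization. Constructed example: not any card issuer's implementation;
field names, limits and decline reasons are assumptions."""
import secrets
from datetime import date, timedelta


def luhn_check_digit(partial):
    """Check digit that makes `partial` followed by that digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # doubled once the check digit is appended after it
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan):
    """Standard Luhn test over a full card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class VirtualCardVault:
    """Maps virtual numbers to the real account plus the constraints set at issue time."""

    def __init__(self):
        self._vault = {}   # virtual number -> entry (real account and constraints)

    def issue(self, real_pan, merchant, limit_cents, today, days_valid=30):
        # Random digits, so the virtual number carries no information about the real one.
        body = "4" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        virtual = body + luhn_check_digit(body)
        self._vault[virtual] = {
            "real_pan": real_pan,          # stays inside the issuer
            "merchant": merchant,          # usable at this merchant only
            "limit_cents": limit_cents,    # total the merchant can ever charge
            "spent_cents": 0,
            "expires": today + timedelta(days=days_valid),
        }
        return virtual

    def authorize(self, virtual_pan, merchant, amount_cents, today):
        """Decision the issuer returns when a merchant presents the virtual number."""
        entry = self._vault.get(virtual_pan)
        if entry is None:
            return "decline: unknown number"
        if merchant != entry["merchant"]:
            return "decline: merchant mismatch"
        if today > entry["expires"]:
            return "decline: expired"
        if entry["spent_cents"] + amount_cents > entry["limit_cents"]:
            return "decline: over limit"
        entry["spent_cents"] += amount_cents
        # Only at this point, inside the issuer, is the real account charged.
        return "approved"


if __name__ == "__main__":
    vault = VirtualCardVault()
    today = date(2006, 1, 10)
    v = vault.issue("4111111111111111", "shop.example", 5000, today)
    print("virtual number issued:", v, "luhn ok:", luhn_valid(v))
    print(vault.authorize(v, "shop.example", 3000, today))
    print(vault.authorize(v, "other.example", 100, today))
    print(vault.authorize(v, "shop.example", 2500, today))
    print(vault.authorize(v, "shop.example", 100, date(2006, 3, 1)))
```

The design point is that the mapping is random rather than a transformation of the real number, so nothing the merchant stores can be reversed into the real card; in a real issuer the vault entry would of course be held encrypted or in an HSM rather than in a Python dict.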


RFID and Privacy

Thursday, October 13th, 2005

RFID is a hot topic right now, and the potential market is huge. Many chip makers, including Texas Instruments, Intel, AMD and Motorola, are convinced that RFID will become the most prevalent “electronic-based intelligence” technology of the 21st century. RFID will link machines, goods and people, helping companies gauge consumer preferences. It has also raised serious concerns about compromising consumer privacy. Some people have even set up a website to raise public awareness of the topic, and there is a new book, “Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID” by Katherine Albrecht and Liz McIntyre, recently published by Nelson Current.

Curry’s DNA fight with Bulls ‘bigger than sports world’

Wednesday, October 5th, 2005

The Chicago Bulls asked NBA player Eddy Curry to provide a DNA sample for testing his genetic makeup before signing a one-year $5M contract with the Bulls. Curry’s lawyer, Alan Milstein, says this is an invasion of Curry’s privacy and that the implications could go beyond the sports world. “Hand that information to an employer,” he said, “and imagine the implications. If the NBA were to get away with it, what about everyone else in this country looking for a job.” Read the whole story.

Fighting back against undesired picture-taking

Tuesday, September 20th, 2005

Researchers at Georgia Tech have developed a prototype system that defeats a digital camera aimed its way. The system, described in more detail in this news.com article, targets any detected digital camera lens with focused light to thwart the shot. Where a photographer tried to capture a private meeting or an inappropriate picture, they instead end up with a “blurry picture of what looks like a flashlight beam.”

The technology works by actively detecting a digital camera lens through its retroreflective properties: a camera’s lens, with the sensor behind it, reflects light straight back toward its source far more strongly than other surfaces such as eyeglasses. The system continuously emits infrared light to find any spying cameras; after sensing a camera lens aimed towards it, it immediately targets the origin with a “localized beam of light” to neutralize the attempted photograph. The researchers provide more detail on their project page.

Aladdin Study Uncovers Increase in Crime-Related Spyware

Monday, September 19th, 2005

Security company Aladdin’s eSafe Content Security Response Team (CSRT) found that 15 percent of spyware threats succeed in copying a user’s passwords, usernames, hashes of administrator passwords, instant messaging usage, email addresses and other sensitive information. The two-month analysis of the top 2,000 known spyware threats shows a growing amount of spyware specifically designed for identity theft. Such spyware poses a serious threat to both personal and commercial privacy, with potentially severe consequences for large organizations that must protect proprietary information. Read the full article on this story.

Author’s recommendation:
For Windows users, please download ALL three of the following antispyware tools and run them once a WEEK on your personal computer. All three tools are free for personal use:
Ad-Aware
Spybot Search and Destroy
Microsoft Windows AntiSpyware