EHIP

Do you know what your data did last night? Almost none of more than 27 million people who took the RealAge quiz realized that their personal health data was sold to drug companies, who in turned used that information for targeted e-mail marketing campaigns.

There's a basic consumer protection principle at work here, and it's the concept of "unfair and deceptive" trade practices.

RealAge's privacy policy doesn't mention anything about selling data to drug companies, but buried in its 2,400 words, it does say that "we will share your personal data with third parties to fulfill the services that you have asked us to provide to you." They maintain that when you join the website, you consent to receiving pharmaceutical company spam. But since that isn't spelled out, it's not really informed consent.

Cloud computing services like Google Docs, and social networking sites like RealAge and Facebook, bring with them significant privacy and security risks over and above traditional computing models. Unlike data on my own computer, which I can protect to whatever level I believe prudent, I have no control over any of theses sites, nor any real knowledge of how these companies protect my privacy and security.

This may be fine – the advantages might very well outweigh the risks – but users often can't weigh the trade-offs because these companies are going out of their way to hide the risks.

Automated summary from: The Wall Street Journal

The Cloud is looming large, offering us ways to store and share our data in ways that were never before possible.

We can effortlessly share our documents and photos with our families and friends, while maintaining control over their spread using powerful granular privacy controls.

But in only the last two months, we've covered at least three major web services that suffered security lapses tied to software bugs or scaling issues.

Earlier this week Twitter posted a note to its Status blog saying it was having issues with "misdelivery of direct messages". In other words, some supposedly private messages were being routed to the wrong users.

These problems serve to undermine the public's trust in 'the cloud'. Once we get past the security problems, having our data immediately accessible no matter where we are is incredibly valuable - and probably inevitable. It's only a matter of time before our health records are going to be stored online in some form, simply because having instant access to them can be lifesaving. But if the public loses faith in the integrity of their data stored online, or the security measures protecting it, then it could take years to regain its trust.

Automated summary from: The Washington Post

Primary care physician Matt Handley believes that information technology enables him to provide better patient care. So much so that he recently spent an afternoon hooking up a computer and DSL line at the home of a patient so she can contact him more frequently.

Indeed, health information technology is the new rage for politicians and many healthcare providers who think it will help transform the industry. But computerized record-keeping and communication has the potential to change hospital care and procedures dramatically. "It gets right to the heart of what we do every day . . . and hospitals have to take pause and think about what this will mean for them," says Gary Kalkut, senior vice president and chief medical officer of Montefiore Medical Center in the Bronx.

Private-practice physicians who use comprehensive technology systems reported seeing positive effects on delivery of care and communication with other providers and patients, according to a New England Journal of Medicine survey published last summer.

The major barrier for health IT systems may be cost. Seventy-three percent of hospital respondents in the NEJM article said they did not have enough capital for the systems, and 44% were concerned about the maintenance costs.

Automated summary from: The Los Angeles Times

It was a dirty little secret among the nurses. A veteran physician at the prestigious Cedars-Sinai Medical Center here had been mixing up a certain drug dosage for decades. Then the computers arrived -- and when the doctor typed in his medication order, the machine barked at him. And he barked back.

For proponents of electronic medical records, the tale of the confused physician would seem the perfect argument for using technology as a safety net for fallible humans. Instead, his reaction proved to be emblematic of an array of problems that grew into a full-blown staff rebellion in the fall of 2002 and forced Cedars-Sinai to shelve its $34 million computer system after three months.

The spectacular failure at Cedars-Sinai—described by Bush's technology guru as "the worst case" he has seen—demonstrates how difficult it can be to make the transition.Even well-financed, sophisticated hospitals face enormous hurdles moving from the Marcus Welby era of pen and paper to one in which doctors spend precious minutes entering data into a machine that never went to medical school and does not have the flexibility to make nuanced judgment calls.

"First and foremost, it was change," said nursing chief Linda Burnes Bolton. By January 2003, at a heated showdown with management, several hundred doctors demanded an end to the hospital's short-lived experiment.

Automated summary from: The Washington Post

The personal details and medical records of nearly 1,400 people from across Scotland were stolen during a break-in at the north-east's biggest hospital. Health bosses confirmed that a laptop computer with the names, addresses and dates of birth of 1,392 patients was taken from a locked office at Aberdeen Royal Infirmary.

Officials said the details – taken from the gastro-intestinal department - were coded and protected by two passwords, making it almost impossible to read without the hospital's original software. But the Scottish Government criticised the health board last night, saying the sensitive data should have been encrypted to ensure the contents were useless to identity fraudsters.

NHS Grampian takes any breach of security seriously and letters have been sent to all the patients to alert them to the theft and apologise.

Automated summary from: Press and Journal

Experts at Wharton say that personal data is increasingly a liability for companies, and suggest that part of the solution may be minimising the customer information these companies keep.

The cost of a data breach in 2008 was $202 (Dh741) per compromised record, up 2.5 per cent from $197 per record in 2007, according to the Ponemon Institute, a Michigan group that researches and consults on privacy and information security issues.

According to Wharton marketing professors Eric Bradlow and Peter Fader, companies should deploy a technique called "data minimisation".

First, companies should figure out what information they need to track consumer behaviour. Then, aggregate that information over a defined period such as two to four months. With that aggregated information, a company can create histograms – graphical representations of aggregated data – and throw away original data.

Fader and Bradlow acknowledge that the argument for data minimisation is only just beginning. For data minimisation to become the norm, a company's management, privacy officers, legal counsel and marketing team will have to reach consensus on customer data collection. Legal and privacy experts are likely to support data minimisation, while marketers will argue for keeping all the data they can collect.

Automated Summary from: Emirates Business 24/7

The Federal Trade Commission was careful to point out its new interim proposed rule on federal breach notification requirements for the developers of electronic PHR systems did not apply to covered organizations or their business associates as defined by the Health Insurance Portability and Accountability Act of 1996, heretofore the key federal privacy and security regulation.

The FTC, operating under new authority given it by the American Recovery and Reinvestment Act of 2009, noted that its new rule seeks to cover previously unregulated entities that are part of a Health 2.0 product mix.

Pam Dixon, founder and executive director of the World Privacy Forum, said. "They bring a lot of enforcement actions. They're a very active agency, and healthcare may not be accustomed to this, but that doesn't mean they are wrong in their approach."

Automated summary from: Modern Healthcare

The Federal Trade Commission, which heretofore has had a minimal role in enforcing privacy and security laws affecting electronic health records, took a big first step Thursday toward its new role as a front line, federal healthcare IT enforcer.

In a 50-page notice and interim proposed rule, the FTC outlined its position on a set of new, federal breach notification requirements for the developers of electronic personal health-record systems and three broadly defined groups of related companies and organizations that send or receive patient information to or from PHRs, about 900 companies and organizations in total.

The FTC was dispatched by Congress in February via the American Recovery and Reinvestment Act to try and plug privacy and security regulatory gaps opened by PHRs and other related health 2.0 technologies that were not even a twinkle in a programmer's code base when Congress passed the Health Insurance Portability and Accountability Act, the principal federal healthcare IT privacy and security law, in 1996.

In the meantime, the law requires the FTC to publish "interim final regulations" covering breach notifications for PHR vendors and others not later than 180 days after the ARRA was enacted.

Automated summary from: Modern Healthcare

Google CEO Eric Schmidt appeared at his alma mater, Princeton University, on Saturday to discuss the Internet and globalization, Google products that have recently made headlines, and how not to be evil.

Google's information gathering processes, and what it does with that data, has been a hot topic of conversation since the company's inception. Schmidt pointed to Google Latitude as an example of a product that had to balance innovation and privacy. Latitude, which was released in February, lets mobile phone users share their locations, and track friends who have opted-in to the service.

During a product review session with executives last year, "this 22-year-old comes in…and shows his current position on his phone, and he shows the current positions of his friends," Schmidt said. 

Imaging the police and government subpoenas, as well as the lawsuits, that were likely to pour in seeking access to this data, Schmidt initially shot down Latitude.

"Eventually we made a change that is very easy to understand -- you can turn it off, and also, you can tell it to tell people that you're somewhere else," Schmidt said.

"Privacy is an evergreen issue of the Internet, and you're going to be having conferences on privacy for the next 50 years."

Google tries "very, very hard not to lock people in," Schmidt said. "We looked at Microsoft…and we wrote an internal policy on how to be good while being big. We won't trap your data."

Automated summary from: PC Magazine

Law enforcement officials are vastly expanding their collection of DNA to include millions more people who have been arrested or detained but not yet convicted. The move, intended to help solve more crimes, is raising concerns about the privacy of petty offenders and people who are presumed innocent.

Until now, the federal government genetically tracked only convicts. But starting this month, the Federal Bureau of Investigation will join 15 states that collect DNA samples from those awaiting trial and will collect DNA from detained immigrants --- the vanguard of a growing class of genetic registrants.

The police say that the potential hazards of genetic surveillance are worth it because it solves crimes and because DNA is more accurate than other physical evidence.

Britain may provide a window into America's genetic surveillance future: As of March 2008, 857,000 people in the British database, or about one-fifth, have no current criminal record.

As in Britain, expanding genetic sampling in the United States could exacerbate racial disparities in the criminal justice system, according to Hank Greely, a Stanford University Law School professor who studies the intersection of genetics, policing and race.

Automated summary from: NY Times