[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

S.1360 and security.

To: med-privacy@essential.org
Subject: S.1360 and security.
From: rj.mills@pti-us.com (Dick Mills)
Date: Mon, 29 Jan 1996 17:22:55 -0500

  I'd like to raise a different issue.  Think of the
  potential damage that can be done by a single 
  criminal violation of the proposed Health Privacy 
  Act S.1360.  
  
  The problem isn't with the act per se, but with the
  accompanying centralization of the nations records in 
  master data bases, combined with rapidly advancing
  computer technology greatly increase the potential damage 
  of a *single* criminal act.  Consider the following
  little science fiction.
  ------------------------------------------------------
  June 2005, somewhere near the White House.  Mr. "Deep
  Troat" meets with the reporter from Hard Copy.  He wants
  to turn over some medical information on the vice president
  that he feels strongly that the public *needs* to know.
  His motivation is strong enough that he is willing to
  risk 10 years in the Federal pen if caught.  He hands
  the reporter a fistful of CEDs (Compact Enhanced Disks, 
  500,000 megabytes each) and says, "I don't have the
  expertise to extract just the VP's records.  The only
  thing I knew how to do was to make a copy of the whole
  country's medical records.  Here."  
  
  Now we have a case like the Pentagon Papers.  Hard Copy 
  can use the data with impunity, protected by the first 
  amendment. All the existing restrictions and penalties
  are suddenly rendered moot with respect to the data
  copied. Just think how many juicy programs Hard Copy
  could make from the records of 300 million people?
  ------------------------------------------------------
  
  My point is that no criminal penalty is enough to prevent
  some person somewhere sometime violating the law.  Present
  trends act toward making even a single violation so damaging
  as to be unacceptable.  Death didn't deter the Rosenbergs.
  
  So what do we do?  There already exists a body of law, plus
  well tested procedures, plus widespread experience in dealing
  with such problems.  Guess where:  the handling of military
  secrets and dealing with legally classified information.  They
  know how to protect information and how to mitigate the damage
  caused by both internal and external attacks.
  
  I could just suggest that we make all medical records classified,
  and make the doctor's office a fortress with Marines at the door,
  then duck my head and run. But even I am not that stupid, so
  I wont make that suggestion.  This paragraph isn't a suggestion.
  Ignore it. :)
  
  Perhaps more practical in dealing with the realities of medical
  data, would be  to hire a think tank like the Rand Corporation 
  (I have no connections or interest in Rand).  Rand has lots 
  of experience with military security.  They could study the
  problem and recommend ways to achieve appropriate security.  
  It is much more of a technical problem than a legal one.  
  Given the marvelously flexible encryption technology we have 
  today, I'm confident that they could propose security measures 
  that would be truly secure, and also affordable.  Wouldn't 
  that be refreshing?
  
  Technology isn't advancing so fast,  that we need the answer 
  tomorrow.  Two to five years from today is fast enough.  I think
  the Health Privacy Act could include provision to set funding
  and deadlines for the study.  
  
  --
  Dick Mills                               +1(518)395-5154
  AKA dmills@albany.net      http://www.albany.net/~dmills

Follow-Ups:
- Re: S.1360 and security.
  - From: "R.J. Anderson" <rja14@newton.cam.ac.uk>

Prev by Date: Re: Policy versus implementation
Next by Date: Re: Policy versus implementation
Prev by thread: Re: Policy versus implementation
Next by thread: Re: S.1360 and security.
Index(es):
- Date
- Thread