Re: Denley-Weston-Smith article online

[Ross Anderson <Ross.Anderson@cl.cam.ac.uk>]

Thomas A. Poe writes, of the BMJ article at
<http://www.bmj.com/cgi/content/short/318/7194/1328>:

> I have read over the article, and wonder how you arrived at the 
> conclusion that "it" can be done?

Previously when we made proposals for securing medical information
systems, such as with the BMA security policy, the stock response
from officialdom was that `it'll never work in hospitals'. That
excuse is now shot away

> I sure would like to know how the system integrates with billing, 
> administration, etc.

The administration system is used to decide who can see what. If a
typical rule says `a nurse may see the records of any patient who
has been on her ward within the previous 90 days' then you need to
know what nurse, and what patient, was where.

As for billing, this is different in the UK from the USA. Here, a
summary of each finished consultant episode is typically sent to the
patient's general practitioner who approves it for payment and passes
it on to the health authority. This can be driven by the main record
system. The costing isn't as detailed as you're used to in America,
but on your side of the pond, you have a useful opportunity for
detecting abusive access: raise an alarm whenever anyone accesses a
record without subsequently sending in a bill. That way the patient's
interest in privacy is very well aligned with the hospital's interest
in maximising its revenue!

> Also, there was little discussion of the sharing of patient
> information with insurance, pharmacy benefits managers, employers,
> HMO's, etc. I guess there's a long way to go before a clear
> understanding of just what patient privacy means in this day and age.

Again, we have a different system. We have no HMOs, and the only
information employers get are sick notes from the patient's GP saying
`Joe Bloggs is sick and will be off for the next 3 days'. Insurance
companies also get access via the general practitioner, but only if
the patient signs a consent form - as I have to do, for example, to
get life insurance. But essentially all sharing is on paper and the GP
acts as the gatekeeper. The exceptions concern public health
information collected directly from hospital systems (e.g. from the
system which processes payments from GPs to hospitals) and these are
the subject of significant controversy: see for example
<http://www.cl.cam.ac.uk/~rja14/caldicott/caldicott.html>.

The significance of the Denley-Weston-Smith article is that it will
make it harder for the bureaucrats to obscure this information
harvesting exercise behind misleading claims of what hospital
information systems need to do. We've been told, for example, that
everyone in a hospital needed access to all records for safety
reasons, and to stop tests being duplicated. We always suspected that
this was baloney, and now we know for sure. A simple and robust
solution to the problem of protecting the primary uses of personal
health information throws the more dubious secondary uses (and abuses)
into sharp perspective.

> In terms of viewing patient privacy as a phrase that means the patient
> controls the flow of his/her information so that he/she finds out
> what's wrong first, now this would be a big step in the right
> direction.

That's exactly what we've been trying to uphold here in Europe. See
http://www.cl.cam.ac.uk/users/rja14/policy11/policy11.html for more,

Ross