Implantable RFID chips marketed to consumers
Posted April 26, 2008 by Lygeia Ricciardi
Following on our previous discussion of implanted RFID to store health information, note that VeriChip, maker of the chips, is now marketing direct to consumers.
Posted April 16, 2008 by Lygeia Ricciardi
It’s been a particularly busy month in the world of health privacy breaches. Health records have been breached both individually and in massive data sets. They include highly personal information on the young and the old, the rich and famous and the poor.
Although Project HealthDesign and its next generation PHR tools are vastly different from the data repository type records that were recently breached, the Project is very aware of the vulnerabilities that exist within current systems and the need to address those vulnerabilities in any context—its work in association with the University of Miami Bioethics Program continues in that direction.
On Monday the Wall Street Journal reported that nearly 50,000 patient records had been improperly accessed using the computer login of an employee of New York-Presbyterian Hospital. The employee, who worked in patient admissions, sold data on about 2,000 people for roughly $1,350 total.
On April 8, 2008, meanwhile, The Atlanta Journal-Constitution reported that the insurance records of 71,000 disadvantaged Georgia families had been made public. The families were participating in insurance programs for the poor.
On April 3, 2008 the Los Angeles Times reported that staff at the UCLA Medical Center had gone through the cancer treatment records of 70’s TV star Farrah Fawcett (of Charlie’s Angels fame). The Enquirer posted news about the return of her cancer on its web site soon after Fawcett herself had learned of it, and before she had told her son and close friends. The story followed news that pop star Britney Spears’ privacy was breached at the same center following her hospitalization in a psychiatric ward earlier this year.
In late March we learned that a laptop containing personal medical information on about 2,500 patients enrolled in a National Institutes of Health (NIH) cardiac study had been stolen from the trunk of an employee’s car.
Let’s let this month’s impressive lineup of health privacy breaches serve as a reminder that the topic is, unfortunately, still very much a growing concern as health information becomes more liquid. For some ideas about how to address privacy from a policy and technical perspective, see previous blog entries on privacy (and the Project HealthDesign e-Primer on Privacy and PHRs).
Posted on March 7, 2008 by Lygeia Ricciardi
This is the second part of the entry called “Deidentified Data Doesn’t Exist… and What to Do about It”. In the first installment, I wrote about the extreme difficulty of stripping the identity from any reasonably meaningful set of health data.
If we assume there is a clear distinction between personally identifiable and deidentified data, we can apply certain policies to the former and other, less restrictive ones, to the latter. But unfortunately, if we conclude that genuine deidentification of data is very hard to achieve and/or yields outputs of relatively low value for most purposes, we need a more sophisticated (though not necessarily uniform) degree of privacy protection for virtually all health data—including data in PHRs generated by patients or consumers.
There is no silver bullet when it comes to privacy protection. No single element can do the job, but an array of coordinated policies and technologies together can be very effective. There is a lot we can gain from previous efforts to protect privacy in disciplines other than health. For more than 25 years, Fair Information Practices have been used in the US, Canada, and Europe to define appropriate ways of handling electronic personal information, whether it is health information, financial information, or any other kind.
According to the US Federal Trade Commission, the five core principles of privacy protection embodied in Fair Information Practices are (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security and (5) Enforcement/Redress. It’s important to apply the practices as a group, not just pick and choose among them. While many stakeholders—especially policymakers—have a role to play in implementing Fair Information Practices, part of the responsibility falls to designers of applications such as PHRs because design shapes use; you can’t just graft privacy protective policies onto a technology after its features have been set.
In 2006 the Markle Foundation released the “Common Framework”, which applies Fair Information Practices specifically to the case of health information exchange. Markle is currently working on a paper as part of the Common Framework that will address consumers’ access to their own health information via PHRs and related tools and services. That paper contains very specific guidelines on, for example, how to write and post a privacy notice, and how to protect the integrity of data. I’ll post a note on this blog when the paper is publicly released later this spring.
In addition, if you are not already familiar with it, I suggest the Project HealthDesign e-primer on privacy as a resource for exploring this topic in greater detail.
Posted February 20, 2008 by Lygeia Ricciardi
FYI, today the World Privacy Forum released a new legal and policy analysis examining Personal Health Records and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.
Posted January 29, 2008 by Lygeia Ricciardi
Ah, the promise of deidentified health data. If we can just strip any identifying characteristics from your health information—whether it’s the medical record your physician maintains or the information in your PHR—imagine what we can do with your data! We’ll slow disease outbreaks, develop wonder drugs, and maybe even cure cancer. All this and your privacy will remain completely protected.
If only it were so. While many of the potential benefits of sharing “deidentified” health data for research, public health and other laudable purposes exist, the unfortunate truth is that it is technically very difficult to classify any meaningful data as deidentified. While a single data element may be hard to trace, alone it holds little value. The more data elements you link together, the more valuable—and sourceable—they become.
Peter Swire, formerly the country’s Chief Counselor for Privacy, helped to illustrate the problem for me. As Peter explained it, let’s imagine you know someone’s date of birth. Birth date splits the population into roughly 25,000 categories—365 days in most years times roughly 80 years of life. So a city of 100,000 people (say, Albany, NY) has on average only four people with that exact date of birth. That makes it relatively easy to identify a particular person based on birth date alone. Now add more data (such as gender, zip code, or a particular health condition), and it quickly becomes much too easy to zero in on an individual. (Though technically date of birth is considered “protected health information” under HIPAA—and thus would not be part of a legally “deidentified” data set, it illustrates the point that by knowing only a little information about someone you can home in significantly on his or her identity.)
A related problem is that clinical data in one database can be matched with the same clinical data in an allegedly deidentified database. For instance, your pulse reading during a workout might be “67, 68, 93, 110, 115, 84, 67” on a certain date. If that sequence appears in a deidentified data set, then anyone who gets access to the identified version on pulse can match it to your entire “deidentified” record.
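As an added example (not from the original post), the following Python reproduces the two arguments above on constructed data: Swire’s anonymity-set arithmetic for birth date, a k-anonymity count that shrinks as quasi-identifiers are combined, and an exact-sequence match between a named pulse log and a “deidentified” one. All names, records and readings below are constructed for illustration.

```python
"""Re-identification risk estimates for 'deidentified' health data.

Added example (not part of the original post). Two checks a data
steward can run before calling a data set "deidentified":
  1. the expected anonymity set for a quasi-identifier combination
     (the birth-date arithmetic in the post);
  2. k-anonymity per record, and exact-sequence linkage between an
     identified and a "deidentified" data set (the pulse example).
"""
from collections import Counter

# The post's rounded figure: 365 birthdays x ~80 years -> ~25,000 cells.
BIRTHDATE_CELLS = 25_000


def expected_anonymity_set(population, *category_counts):
    """Average number of people sharing one value of each attribute,
    assuming the attributes are independent and roughly uniform."""
    cells = 1
    for n in category_counts:
        cells *= n
    return population / cells


def k_anonymity(records, quasi_identifiers):
    """Size of the group each record hides in when grouped by the given
    quasi-identifier fields; k == 1 means the record is unique."""
    def key(r):
        return tuple(r[f] for f in quasi_identifiers)
    counts = Counter(key(r) for r in records)
    return [counts[key(r)] for r in records]


def link_by_sequence(identified, deidentified, field="pulse"):
    """Link deidentified records to named ones by an exact measurement
    sequence. Returns {deidentified_id: name} for unambiguous matches."""
    index = {}
    for r in identified:
        index.setdefault(tuple(r[field]), []).append(r["name"])
    links = {}
    for r in deidentified:
        names = index.get(tuple(r[field]), [])
        if len(names) == 1:  # exactly one named person has this sequence
            links[r["id"]] = names[0]
    return links


# Constructed sample data (not real patients).
DEIDENTIFIED = [
    {"id": "A", "birth_year": 1961, "sex": "F", "condition": "asthma",
     "pulse": [67, 68, 93, 110, 115, 84, 67]},
    {"id": "B", "birth_year": 1961, "sex": "F", "condition": "diabetes",
     "pulse": [72, 75, 90, 101, 99, 80, 70]},
    {"id": "C", "birth_year": 1961, "sex": "M", "condition": "asthma",
     "pulse": [60, 62, 88, 104, 108, 79, 61]},
    {"id": "D", "birth_year": 1975, "sex": "F", "condition": "asthma",
     "pulse": [65, 66, 95, 112, 118, 86, 66]},
]
IDENTIFIED = [  # a named fitness log that happens to overlap
    {"name": "Jane Smith", "pulse": [67, 68, 93, 110, 115, 84, 67]},
    {"name": "Pat Jones", "pulse": [72, 75, 90, 101, 99, 80, 70]},
]

if __name__ == "__main__":
    print(expected_anonymity_set(100_000, BIRTHDATE_CELLS))      # 4.0 per birth date
    print(expected_anonymity_set(100_000, BIRTHDATE_CELLS, 2))   # 2.0 once sex is added
    print(k_anonymity(DEIDENTIFIED, ["birth_year"]))             # [3, 3, 3, 1]
    print(k_anonymity(DEIDENTIFIED, ["birth_year", "sex", "condition"]))  # all 1
    print(link_by_sequence(IDENTIFIED, DEIDENTIFIED))            # A and B re-identified
```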
The fact that deidentification is so tough is pretty discouraging, considering its value and the fact that the success of PHRs is tied to dramatically increasing the amount of health data collected and exchanged about individuals. And of course data collection and storage is proliferating in nearly every other aspect of our lives, too (someone is recording who we call and email, where we drive, what we buy…and on and on).
So what can we do? One answer implied by relatively extreme views of health information exchange (see for example Patient Privacy Rights, which states that “the greatest use of your health records today is to hurt you, not help you”) is to slow or minimize the electronic exchange of health data. I don’t support that view. The potential benefits are much too great—and I doubt we could realistically do so even if we wanted to. Rather, I think we must employ a variety of parallel strategies to address the nonexistence of foolproof “deidentification” – in addition to the other privacy risks inherent in electronic health data exchange. I’ll discuss some of the ways to approach this challenge in Part 2 of this entry; stay tuned….
Posted by Lygeia Ricciardi on December 19, 2007
Many of the posts on this blog directly or indirectly address the topic of privacy, which is of course a core issue concerning PHRs specifically and the electronic exchange of health information generally.
If you haven’t already seen it, take a look at the Project HealthDesign E-primer, The Need to Know: Addressing Concerns about Privacy and Personal Health Records. It gives a good overview of the privacy landscape in this context, touching on topics including pending legislation and ethical issues.
Regarding ethics, Ken Goodman explores the implications of defining privacy as a “human right”—if our society does so, we free ourselves from a great deal of debate about protecting it. But where would the boundaries of such a right lie? The E-primer poses some difficult policy questions, such as whether health information collected by a patient in a PHR should be treated differently from medical record information under current regulations.
A couple of privacy-related questions that the E-primer brought to my mind are the extent to which “deidentified” data are really deidentified, and the immense challenge of consumer engagement and education about health information exchange. Many of us want consumers to have a greater degree of control over their own health data, but how do we accurately convey everything consumers need to know to make well-informed choices? How can we realistically involve consumers not merely as recipients of electronic health information and the policies that govern it, but as active participants in shaping the policies and tools that apply to them? More on these and other privacy-related topics soon...
Posted by Lygeia Ricciardi on December 5, 2007
As we Americans basted our turkeys and mashed our Thanksgiving potatoes, a disastrous data drama was playing out in the UK. Although it doesn’t involve health information specifically, there are several lessons the American or international health IT community can take from it—in addition to giving thanks that we were not involved.
The mishap concerns the loss of several discs containing information related to the administration of government benefits for children—personal details on every family in the UK with a child under the age of 16. That translates into information on 25 million UK citizens, including names, addresses, dates of birth, national insurance numbers, and bank details. The discs were lost in an attempted transfer between two government agencies, Her Majesty’s Revenue and Customs (HMRC) and the National Audit Office (NAO).
As is often the case, the loss involved a combination of high tech elements (eight CDs) and old fashioned sloppiness—the disks apparently “went missing in the post,” as the Brits put it. Ooops. And now, according to a poll described in the (British) Times, 73% of British citizens have lost confidence in their government’s ability to handle confidential data, and 64% claim the blunder calls into question “the basic competence of the Government”.
The problem stems, of course, not only from the initial mistake, but also from poor handling of it. The reality is that mistakes happen, whether in a paper-based or digital context—but we must learn to diminish their number and address their repercussions more skillfully than our friends across the pond have. A couple of key lessons we can take from their experience:
Share only data that is necessary for a particular task. The intended recipients of the data needed records from only 1500 people, not 25 million, and did not need financial data at all. But 25 million people’s financial and other data may be compromised simply because the HMRC neglected to extract a subset of it. According to the BBC, the practice by HMRC of downloading the entire Child Benefit database to share with the NAO for auditing purposes, regardless of what portion was actually needed, began last March, but was made public only in November following investigation related to the lost discs. An email from an official at the HMRC to the NAO around the time the discs were mailed explains, “I must stress we must make use of the data we hold and not over burden the business by asking them to run additional data scans/filters that may incur a cost to the department”. In this case an ounce of prevention would have been worth quite a few pounds sterling of cure.
Technology should follow policy. The point above leads to a bigger one: technologies—whether applications, such as PHRs, or entire network systems—must be designed to support desirable policies or behaviors and discourage undesirable ones. If it had been easier for an HMRC official to download just a few key elements than an entire database, the current mishap could have been much less damaging. The idea that technical design decisions must support policy goals is at the core of the Markle Foundation’s Common Framework, which proposes guidelines to inform the development of regional and other networks for health information sharing. According to the Markle framework, health information should be stored in a decentralized configuration to minimize the use and abuse of large repositories of data like the UK’s Child Benefits database. In practice that means that patients’ medical records should be controlled by the doctors, patients, or others who create them, not the government or a RHIO.
When you make a mistake, own up to it. There’s nothing unique to IT about this point. Prime Minister Gordon Brown, however, claims the fault for this error rests primarily with “officials not following the rules rather than ‘systemic’ failures at HMRC”. Meanwhile the HMRC Chairman resigned on November 20th, and a 23-year-old HMRC junior official is being suspended pending disciplinary action. The government is telling citizens potentially affected by the data loss to watch their bank accounts for any “irregular activity,” but the government hasn’t fully taken responsibility for the mistake or sufficient action to counter the widespread public concern it has caused.
The UK data blunder serves as a reminder that you cannot (especially in a health context) be too careful in protecting people’s privacy or in gaining and maintaining their trust. Readers of this blog who develop PHRs or related services should strive not just for elegant technical solutions, but for systems that make it easy for users to minimize risks.
One other thing—lest we get too high on our American horse, the US certainly has a lot to learn from the UK and its European neighbors concerning data protection. There are open questions about whether the blunder described above actually broke any data protection laws. Regardless, the UK and EU have much better legal frameworks to build on in this area than the US does, and our policymakers would do well to emulate them in some measure.
For deeper discussions of privacy and its implications in the PHR context, keep an eye out for an electronic primer on privacy to be released by Project HealthDesign later this month—subscribers to the PHD listserv or this blog’s feed will get an email alert when it becomes available.
RFID implants in humans have been relatively rare, but they could become more mainstream. According to VeriChip, manufacturer of the only FDA approved version, more than 2,000 people worldwide now carry the chips under their skins. Some view them as a medical safeguard—a chip could convey the identity and condition of an unconscious patient to a doctor in an emergency room. For others, an implanted RFID chip is primarily a convenience or status symbol—one that lets them pay, with the wave of a hand, for drinks in certain trendy bars.
The basic concept behind RFID was first articulated in 1948, but in recent years the chips themselves have become smaller, cheaper, and more widely used. RFID is effectively the next generation of the bar codes you find on groceries. Except that RFID, because it uses radio waves, can communicate information without the line of sight required by bar code readers, and makes it possible to read multiple tags at a time. It is also more durable than a bar code—better able to withstand heat, moisture, and pressure. In humans, a tag about the size of a long grain of rice is generally implanted above the right triceps. After the surgery there is no outward sign that it exists.
While some RFID tags regularly emit data through radio waves, subcutaneous ones are “passive,” responding only to a request from an outside reading device. Because of both size constraints and privacy concerns, the tags embedded in humans contain only a reference number (as opposed to say, a list of the individual’s allergies). That number is linked to a database containing medical, financial, or other data, and it may require a password or other means of authentication for access.
One hundred and sixteen US hospitals have already signed up to adopt the technology in their emergency rooms, while others, such as Beth Israel Deaconess Medical Center in Boston, already use RFID on humans (embedded or merely affixed to a bracelet) to match newborns in the intensive care unit with their mothers’ milk or to verify that patients are taking the correct medications.
What are the potential implications of embedded RFID from a Project HealthDesign perspective? It could help solve a big challenge several of the grantee teams are wrestling with: patient identification and authentication. Several of the teams are developing devices that wirelessly transmit data, such as blood sugar levels from a glucometer, to a software program that can track and analyze it. But how do you really know who used the glucometer? What if you have two people in the same household that are using the same measuring device? Embedded RFID chips could automatically identify individual patients and keep their records separate and accurate.
But assuming the potential health dangers associated with the chips can be overcome, is society ready for embedded RFID chips? Many people are alarmed by their potential privacy implications. If information on the chips is linked to the user, theoretically anyone from law enforcement officials to criminals or terrorists could abuse it, for example by tracking an individual’s movements. Some extremists even suggest that RFID portends the end of the earth.
Dr John Halamka is the CIO of Harvard Medical School and the CareGroup Healthcare System. He’s also an emergency physician at the Beth Israel Deaconess Medical Center. His research has shown that it would be fairly easy to intercept and mimic the data on an implanted RFID chip. In part because of this vulnerability, he argues that subcutaneous RFID chips should be used only to identify people, but that they should not be used for authentication purposes. Identification confirms that a person is, for example, Jane Smith, but authentication takes identity a step further, using it as a condition to enable an individual to do something—like access a building, bank account, or anything else of value. If chips are used for authentication, they could put their “hosts” at greater risk of kidnapping or physical harm.
I asked Halamka, who is an avid mountain climber, about his own decision to have an RFID chip implanted in his arm a few years ago. “Implanted RFID is a personal choice. For some people, such as those with cognitive or communication impairments, it offers an easy electronic pointer to a PHR which authorized clinicians can access in case of emergency. For others, such as myself, who travel to the corners of the earth, including its most extreme places, I have the security of knowing that my record is always with me. Of course, not every healthcare institution has the ability to scan RFID, so at present the technology is in the early adopter phase.”
On the topic of privacy he underscores the importance of addressing the privacy and security features of implantable RFID as early as possible. As he put it, “You can’t just let the technology develop and try to correct the resulting social problems later.”