On Wed, 2004-03-10 at 23:26, Thomas Beale wrote:
> Gavin Brelstaff wrote:
> 
> > Thomas Beale wrote:
> >
> >>>
> >> A well known study in Harvard medical school (I think) showed that 
> >> putting the message "Do not inappropriately access patient data - all 
> >> your accesses are being logged" on clinician screens a few times a 
> >> day resulted in a drop to near 0 of inappropriate access. No other 
> >> technology was used
> >> - thomas
> >
> >
> > There must be a downside to do that too - discouraging access by those
> > who have urgent need while being undertrained on the system - it would
> > sure scare me off  - and that would effectively reduce medic-medic
> > communication rather than promote it.  Sure security is important
> > but don't forget it is always compromise [Bruce Schneier].
> 
> I actually suspect the key to this is: whatever the security measures, 
> we must assume that someday, one day, health data of you or me, or a 
> politician or an actress will be hacked and sent to the Mirror or Sun 
> (gutter tabloid press in Britain, for US readers!), or simply posted on 
> a website. 

I think it is very important for all proponents of community-wide EHRs
to sit down and contemplate a series of worst case scenarios. Sure, they
can be dismissed as too unlikely to worry about - but they do need to be
contemplated.

How about this one: a sysadmin of an EHR facility copies not just the
one medical record, but 100,000 medical records, and passes them
secretly to a "data terrorist" who threatens to publish them on the
Internet via BitTorrent or one of the other distributed, anonymous
peer-to-peer networks - so that rounding up and destroying the
information is nigh on impossible - in order to extort money from a
government, or just to politically embarrass it (to death, probably).
The sysadmin bypasses the audit logs, or simply doctors them to cover
his/her tracks, or just skips the country.

Then consider the slightly more probable scenario that the above happens
not to your community EHR, but to some other community EHR, somewhere
else in the world, with the whole event widely reported in the media.

Either way, you need to be able to articulate why either a) this
scenario could never happen or b) why the costs of protecting against it
are too great, given the low but unknown probability of it occurring and
c) what measures are justifiable to take to protect against it.

As a member of the public, I hope and trust that the people responsible
for, say, a nuclear power plant, have workshopped all kinds of
extremely unlikely but extremely devastating scenarios. Failure to do so
results in Three Mile Islands and Chernobyls.

Community-wide EHRs are the nuclear power plants of the health
informatics world.


-- 

Tim C

PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere
or at http://members.optushome.com.au/tchur/pubkey.asc
Key fingerprint = 8C22 BF76 33BA B3B5 1D5B  EB37 7891 46A9 EAF9 93D0

