The concept of a personal health information application is compelling. As individuals we want our health information accessible by our doctor, pharmacists and other care providers when needed. We also want security and privacy when the information is not being used.
Today your doctor maintains a file folder with your health information in it in their office. If your doctor is like 80% of doctors today, they keep your records in paper form. If you go to see another doctor, your information is available only if it is communicated from one physician to the other, usually by phone, doctor to doctor or nurse to nurse, or even by fax.
Should you be hospitalized, the facility will start another file folder for your data. Your family doctor may be notified, but unless they have privileges at the hospital they are unlikely to participate in your care there. And it is unusual for your family doctor’s files to be transferred to or shared with the hospital staff.
Pharmacies will fill prescriptions received from your doctor or from any legitimate board-certified doctor. Because you can take a prescription to any pharmacy, it is unlikely that the pharmacy has a record of all your medication. Since you get prescriptions from your family doctor, specialist or hospital physician, it is unlikely that any one of these sources has a complete history of your prescriptions or medication. If you use over-the-counter or alternative remedies or vitamins, it is unlikely that anyone will review these within your health information.
How can we communicate our health concerns or issues effectively and reliably even when we can speak for ourselves? Ideally we want the care provider to have all the information they need; we don’t want them to be guessing. The best way to provide your doctor with all they need is to bring it yourself and have it available for them right then and there.
There are many paper-based personal health journals that you can buy. These are notebooks that are sectioned off with categories about your conditions, medication, daily diet and activities. For people with ongoing or chronic conditions like diabetes, these notebooks may have specific sections for glucose levels and lab tests related to the disease.
Today’s technology allows you to access your money anywhere in the world through bank machines. You can share photos of your vacation instantly with family members and friends from around the world. Web technology and the global infrastructure it is based on allow us to access information from both reliable and unreliable sources alike. We also walk around with technology on smart phones that is more sophisticated than the business computers of 10-15 years ago that were tethered to our desks.
The ideal of having secure, private health information available anywhere in the world is not just theoretically possible; it is technically feasible.
To begin, we need to secure data both at rest and in motion. The latter is the simple solution: using SSL (Secure Sockets Layer) and encrypted end-to-end transmission of data, we can prevent interception and misappropriation of personal data. For data being stored, we can use encryption of personal data based on high-level cryptology. While it is recognized that there is no perfect solution for encrypting data, there are techniques that will make the theft and decryption of this personal data uneconomical for hackers. After all, how important is it to be able to determine a specific individual’s ailment? What needs to be secured are the personal identifying details that could be used for identity theft.
Two security levels must be considered: the physical security and the access security. Physical security can be addressed by the location of the database. Are the physical machines that store the data in a safe place? And if the machines are compromised physically, by someone entering the datacenter and taking the machine, will the information still be safe? Therefore the means to decrypt the data and the actual physical files cannot be kept together. This way multiple sources need to be compromised to unlock the information. Think of this like a safety deposit box that needs two unrelated people to have keys to enter: if you only have one, it’s still not possible to break into the safe. This is similar to the access security as well.
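An added illustration of the two-key safety deposit box idea above (not code from the original article): a record is encrypted for the database and the key is split into two shares held by unrelated custodians, so a stolen machine plus one share still cannot decrypt. The function names and sample record are assumptions, and the HMAC-based cipher is a standard-library stand-in for a vetted cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def split_key(key: bytes):
    """2-of-2 XOR split: either share alone is indistinguishable from random."""
    share_a = secrets.token_bytes(len(key))
    return share_a, bytes(k ^ a for k, a in zip(key, share_a))

def join_key(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library; a real system would use AES-GCM from a vetted library.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag for the database."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

# Constructed sample: the database host keeps only `blob`; each share goes to a separate custodian.
record = b"name=Jane Example;dob=1970-01-01;rx=metformin 500mg"
data_key = secrets.token_bytes(32)
blob = seal(data_key, record)
share_a, share_b = split_key(data_key)

if __name__ == "__main__":
    print(unseal(join_key(share_a, share_b), blob))   # both custodians present
    try:
        unseal(share_a, blob)                         # stolen host plus one share
    except ValueError as err:
        print("one share only:", err)
```

In a deployment the full key would exist only in memory while a record is being opened, and would never be written to the host that stores the encrypted records.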
Permission to access that data can be secured by user ID and password. But this is only a minimum. Usernames and passwords are often simple, and people tend to use the same username and password on several applications for ease of recall. Strong passwords are easy to create, but few people follow the basics of how to establish a password; even more critical, many users don’t change their passwords frequently. There are techniques to force strong passwords, to expire passwords at regular intervals and to improve user access.
To return to the banking example: when accessing your money online you use a physical card and a secret PIN. When using online banking without a card reader device, you use a login with the card number as well as, potentially, a security code that is printed physically on the card. Can a similar method be used for health care systems?