John Young <jya@pipeline.com> writes:
11-15-95. NYPaper Page One:
"When Patients' Records Are Commodities for Sale."
Individual medical records, carrying more sensitive personal information than ever before, are increasingly being gathered and stored by the tens of thousands in commercial databanks maintained by institutions like hospital networks, health maintenance organizations and drug companies. And although there is a Federal law that protects the privacy of video rental lists, private medical information is being bought and sold freely.
A (possibly stupid) thought: could commercial key escrow help here?

I very much want hospitals to have fast access to my medical data if my broken and bleeding body should come through their door, even if I am unconscious and my personal physician cannot be reached. On the other hand, I don't want anyone to be snooping through them right now.

One solution is for me to carry my records around with me on a smartcard or some such device. But there are problems with that approach; for example, do I want that personal information to be in my wallet if it's stolen? Do I want to add another item to the list of physical items I have to keep secure?

So, what if my records were available on the net, but encrypted with a key known to my physician and an escrow agency? (Equivalently, they could be on that smartcard, but encrypted.) If an emergency occurs, the hospital fetches my encrypted records from my physician's server, then sends a message (signed with the hospital's key) to Keys R Us, the escrow agent, saying "This is Dr. McCoy at Frobnitz Memorial Hospital, we need the key for FooBar Medix, Inc., patient number 147258369." (My FooBar Medix, Inc., insurance card lists my physician's server, the escrow agency, and my patient number.) Keys R Us verifies the message and sends the key. Perhaps there's also an alias to notify of the release, one that reports to but is not traceable to my physician or me.

Keys R Us only has a number and a key; they don't know who my physician is and therefore don't know where to find the actual records. Anyone who gets my insurance card can find the records, but has to convince Keys R Us to release the key; and if I've done my homework in picking the agency, they won't.

Does this give an advantage over just having a copy of my records kept by a trusted third party? Maybe so; I think maybe less trust of the escrow agency is necessary. No snooper can slip someone at the escrow agency a couple of cyberbucks to get a copy of my records, unless they've managed to match "FooBar Medix, Inc. patient number 147258369" with "Tom Swiss" and the location of my physician's server. (What if FooBar Medix, Inc., lets this information out? I dunno. I guess I visit their office with a shotgun. Better idea: FMI doesn't know what escrow agency I use. I fill in Keys R Us on the card myself.) No minimum wage slave can just casually browse my records for fun.

Thoughts?

[Since TIS is in the CKE field, I should note that this is my own boneheaded idea, not affiliated with the company in any way.]

-Tom Swiss / tms@tis.com
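The exchange Tom describes, as an added example that is not part of the original post: a physician's server that holds only ciphertext indexed by the insurer's patient number, an escrow agent that holds only (patient number, key) plus the credentials of hospitals allowed to ask, and a hospital that presents a signed request. Two stand-ins are assumptions of this example, not of the post: the hospital's "signature" is an HMAC under a credential the agent registered for that hospital (in place of a public-key signature), and records are protected with a SHA-256 counter-mode keystream plus an HMAC tag (in place of a real authenticated cipher). The notification alias, the patient number and the hospital name are taken from the post; the record contents are constructed.

```python
"""Toy model of escrow-released record keys (added example, stdlib only).

Stand-ins (assumptions of this example): HMAC under a per-hospital credential
replaces the hospital's public-key signature; a SHA-256 counter-mode keystream
with an HMAC tag replaces a real authenticated cipher. Neither is for production.
"""
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    ciphertext = _keystream_xor(key, plaintext)
    return ciphertext + hmac.new(key, ciphertext, "sha256").digest()


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    ciphertext, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ciphertext, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered record")
    return _keystream_xor(key, ciphertext)


class PhysicianServer:
    """Holds ciphertext only, indexed by the insurer's patient number."""
    def __init__(self):
        self.records = {}

    def store(self, patient_no: str, blob: bytes) -> None:
        self.records[patient_no] = blob

    def fetch(self, patient_no: str) -> bytes:
        return self.records[patient_no]


class EscrowAgent:
    """'Keys R Us': patient number -> key, plus which hospitals may ask.
    Learns neither the patient's name nor where the records live."""
    def __init__(self):
        self.keys = {}            # patient_no -> (key, notify_alias)
        self.hospital_creds = {}  # hospital name -> verification credential
        self.seen_nonces = set()  # replay protection for signed requests
        self.notifications = []   # (alias, hospital, patient_no) per release

    def deposit(self, patient_no: str, key: bytes, notify_alias: str) -> None:
        self.keys[patient_no] = (key, notify_alias)

    def register_hospital(self, name: str, cred: bytes) -> None:
        self.hospital_creds[name] = cred

    def release(self, request: bytes, sig: bytes) -> bytes:
        req = json.loads(request)
        cred = self.hospital_creds.get(req.get("hospital"))
        if cred is None:
            raise PermissionError("unknown requester")
        if not hmac.compare_digest(hmac.new(cred, request, "sha256").digest(), sig):
            raise PermissionError("bad signature")
        if req["nonce"] in self.seen_nonces:
            raise PermissionError("replayed request")
        self.seen_nonces.add(req["nonce"])
        key, alias = self.keys[req["patient"]]
        self.notifications.append((alias, req["hospital"], req["patient"]))
        return key


class Hospital:
    def __init__(self, name: str, cred: bytes):
        self.name, self.cred = name, cred

    def request_key(self, escrow: EscrowAgent, patient_no: str) -> bytes:
        body = {"hospital": self.name, "patient": patient_no, "nonce": secrets.token_hex(8)}
        request = json.dumps(body, sort_keys=True).encode()
        return escrow.release(request, hmac.new(self.cred, request, "sha256").digest())


def run_scenario() -> dict:
    """Enrol a patient, let an authorised hospital recover the record, refuse a snooper."""
    patient_no = "147258369"                                     # from the insurance card
    record = b"Tom Swiss: type O neg, allergic to penicillin"     # constructed sample record
    key = secrets.token_bytes(32)
    physician, escrow = PhysicianServer(), EscrowAgent()
    physician.store(patient_no, encrypt_record(key, record))
    escrow.deposit(patient_no, key, notify_alias="anon-alias-7731")
    frobnitz_cred = secrets.token_bytes(32)
    escrow.register_hospital("Frobnitz Memorial Hospital", frobnitz_cred)
    frobnitz = Hospital("Frobnitz Memorial Hospital", frobnitz_cred)
    # Emergency: ciphertext from the physician's server, key from the escrow agent.
    blob = physician.fetch(patient_no)
    recovered = decrypt_record(frobnitz.request_key(escrow, patient_no), blob)
    # A snooper with the stolen card knows server, agent and number, but holds no
    # registered credential, so the agent refuses even a request in the hospital's name.
    snooper = Hospital("Frobnitz Memorial Hospital", secrets.token_bytes(32))
    try:
        snooper.request_key(escrow, patient_no)
        snooper_rejected = False
    except PermissionError:
        snooper_rejected = True
    # All the agent could leak on its own: a number and a key, no name, no server.
    escrow_view = {n: k.hex() for n, (k, _) in escrow.keys.items()}
    return {"recovered": recovered, "snooper_rejected": snooper_rejected,
            "notifications": list(escrow.notifications), "escrow_view": escrow_view,
            "plaintext_in_blob": record in blob}
```

`run_scenario()` returns the recovered record, whether the snooper was refused, the release notification the alias would receive, and the agent's entire view of the patient, which is what an insider could sell without first matching the number to a name and a server.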
If you have some personal data that includes your patient number, why not have a card that instead lists your important data? "This patient is diabetic, allergic to amoxicillin, and has Gold Cross insurance." The amount of important data that an ER needs is small. There is small benefit to building a huge infrastructure to get that data carted around.

Also, in ERs, the computers are often authorized the same way everything else is: a nurse will tell you to leave if you don't belong there.

At Defcon, Bruce Schneier was talking about the value stored in casino chips. It's staggering. It's an alternate cash system, with a huge float, astounding velocity, and very little fraud. Transaction costs are low, clearing is instantaneous. The comparison is fairly clear.

Adam

Thomas M. Swiss wrote:
| I very much want hospitals to have fast access to my medical data if
| my broken and bleeding body should come through their door, even if I am
| unconscious and my personal physician cannot be reached. On the other hand,
| I don't want anyone to be snooping through them right now.
| So, what if my records were available on the net, but encrypted with a
| an key known to my physician and an escrow agency? (Equivalently, they
| could be on that smartcard, but encrypted.) If an emergency occurs, the
| hospital fetches my encrypted records from my physician's server, then
| sends a message (signed with the hospital's key) to Keys R Us, the escrow
| agent, saying "This is Dr. McCoy at Frobnitz Memorial Hospital, we need the
| key for FooBar Medix, Inc., patient number 147258369." (My FooBar Medix,
| Inc., insurance card lists my physician's server, the escrow agency, and my

--
"It is seldom that liberty of any kind is lost all at once." -Hume
"Thomas M. Swiss" writes:
> A (possibly stupid) thought: could commercial key escrow help here?
>
> I very much want hospitals to have fast access to my medical data if my broken and bleeding body should come through their door, even if I am unconscious and my personal physician cannot be reached. On the other hand, I don't want anyone to be snooping through them right now.
Actually, Bell Labs outlines a system which can preserve anonymity under these circumstances in "The Use of Communications Networks to Increase Personal Privacy In a Health Insurance Architecture" at <URL:ftp://ftp.research.att.com/dist/anoncc/privacy.health.ps.Z>. It's based on their anonymous credit card protocol, which is really a sort of identity escrow service managed by a remailer. You might find it interesting.
Scott Brickner wrote:
| "Thomas M. Swiss" writes:
| > A (possibly stupid) thought: could commercial key escrow help here?
| >
| > I very much want hospitals to have fast access to my medical data if
| >my broken and bleeding body should come through their door, even if I am
| >unconscious and my personal physician cannot be reached. On the other hand,
| >I don't want anyone to be snooping through them right now.
|
| Actually, Bell Labs outlines a system which can preserve anonymity
| under these circumstances in "The Use of Communications Networks to
| Increase Personal Privacy In a Health Insurance Architecture" at
| <URL:ftp://ftp.research.att.com/dist/anoncc/privacy.health.ps.Z>.
|
| It's based on their anonymous credit card protocol, which is really a
| sort of identity escrow service managed by a remailer. You might find
| it interesting.

Maxemchuk's anon credit card system depends to a huge degree on fast, highly available remailers, but he makes no provisions for funding them. He suggested at a talk I attended that the Federal Reserve could operate the one remailer that his system would use to protect your privacy.

Other than that, it's an interesting system which uses no public key crypto for mostly anonymous transactions.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume