The Online Medical Records Trap

Lauren Weinstein lauren at
Thu Oct 4 12:52:51 PDT 2007

Greetings.  Microsoft is rolling out their centralized medical
records project -- with the somewhat misleading name "HealthVault" --
and it's time for
consumers to start paying attention to what's going on in this
sector -- Google is working along similar lines as well.  (Why do I
call the HealthVault moniker misleading?  Keep reading.)

There is a vast market assumed for centralized recording of every
aspect of your medical life, initially through free accounts where
you would input the data yourself, but as quickly as possible the
intention is to move toward having doctors, hospitals, pharmacies,
and everyone else involved in your medical treatment entering the
data directly.  The federal government is also a big booster of the
centralized medical data idea -- a fact that might be enough to give
one pause in and of itself.

The selling points for such projects seem obvious enough.  Instant
access to your medical data for emergencies or other purposes, ease
of seeing test results and (in theory) correcting errors, and so
on.  All good stuff.

But what's not obvious from the sales pitches are the downsides, and
they could be serious indeed.

The term HealthVault is misleading because we know by definition
that such services will be anything but a vault when it comes to
privacy.  You can almost hear the conversations at Microsoft where
they tried to come up with a name that gave the impression of
security, Fort Knox, and impenetrability.  And of course, Microsoft
is making all the usual claims about encryption, safety, and the
same promises we always hear about centralized data systems.

But the big risk in centralized medical data -- arguably the most
personal data about any of us -- isn't about whether the servers can
be hacked or the communications eavesdropped (though these are real
issues, to be sure).

The most serious problem is that once medical data is in a
centralized environment, there are essentially no limits to who can
come along with a court order (or in the case of the government, as
we know, secret orders or illegal demands that can't usually be
resisted) for access to that data.  Service providers typically have
no choice but to comply.  The only way to prevent this is for the
data to be encrypted in such a way that even the service provider
cannot access it without your permission, even with a court order
staring them in the face.  As far as I know, none of the systems
currently in development or deployment take that approach to
encryption -- but I'd love to have someone inform me that such
techniques would be used.  That would change the equation
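The distinction drawn above is the one that decides what a service can hand over when compelled: "encryption" where the provider holds the key protects against a stolen disk, not against a demand served on the provider, whereas encryption under a key only the patient holds leaves the provider with nothing readable to produce. The following Go program is an added illustration, not code from the essay or from any product it names; the Provider and Outcome types, the "rec-0001" identifier and the sample record are constructed for the demonstration, and it uses only the standard library's AES-256-GCM (crypto/aes, crypto/cipher).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a random 256-bit AES key.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one record with AES-256-GCM. The record ID is bound as
// associated data, so a blob cannot be quietly swapped into another slot.
// Output layout: nonce || ciphertext || tag.
func EncryptRecord(key, plaintext []byte, recordID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord is the inverse; it fails on a wrong key, a wrong record ID
// or any modified byte.
func DecryptRecord(key, blob []byte, recordID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// Provider is a constructed stand-in for the centralized service.
// masterKey is nil when the patient keeps the only key.
type Provider struct {
	store     map[string][]byte
	masterKey []byte
}

func NewProvider(masterKey []byte) *Provider {
	return &Provider{store: map[string][]byte{}, masterKey: masterKey}
}

// Ingest is the "encryption at rest" design: plaintext arrives and the
// provider encrypts it under a key the provider controls.
func (p *Provider) Ingest(id string, plaintext []byte) error {
	blob, err := EncryptRecord(p.masterKey, plaintext, id)
	if err != nil {
		return err
	}
	p.store[id] = blob
	return nil
}

// Store is the client-side design: an already-sealed blob arrives and is kept.
func (p *Provider) Store(id string, blob []byte) { p.store[id] = blob }

// Disclose models compelled production of one record: the provider hands over
// whatever it can produce. With a master key that is plaintext; without one it
// is only the ciphertext, and readable is false.
func (p *Provider) Disclose(id string) (data []byte, readable bool) {
	blob, ok := p.store[id]
	if !ok || p.masterKey == nil {
		return blob, false
	}
	pt, err := DecryptRecord(p.masterKey, blob, id)
	if err != nil {
		return blob, false
	}
	return pt, true
}

// Outcome says who ends up able to read the record under one design.
type Outcome struct{ PatientReads, ProviderReads bool }

// CompareDesigns runs a single record through both designs.
func CompareDesigns(record []byte) (Outcome, Outcome, error) {
	const id = "rec-0001" // constructed record identifier
	master, err := newKey()
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	a := NewProvider(master)
	if err := a.Ingest(id, record); err != nil {
		return Outcome{}, Outcome{}, err
	}
	out, readable := a.Disclose(id)
	serverSide := Outcome{PatientReads: true, ProviderReads: readable && bytes.Equal(out, record)}

	patientKey, err := newKey()
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	blob, err := EncryptRecord(patientKey, record, id)
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	b := NewProvider(nil)
	b.Store(id, blob)
	out, readable = b.Disclose(id)
	pt, derr := DecryptRecord(patientKey, blob, id)
	clientSide := Outcome{
		PatientReads:  derr == nil && bytes.Equal(pt, record),
		ProviderReads: readable || bytes.Equal(out, record),
	}
	return serverSide, clientSide, nil
}

func main() {
	s, c, err := CompareDesigns([]byte("constructed sample: allergy=penicillin"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider-held key: %+v\npatient-held key:  %+v\n", s, c)
}
```

Both designs store ciphertext; the only difference is who holds the key, and that alone determines whether Disclose can return anything intelligible. The client-side design also relocates the operational burden the essay's caveat implies: key loss means record loss, and the hospital or pharmacy writing into the record needs a way to encrypt to the patient's key, which is why such systems are rare.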

Who might want access to your medical data?  Insurance companies
obviously, and one might expect them to lobby hard for such access,
in the name of "reducing fraud and insurance costs" of course.  Many
employers would also love to get access, to help weed out medically
expensive employees and applicants.

Perhaps more ominously, broad "fishing expeditions" by the
government -- for research, investigative, and other purposes --
become far easier when medical records are centralized.  It's
very difficult to abusively search or gather such data in a broad
manner when it consists mainly of manila folders in cabinets at your
doctors' offices.

But once this data goes online centrally, it's one of those "bingo!"
moments for those who would just love to pry into the medical
histories of consumers and citizens.

Frankly, if people want to use such centralized systems voluntarily
I have no serious objection.  However, my gut feeling is that most
people signing up won't have a clue about the negative ramifications
of these services -- certainly the services themselves won't be
trumpeting such shortcomings and risks.

And worse, over time it seems likely that the service providers --
possibly in conjunction with government agencies at various levels --
will move to make such use a default condition (that is, it applies
unless you opt out), and ultimately pressure everyone toward a
mandatory approach.

There could be a useful role for such centralized medical records
services, but only in an environment of laws and related broad
privacy protections that simply don't exist now, and don't appear to
be forthcoming anytime soon.  In their absence, using centralized
medical records services at this time, except in very special and
limited circumstances, would appear to be unwise and is not

Lauren Weinstein
lauren at or lauren at
Tel: +1 (818) 225-2800
Co-Founder, PFIR
   - People For Internet Responsibility -
Founder, PRIVACY Forum -
Member, ACM Committee on Computers and Public Policy
Lauren's Blog:


----- End forwarded message -----
Eugen* Leitl leitl
ICBM: 48.07100, 11.36820
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE