September 5, 1995 – December 16, 2005

We won! :-)


RISKS of electronic patient records (EPR)

The Next Ten Years

Karin Spaink

karin@spaink.net

Hacking health


The Next Ten Years

six books in three years

effects of technology

underexposed subjects

theory / practice

2005 sept: EPR

2006 mar: Gaming

2006 oct: Web 2.0

....


Why a book on EPRs?

no public debate whatsoever about why & how

newspapers: press releases, progress reports etc.

policy makers: absolute faith in technology

examine premises

re-sensitise the public w.r.t. privacy issues


Why EPRs?

make medical information accessible nation-wide

all health professionals have the same information, without time delay or paperwork

enforce co-operation and sharing

reduce bureaucracy, increase efficiency

reduce medical errors

reduce costs


old situation

  • patient records stored in various, contained places
  • GPs, hospitals, pharmacies and para-medics all have their own patient information systems
  • communication and exchange of information through EDIFACT, letter or phone
  • exchanged information stored locally again, on paper or electronically


projected situation

  • patient records stored in various open places
  • (para-)medics can consult data stored elsewhere over the internet in real time
  • National Exchange Point will show what data is stored where
  • data stays where it is generated


Patients need to be unique

previous secretary of Health, Els Borst: 'We will not use the social security number, for obvious reasons'

new government, new climate: Civil Service Number for all citizens will be introduced in 2006

CSN = SSN

SSN: work, taxes + welfare

EN: education

HIN: health + child / youth care


Risks of one overall number

practical problems:

SSN is not unique

unwanted / unforeseen / unaccounted linking of personal data in various domains

identity theft

political problems:

extending the law w.r.t. data linking

CSN is meant from its inception to assist law enforcement & investigation


Government on CSN

'Implementing an overall personal number is important to meet the desire to have more means available to link data for purposes of law enforcement and investigation. Extending the legal possibilities to do so is being considered within the current European privacy directives.'

- Kamerstukken II 2002-2003, 28 600 VII nr. 21, p. 2.


Companies on CSN

'Companies should be allowed to use the CSN for their own purposes and not only to exchange information with the government. [..] Companies will be obliged to use the CSN when they deliver information about people to the government. Privacy laws prevent them from using that same CSN for their own administration. According to VNO/NCW, this is an unnecessary cost.'

- VNO/NCW: Privacy hindert doelmatigheid, AG 12 november 2005


Introduction of eNIC

government has been eager to introduce a biometric electronic national ID card (eNIC)

'lack of identity-rich applications'

summer 2005: Dept. of Health supplies solution:

eNIC will be used to authenticate patients when consulting their own EPR, starting Oct. 2006

while we have DigID

but no card readers

nor is patient access part of EPR programs


'Technical' problems re. EPR

viruses:

Spaarne hospital (March 2005)

various radiology depts.

bugs:

pharmacies (Nat. Health Inspection 19-08-2005)

data entry errors:

identification, dosage, codes

Electronic Medication Programs are currently the fourth cause of medical errors, while EPR/EMR were intended to remedy those


Securing patient data

Dept. of Health: no extra money for new software or implementation of EPR

National Health Inspection: no requirements set for software ('market must solve it')

NICTIZ: 'responsibility for data and software lies with health institutes themselves, not with us'

GPs: no knowledge / infrastructure

legacy software (esp. hospitals)

health care as a sector is not very computer savvy


Safety was an afterthought, the icing on the cake. ('We will add a firewall to protect our data.')

Data security (integrity) is not to be the icing on the cake but part of the baking process. Safety is the baking soda, part of the design.


Practical part of the project

negotiations with 3 hospitals; 2 agreed to a penetration test

(A) regional hospital providing EPR for GPs, rehabilitation clinic, nursing home

(B) one of the biggest academic hospitals

results were shattering: we could access 1,2 million patient records (8% of Dutch population)

access = copy, delete, change


insurance number, initials, surname, phone, date of birth, insurance number, street, zip code, city


patient code, infection, informed by, notes


Secr. of Health about the hack

'The privacy of medical data should not be at stake. Medical data should not be out in the open! Hospitals are responsible for the enforcement of safety requirements with respect to sensitive data and should take action. That is actually not a matter of money, but of internal procedures and a proper administrative organisation.'

- secr. Hoogervorst in Parliament, Sept. 6 2005


On second thoughts...

Nov. 11, letter to parliament:

implementation of national EPR postponed

'security' mentioned 27 times

NEN 7150 (set of safety rules) becomes touchstone

new committee within Dept.

law on medical secrecy might be re-assessed

Yet:

wrong level: hospital A sends sysadmin

wrong problem: 'we have a proper firewall' (AMC)

wrong solution: NEN 7150 far too broad (skirthings)


Resumé

technology is hailed as a cure-all

three huge problems within six months (viruses, software bug, hack hospitals)

improvement of health care dubious

protection of highly sensitive data severely lacking

EPR is politically abused (law enforcement, eNIC)

