Thursday, July 5, 2007

A Zero Sum Game

Yesterday I received an email from Lyndon Dubeau, an information security specialist at the Ontario Association of Community Care Access Centres. He sent a link to a Health IT Survey conducted by Kaiser Permanente in conjunction with the Health Care IT Summit, focusing on question 10, which reads as follows:
"10. I'm going to read you a statement and please tell me if you agree or disagree with it:

'The benefits of electronic medical records, such as better treatment in an emergency and a reduction in medical errors, outweigh any potential risk to patient privacy or the security of health information.'"

The survey showed that 73% of respondents agreed with the statement, 25% disagreed, and 2% were unsure or didn't know.

Lyndon writes:

"The zero-sum-game approach to question 10 is interesting and pits two risks against each other.

1) The risk of not getting the best treatment in an emergency (a risk that people can relate to and understand)

2) The abstract risk of 'something' bad happening from a privacy/security perspective.

The challenge I face as an information security professional is helping the business understand that it's possible to have reasonable security/privacy controls in place without hampering the ability to get work done."

Lyndon is right on with respect to the corner health informaticians paint themselves into with the fuzzy logic of public opinion. This isn't an either/or question. It isn't a question of privacy and security of information OR safety. Patients need and deserve both, and quite frankly, we are dishonest when we suggest that patients need to make a choice.

The issue is similar to discussions I had recently with some Waterloo Bootcamp and eHealth Risk Workshop participants. I was asked to comment on an Order by the Ontario Information and Privacy Commissioner that required health organizations to apply strong security measures to personal health information on laptop computers. The suggestion from some participants was that this was an onerous obligation to put on health care organizations struggling to improve and deliver patient care. My reaction was that the Privacy Commissioner's order was not only reasonable, but organizations that failed to apply readily available technologies such as encryption to information on laptop computers were remiss in their basic responsibilities.

Of course the real problem these people faced was getting healthcare professionals, and in particular physicians who wanted to download their patient records from the hospital system to their own computers, to apply basic security measures. It requires well thought out policies, training and enforcement that some organizations, because of the power politics, are reluctant to implement. I'm sure that 100 years ago doctors complained about hand washing and how it wasted time that could otherwise be spent with patients.

The survey itself is problematic. Question 10 is a bad question. Given the bald choice between death and disclosure of my personal information, of course I'm more likely to side with safety. I'm encouraged that 25% of respondents saw through this ploy. I would suggest that anyone who uses the data to support less privacy and security is doing a great disservice to patients, health care providers and healthcare organizations.

For an example of an excellent survey of consumer attitudes towards EHRs I would point you to a 2003 survey by the Information and Privacy Commissioner of Alberta titled OIPC Stakeholder Survey 2003. In particular, check out section 6 (pages 31 - 35) for some real information on consumer attitudes, interests and concerns about EHRs.

I invite everyone who reads this post to comment. Is question 10 a fair question?
