FUD From Dr Peel

FUD stands for Fear, Uncertainty and Doubt. You should probably take a moment and read the wiki-page, otherwise the rest of this post might be lost on you.

In the United States, FUD seems to be a legitimate marketing strategy for many institutions. Microsoft uses FUD regarding the coverage of their patents on the Linux kernel. SCO used FUD as its last central business strategy. Both the political parties use FUD constantly to target the other party.

It is easy to spot FUD. Here is the easy criterion: the source of potential FUD can be summarized as saying “Given a substantial lack of information about what is actually happening, there remains very good reason to still be terrified about it.”

FUD is unpopular with advocates of Free and Open Source Software. Our community values transparency that is the opposite of FUD. Generally our expectation is that the data regarding any kind of problem should be made available for analysis, and then, and only then, should conclusions be made. Our community has the patience to read long contracts, to perform subtle meta level data mining or just to carefully review code for bugs.

Generally, unlike politics, real dialog is favored over mere rhetoric in the FOSS community. Don’t get me wrong, we also enjoy zinging those we disagree with (I am particularly fond of it), but zings are supposed to be fact-based and meaningful. In fact, we have a very handy way to detect when conversations are no longer meaningful and have become purely rhetorical. We call it Godwin’s Law:

“As an online discussion grows longer, the probability of a comparison
involving Nazis or Hitler approaches one.”

Of course, the most important part is the implication of the law:

“Godwin’s Law? Isn’t that the law that states that once a discussion
reaches a comparison to Nazis or Hitler, its usefulness is over?”

– Cliff Stoll (“Cuckoo’s Egg” author), ca. 1994

I would like to formally propose that we add Dr. Peel’s Corollary to Godwin’s law:

“As an online discussion of medical privacy ethics grows longer, the probability of comparison to the Tuskegee Study approaches one.”

Dr. Peel has commented on the announcement that an EMR vendor is to share patient data with a genetics research firm by calling it the “new Tuskegee.” (Update 3-25-08: Joseph Conn conducted an investigation into the research story that is well worth reading.) Here are the problems with that comparison:

The Tuskegee Experiment stands as one of the most blatant disregards for ethics in modern medical history. By comparing this modern data analysis project to the Tuskegee experiment, Dr. Peel has solidly crossed over into FUD Territory. I have heard Dr. Peel speak in person, and I believe that her heart is in the right place. However, by making a comparison to Tuskegee, we are no longer having real discourse about the ethical issues about the case in question, which is obviously quite different from the original Tuskegee experiment.

In the data mining study in question, the patient data is de-identified, which means that discrimination as a direct result of this study will be very difficult. It also means that the study qualifies for a HIPAA carve-out for de-identified data sharing.

However, there are some very concerning ethical issues in this case which deserve attention.

  • The EHR vendor in question is anonymous, so we cannot really tell who is really participating in this. Knowing which vendor is doing this is a prerequisite for further discussion and thought.
  • It is unclear from the article to what degree patients will have the option to opt out or opt in, and at what stages this is an option.
  • There is no mention of the algorithm used to do de-identification, so there can be no analysis on the possibility of a correlation attack.
  • The study is covering genetic markers for type II Diabetes, which has a genetic race-related component. Although the current study is unlikely to be “racist,” it could lead to some tests that are used for the purposes of racial discrimination.

Some of these issues are ethical issues surrounding this study in particular. Others, especially the last one, are larger ethical issues faced by the entire medical community. There are real and sobering implications of these ethical issues as it is. It seems to me that by making an unwarranted reference to the Tuskegee Experiments we are moving too far afield from today’s facts.

By making a reference to the Tuskegee experiment, Dr. Peel is essentially forcing these issues into a political debate, rather than the subject of further rational discourse. Perhaps I should be thinking about this differently. Perhaps I should be happy that Dr. Peel continues to raise consciousness with old-fashioned Republican/Democrat type politicians regarding issues of patient privacy.

So I leave it to the reader for comment. Is the use of Dr. Peel’s reference to the Tuskegee experiments in this context appropriate?

-FT

HealthVault team responds to security model criticism.

In further evidence that the Microsoft HealthVault team might actually be making good on a move towards real openness, Sean Nolan has addressed some of my criticisms in a post entitled Sharing Data using HealthVault.

I have updated the post in question to correct the errors that I had made. However, even with the correction made I still think the HealthVault authorization model has erred too much on the “functional” side. It is worth pointing out that this is a design decision that many programmers would side with Microsoft on. It is a tricky issue: How do you allow for the transfer of ownership of a record without also creating a system that can be easily abused? Microsoft has historically taken the view that functionality comes first, and so they have always released operating systems that are extremely functional, but that hackers inevitably have a field day with. They have done pretty well with the “functionality first” design paradigm. (who am I to argue with the whole Windows install base?)

I will not reply fully to Sean’s post until I have had the opportunity to study HealthVault more closely and perhaps even ask Sean some very specific questions. However, the most significant thing here is that Microsoft is responding at all. This is an awfully quick turn-around for a company that has historically ignored criticism.

I do believe Microsoft is listening.

-FT

Google Health vs. HealthVault round 1

Everyone is talking about Google’s new PHR offering vs. Microsoft HealthVault. Mostly the talk is drivel. I was able to get a seat at the Press Interview with Google CEO Eric Schmidt at HIMSS and, I kid you not, two reporters asked “Is the data in Google Health covered by HIPAA?” within five minutes of each other. Frankly, not-covered-by-HIPAA is an industry standard for PHRs, and the fact that the question was asked at all is an indication that the press covering this largely have no idea what is going on. (I will talk more about HIPAA and PHRs in a future post.)

Rather than finding drama in all of the wrong places, I wanted to highlight a couple of differences that really are worth paying attention to. I have had the privilege of speaking with the programming leads for both projects extensively, and it is not yet time to give a close blow by blow of where these two systems are in comparison to each other (that will happen after Google Health goes live). I hope that what little technical meat I was able to dig up will be interesting to you.

Privacy Policies:

Google has not published its privacy policy. However, it has historically given great weight to privacy concerns. Most notably, take the Google Toolbar privacy notice. It begins “Please read this carefully, it’s not the usual Yada Yada”. It does a fair job of warning a user about the considerable privacy issues surrounding a tool placed directly within a browser. In fact, the sites you browse on the internet are probably as great a privacy concern as any health information you have. If you have any serious health conditions you have probably already searched for them and visited sites with content relevant to that condition. If you use toolbars, the information about where you visited was potentially transmitted back to the author of that toolbar. Google is upfront about this, and gives you an opt-out. This is much better than your average toolbar.

Microsoft’s Privacy Policy is awful. It has language that includes things like: “you give us permission to host your data off-shore”, and “we can change this policy anytime we like”. The current HealthVault privacy policy does nothing to protect a patient’s privacy from future policy changes within Microsoft. Based on the current language, the privacy policy might as well not exist. I discussed this with the HealthVault team and their response was “boiler-plate language”.

Frankly, the fact that ANY boiler-plate language was included in a privacy policy is a good indication that the thinking at Microsoft Legal is totally backwards. It is currently thinking “What will the market let us get away with” rather than “Hey this is a new moral sphere, if we do the right thing here, maybe the Government(s) will not make our lives completely miserable by over-regulating this industry.”

Privacy Policy Verdict:

Google wins. Without even releasing a Privacy Policy. On a scale of 1-10 HealthVault scores a -2, which in English translates to “hell-no”. That makes Google’s lack of score actually come out ahead.

API Design:

Google Health uses a CCR record wrapped in some of its standard web-service APIs. It would be better if they could have adopted CCD. But they said it was not ready when they started, which is a fair response. Still CCR is already a popular standard and a smart move for Google.

HealthVault has released its own XML specification. While they have promised to promise not to sue the pants off people like me who decide to use those specifications, creating a “new standard” in the healthcare space is a regrettable step backwards.

API Design Verdict:

Google wins for respecting current standards.

Security Architecture:

Google is using their AuthSub system to allow users to provide token-based access to other people (care-givers etc.) for temporary and limited access.

HealthVault is using a “root” user notion that is transitive. That means that if I trust Bob enough to make him a “root” user on my PHR record, then he can do anything with my record, including passing the root privilege to Jenny, who can pass it to Sam, who can pass it to Ruth, who can then do anything with my PHR account. See the problem? While the HealthVault system does allow for finer-grained control, there is no concept of passing along “complete control” without also passing along the ability to create other “root” users.

(Updated 03-04-08: Sean Nolan from Microsoft has posted a rebuttal to the previous sentence. While the rebuttal does not address my criticisms of a “transitive root” privilege system, it does argue that this design can be considered a feature rather than a flaw.)
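The difference between a transitive “root” grant and “complete control” that cannot be passed on can be made concrete with a small model. This is an added example, not HealthVault or Google code; the `Record` class, the `may_regrant` flag and the principal names are hypothetical and exist only to illustrate the Bob, Jenny, Sam, Ruth chain described above.

```python
# Constructed model of the two delegation styles; not HealthVault or Google code.
from dataclasses import dataclass, field


@dataclass
class Record:
    owner: str
    # grantee -> (granted_by, may_regrant); every entry means "complete control"
    grants: dict = field(default_factory=dict)

    def can_delegate(self, actor):
        """The owner can always delegate; others only if their grant allows it."""
        if actor == self.owner:
            return True
        entry = self.grants.get(actor)
        return entry is not None and entry[1]

    def grant(self, actor, grantee, may_regrant):
        if not self.can_delegate(actor):
            raise PermissionError(f"{actor} may not delegate this record")
        self.grants[grantee] = (actor, may_regrant)

    def holders(self):
        """Everyone who currently has complete control besides the owner."""
        return set(self.grants)

    def never_approved_by_owner(self):
        """Holders whose access the owner did not grant directly."""
        return {g for g, (by, _) in self.grants.items() if by != self.owner}

    def revoke(self, grantee, cascade):
        """Remove a holder; with cascade, also remove everyone they brought in."""
        self.grants.pop(grantee, None)
        if cascade:
            for other, (by, _) in list(self.grants.items()):
                if by == grantee:
                    self.revoke(other, cascade=True)


def transitive_root():
    """The chain from the post: each root holder creates the next one."""
    rec = Record(owner="patient")
    rec.grant("patient", "bob", may_regrant=True)
    rec.grant("bob", "jenny", may_regrant=True)
    rec.grant("jenny", "sam", may_regrant=True)
    rec.grant("sam", "ruth", may_regrant=True)
    return rec


def non_delegable_control():
    """Complete control over the data, without the right to create new holders."""
    rec = Record(owner="patient")
    rec.grant("patient", "bob", may_regrant=False)
    try:
        rec.grant("bob", "jenny", may_regrant=False)
    except PermissionError:
        pass  # Bob can use the record but cannot mint another holder
    return rec


if __name__ == "__main__":
    chain = transitive_root()
    print("transitive holders:", sorted(chain.holders()))
    print("never approved by owner:", sorted(chain.never_approved_by_owner()))
    chain.revoke("bob", cascade=False)
    print("after revoking bob only:", sorted(chain.holders()))
    print("non-delegable holders:", sorted(non_delegable_control().holders()))
```

In the model, revoking Bob without cascading leaves Jenny, Sam and Ruth in place, which is why a transitive design also needs the owner to see and undo the whole chain, not just the first link.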

Security Architecture Verdict:

Obviously Google has time to screw this up before coming out of beta, but it looks like its access control system has been better thought out.

Time to Market Verdict:

Obviously, Microsoft wins here. HealthVault has been out for months. However, if they do not get their act together they will not have any remaining first-mover advantage. Google is obviously making very sharp moves, in fact, maybe their best move was not coming to market before they were ready.

Now that Microsoft has made some FOSS friendly sounds, I will take a closer look at their software. When Google Health is finally released, I will do a complete comparison.

-FT

Meeting Dr. Peel

Medsphere, and the Shreeve Tragedy have left me a little jaded. I have little patience for those who threaten the health FOSS community. Believe it or not, I rarely allow my aggression to turn public. I can think of at least 5 friendships with current FOSS community members that began with rather nasty emails originating from me. Most of these useful harassments never make it into the public eye. The work that Dr. Peel has done with Microsoft around their HealthVault line has been a notable exception. Dr. Peel’s public endorsement of Microsoft originally shocked me so greatly that I felt I had to publicly respond.

So it was with great anticipation that I was able to hear Dr. Peel speak for the very first time today at HIMSS 08. In her talk, she indirectly addressed many of my criticisms. Let’s review some of the “potshots” that I have taken at her, and detail what I heard in her talk about these issues.

Dr. Peel detailed her plans to create a new organization to perform privacy reviews of PHR sourcecode and privacy policies.

Apparently the new certifying organization will not certify PHR systems, without performing a sourcecode review.

Obviously, through the new certifying organization, the “endorsement” of Microsoft would become a formal matter. The endorsement would be withdrawn, if Microsoft started behaving badly.

I wish that I could believe that Dr. Peel started these initiatives in response to my criticisms (it would make me feel very important indeed to know that she was listening), however it is entirely possible that she may have had this plan in her organization’s Skunk Works long before I was saying anything.

Here are some further snippets that I found comforting from her presentation.

  • She has claimed that she has not taken any money from Microsoft, she gets her funds from her own network of friends and supporters. (Transparency is good)
  • When I asked about the clause in Microsoft’s privacy policy that specifically gave permission for Microsoft to off-shore data storage, she immediately replied that she thought that was totally unacceptable.
  • While she listed Microsoft’s HealthVault as a “good” project, she also listed Microsoft on the pages of privacy violators, so she both endorsed and condemned them in the same talk.
  • She talked to me after her talk and was quite friendly.

The only thing I could criticize about her talk specifically was her slide about the VA data thefts. She had put a WorldVistA logo on the top of the page, but the data breaches were a problem within the VA, and had nothing to do with WorldVistA. WorldVistA is a private organization that shares an interest in VistA with the VA, but otherwise is not connected with the VA at all, and certainly had nothing to do with the data breaches. In fact WorldVistA has and will continue to improve the overall privacy and security of private installations of VistA. Still, I am probably the only person in the crowd who even noticed this, and I doubt anyone thinks negatively about WorldVistA as the result of her talk.

In short, Dr. Peel is probably going to address the bulk of my complaints. She may have been planning to for months before I said anything.

So this is not a retraction of my attacks against her, but rather a reprieve. (When someone turns around like this a reprieve from criticism is popular within our community). If she continues on this path, I will fully retract my criticisms towards her personally.

Also note that despite the fact that HealthVault has surprised me recently, it has NOT earned a reprieve yet. That may happen in a following post. There seem to be some changes in the privacy policy, and there has been some movement towards openness. HealthVault has invited me to engage them in person and I plan to do that before the conference is over. I am hopeful.

-FT

Dr. Janice Honeyman-Buck at HIMSS 08

For those that do not know, I am blogging HIMSS 08 for LinuxMedNews. I will be posting on anything that is relevant to FOSS that happens here. I did not have to wait long. One of the first talks covered the use of FOSS in medical imaging, something that I knew little about until Dr. Janice Honeyman-Buck clued me in.

Here is a shot of myself and the good doctor.

Fred Trotter and Janice Honeyman-Buck at HIMSS 08

HealthVault: becoming un-Microsoft?

What I have read this morning almost made me choke on my cheerios.

Neil Versel (one of the most in-the-loop Health IT journalists I know) turned me on to a blog post from Sean Nolan that I obviously did not want to miss. The post, aptly titled Opening up the Vault, revealed several important claims:

  • Microsoft is releasing a Java wrapper library under the OSI approved Microsoft Public License
  • Microsoft is releasing some .NET code under a read-only license (i.e. not open source)
  • Most importantly Microsoft is releasing the entire HealthVault XML interface specification under the Microsoft Open Specification Promise

I need to research the Microsoft Open Specification Promise; to say the least, it appears that there is some confusion as to its legitimacy for FOSS developers. I have a “call” in to the Software Freedom Law Center, to see what their current evaluation of the promise is. Still the significance of this cannot be underestimated. Sean claims:

“With this information, developers will be able to reimplement the HealthVault service and run their own versions of the system.”

Don’t get me wrong, I trust Microsoft about as far as I can throw them (all of them… at once), but this is definitely a step in the right direction. It will take me some time to sort out just how meaningful a step.

This is a smart time to do this too. There is like a 90% probability that Google will be officially announcing its PHR effort at HIMSS. (Heck, it’s been leaked already.) By releasing an API, Microsoft is essentially challenging Google to do the same, and that could mean that hacktivists like myself could build arbitrary bridges between the two (now this is hopeful…) which would mean that Google and Microsoft’s systems would compete on merit rather than most-effective-lock-in.

-FT

HealthVault: Michael Zimmer digs deeper

Michael Zimmer, a new media commentator and blogger that I had not heard of before now, has gotten access to the HealthVault team. He just wrote a new post called “Designing for Privacy: Microsoft HealthVault” that is worth reading from start to finish.

There are several interesting things about his post. First, he details several specific technical measures that Microsoft claims that they will be undertaking in order to protect the privacy of its users. Here is a brief summary, and my impressions:

  • HealthVault will use HTTPS only : Pretty obvious first step.
  • “Bluntly targeted” ads : What does this mean? Whatever Microsoft wants it to.
  • HealthVault tracking cookie will expire with each session or 90 days : This is probably the most exciting point here, since we can test this.
  • HealthVault will destroy search history after 90 days : Bold Claim. It would be great if this was true.
  • HealthVault will submit to audits : By whom? Again, this means little without being able to gauge the neutrality of the auditors, or to what standard they would be auditing.
  • HealthVault will allow “apps” to access data, but will show users a log of exactly what apps or people accessed the data : This seems like a good idea, but I am dubious to see if this can remain useful. A potential deluge of access means that users will cease to pay attention.

Michael obviously has at least a clue about the concepts of privacy and security. At least he uses terms like “https” and “cookies” in relevant ways. It is ironic that Michael gives the following caveat:

“I must note that I haven’t been able to verify these technical claims, and my research in this area is only beginning — many other harms could remain even if all the above are fully implemented.”

That is the kind of thing technical people say when they know they do not have the full story. Compare this to the response that Dr. Deborah Peel has to what was probably similar technical information:

“Microsoft is setting an industry standard for privacy”

I like Michael’s conservative approach to these kinds of claims. It should be noted that he has ties to Microsoft: he is the Microsoft Fellow at the Information Society Project at Yale Law School. His association with Microsoft explains how he got access. I hope he continues to use that access to generate similarly good posts.

Probably the most important thing we have now is some objective technical standards that we can watch. If anyone feels like testing out the HealthVault cookie content and expiration to see if it squares with what Michael was told, give me a buzz. I would be happy to post or link to your results.
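One way to run the cookie test suggested above is to capture the `Set-Cookie` headers from a session and classify each cookie against the 90-day claim. This is an added example, not code from the post or from Microsoft; the header values, cookie names and capture time are constructed for illustration.

```python
# Added example: audit captured Set-Cookie headers against a 90-day lifetime claim.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

LIMIT = timedelta(days=90)  # the lifetime claimed in the post

# Constructed sample data: the time the responses were captured and their headers.
RECEIVED_AT = datetime(2008, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",                        # session cookie
    "track=xyz; Max-Age=7776000; Path=/; Secure",                  # exactly 90 days
    "track2=xyz; Expires=Fri, 01 Jan 2010 00:00:00 GMT; Path=/",   # far beyond 90 days
    "both=1; Max-Age=3600; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Secure",
]


def audit_set_cookie(header_value, received_at):
    """Classify one Set-Cookie header value against the 90-day claim."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None  # None means the cookie lasts only for the browser session
    if "max-age" in attrs:
        # RFC 6265: when both are present, Max-Age takes precedence over Expires.
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = expires - received_at

    if lifetime is None:
        verdict = "session"
    elif lifetime <= LIMIT:
        verdict = "within-90-days"
    else:
        verdict = "exceeds-90-days"
    return {
        "name": name,
        "lifetime": lifetime,
        "secure": "secure" in attrs,  # cookie restricted to HTTPS transport
        "verdict": verdict,
    }


def audit_all(headers, received_at):
    return [audit_set_cookie(h, received_at) for h in headers]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS, RECEIVED_AT):
        print(f"{result['name']:8} {result['verdict']:16} secure={result['secure']}")
```

A single capture only shows the lifetime declared at issue time; a server that re-sends the cookie on every visit keeps extending it, so the check is worth repeating across several sessions.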

-FT

Defending VA-VistA

I was heavily quoted in a recent article in Government Health IT entitled VA’s health IT gamble. In it, I present the case that the current IT centralization efforts within the VA are damaging to VistA and therefore the VA’s ability to deliver quality care. From the article:

“Historically, each hospital hired programmers to solve that hospital’s needs,” Trotter said. “Other hospitals then adapted those solutions to their own needs. With the centralization process, all VistA programmers will be working for a central bureau. This could stop 30 years of innovation in which the best local innovations were taken national.”

Ironically the article cited a VA official as saying that they were taking an “Evolutionary approach”, despite the fact that they just bought a Cerner lab system rather than building the functionality into VistA. Strange.

-FT

HealthVault: In summary, so far.

Let’s review the problems with HealthVault.

Most of my posts have been centered on the problem with Dr. Deborah Peel’s endorsement of Microsoft’s HealthVault.

In Medically, Legally, and Politically Savvy but Technically Uninformed, I discuss the fact that Dr. Deborah Peel has endorsed HealthVault, despite being totally unqualified to do so. I also note that no one from the organizations that Dr. Peel represents was both qualified to evaluate the privacy features in HealthVault and actually involved in the evaluation process. Although Dr. Peel had access to some of the top security minds in the industry, she failed to consult them when endorsing HealthVault.

In The Food critic never took a bite I discuss the basic impossibility of knowing if something respects privacy without reading the sourcecode. How can Dr. Peel’s organization endorse the privacy and security of HealthVault without having read the sourcecode?

In Privacy, a Complex Problem Underestimated (which has turned out to be my most popular post on the subject), I discuss the fact that the privacy of patient records is vastly more complex than is allowed by the simplified HealthVault privacy systems.

In Abusing vs Implementing Standards I discuss Microsoft’s history of abusing standards to their own advantage, and the implications this practice could have in the fragile domain of patient medical records.

In Failing the seven generation test, I argue that medical records need to be archived for decades if not centuries. Information entrusted with HealthVault is not protected in any way that respects this future need.

I have written more articles, which you can find by clicking the HealthVault category on this website. But I feel that these posts specifically cover areas that Dr. Deborah Peel’s endorsement ignores. Dr. Peel has accepted Microsoft’s platitudes as fact. This is despite the fact that Microsoft is famous in the information security industry for giving assurances with regards to information security without providing comparable investments. Ironically Dr. Peel consistently views Payers, Drug companies and others who presume to profit from patient data as being evil, but Microsoft is given her highest endorsement. This is despite the fact that so many in the technical industry view Microsoft with distrust and apprehension similar to the distrust that those in the medical field often view payers and drug companies.

More troubling still is who Dr. Peel represents. Dr. Peel is the founder of and spokesperson for the Patient Privacy Rights organization. Patient Privacy Rights claims to be the nation’s leading medical privacy watchdog organization. More troubling than this (as if we were already not troubled enough) is the Coalition for Patient Privacy. This is a meta-organization that includes lots of very legitimate interests. Further, most of the activities that this coalition puts forward are pretty meaningful; for instance, they recently delivered a letter to Congress, which asks for some pretty reasonable things. In fact if I was called before Congress and was asked to give that letter a thumbs up or down, I would endorse it. I would also point out that Microsoft as a signer is laughable. The problem is that in the same breath that it asks Congress to do good things, it gives a blank check to Microsoft to do bad things.

I will be contacting some members of the Coalition to see what can be done about this.

Regards,

Fred Trotter

On Patents…

Often I get phone calls, emails or other correspondence that begins, “We have this great patent pending idea and we want to use open source.” Hopefully I will take some time and write more about why software patents are a particular problem with medical software, but for now I am satisfied to link to a good summary article on why the Free and Open Source community generally has a problem with patents. If you feel like contacting me about using FOSS with your company and your company has patents, reading this first will save us some time.

-FT