Privacy Joy

Privacy JoyWe have to limit access to certain information

The stakes regarding the dangers of EMR privacy violations are higher than we realized. The threat extends well beyond the individual violated. The information in one patient's medical record could be used by "bad guys" to kill thousands of others (healthy people). That kind of information is freely available, on the Internet, in medical information such as in GenBank (referenced below). With rapidly evolving incorporation of genomic information derived from clinical care data, that risk translates straight into the EMR. The Mumbai attack illustrates that "bad guys" can and do use technology. The sophistication to breech security, violate privacy, and use data for mass destructive purposes is at our door step. Bill Joy's prescription? Re-think and restrict information access beyond current practice, since technologic barriers aren't defendable alone.In a TedTalk in 2006, Bill Joy concluded that "we have to limit access to certain information." The 1982 co-founder of Sun Microsystems, an author of BSD Unix, and other significant accomplishments, Bill was asked to speak a bit about technology and the potential for abuse. In light of the terrorist attacks last week in Mumbai, and the growing discomfort with the challenge of patient privacy, I thought it worthwhile to draw a connection.The terrorist attacks were characterized by unbridled access to power (guns, grenades) and technology (BlackBerry). Bill opened his 2006 talk by sharing that 'offensive uses of technology have an asymmetric advantage' compared to the challenges of defending against them. Bill was living in NYC during 9/11, doing research on the technology and the potential for abuse.

"Civilization is a bargain to not use [destructive] power [in exchange for peaceful co-existence]." Since this obviously cannot be assured, we need to consider the catalytic role of information technology and act accordingly.How dangerous is the bio-information available today? As he described in the NYT article excerpted here, the virus that caused the deadly 1918 flu is considered too deadly to store and transport for scientific research. If you need a copy, "just reconstruct it yourself. [the genetic sequence is freely available on the Internet.]" The scientists who made that statement were not kidding.

Recipe for Destruction

By RAY KURZWEIL and BILL JOY

Published: October 17, 2005

AFTER a decade of painstaking research, federal and university scientists have reconstructed the 1918 influenza virus that killed 50 million people worldwide. Like the flu viruses now raising alarm bells in Asia, the 1918 virus was a bird flu that jumped directly to humans, the scientists reported. To shed light on how the virus evolved, the United States Department of Health and Human Services published the full genome of the 1918 influenza virus on the Internet in the GenBank database.

This is extremely foolish. The genome is essentially the design of a weapon of mass destruction. No responsible scientist would advocate publishing precise designs for an atomic bomb, and in two ways revealing the sequence for the flu virus is even more dangerous.
...

As I shared at the outset, Bill Joy concluded that "we have to limit access to certain information. That's the price of the rule of law. Information represents unbridled power, including the ability to launch a global pandemic."

When our patient privacy violations are looked at in this way, the stakes around privacy go up orders of magnitude from the common perception. Will a patient's records soon contain information about an infectious agent, perhaps including the sequence of a deadly virus, identified in their blood? Yes.

If Bill Joy is correct, and I think he could be, disclosed medical records carry a much greater risk. Notions previously elaborated (below) that "privacy is an illusion (Ellison)" or freely publishing all genetic information (PGP) might be in need of serious revision.

What do you think? Do the risks warrant much more restrictive access procedures for medical information?