Last fall I blogged about Microsoft’s HealthVault, “Why Would You Trust Microsoft To Store Your Sensitive Health Information?”
It didn’t take long before Google got in on the game.
Today an interesting story ran in the New York Times, “Warning on Storage of Health Records” that also points out the concerns with having huge amounts of health information stored in some mega-multi-services-products types of monolith company. The issues are the same for any organization storing such information, though; but putting health information in the same corporate systems that contain the records of billions of people really open up quite a Pandora’s box of privacy breach possibilities.
Here are some excerpts from the news story that make some good points…
“The authors say that consumer control of personal data under the new, unregulated Web systems could open the door to all kinds of marketing and false advertising from parties eager for valuable patient information.”
Indeed. Combining huge numbers of health records with the billions of other customer information records Microsoft and Google hold creates quite a nice customer relationship management (CRM) possibility for them. Not to mention a whole new set of revenue paths that they may have from selling the information about the people storing health records on their systems to an unlimited number of other organizations.
“Peter Neupert, the vice president in charge of Microsoft’s health group, said that he admired the authors and that they raised some important issues. But he resisted the suggestion of extending Hipaa to newcomers like Microsoft and Google.
“Philosophically and politically, I am skeptical of the concept of paternalism,” Mr. Neupert said in an e-mail response to the article, which he was sent, and to the authors’ comments. “It never turns out to be ‘limited.’ ”
Designing a health records system that clearly informs consumers and requires their consent for data use is the better approach, Mr. Neupert said. “We have to earn the consumer’s trust for our brand,” he said. “So I can imagine a scenario where we have a third party verify that our system works the way we assert it does,” much as an auditor reviews a company’s financial reporting.”
You bet; the “Trust me!” approach is much better than requiring organizations to follow data protection safeguards and approprite practices…NOT! It has not worked so far, why would it now?
Have you ever read the horrible notification communications from Microsoft and Google? Most individuals will “consent” to something that they have no idea was even described based upon poorly worded, or hard to find, notification.
We need one federal data protection (privacy) law, applicable to all organizations that handle personally identifiable information (PII), that addresses the entire scope of privacy issues related to PII.
Tags: awareness and training, google, Healthvault, HIPAA, Information Security, IT compliance, Microsoft, policies and procedures, privacy, privacy compliance, risk management, security awareness, security training