<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Schadenfreude &#187; security</title>
	<atom:link href="http://www.ralree.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ralree.com</link>
	<description>Malicious enjoyment derived from observing someone else's misfortune</description>
	<lastBuildDate>Sun, 28 Feb 2010 04:18:37 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Implementing Mozilla&#8217;s Content Security Policy</title>
		<link>http://www.ralree.com/2009/06/30/implementing-mozillas-content-security-policy/</link>
		<comments>http://www.ralree.com/2009/06/30/implementing-mozillas-content-security-policy/#comments</comments>
		<pubDate>Tue, 30 Jun 2009 14:00:38 +0000</pubDate>
		<dc:creator>Erik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[http]]></category>
		<category><![CDATA[scripts]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[site5]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://www.ralree.com/?p=22601</guid>
		<description><![CDATA[I recently discovered this page, which describes Mozilla&#8217;s solution for prevention of XSS (Cross-Site Scripting) available as a Firefox Extension.  Here&#8217;s the HTTP response from my site:
hank@tardis:~$ wget -S http://www.ralree.com
--2009-06-30 09:52:13--  http://www.ralree.com/
Resolving www.ralree.com... 74.54.115.108
Connecting to www.ralree.com&#124;74.54.115.108&#124;:80... connected.
HTTP request sent, awaiting response...
 HTTP/1.1 200 OK
 Date: Tue, 30 Jun 2009 13:49:54 GMT
 Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 [...]]]></description>
			<content:encoded><![CDATA[<p>I recently discovered <a href="http://people.mozilla.org/~bsterne/content-security-policy/index.html">this page</a>, which describes Mozilla&#8217;s solution for prevention of XSS (Cross-Site Scripting) available as a Firefox Extension.  Here&#8217;s the HTTP response from my site:</p>
<pre>hank@tardis:~$ wget -S http://www.ralree.com
--2009-06-30 09:52:13--  http://www.ralree.com/
Resolving www.ralree.com... 74.54.115.108
Connecting to www.ralree.com|74.54.115.108|:80... connected.
HTTP request sent, awaiting response...
 HTTP/1.1 200 OK
 Date: Tue, 30 Jun 2009 13:49:54 GMT
 Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a Phusion_Passenger/2.1.3
   mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
 X-Powered-By: PHP/5.2.8
 X-Pingback: http://www.ralree.com/newblog/xmlrpc.php
 Last-Modified: Tue, 30 Jun 2009 13:49:21 GMT
 <span style="color: #ff0000;">X-Content-Security-Policy: allow self; img-src *; object-src *.ralree.com
  *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com
  friendfeed.com; style-src *.ralree.com *.ralree.info</span>
 Content-Length: 57457
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8</pre>
<p>As you can see, my content security policy is sent as an HTTP header on all HTTP responses from my site.  I basically stole an example from <a href="http://people.mozilla.org/~bsterne/content-security-policy/details.html#examples">this page</a>.  I&#8217;ve added it to the .htaccess file in my site&#8217;s root, before everything else in there, like so:</p>
<pre>&lt;IfModule mod_headers.c&gt;
Header set X-Content-Security-Policy "allow self; img-src *; object-src *.ralree.com *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com friendfeed.com; style-src *.ralree.com *.ralree.info"
&lt;/IfModule&gt;</pre>
<p>I highly recommend everyone with commenting activated on their blog enable this, since XSS is a serious pain.  This seems to work very well on Site5, where mod_headers was simply enabled out of the box.  Two caveats: the header is only enforced by browsers that understand it (at the time of writing, Firefox with the extension), so comments still have to be escaped on output and the policy is a second layer, not a replacement; and this is the pre-standard syntax, in which <code>allow</code> is the catch-all directive that later CSP versions call <code>default-src</code>.</p>
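<p>As an added example (not code from the post or from Mozilla), here is a small Python evaluator for this header's syntax: it parses the directives, applies the host-source matching rules (<code>self</code>, <code>*</code>, <code>*.host</code>, a plain host, or <code>scheme://host[:port]</code>) and falls back to <code>allow</code> for content types the policy does not name.  The policy and page origin are the ones shown above; the list of page resources it checks is constructed, and treating a missing directive with no <code>allow</code> as a denial is an assumption made here rather than a rule quoted from the spec.</p>

```python
"""Evaluator for the pre-standard X-Content-Security-Policy header.

Added example, not code from the post or from Mozilla.  It models host-source
matching only (self, *, *.host, host, scheme://host[:port]) plus fallback to
the catch-all "allow" directive; inline-script and report-uri handling are out
of scope.  Anything marked "assumption" is a choice made here, not spec text.
"""
from urllib.parse import urlsplit

# Taken from the post: the page's origin and the exact policy it sends.
PAGE_ORIGIN = "http://www.ralree.com"
POLICY = ("allow self; img-src *; object-src *.ralree.com *.ralree.info; "
          "script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com "
          "friendfeed.com; style-src *.ralree.com *.ralree.info")

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """'allow self; img-src *' -> {'allow': ['self'], 'img-src': ['*']}."""
    directives = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def _origin(url):
    """(scheme, lowercase host, effective port) for a URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, resource_url, page_origin):
    """Does one source expression from the policy cover resource_url?"""
    scheme, host, port = _origin(resource_url)
    if source == "*":
        return True
    if source == "self":
        return (scheme, host, port) == _origin(page_origin)
    # Host source: a missing scheme means "same scheme as the page".
    if "://" not in source:
        source = f"{_origin(page_origin)[0]}://{source}"
    s_scheme, s_host, s_port = _origin(source)
    if (s_scheme, s_port) != (scheme, port):
        return False
    if s_host.startswith("*."):
        # *.ralree.com covers www.ralree.com but not the bare ralree.com.
        return host.endswith(s_host[1:])
    return host == s_host


def policy_allows(policy, directive, resource_url, page_origin=PAGE_ORIGIN):
    """True if the policy lets the page load resource_url as this content type."""
    directives = parse_policy(policy) if isinstance(policy, str) else policy
    # Directive absent -> fall back to "allow"; both absent -> deny (assumption).
    sources = directives.get(directive, directives.get("allow", []))
    return any(source_matches(s, resource_url, page_origin) for s in sources)


def blocked_resources(policy, resources, page_origin=PAGE_ORIGIN):
    """resources: iterable of (directive, url). Returns the URLs the policy blocks."""
    return [url for directive, url in resources
            if not policy_allows(policy, directive, url, page_origin)]


# Constructed sample: what a typical post page on the blog might load.
SAMPLE_PAGE = [
    ("script-src", "http://www.ralree.com/wp-includes/js/jquery.js"),
    ("script-src", "http://pagead2.googlesyndication.com/pagead/show_ads.js"),
    ("script-src", "http://attacker.example/steal-cookies.js"),  # injected via a comment
    ("img-src", "http://images.example.net/photo.jpg"),
    ("object-src", "http://video.example.net/player.swf"),
]

if __name__ == "__main__":
    for url in blocked_resources(POLICY, SAMPLE_PAGE):
        print("blocked:", url)
```

<p>Running a page's real resource URLs through <code>blocked_resources</code> before turning the header on is the quickest way to see what the policy will break: in the constructed sample the injected script is blocked, but so is any Flash object hosted outside the two listed domains, which is the kind of breakage a policy copied from an example produces when it is not checked against the site first.</p>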
]]></content:encoded>
			<wfw:commentRss>http://www.ralree.com/2009/06/30/implementing-mozillas-content-security-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pitfalls with digital health records</title>
		<link>http://www.ralree.com/2009/04/08/pitfalls-with-digital-health-records/</link>
		<comments>http://www.ralree.com/2009/04/08/pitfalls-with-digital-health-records/#comments</comments>
		<pubDate>Thu, 09 Apr 2009 01:36:38 +0000</pubDate>
		<dc:creator>Erik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[databases]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[health]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[politics]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.ralree.com/?p=22497</guid>
		<description><![CDATA[The more I hear about digital national health records, the more I worry about them with regards to security.  Various interpretations of the new legislation in the 2009 Stimulus bill could mean anything from implementing something like SAFEHealth, a decentralized system, to something like Google Health, which would centralize medical records.  I expect [...]]]></description>
			<content:encoded><![CDATA[<p>The more I hear about digital national health records, the more I worry about them with regard to security.  Various interpretations of the new legislation in the 2009 Stimulus bill could mean anything from implementing something like <a href="http://www.safehealthinfo.org/default.htm">SAFEHealth</a>, a decentralized system, to something like Google Health, which would centralize medical records.  I expect that a decentralized system will not be what the government will choose.  Proper usage of a decentralized system would be fine, but removes a lot of the utility promised by proponents of electronic health records, such as the possibility of access to updated health records from anywhere.  I&#8217;d like to start off with an alarming quote I found in <a href="http://www.technologyreview.com/biotech/21428/">this interview</a> with Karen Bell, director of the Office of Health IT Adoption at the U.S. Department of Health and Human Services:</p>
<blockquote><p>TR: What about the public-health benefits? Systems that house large quantities of patient data could enable new types of research studies.</p>
<p>KB: Absolutely, that&#8217;s something I get really excited about. It will totally break open our knowledge base. For example, I have been diagnosed with low-pressure glaucoma, which is fairly unusual. No one knows what causes it. I would love to be able to search the system for anyone with this form of glaucoma and start to look for similarities.</p></blockquote>
<p><span id="more-22497"></span><br />
I&#8217;d love to be able to do that too, except it would potentially violate the privacy rights of all of those individuals if they hadn&#8217;t agreed to specifically let you see their records.  If they were to elect to share their information to help others find similarities as she suggested, that would be fine, but we should not assume everyone will do that, and we would have to have a process for this election upon diagnosis.</p>
<p>The first issue to cover is whether the Internet will be used as the medium of record transfer, if point-to-point connections will be established using the phone system or another network, or if an entirely new network will be created to facilitate these transfers, like the financial network.  This article assumes the first option, especially since citizens will supposedly have access to the information online.  A separate network would be a much better solution, but would cost much more to deploy.</p>
<h2>Why does it matter?</h2>
<p>What are the non-privacy-related implications of Internet-accessible health records vs. them being on paper in a drawer?  Most of them have to do with hacking, bribery and blackmail.  Let&#8217;s say someone pays the Database Administrator of the health system $1,000 to change your health records to indicate you saw the doctor about gonorrhea (or they simply use a stolen doctor&#8217;s account, or they&#8217;re a hacker, etc. etc.).  Now, they give you a call, letting you know that they&#8217;ll tell your wife unless you pay $10,000.  Blackmail is a huge possibility.  This is possible now, but only by those who work with patient information physically.</p>
<p>One effect of the centralized hackable database of health records would be the illegal issuance of prescriptions for drugs like Valium, Oxycontin, etc. for a fee. All that would have to happen is a falsified entry into the database, and you can go down to the store and pick up your bottle. I don&#8217;t necessarily oppose loosening rules on prescription drugs, but creating a new electronic black market for health record falsification could prove dangerous. After considering this possibility further, it would be possible to remove prescriptions from the system as well, possibly endangering lives.</p>
<h2>So we should just use paper?  Come on!</h2>
<p>Now, I&#8217;m not necessarily against digitizing health records.  If each citizen, on the initialization of their record, was given a private key, and all the records were encrypted with the matched public key, and kept in a large central database, that would be fine.  Yet, there are problems with this too since in an emergency, the health records wouldn&#8217;t be accessible unless the patient was conscious and able to type their passphrase.  Therefore, there would have to be an override of some sort, which would destroy the security of the system.  This override could be a &#8220;health safety deposit box&#8221; provided to patients optionally by a private corporation, which would contain their passphrase for emergency use, and would be authorized for query by the living will of the patient.  This is the only possible way I can see for centralized health records to be implemented securely, but it seems to be unworkable at the moment.</p>
<p>So what about decentralization, which is what we currently have with paper and with the SAFEHealth system.  If the records were kept by the doctor, and encrypted with both his and the patient&#8217;s public keys (for patient confidentiality), that would be secure.  Of course, assuming the medium of transfer is the Internet, the decryption and changes would have to be done on a standalone computer to prevent the cleartext from being retrievable from the Internet, and any transfer to another office would involve re-encrypting the files with the other doctor&#8217;s public key, transferring of the result to an Internet-enabled machine, and the reverse process on the other end to read the records.  Because this is painful and time-consuming, doctors and administrative assistants (I like &#8217;secretaries&#8217; better, but whatever) would obviously skirt the security here.  And human involvement to decrypt would still be needed in emergencies.  I&#8217;ve just sent an email to SAFEHealth asking for more information about their system:</p>
<blockquote><p>Hello,<br />
I&#8217;m interested in learning more about how your system works at a deeply technical level.  Could you please point me to an explanation of exactly how records are stored, accessed, encrypted, decrypted, which keys are used, who generates those keys, and what network protocols are used to access the information?  Thanks.</p></blockquote>
<p>The only workable solution seems to be the patient signing away the rights of the government to make his/her health records potentially public information.  We&#8217;ve seen various scandals involving medical industry employees already, like <a href="http://www.scmagazineus.com/Octomoms-hospital-records-accessed-15-workers-fired/article/129820/">Octomom</a>.  Many people would sign this, especially if they went to different doctors all the time.  Many people don&#8217;t care about their medical records being public, so they&#8217;d do it for convenience.  But a process for removal from the system at any time should be available to all patients.  A system like this might complicate seeking diagnosis for things like alcoholism, opiate addiction, and mental health for fear that one&#8217;s employer might find out about the condition.  Any patient should be able to elect to use paper instead, and be responsible for the transfer of his/her medical records to medical professionals for treatment.</p>
<h2>But it&#8217;s for your own good!</h2>
<p>A dangerous assumption is that we must force the patient to allow doctors access to their medical records for his/her own good.  The fourth amendment exists to prevent this very thing from happening.  It could also be argued that random searches of homes would discover meth labs and would save children, but it is unacceptable in this country because of our natural right to privacy.  One way to assure access in case of emergency for those who have privacy concerns is by using a living will to allow access to the paper records assuming they&#8217;re filed somewhere accessible.  Private companies could provide medical record storage facilities for profit, and could be called in case of emergency need of the records (or as I described before, the passphrase to unlock the records).</p>
<p>If one thinks this article is scathing to the whole idea of digital health records, he/she should have a look at <a href="http://www.campaignforliberty.com/article.php?view=36">this one</a>.  While some of the same concerns and many more are brought up, different fears are addressed.  The corruption of government employees would also be a danger (which I touched on with the DBA bribe example earlier), but some of the later examples (the police officer having access) are a little unfounded and paranoid.</p>
<p>Microsoft and Google both have products for storing large amounts of health information.  When stories like <a href="http://www.technewsworld.com/story/Microsoft-Debuts-IE8-Only-to-Have-It-Hacked-66557.html">this</a> are appearing all the time, that really concerns me.  I&#8217;ll finish up with a good quote from <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9126279&amp;source=NLT_AM">this article</a>.</p>
<blockquote><p>&#8220;Ironically, HIPAA creates felony penalties if a doctor or hospital abuses the data, but there&#8217;s absolutely no penalties for a Microsoft or a Google because they&#8217;re not covered by the law,&#8221; Brailer said. &#8220;It&#8217;s nothing that they&#8217;re doing wrong. It just shows you the state of mind of Congress when that rule was written 10 years ago, because they never ever envisioned there would be online services managing health information.</p>
<p>&#8220;I think that&#8217;s a very high priority, because one consequence of the President-elect ramping up people&#8217;s attention to this is that people will come back to a lot of their fundamental worries about the protection of their health information,&#8221; Brailer said.</p></blockquote>
<p>I look forward to comments and suggestions for this post.  This is definitely a hot-button issue at the moment, and any constructive criticism will be appreciated, and probably responded to.</p>
<h2>Update 4/10/2009</h2>
<p>So, Lawrence Garber, Principal Investigator for SAFE Health, and I have had a great email thread going on the security details of their system.  It sounds pretty good, but there are still concerns.  Apparently, they use HTTPS over a VPN, which isn&#8217;t a bad solution for network traffic security.  Yet, the last response I received from him indicated the following:</p>
<blockquote><p>There&#8217;s no need or requirement to encrypt the data on the server because it&#8217;s within our physically, password-protected, and firewall secured datacenter. However passwords and credentials are encrypted.</p></blockquote>
<p>So, again, we&#8217;re back to the unhackable datacenter with unencrypted data idea, which, <a href="http://media.www.thenorthernlight.org/media/storage/paper960/news/2006/07/25/News/Uaf-Server.Hack.Discovered.Last.Year-2542582.shtml">from personal experience</a>, isn&#8217;t a good idea.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ralree.com/2009/04/08/pitfalls-with-digital-health-records/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA Made Easy</title>
		<link>http://www.ralree.com/2009/02/27/rsa-made-easy/</link>
		<comments>http://www.ralree.com/2009/02/27/rsa-made-easy/#comments</comments>
		<pubDate>Sat, 28 Feb 2009 05:41:07 +0000</pubDate>
		<dc:creator>Erik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[code]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[github]]></category>
		<category><![CDATA[learning]]></category>
		<category><![CDATA[rsa]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.ralree.com/?p=22383</guid>
		<description><![CDATA[After obsessing over it today, I decided to write a quick primer on RSA Encryption you can do in your head.  It&#8217;s pretty simple, and to the point.  The numbers are very small.  Try it out!
I plan to write some code implementing the algorithm.  That should be fun.
]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-22385" title="Lock Icon" src="http://www.ralree.com/newblog/wp-content/uploads/2009/02/lock.png" alt="Lock Icon" width="128" height="128" />After obsessing over it today, I decided to write <a href="http://github.com/hank/life/blob/d104176046f46d96399c9980213b3a2e6b3cd17b/docs/RSA.Fun.rdoc">a quick primer</a> on RSA Encryption you can do in your head.  It&#8217;s pretty simple, and to the point.  The numbers are very small.  Try it out!</p>
<p>I plan to write some code implementing the algorithm.  That should be fun.</p>
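<p>Added example, not the linked primer and not code from either this post or the health-records post above: textbook RSA with numbers small enough to check by hand (key generation, encrypt, decrypt, and recovering the private key by factoring the modulus, which is why head-sized numbers are a teaching device only), followed by the multi-recipient construction the health-records post describes, where one record is readable with either the doctor&#8217;s or the patient&#8217;s key.  A random data key is wrapped once per recipient public key and the record itself is encrypted under that data key.  The primes, the record text and the SHA-256 keystream used in place of a real cipher are all constructed for the example.</p>

```python
"""Textbook RSA with hand-checkable numbers, plus a two-recipient envelope.

Added example.  Unpadded RSA with tiny primes is for learning the arithmetic
only; the envelope shape (one random data key, wrapped once per recipient) is
the standard construction, with a SHA-256 counter keystream standing in for a
real symmetric cipher.  Requires Python 3.8+ for pow(e, -1, phi) and isqrt.
"""
import hashlib
import math
import secrets


def keygen(p, q, e=3):
    """Return ((n, e), (n, d)) for primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError(f"e={e} shares a factor with phi={phi}; pick another e")
    d = pow(e, -1, phi)          # e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(pub, m):
    """c = m^e mod n; the message must be an integer below the modulus."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def break_toy_key(pub):
    """Recover the private key by trial-division factoring of n.

    Instant for head-sized n, which is exactly why real keys use primes of
    roughly 1024 bits or more.
    """
    n, e = pub
    p = next(i for i in range(2, math.isqrt(n) + 1) if n % i == 0)
    return keygen(p, n // p, e)[1]


def _keystream_xor(data_key, data):
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks."""
    key = data_key.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(record, recipient_pubs):
    """Encrypt one record so that any of the listed public keys can open it.

    The data key is wrapped separately under each recipient's RSA key and
    stored by modulus, which stands in for a key ID here.
    """
    smallest_n = min(n for n, _ in recipient_pubs)
    data_key = secrets.randbelow(smallest_n - 2) + 2    # 2 <= key < every n
    return {
        "ciphertext": _keystream_xor(data_key, record),
        "wrapped": {n: encrypt((n, e), data_key) for n, e in recipient_pubs},
    }


def open_envelope(envelope, priv):
    """Unwrap the data key with one recipient's private key, then decrypt."""
    n, _ = priv
    data_key = decrypt(priv, envelope["wrapped"][n])
    return _keystream_xor(data_key, envelope["ciphertext"])


if __name__ == "__main__":
    pub, priv = keygen(5, 11, e=3)             # n = 55, phi = 40, d = 27
    print(pub, priv, encrypt(pub, 7), decrypt(priv, encrypt(pub, 7)))
    doctor = keygen(61, 53, e=17)              # the classic n = 3233 textbook key
    patient = keygen(101, 113, e=3)            # n = 11413 (constructed)
    env = seal(b"constructed record: visit 2009-04-08", [doctor[0], patient[0]])
    print(open_envelope(env, doctor[1]) == open_envelope(env, patient[1]))
    print(break_toy_key(doctor[0]) == doctor[1])
```

<p>With p = 5, q = 11 and e = 3 you get n = 55, phi = 40 and d = 27, and the message 7 encrypts to 343 mod 55 = 13, all doable in your head; <code>break_toy_key</code> then shows how little that key protects.  The envelope is the part that carries over to real systems: adding a recipient means wrapping the same data key one more time, not re-encrypting the record, and the emergency-access problem from the health-records post becomes the question of who holds an extra wrapped copy of that key.</p>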
]]></content:encoded>
			<wfw:commentRss>http://www.ralree.com/2009/02/27/rsa-made-easy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I&#8217;m the newest GSWoT GSI</title>
		<link>http://www.ralree.com/2007/07/19/i-m-the-newest-gswot-gsi/</link>
		<comments>http://www.ralree.com/2007/07/19/i-m-the-newest-gswot-gsi/#comments</comments>
		<pubDate>Thu, 19 Jul 2007 05:01:00 +0000</pubDate>
		<dc:creator>Erik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[gpg]]></category>
		<category><![CDATA[groups]]></category>
		<category><![CDATA[gswot]]></category>
		<category><![CDATA[pgp]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.ralree.info/2007/10/13/i-m-the-newest-gswot-gsi</guid>
		<description><![CDATA[


I have joined the GSWoT.  I am the newest Gossamer Spider Web of Trust Introducer!  This is a great honor, and I&#8217;d like to thank Kara Denizi for giving me the chance to join.  
Above, I&#8217;ve posted the current state of the keyring.  It also includes an outlier from my personal [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://ralree.info/assets/2007/7/19/gswot.neato.jpg"><br />
<img src="http://ralree.info/assets/2007/7/19/gswot.neato.small.jpg" /><br />
</a></p>
<p>I have joined the <a href="http://www.gswot.org">GSWoT</a>.  I am the newest Gossamer Spider Web of Trust Introducer!  This is a great honor, and I&#8217;d like to thank Kara Denizi for giving me the chance to join.  </p>
<p>Above, I&#8217;ve posted the current state of the keyring.  It also includes an outlier from my personal keyring.</p>
<p>Props to <a href="http://www.chaosreigns.com/code/sig2dot/usage.html">sig2dot</a> for creating that graph.  Here are the commands:</p>
<pre><code>
wget -O gswot.keyring "http://biglumber.com/x/web?keyring=5802;download=1"
sudo apt-get install graphviz imagemagick
wget http://www.chaosreigns.com/code/sig2dot/sig2dot.pl
# --keyring adds to your default keyrings; add --no-default-keyring to graph only gswot.keyring
gpg --list-sigs --keyring ./gswot.keyring | perl sig2dot.pl &gt; gswot.dot
# neato lays out the undirected spring model; dot would give a ranked layout instead
neato -Tps gswot.dot &gt; gswot.neato.ps
convert gswot.neato.ps gswot.neato.jpg
</code></pre>
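<p>As an added example (not the sig2dot script the post uses, and not code from GSWoT), here is a Python version of the same idea that reads the machine-readable <code>gpg --list-sigs --with-colons</code> output instead of the human-readable listing, which GnuPG does not promise to keep stable.  It records one edge per third-party certification (signature classes 0x10 to 0x13), skips self-signatures and subkey-binding signatures, and emits DOT for <code>neato</code>.  The keyring sample embedded in it is constructed; the key IDs and names are made up.</p>

```python
"""Signature graph (DOT) from `gpg --list-sigs --with-colons` output.

Added example, independent of sig2dot.  In the colon format, field 1 is the
record type, field 5 the key ID, field 10 the user ID and field 11 the
signature class ("13x" = level-3 certification, exportable).
"""

# Constructed sample keyring: three keys, all IDs and names made up.
SAMPLE = """\
tru::1:1184800000:0:3:1:5
pub:u:1024:17:AAAA000011112222:2006-01-01:::u:::scESC:
uid:u::::2006-01-01::HASH1::Alice Example <alice@example.org>:
sig:::17:AAAA000011112222:2006-01-01::::Alice Example <alice@example.org>:13x:
sig:::17:BBBB000011112222:2007-03-01::::Bob Example <bob@example.org>:13x:
sig:::17:CCCC000011112222:2007-07-19::::Carol Example <carol@example.org>:12x:
sub:u:2048:16:DDDD000011112222:2006-01-01::::::e:
sig:::17:AAAA000011112222:2006-01-01::::Alice Example <alice@example.org>:18x:
pub:u:1024:17:BBBB000011112222:2006-05-05:::u:::scESC:
uid:u::::2006-05-05::HASH2::Bob Example <bob@example.org>:
sig:::17:BBBB000011112222:2006-05-05::::Bob Example <bob@example.org>:13x:
sig:::17:AAAA000011112222:2007-03-01::::Alice Example <alice@example.org>:13x:
pub:u:1024:17:CCCC000011112222:2007-01-01:::u:::scESC:
uid:u::::2007-01-01::HASH3::Carol Example <carol@example.org>:
sig:::17:CCCC000011112222:2007-01-01::::Carol Example <carol@example.org>:13x:
sig:::17:EEEE000011112222:2007-02-02::::[User ID not found]:10x:
"""

CERTIFICATION_CLASSES = {"10", "11", "12", "13"}   # generic .. positive UID certs


def parse_sigs(text):
    """Return (names, edges): {key_id: user_id} and {(signer_id, signee_id)}."""
    names, edges = {}, set()
    current, in_subkey = None, False
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 11:
            continue                              # tru records, blank lines, etc.
        if f[0] == "pub":
            current, in_subkey = f[4], False
            names[current] = f[9] or current      # old gpg put the primary UID here
        elif f[0] == "uid" and current and names[current] == current:
            names[current] = f[9]                 # first uid record names the key
        elif f[0] == "sub":
            in_subkey = True                      # sigs that follow are binding sigs
        elif f[0] == "sig" and current and not in_subkey:
            signer, sig_class = f[4], f[10][:2]
            if signer != current and sig_class in CERTIFICATION_CLASSES:
                edges.add((signer, current))
    return names, edges


def to_dot(names, edges, include_unknown=False):
    """Render for Graphviz; signers absent from the keyring are dropped unless asked for."""
    lines = ["digraph keyring {", "  node [shape=box];"]
    for key_id, name in sorted(names.items()):
        label = name.replace('"', '\\"')
        lines.append(f'  "{key_id}" [label="{label}"];')
    for signer, signee in sorted(edges):
        if signer in names or include_unknown:
            lines.append(f'  "{signer}" -> "{signee}";')
    lines.append("}")
    return "\n".join(lines)


def certifications_received(names, edges):
    """How many distinct keys certified each key in the ring."""
    return {k: sum(1 for _, signee in edges if signee == k) for k in names}


if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(to_dot(*parse_sigs(text)))
```

<p>Usage would be <code>gpg --no-default-keyring --keyring ./gswot.keyring --list-sigs --with-colons | python3 keyring_graph.py &gt; gswot.dot</code> (the script name is mine); <code>--no-default-keyring</code> keeps your own pubring out of the listing, which is the usual source of an outlier like the one in the graph above, and <code>include_unknown</code> decides whether signers who are not themselves in the ring appear as bare key IDs.</p>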
<p>Pretty easy &#8211; I might have to use this in the future for more graphs and digraphs&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ralree.com/2007/07/19/i-m-the-newest-gswot-gsi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HOWTO: Export and Import Private GPG Keys</title>
		<link>http://www.ralree.com/2007/03/07/howto-export-and-import-private-gpg-keys/</link>
		<comments>http://www.ralree.com/2007/03/07/howto-export-and-import-private-gpg-keys/#comments</comments>
		<pubDate>Wed, 07 Mar 2007 19:34:00 +0000</pubDate>
		<dc:creator>Erik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[gnupg]]></category>
		<category><![CDATA[gpg]]></category>
		<category><![CDATA[pgp]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.ralree.info/2007/10/13/howto-export-and-import-private-gpg-keys</guid>
		<description><![CDATA[I had a problem today.  I wanted to encrypt something with my GPG Key.  It was only on my laptop.  Here&#8217;s what I did:

  gpg --export-secret-keys &#62; gpgkeyfile
  gpg -c gpgkeyfile
  shred -u gpgkeyfile

Then move gpgkeyfile.gpg to another computer.  To import them again:

  gpg -d gpgkeyfile.gpg &#62; [...]]]></description>
			<content:encoded><![CDATA[<p>I had a problem today.  I wanted to encrypt something with my GPG Key.  It was only on my laptop.  Here&#8217;s what I did:</p>
<pre><code>
  # export every secret key (public parts ride along) in binary OpenPGP format
  gpg --export-secret-keys &gt; gpgkeyfile
  # symmetric passphrase encryption on top of the keys' own passphrases; writes gpgkeyfile.gpg
  gpg -c gpgkeyfile
  # overwrite and unlink the plaintext; best-effort only on journaling or copy-on-write filesystems
  shred -u gpgkeyfile
</code></pre>
<p>Then move <code>gpgkeyfile.gpg</code> to another computer (the export holds the keys and their signatures but not the owner-trust values, which live in <code>trustdb.gpg</code> and travel separately via <code>gpg --export-ownertrust</code> and <code>gpg --import-ownertrust</code>).  To import them again:</p>
<pre><code>
  gpg -d gpgkeyfile.gpg &gt; gpgkeyfile
  gpg --import gpgkeyfile
  # the decrypted export is a full copy of the secret keys; don't leave it on disk
  shred -u gpgkeyfile
</code></pre>
<pre><code>
gpg: key 9140A8C7: secret key imported
gpg: key 9140A8C7: *** 1 new signature
gpg: key 5EF4A221: secret key imported
gpg: key 5EF4A221: public key *** imported
gpg: key 46C171A0: secret key imported
gpg: key 46C171A0: public key *** imported
gpg: Total number processed: 3
gpg:               imported: 2
gpg:         new signatures: 1
gpg:       secret keys read: 3
gpg:   secret keys imported: 3
</code></pre>
<p>Woo hoo!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ralree.com/2007/03/07/howto-export-and-import-private-gpg-keys/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wordpress is unsafe &#8211; pwned AGAIN!</title>
		<link>http://www.ralree.com/2007/03/03/wordpress-is-unsafe-pwned-again/</link>
		<comments>http://www.ralree.com/2007/03/03/wordpress-is-unsafe-pwned-again/#comments</comments>
		<pubDate>Sat, 03 Mar 2007 10:18:00 +0000</pubDate>
		<dc:creator>Erik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[blog]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[wordpress]]></category>

		<guid isPermaLink="false">http://www.ralree.info/2007/10/13/wordpress-is-unsafe-pwned-again</guid>
		<description><![CDATA[Well, it&#8217;s official:
Wordpress is a joke!!
Mephisto Wins!
]]></description>
			<content:encoded><![CDATA[<p>Well, it&#8217;s official:</p>
<h1>Wordpress is <a href="http://wordpress.org/development/2007/03/upgrade-212/">a joke!!</a></h1>
<p>Mephisto <strong>Wins!</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ralree.com/2007/03/03/wordpress-is-unsafe-pwned-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

