HealthVault: Medically, Legally, and Politically Savvy but Technically Uninformed.

Dr. Deborah Peel has endorsed Microsoft’s HealthVault PHR. From the Patient Privacy Rights press release:

PatientPrivacyRights.Org founder, Dr. Deborah C. Peel, will stand with Microsoft in Washington, D.C. today at a press conference to announce the launch of HealthVault.

Is Dr. Peel qualified to make this recommendation?

Please take a look at Dr. Deborah Peel’s bio; she has done an impressive amount of medicine and privacy activism. At least on this bio, she lists no formal computer science training. On the same page we find the bios of the other Patient Privacy Rights board members. Please note especially the bio of Tina Williamson (use this link as the one on the bio page is broken), who was formerly the Vice President of Marketing for a dot-com company. This work should count as negative experience for determining the validity of marketing claims as per source code. Perhaps the computer science expertise upon which Dr. Peel relies is on staff? Nope, no computer-science-trained staff there.

According to the Patient Privacy Rights website, there is no competent electronic security or privacy expert with actual computer science training associated with the Patient Privacy Rights organization. But remember, the Privacy Coalition is much more than just the Patient Privacy Group! It is made up of 45 different organizations with interests in patient privacy. Perhaps some of these organizations are informing Deborah Peel’s recommendation of the most abusive, monopolistic software company on the planet as the “leading” caretaker of the American consumer’s healthcare record.

Of the 45 organizations (which are probably great organizations…), only three are technology oriented. One of them is a meta blog site called NewsBull. For the moment I will assume that blogging expertise does not necessarily translate into informed insights into the complexities of protecting patient information, and I will exclude the possibility that informed recommendations came from NewsBull.

The other two organizations with a technical focus are the Electronic Privacy Information Center (EPIC) and Computer Professionals for Social Responsibility (CPSR).

From what I can tell, the most technically impressive person at EPIC is Simon Davies; the rest of the staff appear to be well-meaning policy types. I contacted him to see if he was informing Dr. Peel’s recommendation. His reply:

“I’m still looking into this technology and am hoping to find out more details on the security aspects fairly soon…”

Not exactly a glowing endorsement; instead it sounds like a typical statement from someone who recognizes the depth of complexity involved. I doubt that Dr. Peel’s technical assessment was informed by Simon Davies.

CPSR, on the other hand, is clearly the home of some very serious tech talent. CPSR was one of the organizations that fought the Clipper chip nonsense. It is currently led by Annalee Newitz and Fyodor Vaskovich, of nmap fame. These people obviously have enough technical muscle to make definitive statements regarding the security of Microsoft. I am still talking to them, but so far it does not seem like they were consulted. Fyodor’s first response to me began:

“Hi Fred. I wouldn’t trust Microsoft with my health records either….”

Somehow, I doubt that Deborah Peel asked the author of nmap what he thought about a PHR from Microsoft before delivering her unqualified recommendations. The fact that she might have had access to that level of expertise and did not insist on consultation is pretty shocking. Of course, it takes some insight to know just how important nmap and Fyodor are in security circles.

Why would someone make a recommendation like that without possessing a tremendous amount of technical savvy or without consulting someone who had a tremendous amount of technical savvy? Only someone who assumed that this was merely a legal/medical/ethical issue rather than a legal/medical/ethical/technical issue. I have a degree in psychology, and it would be the utmost hubris for me to question a prescription that Dr. Peel gave to one of her patients. It would be totally unethical for me to recommend specific drugs to a mental health patient, despite the fact that I have some informal on-the-job experience with mental health drugs.

The problem with psychoactive drugs, and with medical information privacy, is that the devil is in the details. If I were forced to choose an anti-depression medication for someone, I would probably choose one that I had worked around a lot, something with a big name that made me and my patients feel more comfortable. 8 times out of 10 my prescription might work fine, but I have no idea why it would not work the other 2 times, no idea how to determine if it was working or not, and no idea what to do to fix it. I have a four-year degree in mental health… what would it take for me to get that last 20% of prescribing potential? I would need two years of undergraduate courses in hard life sciences, followed by four years of medical school and then four years of residency. In short, to move from 80% accuracy in understanding of drug impact to something like 98% accuracy takes about a decade (not to mention the time required by board certification). Hardly seems worth it… until you think about how easy it is to kill someone with drugs. Would you want to see someone who was 80% sure that the drugs you were given would not kill you?

Psychiatrists are qualified to make recommendations for mental health drugs, but their medical training does not qualify them to examine source code and determine if it matches high-level privacy guidelines. Based on my personal experience, it takes at least 7 years to really have a clue about a specific technology area like this. I have been studying this for 13 years now, and I am often humbled when I discover just how little I know about this stuff. Even with over a decade of training I often feel overwhelmed about what I should do, just concerning the technical issues involved. I would never presume to move outside of my area of expertise to make any clinical decisions.

Dr. Peel should have the same humility when it comes to technical issues. Despite this, Dr. Peel has said “Microsoft is setting an industry standard for privacy.” I am not the only one who thinks that is ridiculous.

But wait, having expertise in medicine does not exclude expertise in Computer Science generally or electronic privacy specifically. It is possible to have both skill sets in one person.

What happens when a board-certified psychiatrist also has a master’s in Computer Science? What happens when the same person spent a decade studying the way information moves in a computer system AND a decade studying medicine? Then they write posts like this one from Dr. Valdes of LinuxMedNews. Granted, I tend to agree with Dr. Valdes on issues like software freedom and ethics in medical computing. Granted, there are experts at Microsoft who would be able to speak intelligently regarding the technical concerns that I am raising. Many of Microsoft’s experts have experience that is equivalent to Dr. Valdes’ training. But those experts are not speaking for 45 different organizations with legitimate interests in patient privacy endorsing a company with arguably the worst security and privacy track record ever. In short, Dr. Peel is guilty of hubris. While she may have good intentions and clearly has a sincere desire to protect patient privacy, she appears to be very much past her technical depth.

Of course I could be wrong. I have not seen Dr. Peel’s vita. If Dr. Peel will publish her full resume and it contains solid computer-science-based privacy training and experience that she has left off of her online biography, I will be happy to retract some of these criticisms. The only thing that can justify Dr. Peel’s endorsements is a full source-code review by a professional electronic privacy expert. If Dr. Peel can show that she had access to such a review, then I would be happy to retract some of these criticisms. Finding this article unchanged and unamended implies that my assumptions about Dr. Peel are, in fact, correct.

If HealthVault were to be successful it would be good for Microsoft’s bottom line, but terrible for our cultures. Indeed, Dr. Peel is right about one thing: Microsoft would be “leading” us. Those wearing shackles are often led by others.

-Fred Trotter

3 thoughts on “HealthVault: Medically, Legally, and Politically Savvy but Technically Uninformed.”

  1. Fred,
    Let me ask you a couple of questions. Do you think it is alright that insurance companies (i.e. BC/BS and Aetna) are in collusion with each other sharing common data fields across their databases about our health records? Or how do you feel about our government wanting to create one big database of health data? You obviously have a passion and great acumen for our health records; but at this point it is NOT a technology issue. I wish that you would concentrate your writing talent on PHRs and how the American people need to be involved in what is happening (not just Microsoft and Google and Dossia) but what is really happening. Thank GOD for Dr. Peel (I have no connection to her) and her initiatives. Our government and this next election are what we should ALL be scared about. I have always said to guru technical guys… look at the big picture, because the issues about what is happening to our health records are so far from a technology issue.

  2. Regarding insurance companies. I wholeheartedly disapprove of many things that insurance companies do. But I am not an insurance expert and so I cannot really do much about that.

    Regarding “one big database of health data”. I am absolutely for it, as long as the database uses de-identified data. There is no other way to measure progress on public health issues. Again, the “big picture” actually requires understanding of some pretty subtle technical issues. What algorithm should be used to de-identify? What role should one-way hash functions play? Which one-way hash function should be used? I think you may be in danger of missing the trees for the forest.

    Regarding “this point it is NOT a technology issue”. My point is that it is not only a technology issue and not only a policy issue.

    Regarding Dr. Peel’s initiatives: I think her initiatives previous to her work with Microsoft have been first rate. I have looked over her testimony in Congress and I am very happy with many of the things she said. I have a lot of respect for her policymaking positions, but not her technology positions.

    Regarding politics: I try to focus on areas where I can make the most difference, and the next presidential election is not it.

    Hope that is clearer.
