The following text is copyright 2007 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

Microsoft HealthVault requires a suspension of disbelief

 

By: Scott Bradner

 

In what at first glance seems to be a bizarre move, Microsoft recently announced HealthVault (http://www.healthvault.com/), a service that wants you to upload your most private heath records so that they can be accessed by others.  The idea is not too too bizarre -- although there are very real problems with Microsoft's approach and the concept itself.  However, it is bizarre for Microsoft to think that people will trust the company widely disparaged as a prime cause of the security problems on the Internet today.

 

Records are created every time we go to a doctor, dentist or any other health care professional.  Records are also created when we buy prescription drugs, get medial tests etc.  Over the years a person can wind up with a lot of records in a lot of places.  These days many of the records are electronic, but that is relatively new, but even when the records are electronic the data formats are often very different.  Electronic health record standards have been developed (http://emradvice.wordpress.com/category/hl7/) and, over time I expect that new systems will wind up with compatible databases.  But, even with that, it will be a very long time before most of the medical records about anyone over the age of 10 will be in any standards-based electronics form. 

 

There has been a push for a long time to get medical records into a form that can be quickly accessed by, for example, emergency room workers so that appropriate treatment can be provided when a patient shows up on the doorstep.  (See for example, http://nursing.about.com/od/issuesaffectinghealthcare/a/electronicrecor.htm) This does sound quite important but many of the people pushing for this only focus on solving their own problems and tend to ignore or at least down play other issues such as privacy. 

 

One way to medical records available is to put them in one place and then let approved people access them there.  Along comes Microsoft to propose that very thing.  HealthVault is a service that lets a user upload and maintain medical information in a Microsoft server then   enable specific people to access the information.  As announced this "service" will flop.  For example, the idea that anything like a reliable and useful set of records could be created and maintained by individuals without getting records directly from the health care providers that create the information is laughable. 

 

Microsoft also has a very long history of inattention to security to overcome to get many people to trust it with this kind of data.  The two privacy statements on the web site (ttps://health.live.com/content.aspx?id=help/privacy.htm&rmproc=true and https://account.healthvault.com/help.aspx?topicid=PrivacyPolicy&rmproc=true) do not help all that much.  They do not provide any assurance about the architecture and operation of the systems that will store the data and, inexplicably, say that Microsoft can send your private medial records to anyplace in the world they do business.

 

Microsoft's security reputation is not the biggest problem with this concept.  A far bigger problem is the very idea of putting information of this type in one place without very strong laws governing access.  A database like this will be a magnet that will attract lawyers of every stripe from divorce to employment, insurance companies, employment agencies, your employer, credit bureaus, and law enforcement agencies.  All of whom will see that their own access, without the permission or even over the objections, of the individual, as totally justifiable. 

 

It is also totally predictable that someone, acting in what they think is the best interested of the people whose information is in the database, will wind up opening it up in a way that effectively removes all user control over the spread of the information.  This is not theory - see http://www.msnbc.msn.com/id/9341207/.

 

For me, if anyone is going to collect such information it better be a hospital - at least there are laws that apply to their handling of the data - even they I still do worry since information in the form of bits is so slippery.

 

disclaimer: For the vast majority of Harvard's existence electronic records of any kind were not a issue - they are now but the university has not expressed an opinion on the wisdom of collecting information on the operations of your body parts and outsourcing its protection to Microsoft - thus the above opinion is mine.