This story appeared on Network World at
http://www.networkworld.com/columnists/2007/100907-bradner.html
Microsoft HealthVault requires suspension of disbelief
'Net Insider
By Scott Bradner, Network World, 10/09/07
In what at first glance seems to
be a bizarre move, Microsoft recently announced HealthVault, a service that
wants you to upload your most private health records so that they can be
accessed by others.
The idea actually is not too
bizarre — although there are very real problems with Microsoft's approach
and the concept itself. However, it is strange for Microsoft to think that
people will trust the company widely disparaged as a prime cause of security
problems on the Internet today.
Records are created every time we
go to a doctor, dentist or any other healthcare professional. Records are also
created when we buy prescription drugs, get medical tests, etc. Over the years
a person can wind up with a lot of records in a lot of places. These days many
of the records are electronic, but that is relatively new, and even when the
records are electronic, the data formats are often very different.
Electronic health record standards
have been developed, and over time I expect new systems will wind up with
compatible databases. But even with that, it will be a very long time before
most medical records about anyone over the age of 10 will be in any
standards-based electronic form.
There has been a push for a long
time to get medical records into a form that can be quickly accessed by, for
example, emergency room workers so that appropriate treatment can be provided
when a patient shows up on the doorstep. (Read an example here.)
This does sound quite important,
but many of the people pushing for this only focus on solving their own
problems and tend to ignore or at least downplay other issues, such as privacy.
One way to make medical records
available is to put them in one place and then let approved people access them
there. Along comes Microsoft to propose that very thing. HealthVault is a
service that lets a user upload and maintain medical information in a Microsoft
server, then enable specific people to access the information. As announced,
this "service" will flop. For example, the idea that anything like a
reliable and useful set of records could be created and maintained by
individuals without getting records directly from the healthcare providers that
create the information is laughable.
Microsoft also has a very long
history of inattention to security to overcome before many people will trust it
with this kind of data. The two privacy statements on the Web site (here and
here) do not help much. They do not provide any assurance about the
architecture and operation of the systems that will store the data and,
inexplicably, say that Microsoft can send your private medical records to
anyplace in the world it does business.
Microsoft's security reputation is
not the biggest problem with this concept. A far bigger one is the very idea of
putting information of this type in one place without very strong laws
governing access. A database like this will be a magnet that will attract
lawyers of every stripe from divorce to employment, insurance companies,
employment agencies, your employer, credit bureaus and law enforcement
agencies. All of them will see their own access, without the permission or
even over the objections of the individual, as totally justifiable.
It is also totally predictable
that someone, acting in what they think is the best interest of the people
whose information is in the database, will wind up opening it up in a way that
effectively removes all user control over the spread of the information. (This
is not theory. Read about it here.)
For me, if anyone is going to
collect such information it had better be a hospital — at least there are
laws that apply to their handling of the data. Though I still worry even about
them, since information in the form of bits is so slippery.
Disclaimer: For the vast majority
of Harvard's existence electronic records of any kind were not an issue. They
are now, but the university has not expressed an opinion on the wisdom of
collecting information on the operations of your body parts and outsourcing its
protection to Microsoft. Thus, the above opinion is mine.
All contents copyright 1995-2007
Network World, Inc. http://www.networkworld.com