
Could the answer to healthcare privacy lie in the Hippocratic Oath? (Watch)

“Current privacy laws like HIPAA don’t protect us. The privacy protections we have don’t match the real-world privacy risks,” cybersecurity expert Bruce Schneier said in a newly released video from TEDMED 2016.

Even in the information age, the answer to healthcare privacy might lie in an ancient concept: The Hippocratic Oath.

According to cybersecurity professional and author Bruce Schneier, the traditional oath all physicians take regulates medicine at the edges, where doctors meet patients.

“Modern medical privacy law tries to regulate in the center. It centralized rules about data privacy, and it’s a bad idea that’s not working,” Schneier said at TEDMED 2016 in Palm Springs, California, last fall. TEDMED organizers posted the video of his talk last week.

“It’s time to go back to regulating at the edges,” Schneier said.

“Current privacy laws like HIPAA don’t protect us. The privacy protections we have don’t match the real-world privacy risks,” he said. That is because they cover the healthcare industry rather than the data.

“HIPAA is basically a liability shield for healthcare companies,” according to Schneier. It has driven people to stop sharing “intimate details” with their physicians, sometimes leading to misdiagnosis or treatment avoidance, he argued.

“In order to bring medicine into the technological age, we need to make the medical data network look more like the internet,” Schneier said.


Early healthcare data networks look more like the old-fashioned telephone grid, with a smart central hub and dumb devices at the user level. The internet has flipped that equation in the telecommunications world, but healthcare has not completely caught up, he said.

That has to change with the advent of data-driven medicine, which is augmenting each person’s “medical data shadow,” as Schneier put it. “It’s the sum total of all the health and medical information about you,” he explained.

“You’d be amazed at what kind of adventures your medical data shadow is out there having,” Schneier said.

The problem, according to Schneier, is that neither patients nor their physicians control the technologies that store and process medical data. “They’re owned by medical institutions as strategic corporate assets,” he said. “They’re owned by lots of third parties, all of whom buy and sell your data.”

Individuals usually don’t even get to dictate who uses their data. “The medical data economy is largely invisible. This has to change. You, the patient, need to be at the center of your data,” he said.

In his view, patients should be able to access their own records wherever and whenever they want, correct errors and decide who gets to see them.

The idea of patient privacy dates back perhaps 2,500 years, to the advent of the Hippocratic Oath, Schneier contended. For centuries, individual doctors generally kept patient records. Now, institutions hold medical data.

“Meanwhile, the internet has brought us the surveillance economy.” Medical information gets sold as much as any other kind of data that drives revenue for internet companies.

He noted that pacemaker manufacturers won’t even give complete data streams to patients or physicians — a policy that pacemaker recipient Hugo Campos has been publicly fighting for years. “None of these companies are staffed by people who took the Hippocratic Oath,” Schneier said.

The answer, he said, is to rethink handling of patient data. “We need privacy rules that are patient-centric, and not institution-centric.”

In his view, patients should be able to control access to data and have a right to know who is using their data and for what purposes. This means freeing algorithms locked inside medical devices and proprietary software.

“The goal is to move medical records out of the large institutions and into patient control, and to protect that data wherever it is,” Schneier said.
