October 9, 2007

Microsecurity on Microsoft’s HealthVault?

Filed under: — mlazoff

Last week, Microsoft unveiled HealthVault, the highly promoted collection of next-generation (Web 2.0) consumer health-related projects. Online now is a personal health record (PHR), which allows for traditional data storage within a consumer-controlled portal through which Microsoft-partnered doctors, clinics and hospitals can, with patient permission, also view the PHR and communicate information and test results back to the patient. According to a New York Times article from October 4th, Microsoft Rolls Out Personal Health Records, “The organizations that have signed up for HealthVault projects with Microsoft include the American Heart Association (AHA), Johnson & Johnson LifeScan, NewYork-Presbyterian Hospital, the Mayo Clinic and MedStar Health, a network of seven hospitals in the Baltimore-Washington region. The partner strategy is a page from Microsoft’s old playbook. Convincing other companies to build upon its technology, and then helping them do it, was a major reason Windows became the dominant personal computer operating system.” The article provides examples of several corporate collaborations: an online blood pressure management tool created by Microsoft and the AHA, where data can be entered by the patient or the physician; a glucose monitoring tool for diabetics who use LifeScan meters; and a way for patients within partnered healthcare systems to receive and store test results, such as their EKGs.

A second site feature provides access and storage facilities for selected consumer health information using Microsoft’s clustering HealthVault search engine, now in beta testing. Microsoft states that all searches are anonymous. The results page includes Sponsored Results. For more information, see Microsoft Debuts HealthVault, an article posted the same day on the Digital Healthcare and Productivity Web site.

Privacy issues around the PHR and its associated features are also addressed. According to the New York Times article, “Microsoft’s privacy principles have impressed Dr. Deborah Peel, chairwoman of the Patient Privacy Rights Foundation, a nonprofit group. In terms of patient control, and agreeing to outside audits, ‘Microsoft is setting an industry standard for privacy,’ said Dr. Peel.”

A news release on the Foundation’s Web site announces that Microsoft “sought advice” from the Foundation in preparing HealthVault and that Dr. Peel appeared with Microsoft at the press conference announcing its launch. A multi-institution academic research technical privacy center with no known relationship to Microsoft today posted an article on its Web site asking, Is The Vault Really Protecting Your Privacy? “When the Health Insurance Portability and Accountability Act (HIPAA) was enacted, we did not envision that private software firms would eventually want to create databases for our health records. As a result, HealthVault and other PHR systems are not subject to the same privacy and security laws to which traditional medical records are subject in the United States because they are not ‘covered entities’ as specified in the HIPAA…Microsoft appears to have sought the counsel of physicians [Dr. Peel] who believe that patient consent is the best indicator of privacy protections. Unfortunately, most physicians do not understand the subtleties buried within healthcare privacy statements within the context of the software that implements those statements…The hype surrounding HealthVault’s privacy protections among those in the medical community must be balanced with the reality of the information security and privacy practice expressed in its public privacy statements.”
