Europe: ‘All your medical data belong to us’.

 

 

The last couple of weeks there has been a huge discussion in The Netherlands about the introduction of infrastructure making it possible to retrieve patient’s medical data from system A to give an insight to a caretaker in a different location. The Dutch senate voted the structure out unanimously by stating it was lacking on security measures and violated the privacy of the patients.

This led to private insurers and some other stakeholders to form a group and implement the system anyway. A large group of medical doctors filed a lawsuit on the basis of violation of doctor- patient privilege; we’re expecting a ruling on the 19th of December.

We started to do some international research and found a remarkable resemblance in the same sort of systems being pushed almost worldwide and yesterday we hit the jackpot by locating EpSOS, a European large scale project already in the testing phase making it possible to collect medical records of all Europeans.

 

EpSOS

 

You may have never heard of it, we surely hadn’t but the formal documented decision process to create an interoperable Electronic Health records (EHR) system goes back as far as 2003 from what we could find on the web.

According to Tiani, the company building the software ‘…The next step, the interconnection between Europe and the United States, was demonstrated at the HIMSS’11 in Orlando..’¹

Let’s give you a moment to catch your breath; interconnection between the EU and the US. The US being the country living under the Patriot act.

EpSOS² is being sold to the public as a wonderful structure for all Europeans travelling in need of medical care abroad. By logging on to a portal a doctor on your holiday in Greece can enter your unique identifying code (EU wide code implemented by the EC used for all EU communication). This will trigger the system to collect data from all hooked up medical systems and dump it into a document as a summary or as a document containing all of your used medication.

Sounds nice right?

Let’s dig into some basic assumptions.

 

Basic assumptions

 

-       The quality of healthcare improves when medical workers have access to patient’s medical records.

We’ve been searching for weeks and haven’t been able to come up with one methodologically sound piece of research that proves beneficial health outcomes. It’s based on some sort of logic thought or gut feeling. It may well be that expected benefits are outweighed by three other major effects, namely standardization effects, tunnel vision and self censorship.

In order for an interoperable system to work, rigorous standardization of terminology is needed, to translate free text into another language is virtually impossible to do in a reliable manner.

Standardization has evident negative effects; it strips a medical file of all context³.

The assumption that the information in the system is correct is another diagnostic obstacle, it may lead to the caretaker relying too heavily on the data in the medical file and making the same mistake(s) a prior health worker made.

The last effect, self censorship, may be the most devastating. Privacy is a basic human need. The conversations you have with your doctor are privileged, you share sensitive issues. The mere thought of possibly millions of health workers being able to access your information, will lead to a person thinking twice about sharing for instance a drinking problem with your physician.

One can only guess what the health and societal effects of this line of reasoning will be.

 

The justification for EpSOS

 

By far the largest groups that could probably benefit from interoperable EHR’s are the chronically ill and the elderly. These groups however travel the least. Why would the EU and all the corporations involved spend a huge amount of money on an interoperable infrastructure that won’t be used all that often?

To answer that question we had to do some serious digging since the system is being sold as this fantastic infrastructure benefiting the EU citizens. What we found is data mining, integration with other systems for predictive medicine and surveillance, usage of the data for clinical research purposes and risk modeling.

Apparently one of the major reasons for rigorous standardization as stated in a report by the European commission⁴ is ‘..Ensure the necessary data quality and consistency to enable rigorous secondary uses of longitudinal and heterogeneous data: public health, research, health service management…’  

In this standardization the WHO is involved as well.

In another EC article⁵ some digging is done into all the benefits which could mount from all sorts of data mining and risk management activities.

One might note that there’s little to no scientific evidence⁶ supporting the assumption that risk modeling has beneficiary effects on the quality of healthcare nor cost efficiency.

 

Integrating other systems

 

A first example of an EU wide project which marks the end of medical data confidentiality is the Active and healthy aging project⁷.

All old people’s relevant medical, social, environmental, cultural and economical data will be used in order to save costs, prolong their lives and boost industry profits.

The plan uses offensive terminology about our elderly like ‘from burden to asset’.

It also strips them from their patient’s rights by using a loophole from article 14 of the EU directive on patient’s rights cross border⁸.

Can you be sure your medical data won’t be used to create a monstrous livelong file with all of your other data integrated? No you can’t. Those with unlimited trust in governments are highly recommended to read Falkvinge’s article  ‘ Debunking the dangerous if you have nothing to hide, you have nothing to fear’ ⁹

For some examples; it took the Dutch police less than 24 hours after introduction of the public transportation chip to demand the personal data of all travelers on a certain tram to catch a suspect of a crime and the Danish were forced to give the US access to their DNA database.

On top of this, American companies are involved in building the infrastructure and software which puts them under the Patriot act. This means effectively that companies who get served with a gag order aren’t even allowed to inform the European union if data have been ceased.

 

Will your medical data be secure from unauthorized entrance and hacking?

 

No they won’t be. Even though entering the system by medical workers who have no business accessing your files leaves a digital trace, you can’t block it upfront. You are not needed to access your data. Having a hold of your E-identification code will do.

As for hacking, surely the system will be better secured than the average doctor’s computer files, but on the other hand the enormous scale of the possible loot will attract the best hacking criminals in the world. Medical files are even stolen for ransom money and since 2009 in the US alone 21 million files have been stolen.

 

 

Conclusions

 

By far, most medical aid is given within 25 kilometers of the patient’s house so there is no justification for European let alone global interoperable EHR systems.

Patients who travel who have specific allergies and/or use medication could carry a written medical passport.

There’s no need for big data and total control of the EU population by using all sorts of unproven risk and predictive models and by cross matching our data.

Improving healthcare starts with bigger investments in education instead of killing the quality of our educational systems by austerity measures.

It also starts with taking away restrictive rules which make it almost impossible to help the sick and old ourselves as a society.

If the industry, medical staff or governments need steering data, they can ask by using a system that will give us the possibility to log on anonymously.

Surely E-health can have good benefits but the success of implementation is highly dependent on normal scale usage.

One could pledge for regional EHR’s with a maximum of about 200.000 patients in them and loose infrastructure, built Open source, crowd sourced by the IT community and certainly not with the involvement of American companies under the Patriot act.

People don’t trust huge data systems that contain their unique identifying code and they are right not to.

 

 

Literature

1.)     http://www.tiani-spirit.com/us/solutions.php

2.)     http://www.epsos.eu/

3.)     http://www.huffingtonpost.com/janet-dillione/electronic-medical-records_b_872343.html

4.)     http://www.calliope-network.eu/Portals/11/03_Thun_TerminologyManagement%20%5BCompatibility%20Mode%5D.pdf

5.)     http://www.ehealth-for-safety.org/news/documents/eHealth-safety-report-final.pdf

6.)     http://prognosismethods.cochrane.org/sites/prognosismethods.cochrane.org/files/uploads/2012,%20Moons%20et%20al,%20overview%20risk%20prediction%20modeling%20part%202%20Heart.pdf

7.)     http://ec.europa.eu/research/innovation-union/pdf/active-healthy-ageing/presentation.pdf#view=fit&pagemode=none

8.)     http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:088:0045:0065:EN:PDF

9.)     http://falkvinge.net/2012/07/19/debunking-the-dangerous-nothing-to-hide-nothing-to-fear/