February 21, 2007

Prescription Records for Sale

In January 2007, the new National ePrescribing Patient Safety Initiative (NEPSI) debuted with a high-profile article in Time magazine.

This web-based system is supplied free of charge to physicians, ostensibly to reduce prescription error rates. Revenue to pay for the information system comes from the participating pharmacies and insurers who save time and money.

Now there are accusations that this database has been developed to give drug marketers, insurance risk assessors, and employers access to patients' private prescription records.

According to a Government Health IT article, all the prescription records stored in the new NEPSI database are for sale:

Security makes little difference because every identifiable prescription in the country is data mined and sold daily. Nobody needs to break into pharmacies to steal our prescriptions; they are for sale. For example, market intelligence firm IMS Health reported revenues of $1.75 billion in 2005 solely from the sale of prescription records, primarily to drug companies.

In another article, Dr. Peel says that NEPSI sells data to large employers:

In 2006, the national Blue Cross and Blue Shield Association announced its Blue Health Initiative to aggregate and sell the claims, medical and prescription data of all 79 million enrollees to large employers. This database will include far more detail than e-prescription records, making the sales of Blues data worth far more than the billions in revenue from selling e-prescription records alone.

But Allscripts CEO Tullman denies that prescription data will be misused:

Patients and physicians will have unique access to all the information. It's not our data. We don't claim it's our data. [...] Google will have no access to data we receive as part of the electronic prescribing process.

What can you do?

  • Ask your medical care providers if they use the web-based NEPSI electronic prescription system.
  • Consider refusing prescriptions for conditions that you would not want your employers or government to know about. Some doctors will give out samples to their patients, and this might be a sufficient quantity to forgo a formal prescription.
  • A cash transaction by itself won't keep you out of the NEPSI database because it contains patient information and the prescription itself, not just billing information like an insurer's database might.
February 9, 2007

Laptop data searches at border checks

U.S. courts have approved border agents' search of travelers' laptops without articulable probable cause.

Indications are that U.S. and Canadian customs officials are searching laptops for pornography and obscene material.

Some travelers report being asked if the laptop they were carrying was a personal or company unit. Presumably, corporate laptops are less likely to be checked for obscene material than personal units are.

Authorities also have the ability to conduct forensic computer searches at border crossings and have done so in the past.

Data transmitted across national borders via the Internet is more strongly protected than data hand-carried through Customs checkpoints, because wiretaps must comply with the requirements of Title III, 18 U.S.C. §§ 2510-2522, or the Pen/Trap statute, 18 U.S.C. §§ 3121-3127. The few advantages of hand-carry are totally lost if one cannot be assured that the data hasn't been copied, or that software or hardware spying mechanisms haven't been implanted within it.

Travelers with sensitive or legally privileged data will want to Customs-proof their laptop before crossing a controlled border. Strong encryption is the best tool to protect data that must be hand-carried through Customs instead of residing on a remote server. Some organizational IT departments are investigating hardware hard-disk encryption, sometimes combined with hardware biometric readers.

It is unclear at this time whether a traveler can be forced to divulge a password. One privacy wonk has suggested wearable or concealable USB drives as a measure of protection.

February 3, 2007

The power of data mining

An exercise in finding subversives through Amazon.com wishlists illustrates the power of data mining:

It used to be you had to get a warrant to monitor a person or a group of people. Today, it is increasingly easy to monitor ideas. And then track them back to people. Most of us don't have access to the databases, software, or computing power of the NSA, FBI, and other government agencies. But an individual with access to the internet can still develop a fairly sophisticated profile of hundreds of thousands of U.S. citizens using free and publicly available resources. Here's an example.

There are many websites and databases that could be used for this project, but few things tell you as much about a person as the books he chooses to read. Isn't that why the Patriot Act specifically requires libraries to release information on who's reading what? For this reason, I chose to focus on the information contained in the popular Amazon wishlists.