Electronic health records: don't get me wrong

The post below about my experience at a health panel at SXSW may have left the impression that I'm opposed to Personal Health Records or its superset, Electronic Health Records. Far from it. At the start of the panel, the moderator showed this video from one of the EHR vendors. Yes, it's a bit over the top, but it does fairly lay out the problem. The failure to ditch paper records and go electronic wastes a tremendous amount of money and costs many lives per year.

EHR is coming; there are too many reasons for it not to. It is going to be a crucial part of any political plan for healthcare reform; both Clinton and Obama have it as a cornerstone of their plans, and many Republicans support it (though it is notably missing from McCain's campaign site. And if you look at his healthcare page, it's a freaking joke; it's all platitudes and bullshit GOP nostrums like tax credits that won't do a damn thing to solve the real problems that face us). But EHR must be implemented in a way that doesn't lock in the patient to any one vendor's system.

Microsoft HealthVault: I remain unconvinced

At SxSW today, I attended the Transforming Hospital Systems: The Digital Future of Healthcare panel. In it, we got a pitch from the Microsoft representative for their entry into the electronic medical records field, Microsoft HealthVault.

I asked him the following question, which I admit was kind of tough:

"Microsoft operating systems and software are famously insecure, and Microsoft itself has the unfortunate reputation for being a corporate predator. What is Microsoft doing to win the trust of medical consumers, and show them that Microsoft would be a good steward of their private medical information?"

His answer was disappointing. He admitted that Microsoft has had problems in the past, but claimed that the premise of my question was based on outdated information about the security of Microsoft products. He didn't provide an answer about what proactive steps Microsoft was taking to reassure people about the safety of their medical data.

In my view, merely asserting that security problems are a thing of the past, then in effect asking for the public's trust, is woefully insufficient. We still often hear reports of malware and security breaches in Microsoft products. And many people (I'm not one of them, btw) believe that Microsoft is just plain evil; bland assurances of safety will not cut the mustard.

Another issue wasn't dealt with in the panel, and I can't find a mention of it on the HealthVault site, either. That's the Roach Motel problem, where your data checks in, but it never comes out of the Microsoft system. In the past, Microsoft has been infamous for that kind of lock-in, implemented through proprietary formats and by providing no tools for extracting data. According to the site's privacy statement, you can delete your account and personal information, but there's no mention of ways to get the data &mdash your data &mdash out of the HealthVault system, should you choose to switch to another electronic medical records system.

It's clear that all of these systems, from Microsoft, Google, or others, must be required to have an interchange format that all of them can read and write. That's obviously something that would need to be mandated by the government, and possibly regulated, too.

Without a much better answer for health information security, and without knowing how my medical records can be made portable, there's no way I'd be interested in using HealthVault. A name that merely connotes security is no substitute for real security.