Sunday, February 19, 2012

Trust in the Machine

[Image: Enigma Machine]
We talk about trust a lot these days. Trust is one of those things that the scarcer it becomes, the more you find yourself thinking and talking about it. Trust is also a very fragile entity, and it comes in a continuum of shades and magnitudes, from trusting your alarm clock, to implicitly trusting your mom, to trusting in God. Trust can be based on exact understanding (the alarm clock), reinforced by repeated experience (mom), or be a matter of pure faith (God). Trust that needs to be verified is no trust at all. Trust usually comes into play when one willingly relinquishes control over certain outcomes to a trusted entity. The amount of trust involved is in direct proportion to the importance of the expected outcomes, so “I trust you with my life” is very different from “I trust you to deliver my mail”.

For a while now, I have been following ONC’s efforts to build public trust in health information exchange and electronic health records, summarized in this appeal to patients: “If your health information is sent or used electronically, it's important that you trust the systems that protect it.” Yes, it is important, and it is also not much different from trusting the United States Postal Service (USPS) to deliver your mail. You trust that your letter will be delivered in a timely manner to the intended recipient and nobody else. You trust that it will reach its destination in one piece, that nobody will open and read your letter in transit to “provide you with better service”, and that the USPS will not make copies of your letters and otherwise use them or sell them to the highest bidder. Tampering with other people’s mail is a Federal offense subject to fines and jail time. Pretty good start, if you ask me.

When we advanced from paper letters to email, we paid a price for the convenience and instant delivery. Regular electronic mail has no envelope. Your email service provider reserves the right to read all your emails and use their content any way it sees fit. Unless you take special precautions, anyone sitting on the path between you and the recipient could intercept your mail and derive some joy from reading it too. Interestingly enough, most people have grown indifferent to this loss of privacy. Now we are contemplating the exchange of health information through similar mechanisms, and we are being told that we should really use envelopes, that is, encrypt each message, when exchanging health care information.

Our health care providers have been exchanging information about us for quite some time, and much of it is done over the Internet now, but instead of using a public postal service they established private networks and secured those as best they can, thus obviating the need for envelopes. This is very much like the diplomatic pouch system, where the channel itself is secured but each document inside it is not necessarily locked down. To be fair, the amount of data exchanged between health care providers (prescriptions, lab results, claims, radiology images, etc.) is so massive that it would be rather inefficient and expensive to start putting each message in its own separate envelope, which in practice means issuing, distributing and renewing a certificate and key pair for every correspondent. The individual envelope system does make sense for exchanging small pieces of information with patients, and even for small health care providers that communicate with each other and with larger ones infrequently.

But this is not just about envelopes. It is also about making sure that our messages go to the intended recipient and that we can be certain the sender is who he says he is. The last part is a bit tricky, and the USPS, for example, never purported to verify the sender’s identity, maybe because mail fraud is punishable by up to 30 years imprisonment. In the absence of similar laws for health information exchange over the Internet, we are being told that technology exists to protect us just as well. These technologies consist of software tools for authentication, non-repudiation, integrity, availability and confidentiality, and the associated paraphernalia of cryptography: ciphers, encryption, public key infrastructure, passwords, biometrics, tokens and the networks of machines that support this mathematical infrastructure.

There may be value in explaining the technology to people, but even the most technology-challenged folks amongst us know enough to trust the machine, just like we know enough to trust that the alarm clock will go off in the morning, or that the TV will turn on when we push the power button. And we do understand that a certain rate of failure is to be expected. But, and there is always a “but”, we are not the ones pushing the buttons here. All these wondrous technologies are applied by an intermediary. Basically, we are delegating the stuffing and opening of envelopes to someone else, and that someone else is not your trusted secretary of 25 years. It is a complete stranger, and whoever holds the private key that opens the envelope is the one who can read what is inside; when the envelope service generates and keeps that key on your behalf, that is the service, not you. If we are to comfortably exchange our secrets over the Internet, we must somehow trust that those intermediary folks are not reading our messages for entertainment in the lunch room, or making copies to read later or to sell to interested parties. It’s not about technology. It’s not about trust in the machine. It’s about trust in the operators, and we know next to nothing about those operators and their interests other than that they are called Health Information Service Providers (HISPs) and could be large clearinghouses like Surescripts, or your own EHR vendor, or a local health information exchange organization, or an independent technology firm, or anybody else selling electronic envelope stuffing and opening services.

There is of course HIPAA, and there are all the new regulations specifying what needs to be encrypted, how and when it should be exchanged, who gets to be the keeper of the keys, and the process by which we choose to participate or not. People have an expectation of privacy when seeing a doctor, although with the advent of health insurance, those expectations have been greatly diminished. We have come to accept that certain data about us is not private, but we are still holding on to the notion that other, very personal, things need not be shared outside the exam room. Doctors don’t usually report to insurers how much alcohol we consume, whether we are sexually active and in what manner, what we eat, which illegal drugs we use, how we sleep and all other intimate fears or dilemmas shared with a doctor. Your doctor is entering all this information in a computer now, giving it a life of its own, and since sooner or later this information will be leaving the doctor’s computer, it may end up in unexpected places, not because the system was breached, but because the “system” sent it there. Will it end up on Google? This is the trust issue that needs to be addressed. Or perhaps it doesn’t.

In a world where most folks are just fine with seeing targeted ads on every browser page based on the contents of their gmail messages, maybe it makes no difference to us if Google “knows” that our last A1c was >9 and a flurry of diabetic ads is unleashed when we browse the Internet. In a world unperturbed by having every smartphone equipped with what amounts to a keylogger, where the Internet Service Provider and the phone manufacturer, along with the keylogger vendor, read every text message you send, perhaps sharing your overactive bladder issues with these folks is also a nonevent. And if that’s the case, why would we even bother with triple DES or AES or Blowfish or Twofish encryption and PKI and certificates? Let’s just cut to the chase, do me and Google a favor, and post the stuff to my Facebook page, and maybe Tweet a quick clinical summary for my 5000 most trusted friends.
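The point about who does the stuffing and opening of envelopes can be made concrete. The Go program below is an added example, not code from this post or from the Direct Project; it models the two layers of an S/MIME message as Direct uses it (sign the body, seal body and signature under a fresh content key, wrap that key to the recipient's public key) with Go's standard library instead of real CMS encoding, and it uses constructed RSA keys and a constructed lab value in place of real certificates and patient data. The names `Envelope`, `Seal`, `Open` and `GenKey` are this example's own. It shows that an intermediary can read a message exactly when it holds the recipient's private key: a HISP that only forwards envelopes cannot open them with any key of its own, while a full-service HISP that generated and keeps the subscriber's key can open them as easily as the subscriber.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope models a Direct/S-MIME message: the sender signs the body, body and
// signature are sealed under a fresh AES key, and that key is wrapped to the
// recipient's public key (CMS SignedData inside EnvelopedData, minus the ASN.1).
type Envelope struct {
	WrappedKey []byte // AES key, RSA-OAEP encrypted to the recipient
	Nonce      []byte
	Ciphertext []byte // AES-GCM over signature||body, auth tag included
}

// GenKey makes a 2048-bit RSA key pair standing in for a Direct certificate.
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs body with the sender's key and encrypts it to the recipient.
// Anyone forwarding the result sees only the three opaque fields above.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	kn := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	// A PSS signature is exactly sender.Size() bytes, so no length prefix is needed.
	plain := append(append([]byte{}, sig...), body...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open recovers the body. It fails if priv is not the recipient's key, if any
// byte changed in transit, or if the signature was not made by sender.
func Open(priv *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not addressed to this key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope altered in transit")
	}
	if len(plain) < sender.Size() {
		return nil, errors.New("malformed envelope")
	}
	sig, body := plain[:sender.Size()], plain[sender.Size():]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature is not from the claimed sender")
	}
	return body, nil
}

func main() {
	clinic, patient, hisp := GenKey(), GenKey(), GenKey() // constructed keys, not real certificates
	env, err := Seal(clinic, &patient.PublicKey, []byte("A1c 9.4 (constructed sample)"))
	if err != nil {
		panic(err)
	}
	// Model A: the patient's key stays on the patient's system; a relay-only HISP has keys
	// of its own (TLS, its own mailbox) but none this envelope is sealed to.
	_, err = Open(hisp, &clinic.PublicKey, env)
	fmt.Println("relay-only HISP opens:", err)
	// Model B: a full-service HISP generated the patient's key and keeps a copy, so this
	// call succeeds on its servers exactly as it does on the patient's own machine.
	body, err := Open(patient, &clinic.PublicKey, env)
	fmt.Printf("holder of the patient's key opens: %q %v\n", body, err)
	env.Ciphertext[0] ^= 0x01 // one byte flipped in transit
	_, err = Open(patient, &clinic.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

Run it with `go run`. What Direct adds on top of this and the example leaves out is the binding of each public key to an X.509 certificate and the CMS wire format; what it does not change is the conclusion: the strength of AES or RSA says nothing about who can read the message, only the custody of the private key does.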


  1. Margalit,

    You assume that the Direct Project specification includes off-loading security to a full-service-HISP. This is not true. The specification is completely securable to your computer. The technology chosen is off-the-shelf secure email. Just like I use for all my internet e-mail. Just like what is available in off-the-shelf Microsoft Exchange, Lotus Notes, or open-source Thunderbird. This is secure right to my system; even my company doesn't have access to the content.

    The marketplace is offering full-service-HISP solutions, to ease the administrative burden. It is fully true that if you choose to outsource your responsibilities, then you must fully trust.

    I just want to make clear that what some in the market are offering is not the specification. I fear for those that are not as well informed, seeing the full-service-HISP as an easy choice and not realizing exactly the weight of their choice.

  2. This conversation is continuing on Google+. Join us if you are interested....