
Archive for the ‘Medicine’ Category

I like statistics. When properly used, they can tell you what has actually happened in the past. Statistics can provide valuable information to help you run your company or for the government to run the country. Statistics can tell you how closely two sets of data are related, their correlation. You might notice, for example, that since you introduced pastel colored widgets, your sales to teenage girls have significantly increased. You might jump to the conclusion that teenage girls prefer pastel colored widgets, and you might be right. On the other hand, the increase in sales to teenage girls could be due to your increased marketing of widgets in women-only high schools and colleges.

When statistics tell you that two quantities vary together, most people will believe that they are related in some way. You should always beware of jumping to conclusions. Correlation does not equal causation. Here are three very high correlation examples from Tyler Vigen’s book “Spurious Correlations.” I suspect there really is no relationship between the two quantities in each case.

Even if there is an actual cause and effect relationship, it may not be in the direction you think.

Your company collects more and more data about its operation, products and customers. Additionally, thousands of data sets are available from public and private sources about behavior, health, poverty rates, driving accidents and just about anything you can think of. Given enough processor power, you can search for correlations among these data sets. Sometimes these “strange” correlations can prove valuable. A dozen years ago, an almost random check found that the number of auto accidents involving personal injury or death across the counties of one state correlated very strongly with the number of people over 55 who were taking a specific medicine. The resulting investigation by the pharmaceutical company that manufactured the drug led to increased warnings to doctors and patients about a previously unsuspected age-dependent side effect.

When someone brings you one of these correlations, pay attention, but apply reason. Correlation is not causality.

The last word:

President Obama and many other politicians on the left want to make it illegal for law abiding citizens to own a gun. In their view, only the government should have any weapons. They want to eliminate the Second Amendment to the US Constitution. The primary reason the first session of the US Congress included that amendment in the Bill of Rights was the recent experience with their prior government. The British Government severely limited gun possession in towns and cities; they could not police the rest of the colonies. They feared, rightly it turned out, that the colonists could use those weapons against the British government. The US Founding Fathers wanted to make sure that a future government could not take away citizens’ rights without the citizens having a last resort to deal with a run amok government.

President Obama will tell you that eliminating all legal guns is the solution to these tragic mass-shooting events. But we know that is a false argument. Almost every one of the mass shooting events in the past two decades has been in a “gun-free zone.” We have been steadily increasing the number of these zones, so they now include virtually every school, sporting event, shopping area, government facility, and even most portions of our military bases. We actually put signs up to indicate to potential terrorists where they will have five to thirty minutes of unbothered time to kill as many unarmed victims as they can.

Consider the recent Oregon tragedy. Chris Mintz is a student at Umpqua Community College. As a decorated Army veteran, he tried to stop the gunman before he entered the classroom where the gunman killed nine students. Mr. Mintz was shot seven times for his bravery. If Mr. Mintz had had a weapon with him, the results could have been vastly different.

Oregon state law actually requires that colleges allow guns on campus in some circumstances. At a minimum, a college must allow a visitor with a carry permit to bring a gun on campus, but not necessarily a student. Until police arrived, the gunman was the only person with a weapon on the campus.

Gun control laws do not keep guns out of the hands of criminals and terrorists; they only keep them out of the hands of law-abiding citizens. Chicago, with restrictive gun control laws, had over 400 murders in 2014. That is the equivalent of an Umpqua Community College event every 8 days.

We are painting a target on the back of our children.

Comments solicited.

Keep your sense of humor.

Walt.


A writer friend posted a blog about Ancient Remedies Resurrected. He blogs mostly to help other writers use medicine correctly in their fictional murders. This particular post discusses the surprising success of a medieval recipe in killing specific troubling antibiotic resistant bacteria.

  • Who would suspect that a thousand-year-old Anglo-Saxon recipe to vanquish an infected eyelash follicle could do that?
  • Who even tried the recipe on something different than its original documented purpose?
  • Why was the recipe still around?
  • Who could read it?

The first two questions are relatively easy. Some ancient remedies actually work. They were created over hundreds or even thousands of years of experimentation in the real world. Many experiments failed, with the expected unpleasant results. Some worked and were passed down orally from “doctor” to “doctor,” often from parent to child. Often the “doctor” was closely associated with the local religion. One recipe for curing fever occurring in the brain is on an eighth-century BC tablet. The particular poultice is attributed to oral medical lore dating back to around 1860 BC. The tablet itself cites “mythological sages from before the Flood.” It is hard to argue with such authority. Enough of these old recipes work that it is well worth the effort to test them. Government agencies, pharmaceutical companies and universities all spend some effort searching ancient texts and experimenting. Looking at what the recipe does from a scientific viewpoint may point out some other possible uses of the drug.

The last two questions are the really important ones.

The survival of any particular ancient text is due more to luck than to good data management. There is so much that can go wrong. The document first of all has to avoid being broken into a thousand pieces, sunk in the middle of the ocean, cleaned and reused, or damaged by the ravages of nature: floods, fire, mold, or rot. But perhaps the greatest danger to old documents is man. Opened in the third century BC, the Library of Alexandria was one of the largest and most significant libraries in the world of its time. The library was destroyed, first by Julius Caesar when he conquered Egypt in 30 AD, and finally by Coptic Pope Theophilus in 391. Pope Theophilus was very thorough. Not only did he complete the destruction of the main library, but also of a smaller version, the Serapeum, located elsewhere in Alexandria. Perhaps the first recorded case of a backup failure.

Maybe as significant for the preservation of possible ancient medicinal cures was the destruction of all but four of the thousands of Maya codices by Spanish conquistadors and Catholic priests. Why were they destroyed? According to Bishop Diego de Landa in July 1562, because “they contained nothing but … superstition and lies of the devil.”

Unfortunately, this organized destruction of the past continues to this day as the result of conquest and religious fanaticism.

We recently visited one such ancient document, and it was only 800 years old. It was both surprisingly readable and very hard to read, and it was in a language we had some rusty familiarity with. Imagine the difficulty of even deciphering an ancient text and then determining its meaning. We do not have a Rosetta Stone for most ancient languages. I am referring to the multi-language stone found in Egypt during Napoleon’s conquest, not the language instruction company – although the statement applies to both. Often even the structure of the language, as well as the meaning of individual characters or symbols, had to be coaxed out of many documents by many people over many years. Only after that can other researchers begin to search for specific snippets of interest, like medical recipes.

In trying to recreate the recipe that began this post, researchers had to figure out what the ingredients really were, and hope that modern garlic is similar enough to 1,000 year old garlic to actually work. In most cases an ancient text will not describe exactly how hot or long to cook something, or even how much of each component was to be used.

As I discussed earlier, it is perhaps as difficult to keep data for the long term in today’s electronic age as it was in ancient times.

The last word:

Save the data, especially if you have no idea what value it might have in the future. Pictures, movies, personal history stories whether written or currently only oral could be important. Talk to older relatives and friends and get their stories saved. Do it now while you still can.

If you save oral recordings, go back and make transcripts that can also be saved. A hundred years from now there may be no one who can understand what was said.

If your family knows a language that is little used, work to preserve it so its oral and written legacy can be saved.

Even mundane business records can have historical value in a distant future. Kyle Harper used ancient purchase records to reinterpret the end of Roman slavery by determining what slaves were eating in Rome around 300 AD. This kind of information can help fill in the gaps about a civilization and the well-being of its people, whether wealthy citizens or slaves.

As I have said before, keeping data on paper only is not the best idea.

Comments solicited.

Keep your sense of humor.

Walt.


Once again a company that we trust with our health and personal information has betrayed that trust. Cybercriminals were able to hack into an Anthem database that contained up to 80 million records of current and former customers and company employees. The information now in the hands of criminals includes names, Social Security numbers, birthdays, postal and email addresses, and employment information including income data.

Anthem stated that no credit card or medical information was compromised, but the information that was stolen is sufficient to launch successful identity theft attacks against every one of the tens of millions of compromised individuals.

Anthem noticed the intrusion on January 29, but analysis of the cybercriminal infrastructure likely used suggests that the attackers first gained a foothold in Anthem’s servers in April 2014, nine months before Anthem noticed the attack. One link in the chain of establishing the malware at Anthem went through China. Whether that is a significant fact is unknown at this time. Anthem immediately notified the FBI.

Since admitting the attack, Anthem has been sharing information about the attack including IOCs (indicators of compromise) with HITRUST, the Health Information Trust Alliance, and NH-ISAC, the National Health Information Sharing and Analysis Center. These groups disseminate information about cyber threats to the healthcare industry. So far, these IOCs have not been discovered by other health care organizations. It appears that this attack was focused against Anthem.

Clearly, Anthem is not paying attention to the security of their customers’ data. None of this data was encrypted. Anthem has contracted with Mandiant, a cybersecurity firm, to evaluate their security systems and identify solutions. Seems to me they are a year late with this kind of analysis.

The brands impacted by this breach: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, and Healthlink. It can also impact anyone holding a BlueCard. A BlueCard enables members of one Blue Cross / Blue Shield plan to obtain healthcare services while traveling or living in another service area. Blue Cross / Blue Shield Federal Employee Programs are also impacted. This information is linked through a single electronic network throughout the US and 200 other countries and territories.

What should you as an individual do if you think you were impacted?

  • You may receive an email apparently from Anthem. These emails are not from Anthem and are scams attempting to get your personal information. Do not click on any link in such an email.
  • You may also receive a phone call apparently from Anthem about the attack. These calls are also not from Anthem. As always, do not give out credit card or Social Security numbers over the phone on any call you did not initiate. Hang up.
  • According to Anthem you should receive a letter in the mail “in the coming weeks.” That letter will advise you of the protection(s) being offered.
  • Take whatever identity theft services they offer.
  • Continue to monitor all of your financial accounts, including mortgage, investment, and loan accounts.
  • Consider putting a security freeze on your credit reports at each of the three reporting companies, Equifax, Experian, and TransUnion. Since most businesses will not open a new account without first checking your credit history, if they can’t access your credit history they are quite likely to deny someone getting credit in your name. It may cost you a few dollars, but it really does stop most identity theft. Availability and cost vary by state. If you want to request credit, you can lift the freeze enough to let a specific request be accepted.

If you are responsible for the personal information of your customers, employees or contractors, how vulnerable are you? You should not guess the answer. Find out, before you become the next Anthem.

Anthem will have some very stiff fines as a result of this breach. Between 2009 and 2013, HIPAA has levied fines of more than $25 million for data breaches. But this attack impacts more than twice as many people as all of the 2009-2013 breaches involving fines combined.

In 2014, Columbia Medical Center was fined $4.8 million for a data breach involving fewer than 10,000 people.

The last word:

Sometimes personal data is “released” on paper. Hundreds of documents from the Philadelphia Adult Probation and Parole Department were found in early February strewn across several streets in part of Philadelphia. These documents contained names, addresses, birthdates, Social Security numbers and signatures. The best guess as of this writing is that one or more boxes of information fell off a truck on the way to a nearby recycling center. The documents were not shredded.

Comments solicited.

Keep your sense of humor.

Walt.


I recently wrote about some of the impacts that government regulations around the Affordable Care Act are having on small medical practices. One of those differences has to do with coding. These codes are established by the World Health Organization, part of the United Nations, in a medical classification list called the International Statistical Classification of Diseases and Related Health Problems, usually just called “ICD.” This is really two lists: a list of diagnosis codes and a separate list of procedure codes.

The current set, ICD-9, has about 13,000 diagnosis codes and 3,000 procedure codes. The 30-year-old ICD-9 suffers from several problems: it lacks detail, uses generic terms, is based on outdated technology, and has limited capability to add new codes.

The new set, ICD-10, addresses those problems. It provides for up to 68,000 diagnosis codes and 87,000 procedure codes.

In a recent one-week nation-wide test involving over 127,000 claims from 2,600 health care providers, suppliers, billing companies and clearinghouses, only 89% of the claims were accepted without issues. This test involved claims from only about 5% of potential claim submitters, and only included those who agreed to be part of the test and had been working on this conversion for years. After October 1, 2015, claims that do not use ICD-10 or have issues with the ICD-10 codes will not be processed, and claims not processed will not be paid. The official position: physicians are urged to set up a line of credit to mitigate any cash flow interruptions that may occur.

As you can imagine, there are some fairly unusual codes. One that has made the NPR circuit is V91.07: burn due to water-skis on fire. But NPR did not get the story correct. V91.07 is an invalid code; you must use one of the three subordinate codes to describe the diagnosis in greater detail:

  • V91.07XA – initial encounter
  • V91.07XD – subsequent encounter
  • V91.07XS – sequela

A “sequela” is a chronic condition that is a complication of an initial event.

Before you scoff at this diagnosis, check out these guys.

For some reason, there are different sets of ICD-10 for different countries, so for those of us who travel to foreign countries, there is likely to be some confusion with your insurance provider and local healthcare facility if you are injured or sick outside your home country.

Many organizations have already been working on this conversion for a few years. There are also lots of companies out there to help medical staffs make the transition. For example, Find-A-Code has search solutions for small practices ($300/year) and larger facilities ($950/year).

Like a lot of things in the Affordable Care Act, the end result of the conversion will be beneficial to patients. Getting there will be a really interesting ride, and will contribute to the loss of small medical practices, with a potentially significant negative impact in rural areas.

The real concern will be the significant number of coding errors during the transition. Each diagnosis coding error can lead to health workers administering the wrong procedures, especially as patients are shifted between doctors and other care providers in larger medical organizations.

The last word:

Considering the large number of people who have access to your health care information, and the number of breaches in personal health care data, you should be concerned over misuse of your data. Certainly the government will have access. Expect companies, perhaps legally, to offer your health care information to your current or potential employer, and certainly to your insurance providers.

Read carefully the fine print around any job or insurance application you submit. You may be granting them access to all of your medical data as well as your financial data as part of a “background check.” HIPAA actually treats much of your medical information as a valid part of your employment record. This includes anything related to drug testing, Family and Medical Leave Act, Americans with Disabilities Act, Occupational Safety and Health Administration, workers’ compensation records, sick leave or return to work documents, and anything related to a drug or alcohol free workplace.

There are legal restrictions on what a company can access or ask for, but if you say “yes” in a job application all bets are off.

Comments solicited.

Keep your sense of humor.

Walt.


Last time I wrote about The Need to Protect Healthcare Data, or perhaps more importantly the potential cost of not protecting it. This time I want to talk about how to do that in a non-disruptive way that will probably save your organization money while significantly reducing the chances of a major data breach involving hundreds or thousands of patient records. Of course the same approach can be used to protect any kind of protected information from exiting en masse in any line of business.

The key is to protect the “crown jewels” – the database that contains the data that must be protected. Normally, these systems are implemented as three-tier environments. To keep the picture and words simple, in this discussion each tier has only one server but in a real implementation each tier is usually composed of multiple servers for redundancy or to provide the necessary performance.

  • The data tier contains the database server that actually holds the database. This server runs the software that manages all access to the data: no one can access the data without eventually getting to the database server.
  • The application tier controls the business logic that uses the database. These are the programs that implement information retrieval and update for the medical staff, capture information from medical device controllers, and handle data retrieval for meaningful use and billing.
  • The presentation tier is what interfaces with the user or another application system. It is often implemented as web services so that any device with a web browser can access the same information.

For example, when a doctor needs to see a patient’s chart from her tablet, she can use a browser or a special tablet application to ask for the current chart for “John Smith DOB 04/23/1945.” The tablet browser or application sends that request to the presentation tier, where the doctor is authenticated if necessary, and which then sends the request to the application tier. There a program formats a query against the database and sends it to the data tier. The data tier retrieves the information and sends it back to the application tier, which formats the specific information for the chart and sends that to the presentation tier. The presentation tier then sends it to the tablet browser or application for display to the doctor.

While this may seem like a complicated process, it nicely separates the operation so that, for example, a different kind of user device with completely different display characteristics can be easily added by changing only the presentation tier, and usually just making a single change that will work independent of the specific kind of transaction. Similarly, it allows the application layer to perform additional validation on a specific transaction, such as verifying that the doctor is permitted by HIPAA to see John Smith’s information.

The goal of the approach described here is to limit access to the application and data tiers to only those specific devices that have a valid need to access those tiers. In particular, only the servers in the application tier should be allowed to access the servers in the data tier, and only the servers in the presentation and data tiers should be allowed to access the servers in the application tier. There are, of course, users called administrators that require access directly to the application and data tier servers. These are the people who are responsible for the management and operation of the applications and database. In most organizations, there are just a few database administrators and application administrators who must have direct access into those servers.

The solution described here uses the Unisys Stealth Solution. Stealth uses state-of-the-art encryption, but the key principle behind Stealth is that it only allows a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on. If some device tries to access a Stealth-protected server or workstation without belonging to the same COI, then the Stealth-protected device is completely invisible; the Stealth-protected device simply will not respond to anything from that device.

[Figure: StealthDCS diagram of the three tiers and their Communities of Interest]

The picture represents each tier by a single server and shows one database administrator and one application administrator. As stated before, there are usually several of each. The red lines show the communications paths protected by Stealth. The black line represents clear-text traffic coming from the organization’s internal network or over the Internet. The Internet traffic should already be protected by some form of encryption such as IPsec or SSL. There are three Communities of Interest (COIs) in the diagram. The green dots represent devices in the DB COI, the blue dots represent devices in the Application COI, and the yellow dots represent devices in the DB Administrator COI. Only the database administrator and the application tier server can access the data tier server. Only the data tier server, application administrator, and presentation tier server can access the application tier server. Any other device attempting to access the data or application tier servers would be completely ignored.

Since the individual administrator’s COI is determined at log on time, it does not matter which workstation an administrator uses. When an individual signs on with a database administrator’s credentials, he now has the DB ADMIN COI and can access the data tier server.
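The COI rule and the access matrix described above, as an added illustration that is not Unisys code and not from the original post. It assumes the constructed COI names DB, APP and DB_ADMIN, a constructed identity-management table that hands out COIs at logon, and that a protected server simply stays silent to a peer with no shared COI; the audit function checks a COI assignment against the post’s stated access rules.

```python
"""Added example (not Unisys code): a small model of the Community of
Interest (COI) rule.  Assumptions: users carry the COIs the identity
management system assigns at logon; a Stealth-protected endpoint answers
only peers that share a COI and is silent (not 'rejecting') to all others."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# COI names taken from the diagram described in the post.
DB, APP, DB_ADMIN = "DB", "APP", "DB_ADMIN"


@dataclass(frozen=True)
class Endpoint:
    name: str
    cois: FrozenSet[str]
    protected: bool = True  # False: accepts clear-text traffic (presentation tier)


# Constructed sample: the one server per tier with its COI memberships.
SERVERS: Dict[str, Endpoint] = {
    "data": Endpoint("data", frozenset({DB, DB_ADMIN})),
    "app": Endpoint("app", frozenset({DB, APP})),
    "presentation": Endpoint("presentation", frozenset({APP}), protected=False),
}

# Constructed identity-management table: user -> COIs granted at logon.
IDM: Dict[str, Set[str]] = {
    "dba_alice": {DB_ADMIN},
    "appadmin_bob": {APP},
    "clerk_carol": set(),  # ordinary user: no COI, sees only the presentation tier
}


def logon(user: str, workstation: str) -> Endpoint:
    """Bind the user's COIs (from IdM) to whatever workstation they sign on at.
    A user missing from IdM (e.g. offboarded) gets no COI at all."""
    return Endpoint(workstation, frozenset(IDM.get(user, set())), protected=False)


def offboard(user: str) -> None:
    """Removing the user from IdM is the only change needed to revoke access."""
    IDM.pop(user, None)


def can_reach(src: Endpoint, dst: Endpoint) -> bool:
    """Stealth rule: a protected destination is visible only to a peer that
    shares at least one COI; an unprotected destination takes clear-text."""
    if not dst.protected:
        return True
    return bool(src.cois & dst.cois)


def send(src: Endpoint, dst: Endpoint, request: str) -> Optional[str]:
    """A request on the wire: an unauthorized peer gets no answer (None),
    not an error, so the protected server is effectively invisible."""
    if not can_reach(src, dst):
        return None
    return f"{dst.name} handled '{request}' for {src.name}"


def audit(endpoints: List[Endpoint], expected: Dict[str, Set[str]]) -> List[str]:
    """Compare actual reachability of each protected server with the rules
    given in the post (expected[server] = endpoint names allowed to reach it).
    Returns the list of violations; empty means the COI assignment is right."""
    violations: List[str] = []
    for dst in endpoints:
        if not dst.protected:
            continue
        allowed = expected.get(dst.name, set())
        for src in endpoints:
            if src is dst:
                continue
            reach = can_reach(src, dst)
            if reach and src.name not in allowed:
                violations.append(f"{src.name} can reach {dst.name} but should not")
            if not reach and src.name in allowed:
                violations.append(f"{src.name} cannot reach {dst.name} but should")
    return violations


# Access rules exactly as stated in the post (workstation names constructed).
EXPECTED_ACCESS: Dict[str, Set[str]] = {
    "data": {"app", "dba-ws"},
    "app": {"data", "presentation", "appadmin-ws"},
}


def demo() -> List[str]:
    """Log everyone on and audit the resulting reachability; [] = compliant."""
    dba = logon("dba_alice", "dba-ws")
    appadmin = logon("appadmin_bob", "appadmin-ws")
    clerk = logon("clerk_carol", "clerk-ws")
    everyone = list(SERVERS.values()) + [dba, appadmin, clerk]
    return audit(everyone, EXPECTED_ACCESS)


if __name__ == "__main__":
    print("violations:", demo())
    clerk_ws = logon("clerk_carol", "clerk-ws")
    print(send(clerk_ws, SERVERS["data"], "read chart"))  # None: silently ignored
    print(send(clerk_ws, SERVERS["presentation"], "read chart"))
```

Granting the clerk the DB COI in the IdM table makes the audit report the two resulting violations, which is the check to run whenever COI assignments change.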

One Stealth implementation can protect multiple databases that are in the same network segment, i.e., are visible from each other in the network. Otherwise you can replicate the Stealth implementation as needed.

This solution has no impact on existing applications and is invisible to end-users and even to the database and application administrators. Capital savings come from not requiring as much network infrastructure such as firewalls. Operational savings come from not needing to reconfigure firewalls or other network security devices and applications. If an administrator is added or moves on, simply change your identity management system. Stealth then automatically permits or prevents the individual from accessing the database or application servers.

If you do not have a tiered implementation or have collapsed the tiers onto a single server, and therefore allow end users to directly access the server containing the database then this mechanism does not help. Then again, not much would be able to help in this situation. You first need to separate your environment into multiple tiers so that any security solution can control access to the database and application servers.

The last word:

This mechanism does not protect against the accidental or deliberate loss caused by inappropriate actions of individuals who are authorized to access the data. This includes the file clerk who walks away from a logged-on workstation in a semi-public area, or the doctor who foolishly loads a couple of patient files on her son’s laptop at home. There are ways to reduce the chances of these kinds of incidents, and in super-sensitive environments it makes sense to make those investments. But they are very expensive and usually not worth the cost. While these errors are regrettable they rarely lead to fines or the risk of losing accreditation, or the CIO needing to find a new job.

As always, the key is to have a good security policy document and provide annual security training emphasizing to employees and contractors that you are serious about data security.

Comments solicited.

Keep your sense of humor.

Walt.


Healthcare CIOs have some real problems today. The Affordable Care Act (ACA) is having a big impact on the industry. The rules themselves are changing as the US President makes changes to the law, and depending on the outcome of the November congressional elections in the US we may have a congress that makes additional changes. The behavior of insurance companies is transforming as a result of the ACA, and health care customers, like you and me, are changing the way we access health care as we learn, usually the hard way, what is and is not covered and how much it will cost us. Just adding millions of new customers can have a destabilizing impact to the industry.

On top of that, factor in the government mandated migration from paper records to electronic medical record (EMR) systems. While the end results are probably beneficial, the migration is nothing but pain over many months or years for most organizations.

If that wasn’t enough, a combination of factors, including the ACA, is leading to massive mergers of hospitals and medical practices into larger and larger enterprises. The dozens of hospitals in my area a decade ago are now just a couple of mega-medical companies. These mergers and acquisitions offer the CIO the opportunity to reconcile and merge a number of totally different hardware and software medical systems into one, or to figure out how to run a business with multiple billing systems while keeping patient records accurate across multiple EMR systems.

No wonder that most of these CIOs do not have the time to be very interested in data security. There are millions of dollars of government rewards for moving to EMR and enabling Meaningful Use. Meaningful Use has the potential to provide significant benefits in health care and could lead to quicker approval of new uses for existing treatments, along with a significant increase in the potential for the government and insurance companies to misuse data about individuals. There are millions to be saved by quickly moving to a single software environment in these growing amalgamations of separate health care organizations. Besides, what’s the worst that can happen if a few records are stolen? It happens every day with doctors and file clerks accidentally leaving patient records out on an unattended desktop or similar sloppy behavior at labs, pharmacies and hospitals.

To a large extent, that is a reasonable response. Even the desired end state of completely integrated EMR and billing systems plus a fully functional nationwide Meaningful Use infrastructure will not prevent these kinds of small errors. The loss of one person’s information is not a big problem for the medical institution.

However, the loss of thousands or millions of people’s medical records is a big problem for a medical organization. In my February 2014 posting The Cost of a HIPAA Breach I show that for significant breaches the cost in fines alone can start at $150,000 and easily rise to over a million dollars per incident. This does not include the approximately $200 for each lost record that it costs an organization on average to deal with a data breach.

A major data breach at your hospital or medical practice can cost millions of dollars in fines, plus risks the loss of accreditation of your organization. It also often causes the CIO, or even the CEO, to seek employment elsewhere. If you think you have never had a breach, it would be better to assume instead that you don’t know you have had a data breach. Health care data accounted for 43% of major data breaches in 2013, and the Washington Post reported that over 30 million patients have been impacted by health care data breaches. Over 80% of data breaches are discovered by a third party.

For a longer look at these issues, check out Daniel Berger’s June 2014 What Healthcare CEO’s Need to Know about IT Security Risk paper. Mr. Berger is President and CEO of Redspin, Inc. Based in Santa Barbara, California, Redspin has become a leader in healthcare IT security and provides HIPAA security risk analysis and compliance, including meaningful use.

As your organization advertises its new treatment options, new care centers and new growth, a front page article that you have just lost thousands of patients’ data can negatively impact its reputation.

Next time I plan to talk about a way to protect the crown jewels of your IT infrastructure: the databases that contain your critical health care and financial data.

The last word:

In addition to the financial risks, hacking into health care records can kill people. Changing prescriptions, diagnosis, or test results, or modifying instructions to network-connected imaging, drug dispensing, and operating room equipment can kill or seriously harm a patient. Or a thousand patients.

Comments solicited.

Keep your sense of humor.

Walt.


Science and technology have provided many new wonders in the past few years.

DNA analysis is an important tool in convicting and exonerating criminals, and it is just opening up new possibilities in medicine, with some cancer centers analyzing your DNA to help determine the most effective treatment program. Check out Jim Murray’s blog for lots of postings on the intersection of murder and medicine.

But an even more enabling technology has been the Internet and Cloud Computing. You are all aware of their impact on business. The Cloud has disrupted the music and movie industry, news media, and many consumer-oriented businesses. Legacy companies that have learned to embrace a new paradigm for customer relationships and doing business by seamlessly integrating their brick and mortar and on-line presence are thriving. Those that have not are in deep trouble even if they don’t know it yet. New companies have almost unlimited opportunities for growth at costs that are a fraction of the cost of starting a new business just ten years ago.

As I recently posted, the Cloud is also driving a much-needed revolution in education, with the opportunity for vastly superior education opportunities at significantly reduced cost.

Sometime in the next five years, after we get over the conversion hump, electronic medical records (EMR) will revolutionize the actual practice of medicine, significantly reducing errors while reducing clerical requirements. EMR is impossible without the Cloud providing a consistent set of information to everyone connected with your health care, including doctors, hospitals, pharmacies and other caregivers.

Last year I wrote about “Your Smart House in the Cloud.” Home security is also changing, with both traditional home security services and traditional ISPs (like Comcast or Verizon) offering the ability to monitor and control your house from a smart phone. Want to see what your children are doing while you’re away on a trip? No problem. Forget to set the thermostat? No problem.

Google and others already have cars that can successfully navigate autonomously. No more getting turn-by-turn directions from Google maps; let the car do that and get you there while you read, watch a movie, or get some shuteye. Although, based on a recent personal experience with a closed bridge, it could be amusing. Our smart phone was baffled by the situation and kept trying to get us back to where we could try to cross the same closed bridge. In October 2012, California joined Nevada and Florida in approving those cars for the public highway. (Interestingly, no state actually has a law that prohibits a driver-less car, and as of this writing, none of the autonomous cars can back up, yet.)

But every one of these benefits is potentially a two-edged sword. One of the most serious dangers is what I call “predictive punishment.”

Some auto insurance companies want to constantly monitor your car to determine how you are driving in real time, and set your rate accordingly. I’m not sure what kind of algorithm they are using, but at least it includes speed and braking information. Someone driving at 75 mph on I80 in Nevada is likely to be a safe driver, yet someone driving 75 mph on the Schuylkill Expressway in Philadelphia is definitely not a safe driver. This is a perhaps benign form of predictive punishment: based on a couple of data points on your driving, I will punish you with a higher rate.

Jim Murray often writes about the relationship between genes and crimes or diseases.  While there may be statistically significant relationships between a particular gene or set of genes and socially unacceptable behavior (the “killer gene,” for example), these relationships are not guaranteed.  The vast majority of people with these genes do not actually commit the crime or exhibit aggressive behavior, and many people who do murder do not have the gene.

We are steadily accumulating DNA.  In some jurisdictions, police officers collect DNA from anyone they bring into the police station, even if they are not a suspect, never tried, and never convicted.  That DNA is never destroyed.

Expect your health insurance company to ask for and eventually demand your DNA.  Or, more likely, the U.S. government will demand your DNA for identification as well as health care.  Already the government controls what medical treatment you can get based on symptoms, as I found out when my doctor prescribed a specific test and Medicare told me I could not get the test because I did not have the appropriate symptoms.  This happened on two separate occasions with two separate tests.  Under U.S. Health and Human Services Rules, the government can violate HIPAA security requirements to use your health data for “meaningful use.”  It is not a leap to some serious predictive punishments by forcing or denying treatment based on your DNA.

DNA information could also be used to set your life insurance rate, or prevent you from getting a job. If a company had your DNA, it could deny you a job because you had a slightly higher probability of being aggressive or getting an expensive disease. If it had two qualified candidates, it would be very hard to prove that it used DNA in the final selection. On the other hand, if it had a candidate’s DNA, hired him, and he later “went postal,” the company could be liable for lawsuits because it knowingly created a higher risk working environment.

The issue is that there are far too many false positives: indications that something might happen. This type of statistical analysis, whether based on how fast you drive or on your DNA, may be exceedingly reliable over a large population but is almost useless as a prediction for the individual.
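To see why a real population-level association still fails as an individual prediction, here is an added illustration (not from the original post) that works through the false-positive arithmetic with constructed, hypothetical numbers for a “killer gene” style marker:

```python
# Added example with constructed numbers; none of these rates come from the post.
# It shows how a marker that is genuinely associated with a rare outcome still
# flags mostly people who will never exhibit it (the base-rate problem).

def predictive_value(prevalence, sensitivity, false_positive_rate):
    """Probability the outcome actually occurs given the marker is present.

    prevalence          fraction of the population that will show the outcome
    sensitivity         fraction of those people who carry the marker
    false_positive_rate fraction of everyone else who also carries the marker
    """
    true_positive = prevalence * sensitivity
    false_positive = (1.0 - prevalence) * false_positive_rate
    return true_positive / (true_positive + false_positive)


def screen_population(population, prevalence, sensitivity, false_positive_rate):
    """Head counts when a whole population is screened on the marker."""
    affected = population * prevalence
    unaffected = population - affected
    flagged_true = affected * sensitivity            # would show the outcome
    flagged_false = unaffected * false_positive_rate  # never would, but flagged
    return {
        "flagged": flagged_true + flagged_false,
        "flagged_correctly": flagged_true,
        "flagged_wrongly": flagged_false,
        "missed": affected - flagged_true,            # carry no marker at all
    }


if __name__ == "__main__":
    # Hypothetical: 1 in 1,000 people commit the act, half of them carry the
    # marker, and 10% of everyone else carries it too.  The association is
    # strong (carriers are 5x more likely than average), yet see the result.
    ppv = predictive_value(0.001, 0.5, 0.1)
    counts = screen_population(1_000_000, 0.001, 0.5, 0.1)
    print(f"chance a flagged person ever acts: {ppv:.2%}")
    print(f"flagged: {counts['flagged']:.0f}, of whom "
          f"{counts['flagged_wrongly']:.0f} never will; "
          f"{counts['missed']:.0f} who will are not flagged")
```

With these assumed rates, roughly 99.5% of the people flagged never do anything, and half of those who do are not flagged at all, which is the whole case against punishing on the marker.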

We may want to consider an addition to the protections against government provided by the U.S. Constitution: the protection against predictive punishment based on statistical analysis and not behavior, especially as related to our personal DNA.

The last word:

Once something gets into the Cloud or on the Internet, it is there forever. That data is vulnerable to attack by cybercriminals and governments. Incidentally, that includes the camera feeds from your new home security system.

As companies and governments collect more and more personal data, the risk that the data will be used against us increases. The recent revelations of what the U.S. National Security Agency collects from the Internet are likely just the tip of the iceberg of what it really collects. The U.S. intelligence agencies have demonstrated that they are very bad at “connecting the dots” before an event. That does not stop them from violating U.S. citizens’ rights as they come into the U.S. because of a random “connection.” Check out a recent NPR On the Media article.

Comments solicited.

Keep your sense of humor.

Walt.

