Can you be specific about what you're trying to get at here?
I don't understand why you think there is a difference between taking a health reading at your doctors office and having it included in your patient chart, or taking a reading at your house and having that included in your patient chart. I'm wondering if I'm missing something that is just being unsaid.
I think they are just saying the data is more likely to be secure if it is recorded at your doctor's office, which seems reasonable to me.
Let's say it is a blood pressure reading taken by your Fitbit and uploaded to Google's servers. That data is not subject to HIPAA regulations. When your doctor takes your blood pressure and records it in your chart, it is subject to those regulations (as you say, it would be wildly unethical for them to sell it).
Separately, even if the two scenarios were subject to the same regulations, I would still expect the doctor's office scenario to be more secure. I think that any given patient's home network/device/security practices are more lax than those of most healthcare organizations.
There are downsides to this too though. I wanted a second opinion on an EEG, and after some hassle getting the original office to mail a disk (the only way they can transfer it), the new doctor said they can't view it because they use different software at their hospital for EEGs. These are two well ranked US hospitals, and EEG is a fairly common procedure.
Perhaps this is not an inherent downside to the data security, but it's a reality with the current medical system and regulation does play a part in how we got here. And there is no financial incentive for hospitals to fix these sort of issues, in fact there is a disincentive (I'm doing another EEG now...). So I just don't see how it gets fixed without some outside disruption.
It may not be a popular opinion on HN but I'm much more concerned with having access to my own medical information than how secure it is.
"Separately, even if the two scenarios were subject to the same regulations, I would still expect the doctor's office scenario to be more secure. I think that any given patient's home network/device/security practices are more lax than those of most healthcare organizations."
For the most part security for healthcare systems is like security for government systems. A lot of checkbox marking and little real security. Just look at the large number of successful ransomware attacks against healthcare organizations. Having at one time worked in health informatics and from observing the practices at my healthcare providers I am not confident my data is anymore protected at a doctor's office.
Yeah that’s fair, I do think organizational ineptitude is a concern. I guess it’s just different threat models. A medical office has locking file cabinets, password-protected devices/networks, more robust building security, the standards of hipaa, etc. (granted all of those are subject to proper implementation)
If I needed to get one person’s medical information, I think I’d I have a higher likelihood of getting it from their medicine cabinet or snooping on their devices or search history.
If I needed the information of many people, I’d target the doctor. But even then, the goal typically isn’t to leak anyone’s information, it’s to get money from the healthcare provider and the information stays secret, theoretically.
Maybe I misunderstood you. I thought your point is that it doesn't matter if a third-party platform has patient's data because their doctor's office already has it.
I don't understand why you think there is a difference between taking a health reading at your doctors office and having it included in your patient chart, or taking a reading at your house and having that included in your patient chart. I'm wondering if I'm missing something that is just being unsaid.