by Indy9000 2068 days ago
There's no good reason to have personally identifiable information stored in the system. They could easily issue each patient an alphanumeric ID which is not tied to personal information yet is uniquely distinguishable.

This is a system design failure to begin with. Design sensitive systems with only the minimum required information. The alternative is to have a massive framework to make sure PII hasn't leaked, and then legal and financial frameworks on top of that.

After all, if a leak happens it can't be undone. Damage to the people will be long-standing and cascading.

Best is to have a system that has no or minimal PII.


I thought along similar lines when I heard the Las Vegas high schoolers got hacked/dumped. Why not make it standard to use false/given names with these services, which can't be trusted with PII but must transact in it? Part of enrolling for school should be getting your fake name & fake identity for the school DB, another pen name for Doctor 1, &c.

The DMV should provide New Identities as a Service, if the problem's going to be this bad.

> There's no good reason to have personally identifiable information stored in the system.

They’re medical records. Seems inherently likely to be PII?

Medical records can be stored without personally identifiable information (PII). And they should be. That's what I'm proposing.

Medical records are PII.

Do you mean store without names? The conditions, times, places, etc, are inherently PII themselves.

My wife gave birth on a given day in a given hospital. She also broke her ankle once. No names, but record uniquely identified.

What you say is that our actions, even without explicit names, etc., can be used to identify the actual person. This is kind of missing the point, because that sort of reverse lookup can't scale, and in a very large number of cases it won't be. [Edge case: the only person in a village or a post code.]

By removing the directly identifiable info, the damage done in a breach would be less. Whereas now, a single breach contains all the data that could identify a person, and every person in that breach, without having to do any/much reverse lookup.

Now, the orgs that collect this data do not have a certification standard and verification that they have to obtain before going operational. Even a restaurant kitchen has that.

On that note, I'd say that there should be a severity grading for the data items. Even eggs have a grading system. Our personal data is a tad more valuable.

How do you link a person's medical history to a person without personally identifiable information?

Medical history has to be meaningful only between doctor and patient. The doctor can keep records under a unique ID which the patient is given at the start of sessions, and the patient presents it at each session to validate the relationship. In the event of a breach, even when all data is exposed, without tracking the unique ID back to a person (which would be difficult or impossible) the harm is little. (Imagine reading a story about a person, but you don't know who that person is.)

You might say that there would be other people's names and places mentioned in the records, and from that network and timeline you may be able to deduce the identity, but this PII can in turn be depersonalised. And also this is not scalable for widespread damage.

It just needs a bit of thinking when designing a system. Frankly, any org that asks for PII and doesn't have a well thought out way to store it should be heavily penalised.

That's what the law should do: standardised methods of storing sensitive data.

There's a third party involved here, the payer. The payer (according to TFA mainly Finnish Social Security (Kela) here) needs to know what they are paying for and on whose behalf. You can't just conduct medical treatment pseudo-anonymously like that.

That's ignoring the fact almost nobody will accept having to keep track of an "alphanumeric ID" to get treatment.

The payer does not have to know the content of the therapy session, though. Just have two databases and practice good separation of concerns.

John Doe | Street 1234 | Therapy | 6 Units | $12,367

That is way less interesting information than what we are discussing here...

I think a third party, or a minimum number of parties, can be included in this trust network for exchange of information. Whereas now (if the data gets public) there's no restriction.

This may not be the status quo of the medical system. But I'm willing to bet it wasn't conceived and put in place when breaches like this could happen frequently and the consequences were damning. An overhaul of the process is required. Just continuing to pay the ransom/hackers is not the only meaningful solution.
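The split-store design argued for in the two comments above (records kept under a patient-held ID, with a separate payer view that carries cost but no session content) is sketched below as an added example. It is not code from the original thread or from any system mentioned in it; the Clinic class, the three store names and every record in it are constructed for illustration. The point it makes concrete: a dump of the clinical store alone yields notes with no names, a dump of the billing store alone yields names with no notes, and full damage needs the linkage table as well.

```python
"""Separation-of-concerns sketch: identity, clinical content and the payer's
view live in three separate stores, so no single store leaks both who a
patient is and what was discussed.

Added example for this thread, not code from the original page. All names,
addresses, notes and the Clinic class are constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    address: str


@dataclass(frozen=True)
class Session:
    date: str
    units: int
    note: str          # the sensitive part: what was said in the room


def new_pseudonym() -> str:
    # 128 bits from the OS CSPRNG: no structure and nothing derived from the
    # person, so the token by itself cannot be reversed to an identity.
    return secrets.token_hex(16)


class Clinic:
    def __init__(self, unit_price: int) -> None:
        self.unit_price = unit_price
        # Linkage table: pseudonym -> person. Kept apart from the notes
        # (separate database, ideally a separate custodian).
        self.identity_store: dict[str, Person] = {}
        # Clinical content keyed only by pseudonym; no name appears here.
        self.clinical_store: dict[str, list[Session]] = {}
        # Payer-facing rows: identity, service category, units and cost only.
        self.billing_store: list[dict] = []

    def enrol(self, person: Person) -> str:
        token = new_pseudonym()
        self.identity_store[token] = person
        self.clinical_store[token] = []
        return token   # handed to the patient, presented at each session

    def record_session(self, token: str, session: Session) -> None:
        # Presenting the token is what ties the session to an enrolment; an
        # unknown token is rejected instead of creating a floating record.
        if token not in self.identity_store:
            raise KeyError("unknown pseudonym")
        self.clinical_store[token].append(session)
        person = self.identity_store[token]
        self.billing_store.append({
            "name": person.name, "address": person.address,
            "service": "Therapy", "units": session.units,
            "amount": session.units * self.unit_price,
        })

    def reidentify(self) -> dict[str, list[str]]:
        # Name -> notes is only obtainable with BOTH linkage and clinical stores.
        return {self.identity_store[t].name: [s.note for s in notes]
                for t, notes in self.clinical_store.items()}


def mentions_any(store, needles: list[str]) -> bool:
    """Crude breach check: does a raw dump of this store contain any needle?"""
    dump = repr(store)
    return any(n in dump for n in needles)


if __name__ == "__main__":
    clinic = Clinic(unit_price=100)
    tok = clinic.enrol(Person("Jane Doe", "Street 1234"))   # constructed
    clinic.record_session(tok, Session("2020-10-21", 6, "discussed panic attacks"))
    print("clinical dump names the patient:", mentions_any(clinic.clinical_store, ["Jane Doe"]))
    print("billing dump contains the note:", mentions_any(clinic.billing_store, ["panic attacks"]))
    print("both stores together:", clinic.reidentify())
```

The billing row is deliberately written without the pseudonym, so the payer's copy cannot be joined back to the clinical store even by someone holding both dumps; whether a real payer would accept that is the open question raised in the reply above.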

> Doctor can keep records under a unique ID which patient is given at the start of sessions and the patient presents it at each session to validate the relationship.

Now the doctor is unable to verify the identity of the patient.

> but these PII can in turn be depersonalised

It turns out this is not as easy as you think it is.

Medical records are PII themselves.

It does seem a little more complex than just issuing unique IDs. The therapist must be able to tie that ID to the patient. The healthcare provider sending the patient to the therapy provider needs to be able to do the same. How does that happen?
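The replies above ("It turns out this is not as easy as you think it is" and the childbirth/ankle example) are about re-identification through quasi-identifiers: once names are gone, the combination of place, event and date can still pick out one person. The block below is an added example, not code from the original page, showing that check on a constructed de-identified table: it measures k-anonymity under the stored key and under a generalised key, and runs the attacker's linkage step of intersecting the records matching several facts known about a target. RECORDS, the tokens and both key functions are invented for the example.

```python
"""Linkage check for de-identified records: names removed, but the
quasi-identifier (place, event, date) may still be unique per person.

Added example for this thread, not code from the original page. RECORDS and
the two key functions are constructed; tokens are arbitrary.
"""
from collections import Counter
from typing import Callable

Record = dict[str, str]
Key = Callable[[Record], tuple]

# Constructed de-identified records: one token per person, several events each.
RECORDS: list[Record] = [
    {"token": "9f3c", "region": "South", "hospital": "Central",  "event": "childbirth",     "date": "2015-03-02"},
    {"token": "1b7e", "region": "South", "hospital": "Central",  "event": "childbirth",     "date": "2015-03-02"},
    {"token": "4d20", "region": "South", "hospital": "Central",  "event": "childbirth",     "date": "2015-03-11"},
    {"token": "c3a9", "region": "South", "hospital": "Central",  "event": "ankle fracture", "date": "2017-11-08"},
    {"token": "4d20", "region": "South", "hospital": "Westside", "event": "ankle fracture", "date": "2017-11-21"},
    {"token": "77e1", "region": "South", "hospital": "Westside", "event": "ankle fracture", "date": "2017-11-21"},
    {"token": "e0d5", "region": "South", "hospital": "Westside", "event": "ankle fracture", "date": "2017-11-03"},
]


def qi_day(rec: Record) -> tuple:
    """Quasi-identifier as stored: exact hospital and exact day."""
    return (rec["hospital"], rec["event"], rec["date"])


def qi_month(rec: Record) -> tuple:
    """Generalised quasi-identifier: region and month only."""
    return (rec["region"], rec["event"], rec["date"][:7])


def group_sizes(records: list[Record], key: Key) -> Counter:
    """How many records share each quasi-identifier value."""
    return Counter(key(r) for r in records)


def min_k(records: list[Record], key: Key) -> int:
    """k-anonymity of the table under this key: size of the smallest group."""
    return min(group_sizes(records, key).values())


def singleton_tokens(records: list[Record], key: Key) -> set[str]:
    """Tokens owning at least one record that is unique under this key."""
    sizes = group_sizes(records, key)
    return {r["token"] for r in records if sizes[key(r)] == 1}


def link(records: list[Record], key: Key, *known_facts: tuple) -> set[str]:
    """The attacker's step: intersect the tokens matching each fact known
    about the target (e.g. gave birth in March 2015 AND broke an ankle in
    November 2017). One surviving token is a full re-identification."""
    matches = None
    for fact in known_facts:
        tokens = {r["token"] for r in records if key(r) == fact}
        matches = tokens if matches is None else matches & tokens
    return matches or set()


if __name__ == "__main__":
    print("k under stored key:", min_k(RECORDS, qi_day),
          "unique tokens:", sorted(singleton_tokens(RECORDS, qi_day)))
    print("k under generalised key:", min_k(RECORDS, qi_month),
          "unique tokens:", sorted(singleton_tokens(RECORDS, qi_month)))
    print("two generalised facts still isolate:",
          link(RECORDS, qi_month,
               ("South", "childbirth", "2015-03"),
               ("South", "ankle fracture", "2017-11")))
```

Generalising dates to months and hospitals to regions lifts every single-record group to k >= 3, but a person with two known events is still isolated by intersecting the two groups; that is the scaling question the thread is arguing over, and it is the reason depersonalising a record is harder than dropping the name column.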