What are the risks?

In a computerized medical information system, we should be clear about what the risks are for the parties involved before we decide on an effective strategy to implement security. After weighing these risks, we can then assess the seriousness of these risks and the potential for these risks to be experienced. Only then can we design an appropriate security mechanism.

Risks that can be recognized immediately include:

• adverse health affects due to improper records, including possible loss of life. If a record contains incorrect information, then the patient may receive incorrect treatment and suffer ill health effects. This is a problem that exists already in paper-based systems, and it seems unlikely that it will be exacerbated by going to an electronic system.
• liability of providers. If incorrect records result in adverse health effects or other personal injury, then the party responsible for collecting, storing, and displaying this data may be held liable. When the medium of storage and delivery of medical information changes to electronic methods, there will be very little case law to guide liability decisions. This implies that computerized medical information will require much stronger methods of authentication and auditing than is currently used in practice.
• personal embarrassment. Our medical information is often some of the most sensitive information that exists about us. It can be an indicator of past or present behaviour that we might not like to be known widely. This is particularly true of celebrities, for whom there is a great deal of interest in medical details.
• loss of opportunity. As medical technology accelerates, we have observed that much more detailed and specific data collection is possible. At the same time, much more sophisticated (and some dubious) inferences can be drawn from this data. For example, a person's medical information may be used to make decisions about suitability for insurability, employment or promotion, political office, or even as a basis for investment decisions.