My country introduced what is called EPD (Electronic Patient File) a while ago by law. It is a huge system where all medical information is to be stored, so that when for instance, somebody is brought into a hospital after a car crash, their medical records can be retrieved. All medical providers are supposed to be be hooked up soon. Sounds pretty state-of-the-art huh? Well, apart from that bratty privacy thingy of course that not many of my countrymen care about, but “that has been taken care of very well”.

Yeah, well, the truth is that all users can get access to all medical records of all people and the only safeguard is hindsight: everything is logged and users can be held accounted for what they retrieve. The statement about that was that “Generally, doctors will use the EPD in an honorable way, and logging will have a dampening effect”. B.T.W., even I fully admit there is some sense in this methodology, as you can never know who will be rolled in where and when.

But then who are the users of the EPD and thus have that access?

  • doctors
  • specialists
  • nurses
  • doctors-assistants
  • physiotherapists
  • MD’s
  • pathologists
  • pharmacists
  • co-assitants
  • medical students
  • biochemists
  • physics
  • paramedics
  • dietists
  • their sub’s
  • ICT staff
  • police and secret service (in “special circumstances”)

Does this suddenly sounds less interesting? Not done yet: the law did not regulate who is responsible for the supervision of the EPD and how it should be done. Nor is there any budget for supervision allotted. Let alone who’s head will roll when the inevitable data leak is discovered. With a widely distributed system as the EPD and the nature of it (spotlight please!) hackers cannot wait to get their hands on it. As there is no such supervision, MD’s see dark clouds rolling in above their heads: they will be in the front line and patients will call on them first.

The responsible administration stated that misuse will be prevented through “the coherency between laws, security, supervision (?), communication and the chain of identification, authenticity, authorization and logging”. Riiiight. So I used the one escape left: send in a form that forbids the use of the EPD for my personal data.

How are things working on your end of the pond?