CTVotersCount has addressed the reasons why our trust in ATM’s cannot be translated into trusting electronic voting <read>. We have also compared evoting to supermaket scanning, gambling machines, and eletric meters.
In a recent blog post Avi Rubin compares the security risks of electronic medical records vs. electronic voting: A vote in favor of electronic medical records (with caution) <read>
We should be concerned:
amid this rush toward new technology, some doctors and several organizations such as Patient Privacy Rights have raised a yellow flag of caution. In this age of Internet hackers and lost laptops, just how secure, they ask, will these computerized medical records be? After all, it’s a lot easier for someone to waltz out of a hospital with a USB stick in their pocket containing 5,000 patient records, than with many boxes containing the equivalent paper records. Moving electronic records online can make them particularly vulnerable.
To some extent, these fears are justified.
But there is a difference. The challenges and risks of electronic voting and electronic medical records are different:
Yet what is true for voting systems is not necessarily true for electronic medical records. The adversarial model in these two applications is completely different. In a voting system, all parties should be viewed as adversarial. Everyone has a stake in the outcome, and there is no reason to believe every software developer, election official, poll worker or voter will refrain from tampering with the process. That doesn’t mean these people are malicious. It just means that we need voting systems that can be trusted, even when the people associated with the process are corrupt.
Contrast that with the medical records scenario. Computerized system designers and builders have every reason to want their technology to be secure, and little or no incentive to undercut this. Vendors will sell more systems if their technology is highly secure. Hospital administrators will seek the safest systems to protect patient privacy and keep their institutions off the front pages and out of the courtroom. For patients, the benefits are obvious.
There are many benefits yet the history of government programs such as the Help America Vote Act provide instructive cautions. We are concerned that money will be thrown at untested software, hardware, and procedures under the cover of a jobs stimulus program, yet provide few U.S. jobs and large profits. We need to look and evaluate cautiously before we leap. As Prof. Rubin says:
Still, we need to be careful. There are many wrong ways to make this transition. If history is any indicator, unless a concerted effort is made to require proper protection, the new medical systems will be no better than the insecure voting machines that many states have purchased. When money flows from Washington, vendors tend to spring up out of nowhere. The ones who gain traction are the ones with the best sales teams, the glossiest brochures and the best connections, but not necessarily the most secure systems. This has happened over and over again in every industry.
We need to make sure that security standards, including evaluation and testing procedures, are established before the billions are spent. Computer security experts in academia, government and industry should all be engaged to establish criteria and evaluation methodologies. We need support from all of the relevant stakeholders, including privacy advocates, the medical establishment, vendors and the technical security community.
Prof. Rubin’s conclusion:
We are facing a golden opportunity to improve the lives of millions of Americans by providing computerized storage and access for medical records. We can reduce or eliminate redundancy, waste, unnecessary exams and procedures, and medical errors. And, we can do it without inordinate risks to individual privacy. Nevertheless, while electronic records appear to be our destiny, the privacy of those records will only be preserved if we are careful and do this right. There will be no second chances.
We would go further outlining the necessary cautionw. In addition to “the privacy of those records will only be preserved if we are careful and do this right.” We can also only “reduce or eliminate redundancy, waste, unnecessary exams and procedures, and medical errors” if we are “careful and do this right”, evaluating the total system. We must be careful that the system actually reduces medical errors. We could have a system that is costly, insecure, useless, and perhaps deadly. Yet, with caution and care we could have a system that is efficient, effective, secure, and life enhancing.
This is out of CTVotersCount’s realm to take a position. Perhaps nobody should be for or against a national program for electronic medial records. Instead either “conditionally for” the concept, yet witholding complete endorsement awaiting a comprehensive, thorougly evaluated plan. Or “conditionally against”, skeptical of past rushed plans, yet open to the possiblity of an effective plan being proposed. In any case, there are significant analogies between electrion medical records and electronic voting, yet also critical differences.
