RFID: A prescription for privacy


Published in: Business, Technology

RFID has enormous potential to improve patient care and reduce health-care costs. It’s also become a lightning rod for patient privacy concerns. How do you move forward with this vital technology?

Radio Frequency Identification (RFID) plays a broad and rapidly growing role in the digital transformation of the health-care sector. But the technology’s ability to transmit and receive data from a distance and track physical location—potentially without an individual’s knowledge or consent—has also raised privacy concerns.

Is there a way for health-care providers to move forward to leverage the enormous potential of RFID to improve quality of care and reduce costs, yet also protect patient privacy? The answer, according to Ontario’s Information and Privacy Commissioner and HP Canada, is an emphatic yes.

In fact, Ann Cavoukian, Ph.D., Information and Privacy Commissioner (IPC) of Ontario, and Victor Garcia, Chief Technology Officer for HP Canada, recently co-authored a 37-page white paper to promote responsible adoption of RFID technology in health care. RFID and Privacy: Guidance for Health-Care Providers explains how the technology works; describes the ways in which it is already being used by providers around the world; and offers expert guidance to health-care officials.

Important and controversial

Invented more than 60 years ago as a way to distinguish friendly from enemy aircraft in World War II, RFID is a radio-based system that essentially still consists of a radio transmitter and readable tag—although with increasingly sophisticated capabilities that enable it to be used in ever more innovative ways.

“RFID is a very important and controversial topic,” says Commissioner Cavoukian, one of the world’s leading privacy experts. “One of the things that we do in the white paper is to clarify and debunk many of the myths associated with it.”

She and Victor Garcia served together on the working group for RFID and Privacy for EPCGlobal, an industry-driven standards body for the Electronic Product Code™ (EPC). Both were concerned that unaddressed privacy concerns could slow realization of the considerable health and cost benefits RFID solutions promise.

“HP is very conscious of the need for privacy as we work with the health-care sector to apply RFID and other technologies to enhance the quality of care,” says Garcia. “We understand the healthcare sector, and the technology. HP has been using RFID in its operations longer than many others.”

“When HP approached us to work on privacy issues with RFID in healthcare, we were delighted,” says Dr. Cavoukian. A firm believer in the role that technology can play in protecting privacy, the commissioner was impressed by the HP commitment to privacy, its use of the EPCGlobal logo to alert consumers to product packages with an RFID tag and a policy of always informing individuals about RFID use.

Assess the risk

For many RFID health-care applications, there is actually very little privacy risk, because no personally identifiable information is involved. Some hospitals, for example, have begun using RFID-based systems to track the equipment, instruments and sponges used in surgery to ensure that these are not left behind inside a patient.

“People die from this,” says Dr. Cavoukian. “It is such an easy thing to remedy. With an RFID tag on every piece of equipment, it could take a few seconds, as compared to 20 minutes, to do an accurate inventory.”

Privacy by design

When RFID applications link to data that identifies an individual—either directly, say, with a hospital ID bracelet, or indirectly, through a package of prescription medicine—precautions must be taken.

The answer is to holistically and proactively assess and address privacy and the application of technology from start to end—an approach that the IPC calls “privacy by design” and HP refers to as “architected IT.” Encryption, coding information, the appropriate security technology and severing personal identifiers from transactional data are just some of the ways privacy can be embedded in the design of an RFID solution.

It’s a mistake, however, to think of privacy only from a technological point of view, says Garcia.
“In a way, RFID has been a lightning rod for privacy concerns, but the fact is you can walk into many nurses’ stations today and find private patient information. In fact, RFID can enhance privacy because information is accessible using special devices, rather than it being just written down. So, it’s not just technology, but policy, governance and process issues.”

Another misconception that Dr. Cavoukian’s office works hard to overcome is that privacy is a “zero-sum” game—in which more privacy necessarily means less of something else. A classic example is the argument that people must give up personal privacy in exchange for greater security.

“We couldn’t disagree with that more,” she says. “Privacy doesn’t have to be adversarial. It can be designed into a system in a positive sum or win/win way, in which one catalyst builds on the other. So, for example, the more privacy you have, the more security you have—and the greater the protection in the whole.”

Follow the personal information lifecycle

Health-care providers must also avoid the tendency to focus narrowly on the interaction between tag and a reader. Instead, they must see RFID as part of a larger system—and map the flow of personally identifiable information throughout that system.

“We’ve seen it with wireless technology, with mobility, with rich media and now, with RFID. When new technologies emerge, so do the experts,” says Garcia. “People learn about the specific technology, but they don’t understand all of the implications, or take the care needed to protect privacy.”

“Anytime you interface with identifiable individuals and their information is captured in any capacity, then you have privacy interests,” says Dr. Cavoukian. “The proper governance structure is essential to control how this information is collected, retained, used, and who has access to it.”

Develop a culture of privacy

Given the sensitivity of personal health-care information, it’s especially important for providers to develop a culture in which privacy is top of mind for everyone in an organization.

“Privacy starts from the top, with the Board of Directors and senior executives. It is not just the responsibility of one group or a chief privacy officer,” says Dr. Cavoukian. “A culture of privacy must be infused throughout the entire organization, so that everyone understands that protecting patient information is part of your core business.”

As RFID technology continues to develop, with the prices dropping on ever more miniature and active tags, able to incorporate more sensors, hold more data, and exchange information over greater distances, the possibilities and the challenges grow.

“You can’t think you’re going to retrofit it or re-engineer privacy after the fact,” says Dr. Cavoukian.
“You have to architect it in from the start.”

Start now

To help organizations get started, the IPC and HP have worked together to develop a Privacy Impact Assessment (PIA) for RFID in health-care applications.

“Our office can offer tools like PIAs, advice and training,” says Dr. Cavoukian, “but we don’t have the resources HP does to help design and roll out solutions.”

“We use the tool to help assess potential issues in privacy, just like we use security, network intrusion and other assessments to identify risk—and recommend actions that may or may not include technology,” says Garcia.

RFID can save lives, the co-authors agree, but only if healthcare organizations proactively address RFID privacy concerns.

“How sad would it be if a technology that could save your life is not used because it is misunderstood or wrongly implemented?” asks Mr. Garcia.

Download the white paper: RFID and Privacy: Guidance for Health-Care.

Visit the Ontario Information and Privacy Commissioner (IPC) website.