U.S. hospitals are gearing up to scan unconscious and disoriented patients for implanted microchips. To encourage patients to get tagged, VeriChip, the chips maker, plans to give away scanning equipment to hospitals.
Because the chips could be scanned without peoples consent or knowledge, the news has sparked visions of a world where a Big Brother government (or employer) monitors peoples movements. The real danger is much more low-tech: the use and abuse of patients medical information.
According to the Washington Post, the chip maker plans to equip 200 hospitals by the end of the year. Doctors in some communities are already offering the procedure to patients.
If were lucky, this marketing strategy will spark a nationwide debate not about tracking technology but how individuals medical data should be shared and protected, and what should happen when such protections fail.
When the FDA approved this device in 2004, I shrugged. The microchip does not contain any information in itself, just a 16-digit number that could be used to pull up an electronic file in a database connected to the Internet.
Unless hospitals would scan for the chip, access the Web site, and trust the data it contains, the microchip would not help patients.
Quite frankly, I didnt see many takers. According to announcements around the time of the FDA approval, the chips dont come cheap.
Patients would pay between $150 and $200 for the implantation, and then about $120 a year to have their medical information stored in the Global VeriChip Subscriber Registry. This is more expensive than other emergency-access systems that use bracelets or ID cards. Plus, since patients have to create or maintain the records themselves, doctors might not trust them.
But the first hospital to begin routinely scanning patients, Hackensack University Medical Center in New Jersey, uses the identifier to access information in its own medical record system, says VeriChip spokesperson John Procter.
Applied Digital Solutions, VeriChips parent company, maintains a separate database, where patients enter their own medical information and specify which health care providers can have access to it.
If the Global VeriChip Subscriber Registry becomes widespread, it could be a treasure trove of data. In fact, it could become an access tool for the planned National Health Information Network, designed to make patients medical information available to providers anywhere in the country.
Just to entertain our own sci-fi scenario, Faculty of Sciences in Amsterdam gave evidence that hackers could infect RFID tags with a virus that could then infect the database storing information.
The researchers found 127 characters stored on a cheap RFID chip could launch attacks against and Oracle Database and an Apache Web server.
They did not, however, use commercially available software in their distribution. RFID vendors were quick to say such attacks are not feasible.
Of course, hackers need not be so sophisticated. Guessing or stealing passwords would work just as well to access or compromise information.
Indeed, such breaches have already happened. The more data collected in one place, the more attractive the target to hackers, and the more damaging a successful attack.
Having medical information pulled up through RFID may make the data slightly less secure because the 16-digit identifier could be obtained without patients permission, assuming that person got close enough with a scanner.
The underlying issues about medical privacy are exactly the same. The chip bit just makes the topic a bit more media friendly.
Lets hope it makes the nitty-gritty discussions about medical privacy more likely.
M.L. Baker is health IT and biotechnology editor for Ziff Davis Internets Enterprise Edit group. She can be reached at baker@ziffdavis.com.