Why does American medicine still run on fax machines? (vox.com)
46 points by oftenwrong on Oct 31, 2017 | 51 comments


And so insecure too. My fax machine's number used to be 1 digit off from a pharmacy's. I used to get more faxes of other people's private prescriptions than genuine faxes intended for me.


Point taken, but given the hacks I'm almost certain that while fax machines are insecure, at least the damage is very limited/targeted. Now just imagine an EquiHealth hack... AIDS diagnoses, other STDs, infertility, etc. etc. records out there--forever.


You're being downvoted but I think you have a point. A lot of the old tech is not secure per se but doesn't concentrate data in one system. Most newer systems have a single point from where you can access all data. If Equifax had been based on paper and fax, no one would've been able to steal 150mn records.


I don't care about downvotes. Most of the time I don't write a lot, so most is left to be processed. So, many times, even if I'm right, I could get downvotes for that ;).

But yeah, since we can't secure anything connected to the internet (a lot of big boys got hacked) or to a central db, we have to go to plan B.


America's infrastructure is behind in many ways.

Bank transfers are arcane, no chip n pin, fax machines, etc. etc.

I'm moving through West Africa, where these problems have been solved 2+ years ago.


America's infrastructure is behind other developed countries because once upon a time it was AHEAD of its time. When you have a legacy infrastructure that is good enough, it is harder to justify the cost of replacing it with something else. African countries, or Eastern European ones, didn't have this dilemma because they didn't have a legacy infrastructure to deal with.


All western countries had faxes, magnetic strip cards, paper check payments, etc. And most of them have no traces of that.

I think there must be some other element to it as well, and it's probably not only "well US is big". I think one is the diversity of states and companies. Having tons of systems and businesses communicating over several state borders with varying regulations, it's very easy to just settle with the lowest common denominator which might be faxes, cash etc.

Second, I think it's a big cultural difference. In the EU for example (which is looked on with at least as much suspicion as "federal government" in the US) we see it as an important job of central government to put aggressive timelines on the introduction of modern tech. Because things like this (chip + pin, for example) are a herd immunity thing where the cost to upgrade is only motivated if customers actually have the cards etc., we are very happy to see legislation requiring non-chip credit cards to be phased out, for example. Technological advance like this, or environment rules etc., is NOT seen as overreach, where a lot of other laws would be.

Third, it's the power of corporations in relation to government. If corporate lobbyists see that a regulation will affect their bottom line (such as all of retail having to buy chip+pin equipment within 3 years) they protest. In the EU, there is just no chance that a retail lobby would be able to resist EU legislation that was advertised as good for consumers.


Chip and pin was also about pushing the liability onto the consumer.


I never heard any discussion about liability difference in the EU.

Now: before chip + pin the cards were magnetic strip + pin. I never had a pin-less card. Perhaps that is a difference?


> America's infrastructure is behind other developed countries because once upon a time it was AHEAD of it's time

This is ludicrous. Look at this timeline[0]:

    2008 SEPA pan-European payment instruments become operational (parallel to domestic instruments)
    2010 SEPA payments become dominant form of electronic payments
    2011 SEPA payments replace national payments in the Eurozone
    2014 SEPA becomes fully operational in all Eurozone countries.
    2017 Instant SEPA payments of up to 15,000 euros within 10 seconds, starting 21 November

And that's not counting national norms like RIB[1] that have allowed for trivial domestic next-day transfers since even before I opened my first bank account like 20 years ago. Same goes for chip and pin, which was basically ubiquitous even then. Now NFC payment terminals have basically been deployed everywhere over here across a couple of years, which means things like Apple Pay just work (and Android Pay, if Google cared enough about non-US/UK/Canada/Australia markets).

So the argument is "US was so advanced multiple decades ago that it rather stood still despite massive inconveniences to the end user". Breaking news: it wasn't ahead of its time at all even 20 years ago, and free market competition didn't do squat to make the situation change; policies enacted in the interest of the consumer do.

[0]: https://en.wikipedia.org/wiki/Single_Euro_Payments_Area

[1]: https://fr.wikipedia.org/wiki/Basic_Bank_Account_Number#Le_t...


At least part of it is that no one has come up with a document format that suits everyone. Doctors want to scribble notes with a stylus, but when you digitize that you don't really gain anything; other systems don't know how to interpret those scribbles. Suggesting doctors enter fields into a form instead of scribbling notes will get you nowhere; doctors are the stupidest and most stubborn smart people you will come across. Not that this is perfect anyway: sometimes you really do just need those random notes that don't really fit anywhere else. Some of the younger ones will type instead of scribble, but it's still mostly free-form text and not data. The industry is still stuck on the idea that one doctor visit == one patient record as well; the thought that doctors could input blood pressure readings in their own section and have it display the history as a spreadsheet (or even a graph) has not gained any acceptance.

So it's not just about how we transfer information but how it's created as well; we haven't invented the right set of primitives to store it in the first place. I've spent a bit of time thinking about how I'd improve things and think things need to be more like emacs org mode or a jupyter notebook than any current EMRS, but even that might have to wait for a generation of scribblers to die.


> Suggesting doctors enter fields into a form instead of scribbling notes will get you nowhere,

Maybe in the US, but in the UK and Ireland, all my doctors' notes have been typed into a system that is shared among all the doctors in the practice. Last time I went for an MRI I was given a CD with the MRI on it, and I brought it with me to my next appointments.

> doctors are the stupidest and most stubborn people you will come across

That's not fair. When I was in university most of the old professors still used overhead projectors and taught the same course from 20 years ago. When I bought my house my solicitor faxed everything, and posted me out the originals of the documents I needed, which took up an entire A4 binder. Developers seem almost bipolar; on one hand you have the "must use shiny new tech" and on the other hand, you have people who won't update third party libraries ever. We're still stuck with the same representations of data that we had 40 years ago, and broadly the same basic tools. C and C++ still literally copy and paste header files when including them, all in the name of backwards compatibility.

My (long-winded) point being, all professions have their own stubborn qualities, and pinning it on old people or a specific profession is wrong.


From working with a variety of ticketing systems, any veteran dev will be able to tell you just how painful it is to work with multiple fields. Entry is never zippy. The more fields you have, the more painful it is. Most devs, given the choice, will use a ticketing system that is basically free text + a ticket title. If devs, who live and breathe tech, can't comfortably handle the idea of splitting information over various fields (for superior tracking and analysis), why should doctors be any different?


How else would they be transferred? E-mail isn't secure enough.

Perhaps a partial answer to the question is, "because the IT industry hasn't provided the world with a secure, widespread, public communication medium" (by public, I mean one not controlled by a private company). The IT industry gets a lot of praise, but there are a lot of gaps in performance that we have become accustomed to overlooking.


I am not sure if fax is more secure than E-mail. When I still had my machine I usually received several faxes per year with confidential information. It was always lawyers who had mistyped the fax number. And most of them used redial so they kept sending stuff until I told them they had the wrong number.


There's much more to security than misaddressed messages. Email is sent over the Internet, often in the clear, exposing it to many intermediaries, including both business and government, which use mass surveillance of email to collect data on users. Email ends up on many devices, from multiple servers to multiple endpoints (sender's and recipients' laptops, phones, etc.) to backups. Email security is so hard to achieve that many security professionals have given up and design new messaging systems such as Signal.

> I am not sure if fax is more secure than E-mail

However, I do agree that the difference isn't great because many fax systems, sending and receiving, utilize email anyway.


A common method used in the UK is EDI (electronic data interchange).


Half of Japan still runs on fax machines. They can still be a useful technology.

http://www.nytimes.com/2013/02/14/world/asia/in-japan-the-fa...


And hence the ubiquitous fax copy scan multifunction machine in every convenience store.


The answer is simple. Regarding technology, _most_ people are still in the 1980s.

More than anything, this is proof that tech industry salaries are on average _way too low_. Stop working for peanuts. Let them go back to pen and paper. Let their corporations collapse. Demand to be paid what you're all worth.


On this note, one of the divisions of the company I work for is hiring a Python/Django developer in the Syracuse, NY area - https://www.indeed.com/cmp/Noble-Health-Services/jobs/Applic...

Change healthcare, develop for a pharmacy!


What should they use instead? Email isn't secure enough. Email didn't get a forced TLS/GPG upgrade (compared to the web's HTTPS).


Create a protocol or API spec on top of HTTPS or something else and use it. I don't know where you are, but surely the government can just say "hey guys, support this secure protocol before 2022 or you're out".

I can log on and read any of my medical records at any time and the information is aggregated from multiple sources. What's the issue?

If you use fax you won't even be able to see some kind of central audit log for your data. That's pretty crazy.


> Create a protocol or API spec on top of HTTPS or something else and use it.

This is basically what they've done with EDI/X12 over AS2, which was also mandated by HIPAA. The problem is that EDI is a pain to work with as a data format and hooking up to other trading partners can take weeks of coordination between IT teams (sending "implementation guidelines" back and forth). When EDI is the alternative it's not hard to see how the fax machine survives.


Email is roughly as secure as you care to make it. Better than stupid phone lines at least.


Much easier to hack say the DCI's mail account than say tap his phone line eh :-)


It's a big and still-unsolved problem, but it's more than just TLS - need a proper set of APIs and platforms. We happen to be working on this, but it's not done yet... :-)


Care to say who "we" are? This sounds very interesting!


>The clinic has digitized its own patient data. But its electronic system can’t connect with other clinics’ records. So when doctors want to retrieve records from another office — an ultrasound for a pregnant patient, for example — they have to turn to the fax

Haven't these people at least heard of email?


They've heard of it, but aren't going to use it. Email is generally not encrypted when stored at rest in many hops along the way, which should be considered insecure.

While fax is unencrypted, it's generally not stored in any intermediate systems and has established history of being considered HIPAA compliant.


If email is encrypted, why does it matter that it is stored in any intermediary place along the way?


Email actually generally isn't encrypted. Sure, you can do things like PGP encryption, but not even some of its formerly strongest advocates bother anymore. Consider email open to anyone between you and the recipient.


I missed a negative. I've updated my comment.


Security by presumed obscurity. We have a winner.


It's a bit more complicated than that. The real story is a combination of:

1. US health care privacy law (primarily HIPAA) has an "analog hole" of sorts. Basically, the security rules around phone/fax communications are far simpler and easier (and thus cheaper!) to comply with than the rules around things like digital networking. So people look at this, see that faxing things and then scanning them (or even paying people to do manual data entry) is cheaper than using more modern techniques and incurring compliance costs for the stricter security rules.

2. Doctors don't upgrade technology unless they have to. New systems cost money, and they don't want to spend money. Fax machines are established, understood, cheap. And they are actually one of the least scary things about the health system -- you don't want to know how many doctors are managing their records and interacting with insurance websites through IE on Windows XP, or even worse setups.

3. For all the crap you might throw at faxing as a way to do things, you have to admit it's easy. Electronic health record systems are a nightmare of badly-specified, horrendously complicated formats that no two vendors ever implement the same way. When consumers of electronic records, like insurers, sign up for clearing-house services a good bit of what they're paying for is getting to make this someone else's problem.


Security by obscurity isn't military grade security but it's a lot better than insecurity by non-obscurity if those are your only two options.


Sure, but it's incredibly rare that such a neat dichotomy exists. In reality, there are plenty of alternatives, yet we stick to ones we perceive as more secure. I've heard the argument that fax is preferred over email because "you can just edit an email", and this highlights the issue. The difficulty bar is raised just a tiny bit for fax, yet the scrutiny is dropped right down.


And set up properly, faxes can provide proof of delivery.


Most modern copiers have the ability to encrypt PDF files. The password is the problem. There are also some email providers who serve healthcare that offer security that abides by HIPAA rules. The solution is there. It's mandating a standard that facilitates the flow of data that is not.


Old tech like fax will die when the independent doctor's practice as a viable business model dies, within fifteen years. Most of us already see physicians through network orgs like PAMF in the Bay Area, who migrated to digital tech internally long ago and are slowly replacing independent practices. I have never seen a physician use paper for any reason in PAMF.


My city has a large, world-class Children's Hospital, but the administration there is ridiculously political, and the doctors will change nothing to make things more efficient.

A colleague of mine had a son who needed to get seen there. They asked him to fax in the admissions forms. Who has a fax machine? He found somewhere and faxed them in, in a couple of jobs. Nope, can he fax them so they all come through in one continuous job. So he goes back and faxes them again. Nope, can he fax them so that the documents arrive in the right order? So he decides to go to a different children's hospital in the city.

I had a friend who worked in the QA dept of that hospital and tried to get processes improved. He said that any time you tried anything, the relevant head of department would say "If we make this change, children will die". Everyone around the table would know the lie for what it was, but the head of dept had the final say if it involved child health.

In short, faxes will still be going strong there for a while yet, and they're a big hospital. :)


Two words: "HIPAA compliance"


I'd like to see a similar piece about the law and banking industries.


Well, that's increasingly solved by companies like Stripe & Gusto.


Insurance as well.


Faxes are considered the only secure communication channel by medical companies. Email is not secure. The Vatican has the same stance. The pope communicates via fax the majority of the time, per 60 Minutes.


Which is utterly insane, because faxes aren't encrypted. All anyone would have to do is tap into the phone line and copy the signals and they could print out any fax that was sent over the wire.


I mean they have a few niceties like having to physically be in the same spot to interact with it and lacking any sort of central discoverability. There’s not really an equivalent to email:francis@aol.com password:p0p3 and having anybody with a computer getting a copy.


Paging Pokitdok, Hashed Health, Change Healthcare etc.


The American health care system needs changes in many ways.


Same in Australia too.
