June 30 2005

Straight from the Shoulder
John Halamka, M.D.

When I was a resident in emergency medicine, I spent many hours uncovering the identities of John Doe and Jane Doe patients who were unconscious, disoriented, or mute. I searched their belongings for receipts that included an address or scanned their clothing labels for a clue. Sometimes this worked. Often, hours or days passed before a family member was found who knew the patient’s medical history and health care preferences. By that time, substantial worry had been endured, and often possibly unwanted medical interventions had occurred.

Today, I lead the informationtechnology efforts at an academic health center, and I have recently encountered an innovative use of technology that could minimize such difficulties. The Food and Drug Administration has approved an implantable device that can store the medical identifier of a patient. Last December, one of these chips was placed in my right upper arm. Implantation was virtually painless — a few milliliters of local anesthesia and the insertion of a device about as large as a grain of rice (see photograph). It sits in the posterior aspect of my right arm, between the elbow and the shoulder. The days after the implantation were uneventful: no pain, no infection, and no restriction of activities. Now, when a scanner is passed within 6 in. (15 cm) of my arm, my medical identifier is displayed on the screen of a radiofrequency-identification (RFID) reader, and any authorized health care worker can turn to a secure Web site hosted by the manufacturer and retrieve information about my identity and the name of my primary care physician, who can then provide details of my medical history.

The chip consists of several small components enclosed in an unbreakable glass capsule that is partially surrounded by a coating that encourages body cells to adhere to the capsule and prevent it from moving. Although the device relies on the same technology that is used for implanted identification in animals, the frequencies used and the manufacturing standards are different. On the basis of experience with pets, the chips can be expected to last at least 10 years and probably much longer than the average human life span. They can safely undergo magnetic resonance imaging (MRI). The device does not generate harmful heat and will not be pulled from my body by an MRI magnet, nor will the magnetic field deactivate the chip. I have flown to several cities since the implantation and have not triggered airline security systems.

A handheld RFID reader scans the chip, which transmits to the reader my medical identifier, a 16-digit number. The chip does not contain demographic or medical data about me. No battery needs replacing. The chip is not an active RFID tag or global-positioning device transmitting information about my location. My identifier was set during the manufacturing process, and it cannot be altered externally.

The primary concern aroused by such technology is that of privacy. Some radiofrequency chips, such as those used at gasoline stations or in automobile-ignition keys, contain encrypted information about a user’s account number or information needed to start the car. Chips approved for implantation in humans are not encrypted and thus can be read by many radiofrequency readers.

Since my chip contains only my medical identifier, unauthorized reading would not disclose health information. But nothing is simple. In the film Minority Report, Tom Cruise’s character strolls by billboards at a shopping mall that change as he approaches in order to deliver customized advertising. Without any interest in who I am, a scanner in a mall could record my presence when I make a purchase and, on a later visit, display a personalized message on a large screen — “Hi, there! You were here three months ago and purchased a fountain pen. We’re having a special on ink today; would you prefer blue or black?” Such “spam,” generated by my chip, is a theoretical but possible violator of privacy. Today, no legislation would preclude the scanning of people for anonymous tracking, an activity analogous to what virus-like programs such as “spyware” and “adware” do when they infect our computers after we surf Internet sites. Such a concern is certainly real.

Although future chips may contain cryptographic identifiers that prevent their disclosure to unauthorized readers, hackers are already at work bypassing chip
security. This past January, industry experts announced that they had broken the encryption of the Mobil Speedpass and automobilekey security.1 Using an ordinary personal computer, they “bought” gasoline and started a car without needing the actual chip. Clearly, the technology will improve, but so will the ingenuity of hackers.

Currently, my identifier is listed as one of my medical-record numbers in the computer system of Beth Israel Deaconess Medical Center, which has internal security controls. When a credentialed clinician enters the information read from my chip into the system and retrieves my medical history, that lookup is audited.
Inappropriate peeks — which can be monitored by the patient as well as by our privacy officer — result in firing.

For some, implanted health care identifiers might quickly prove useful. For patients with Alzheimer’s disease who wander away from home, an identifier that enables caregivers to identify nonverbal or confused patients and determine their health care preferences could be very desirable. However, inserting a chip into a patient who is incapable of giving consent raises ethical issues. Presumably, the patient would have to consent at an early stage of such a disease.

A few emergency departments now have RFID readers that can scan these chips. Since currently very few people (all of them healthy volunteers) have such chips implanted, it is too early to assume that the average caregiver’s office will be capable of retrieving patients’ information. The technology is not cheap: although the cost of implantation will vary from practice to practice, each chip costs $200 and a reader costs $650. But I believe that patients and their caregivers should discuss the risks and benefits of implanted tags in order to make an informed decision about their appropriateness.

After months of living with the device, I have had no side effects, no pain, no change in muscle function, and no migration of the chip. I have exposed myself to extremes of temperature, wind, water, and several physical impacts while rock and ice climbing; the chip is working fine. If I want to “upgrade” my chip — replace it with a future version that uses more advanced and detailed industry standards or enhancements — removing it will require only minor surgery.

As I researched implantable identifiers, I found substantial controversy about the notion of being “chipped.” A Google search for “RFID implant” yields thousands of pages about Big Brother and 1984 as well as The X-Files and the idea of alien abduction. It is clear that there are philosophical consequences to having a lifelong implanted identifier. Friends and associates have commented that I am now “marked” and have lost my anonymity. Several colleagues find the notion of a device implanted under the skin to be dehumanizing. I have not investigated these or other moral, religious, or political implications of having an implanted identifier. I was chipped in order to evaluate the technologic, privacy-related, and medical issues as they affect the provision of patient care. On the basis of my unscientific study with a sample of one, I conclude that there may be appropriate uses, that there are privacy implications that must be accepted by the implantee, and that we need to establish standards that permit seamless, secure access to information.

Dr. Halamka is the chief information officer at the CareGroup Healthcare System and an emergency physician at the Beth Israel Deaconess Medical Center, Boston.
Bono S, Green M, Stubblefield A, Rubin A, Juels A, Szydlo M. Analysis of the Texas Instruments DST RFID. (Accessed June 30, 2005)