Summary: A lecture by Miriam Meckel reminded me of the importance of reciprocity in healthcare relationships.
The lecture by Miriam Meckel presented results of a study on building trust on internet. They picked ten realistic things that are part of establishing trust. Then they examined surveys over 1 year for a variety of B2B and consumer organizations. These were studied for primacy component analysis to see what drives trust the most.
Biggest factor is "reciprocity". This is the agreement by both sides that their expected actions make sense and are appropriate for the nature of the relationship. A very simple example is that customers expect to pay for goods delivered. This reciprocity is a factor independent of contract or other terms. It applies to later discoveries, undisclosed activity, etc.
Reciprocity was 1/3 of the determination of trust.
Also noted was the penalty for violating reciprocity expectations. A slimey crook who presents as a crook is not trusted to begin with. A trusted relationship that then has a reciprocity failure is treated as a major betrayal. The betrayer becomes much worse than an untrusted crook. They are an enemy to society.
Three factors are responsible for the next 1/3 of establishing trust:
- Technical reliability. This means all aspects of the relationship work smoothly and without problems. It's much more than just web site stabiltiy.
- Customer control. The more that the customer determines the relationship and activities, the greater the trust.
- 3rd party recommendations.
So, with four reasonably well defined areas you get 2/3 of the trust establishment, and reciprocity is the dominating factor.
This has some relevance to healthcare and its security. The trust relationship is important to most aspects of healthcare.
One result is that the risk assessment priorities for security analysis need reconsideration. It's true that inappropriate disclosure is a risk. I would consider that a technical reliability problem. But, reciprocity, patient control, and 3rd party recommendations are also assets to be protected.
This also points to a flaw in an argument that I hear often regarding data losses. The many disclosures due to stolen laptops are discounted because the data is rarely actually disclosed. In practice the laptop is wiped, because the thief stole it for resale. Wiped laptops are easier to sell. That's an argument dealing with the 10% factor of technical reliability failure. This argument ignores the reciprocity failure, and leaves the vendor open to enemy of society treatment. That's a big loss of an important asset.
The solution to the reciprocity failure is some mix of
- have the customer accept that the loss is reasonable. This is the rather unpopular "there is no privacy any more" argument.
- make sure the customer knows that you cannot be trusted with their data. This downgrades you from enemy of society to merely not trustworthy.
- don't lose data on laptops
We need to add the assets of reciprocity, reliability, customer control, and 3rd party assessment to the risk analysis mix. It's more than loss of data and data disclosure.
I've seen two other related problems in healthcare.
- "Consent"s, which are important but generally bungled. Reciprocity does not mean that you told me something would happen. Reciprocity means that when I later learn about it I agree that it was appropriate. Consent is only part of reciprocity to the extent that it ensures that the customer understands the other side and knows who not to trust.
- The "patient control" implementations that I've seen have generally asked the patient to do the impossible. The patient is expected to make an agreement while under extreme stress, inadequately informed, and with no time to get proper advice or more information. Then the agreement is used to rationalize all kinds of reciprocity failures. They would do better to deal with the reciprocity failures in most cases, and concentrate patient control on situations where the patient is not under stress, has adequate information, and the time to make an informed decision (including getting 3rd party advice).