As a medical doctor I extensively use digital voice recorders to document my work. My secretary does the transcription. As a cost saving measure the process is soon intended to be replaced by AI-powered transcription, trained on each doctor’s voice. As I understand it the model created is not being stored locally and I have no control over it what so ever.

I see many dangers as the data model is trained on biometric data and possibly could be used to recreate my voice. Of course I understand that there probably are other recordings on the Internet of me, enough to recreate my voice, but that’s beside the point. Also the question is about educating them, not a legal one.

How do I present my case? I’m not willing to use a non local AI transcribing my voice. I don’t want to be percieved as a paranoid nut case. Preferravly I want my bosses and collegues to understand the privacy concerns and dangers of using a “cloud sollution”. Unfortunately thay are totally ignorant to the field of technology and the explanation/examples need to translate to the lay person.

  • privsecfoss@feddit.dk
    link
    fedilink
    arrow-up
    49
    ·
    edit-2
    9 months ago

    I don’t where you live. But almost all of bigtech US cloud is problematic (Read: Illegal to use) for storing or processing of Personal information according to the GDPR if you’re based in the EU. Don’t know about HIPPA and other non-EU legislation. But almost all cloudservices use US bigtech as a subprocessor under the hood. Which means that the use of AI and cloud is most likely not GDPR-complaint. Which you could mention to the right people and hope they listen.

    Edit: It’s illegal to use for the processing of the patients PII, because of transfer to insecure third countries and because bigtech uses the data for their own purposes without any legal basis.

    Edit 2: The same is the case with your, and your colleagues PII.

    In my opinion privacy and GDPR is the same in this case. I think most public authorities is required to have a DPO, fx hospitals or the relevant health authority. The DPO can help answer your and your bosses questions on the mentioned questions.

    Hope you figure it out.

    • FlappyBubble@lemmy.mlOP
      link
      fedilink
      arrow-up
      36
      ·
      9 months ago

      I agree and I suspect this planned system might get scuttled before release due to legal problems. That’s why I framed it in a non legal way. I want my bosses to understand the privacy issue, both in this particular case but also in future cases.

    • pearsaltchocolatebar@discuss.online
      link
      fedilink
      arrow-up
      17
      ·
      edit-2
      9 months ago

      You don’t have to use a cloud service to do AI transcription. You don’t even need to use AI. Speech to text has been a thing for like 30+ years.

      Also, AWS has a FedRAMP authorized Gov Cloud that’s almost certainly HIPAA (and it’s non-us counterparts) compliant.

      Also also, there are plenty of cloud based services that are HIPAA compliant.

  • Spyder@lemmy.ml
    link
    fedilink
    arrow-up
    43
    ·
    edit-2
    9 months ago

    Do your patients know that their information is being transcribed in the cloud, which means it could potentially be hacked, leaked, tracked, and sold? How does this foster a sense of distrust, and harm the patients progress?

    Could you leverage this information and the possibility of being sued if information is leaked with the bureaucrats?

  • macniel@feddit.de
    link
    fedilink
    arrow-up
    16
    arrow-down
    3
    ·
    9 months ago

    Shouldn’t that be a HIPAA violation? Like you can’t in good conscious guarantee that the patient data isn’t being used for anything but the healthcare.

    • FlappyBubble@lemmy.mlOP
      link
      fedilink
      arrow-up
      13
      ·
      edit-2
      9 months ago

      My question is not a legal one. There probably are legal obstacles for my hospital in this case but HIPAA is not applicable in my country.

      I’d primarily like to get your opinions of how to effectively present my case for my bosses against using a non local model for this.

    • Szymon@lemmy.ca
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      9 months ago

      It is until they prove it isn’t, which they might not be able to do. Many trusted 23andme only to see private data stolen. Make the company prove the security in place and the methods ensuring privacy, because you’ll essentially be liable for any failures of the system from a lack of due diligence.

      • lewdian69@lemmy.world
        link
        fedilink
        arrow-up
        4
        arrow-down
        6
        ·
        edit-2
        9 months ago

        Voice recognition dictation has been used in the medical field for over a decade, probably even longer. My regional health system of multiple hospitals and clinics has been using an electronic based, like Dragon dictation, solution since at least 2012. Unfortunately in this case op is being overly paranoid and behind the times. I’m all for privacy but the HIPAA implications have already been well sorted out. They need to either learn to type faster or use the system provided that will increase their productivity and save the health system an fte that used to be used on their transcriptionist which can not be used more directly to care for patients.

        • BearOfaTime@lemm.ee
          link
          fedilink
          arrow-up
          9
          arrow-down
          1
          ·
          edit-2
          9 months ago

          “Overly paranoid”, with the practically-daily breaches of cloud-based systems today?

        • Boozilla@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          edit-2
          9 months ago

          It is true that Dragon and similar apps have been used for years. But I don’t think it’s fair to say OP is being paranoid and a luddite. Data breaches in the cloud are a weekly occurrence, and OP wanting to protect their voice / biometrics is not foolish it’s smarter than the average bear. You can change a compromised password. You can’t change your biometrics or voice.

          Also, those products were used on local networks for many years before they entered the cloud. They gradually reduce our privacy over time, getting people numb to it.

  • Boozilla@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    edit-2
    9 months ago

    Will they allow you to use your own non-cloud solution? As long as you turn in text documents and they don’t have to pay a person to transcribe, they should be happy. There are a number of speech to text apps you can run locally on a laptop, phone, or tablet.

    But of course, it’s sometimes about control and exercising their corporate authority over you. Bosses get off on that shit.

    Not sure which type of doctor you are, but there’s a general shortage of NPI people. I hope you can fight back with some leverage. Best of luck.

    • FlappyBubble@lemmy.mlOP
      link
      fedilink
      arrow-up
      11
      ·
      edit-2
      9 months ago

      It will not be possible to use my own software. The computer environment is tightly controlled. If this is implemented my only input device to the medical records will be the AI transcriber (stupidity).

      I’m a psychiatrist in the field of substance abuse and withdrawal. Sure there’s a shortage of us too but I want the hospital to understand the problem, not just me getting to use a old school secretary by threatening going to another hospital.

      • Boozilla@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        9 months ago

        I was afraid that might be the case. Was hoping they would let you upload the files as if you had typed them yourself.

        Maybe find some studies / articles on transcription bots getting medical terminology and drug names wrong. I’m sure that happens. AI is getting scary-good, but it’s far from perfect, and this is potentially a low-possibility-but-dangerous-consequences kind of scenario. Unfortunately the marketers of their software probably have canned responses to these types of concerns. Management is going to hear what they want to hear.

        • FlappyBubble@lemmy.mlOP
          link
          fedilink
          arrow-up
          4
          ·
          9 months ago

          Thaks fot he advice but I’m not against using AI-models transcribing me, just not a cloud model specifically trained on my voice without any control by me. A local model or more preferrably a general local model woulf be fine. What makes me sad is that the persons behind this are totally ignorant to the problem.

          • Boozilla@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            9 months ago

            I understand, and we’re basically on the same page. I’m not fully anti-AI, either. Like any tool, it can be used for good or evil. And you are right to have concerns about data stored in the cloud. The tech bros will mock you for it and then… oh look, another data breach has it been five minutes already. :)

            • FlappyBubble@lemmy.mlOP
              link
              fedilink
              arrow-up
              1
              ·
              9 months ago

              Yes I agree. Broadening the scope a little, I frankly just wait for a big leak of medical records. The system we use is a birds nest of different softwares, countless API:s, all sorts of database backends. Many systems syem from MS-DOS, just embedded in a bit more modern integrated environment. There are just so many flaws and I’m amazed a leak hasn’t happened (or at least surfaced) yet.

      • wizardbeard@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        9 months ago

        my only input device to the medical records will be the AI transcriber

        I understand that you keep steering away from legal arguments, but that can’t be legal either. How could a doctor not have direct, manual access to patient records?

        Anyway, practical issues:

        You need some way to manually interact with patient records in the inevitable event the AI transcription gets it wrong. It only takes one time messing up transcription on something critical and you have a fucking body on your hands. Is your hospital prepared to give patients the wrong dosages because background noise or someone else speaking makes the AI mishear? Who would be held responsible in the case of mistreatment due to mistranscription? Is your hospital willing to be one of the first to try and tackle that legal rats nest?

        A secretary is able to do a sanity check that what they heard make sense. AI transcription will have no such logic behind it. It will turn what it thinks it heard into text and chuck it wherever it logs to. It thinks you’ve called for leeches when you said something about lesions? Have fun.

        Whenever there’s an issue with the transcription service you’d be screwed too. That could mean network outage, power outage, microphone breaks, any part of this equipment breaks, and this whole system falls apart.

        • FlappyBubble@lemmy.mlOP
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          The problem with incorrect transceiption exists with my secretary too. In the system I work in the secretary write my recordibg, sends it to me, I read it. I can edit the text at this point and then digitally sign it with a personal private key. This usually happens at least a day after being recorded. All perscriptions or orders to my nurses are given inannother system besides the raw text in the medical records. I can’t easily explain the practical workings but I really don’t see that the AI system will introduce more errors.

          But I agree that in the event of a system failure, there will be a catastrophic situation.

  • 7heo@lemmy.ml
    link
    fedilink
    arrow-up
    12
    ·
    9 months ago

    I would have work sign a legal discharge that from the moment I use the technology, none of the recordings or transcription of me can be used to incriminate me in case of an alleged malpractice.

    In fact, since both are generated or can be generated in a way that both sounds very assertive but also can be adding incredibly wild mistakes, in a potentially life and death situation, they legally recognise potentially nullifying my work, and taking the entire legal responsibility for it.

    As you can see in the most recent example involving Air Canada, a policy has been invented out of thin air. Such policy is costing the company. In the case of a doctor, if the administration of the wrong sedative, the wrong medication, or if the wrong diagnosis was communicated to the patient, etc; all that could have serious consequences.

    All sounding (using your phrasings, etc) like you, being extremely assertive, etc.

    A human doing that job will know not to derive from the recording. An AI? “antihistaminic” and “anti asthmatic” aren’t too far off, and that is just one example off of the top of my head.

  • Bobby Turkalino@lemmy.yachts
    link
    fedilink
    English
    arrow-up
    12
    ·
    edit-2
    9 months ago

    It would be worth finding out more about how exactly the training process works, namely whether or not the AI company stores the training audio clips after training has been completed. If not, then I would say you don’t have anything to worry about, because the model itself can’t be used to clone your voice to any useful extent. Deep neural networks aren’t reversible like that. Even if they were, it’s not just trained on you, it’s trained on hundreds of thousands of people then fine-tuned to you.

    If they do store the clips though, then maybe show them this article about GitHub to prove to them that there is precedence for private companies using people’s data to train AI without their explicit consent.

    • Adalast@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      To expound on this, AI models are extremely narrow in scope. One which reproduces audio it is trained on is entirely different from one that understands what is being said. As Mr. Turkalino mentioned, the transcription AIs are built on a combination of speech recognition and incredibly specialized text data that is narrowly defined by your industry (medical in this case). In fact, they may have tuned specific models for separate disciplines. This included thousands of documents ranging from textbooks to scholarly journals along with thousands of recordings of professionals saying the words in a variety of accents and dialects so it can understand the difference between very important and very different sounding words, my wife is pregnant, so amnioitis and amniocentesis come to mind. They are close enough sounding that a general model might mistake them, and that being transcribed wrong could spell real problems when others may look at the patients chart if there are complications.

      Also, most models are run in the cloud because the calculations can he very taxing. I run Stable Diffusion and other AIs locally on my beast of a machine and it struggles at times. Realistically, the cloud machines are just bugger than you can get as a desktop. Also, under the most ideal circumstances, the audio of your notes does not live in the servers, it is transmitted, stored on a virtual machine (VM) while it is being processed, then after the results are completed the VM is destroyed and the audio recording goes with it. Nothing is kept. Of course, that is where you need to be sure to do the work, making sure that your situation is “ideal”. One of the biggest controversies in with AI right now is that data is being stored for doing reinforcement training on the AI models. Example, you send your recordings and the AI returns the transcript. You mark any corrections and go on with your day. The company takes those recordings and feeds them back into the general model with the corrections you made and tries to tell the AI what it got wrong. You are going to want to be sure that you are allowed to opt-out of your data being allowed to be used as training data (beyond the fine-tuning to help it learn your voice).

  • BurningRiver@beehaw.org
    link
    fedilink
    arrow-up
    9
    ·
    9 months ago

    I would suggest that that first action item would be is to ask for (in writing) are 1) data protection and 2) privacy policies. I would then either pick it apart, or find someone who works in cybersecurity (or the right lawyer) to do that. I’ve done it a few times and talked my employer out of a few dodgy products, because the policies clearly try to absolve the vendor of any potential liability. Now, whether the policies truly limit liability would have to be tested in court.

    You could also talk about how data protection, encryption, identity and access management, and governance is actually really expensive, but I’d first start poking holes in the actual policies to create doubt.

  • MajorHavoc@programming.dev
    link
    fedilink
    arrow-up
    9
    ·
    edit-2
    9 months ago

    Your voice-print is worth protecting.

    There’s already retirement funds activating “my voice is my password” by default, now. (You can, and absolutely should opt-out, if yours does.) And you can’t change your voice-print if it gets leaked. (Maybe with a professional voice coach, you could…)

    Personally, I would change employers over this, if I had the option.

    I think we’re heading towards having a group of citizens with compromised voice-prints leaked to the dark web, who have a harder time day to day through no fault of their own. Like the early SSN breach sufferers, history tells us that society says “it’s a shame”, and tries to protect the next generation properly, but doesn’t recompense those hurt by the early bullshit.

    While job searching, I would also request an accomodation, and not use the voice system. It’s much easier for the employer to retain a secretary for you, than to deal with the legal hassles that will come up if they try to fire you for not using their legal-gray-area solution.

    Even granted the accommodation, I would be looking for my next job though.

    • PM_me_trebuchets@lemm.ee
      link
      fedilink
      arrow-up
      5
      ·
      9 months ago

      Most places use this sort of software (at least, larger companies). I have worked with doctors who refused to use it and instead developed templates for common items they copied + pasted into the MAR software / PACS, etc., and they just type what they need. That’s what they did before dictation software existed anyway. It’s not as efficient, but it’s basically the only way to avoid this.

  • tonyn@lemmy.ml
    link
    fedilink
    arrow-up
    9
    ·
    9 months ago

    Stop using the digital voice recorder and type everything yourself. This is the best way to protect your voice print in this situation. It doesn’t work well as a protest or to educate your colleagues, but I suppose that’s one thing you can use your voice for. Since AI transcription is a cost saving measure, there will be nothing you can do to stop its use. No decision maker will choose the more expensive option with a higher error rate on morals alone.

    • FlappyBubble@lemmy.mlOP
      link
      fedilink
      arrow-up
      7
      ·
      9 months ago

      Unfortunately the interface of the medical records system will be changed when this is implemented. The keyboard input method will be entirely removed.

      • ubergeek77@lemmy.ubergeek77.chat
        link
        fedilink
        arrow-up
        10
        ·
        9 months ago

        Even if this gets implemented, I can’t imagine it will last very long with something as completely ridiculous as removing the keyboard. One AI API outage and the entire office completely shuts down. Someone’s head will roll when that inevitably happens.

        • FlappyBubble@lemmy.mlOP
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          Ah sorry, I mean removing the option of using the keyboard as an input method in the medical records system. The keyboard itself isn’t physically removed from the computer clients.

          But I agree that in the event of a system failure the hospital will halt.

          • ubergeek77@lemmy.ubergeek77.chat
            link
            fedilink
            arrow-up
            4
            ·
            9 months ago

            Also, if you get the permission of someone in leadership to clone their voice, one angle could be to voice clone someone on ElevenLabs and make the voice say something particularly problematic, just to stress how easily voice data can be misused.

            If this AI vendor is ever breached, all they have to do is robocall patients pretending to be a real doctor they know. I don’t think I need to spell out how poorly that would go.

  • The Doctor@beehaw.org
    link
    fedilink
    English
    arrow-up
    6
    ·
    9 months ago

    The personalized data model will be trained on your voice. That means that it’s going to be trained on a great deal of patient medical history data (including PII). That means it’s covered by HIPAA.

    I strongly doubt the service in question meets even the most minimal of requirements.

  • small_crow@lemmy.ca
    link
    fedilink
    arrow-up
    5
    arrow-down
    1
    ·
    9 months ago

    I assume you’ll be using Dragon Medical One. Nuance is a well established organization, with users in a broad range of professions, and their medical product is extensively used by many specialists. The health system where I live has been in the process of phasing out transcriptionists in favor of it for a decade or so.

    The only potential privacy concerns a hospital would care about would be if they are storing your transcripts on their servers, because that will contain sensitive information about patients. It will be impossible to get any administrator to care about your voice data.

    This tide is unlikely one you will be able to stem, but you could stop dictating and type it yourself.

    • FlappyBubble@lemmy.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      I’m not sure what exact service will be used. I won’t be able to type as the IT environment is tightly controlled and they will even remove the keyboard as an input device for the medical records.

      • wizardbeard@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        I see that lasting until the first time some record ends up reading “backspace backspace backspace! No you stupid delete! Delete. Dee feet delete”.

  • InEnduringGrowStrong@sh.itjust.works@sh.itjust.works
    link
    fedilink
    arrow-up
    6
    arrow-down
    3
    ·
    9 months ago

    Ironically, GPT can kinda get you started here…

    To present your case effectively to your bosses and colleagues, focus on simplifying the technical aspects and emphasizing the potential risks associated with using a cloud-based AI transcription service:

    1. Privacy Concerns: Explain that using a cloud-based solution means entrusting sensitive biometric data (your voice) to a third-party provider. Emphasize that this data could potentially be accessed or misused without your consent.

    2. Security Risks: Highlight the risks of data breaches and unauthorized access to your voice recordings stored in the cloud. Mention recent high-profile cases of data breaches to illustrate the potential consequences.

    3. Voice Cloning: Explain the concept of voice cloning and how AI algorithms can be trained to mimic your voice using the data stored in the cloud. Use simple examples or analogies to illustrate how this could be used for malicious purposes, such as impersonation or fraud.

    4. Lack of Control: Stress that you have no control over how your voice data is used or stored once it’s uploaded to the cloud. Unlike a local solution where you have more oversight and control, a cloud-based service leaves you vulnerable to the policies and practices of the provider.

    5. Legal and Ethical Implications: While you acknowledge that there may be existing recordings of your voice online, emphasize that knowingly contributing to the creation of a database that could potentially be used for unethical or illegal purposes raises serious concerns about professional ethics and personal privacy.

    6. Alternative Solutions: Suggest alternative solutions that prioritize privacy and security, such as using local AI transcription software that does not upload data to the cloud or implementing stricter data protection policies within your organization.

    By framing your concerns in terms of privacy, security, and ethical considerations, you can help your bosses and colleagues understand the potential risks associated with using a cloud-based AI transcription service without coming across as paranoid. Highlighting the importance of protecting sensitive data and maintaining control over personal information should resonate with individuals regardless of their level of technical expertise.

  • umami_wasabi@lemmy.ml
    link
    fedilink
    arrow-up
    3
    arrow-down
    1
    ·
    9 months ago

    So what’s your concern? I’m a bit confused.

    1. Using cloud to process patient data? Or,
    2. Collecting your voice to train a model?
  • stevedidwhat_infosec@infosec.pub
    link
    fedilink
    arrow-up
    3
    arrow-down
    1
    ·
    9 months ago

    Simple jobs are going to continue to go away in favor of more efficient spending.

    You’re not going to get around the removal of simple jobs from the market in favor of newer concepts and more complex operations.

    All these people that said going to college to further your education was stupid and a waste of money are going to be the first to bitch and moan because the rest of us who spent the time and money to better ourselves would like to reciprocate that same logic into the world so you don’t have to worry about things like underpaid fast food workers spitting in your food, delivery drivers stealing your food, etc.

    Some people who can only do “simple” tasks are the ones who stand the most to be hurt by the world moving forward and becoming more advanced and complex, but I’m not sure what we can do to help them outside of seriously considering UBI. The wealth we are generating and saving through automation deserves to be equally spread amongst the people it replaced. That’s fair.

    • off_brand_@beehaw.org
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      I think it was pretty clear the issue was one of privacy requirements and not any qualms with losing jobs, which isn’t even happening here.

      • stevedidwhat_infosec@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        They do pretty specifically mention the using their own voice thing, good point.

        However I’d like to remind everyone that recording you while in public is done and done so very frequently (look at all the whistle blower docs) so it’s really moot imo whether or not there exists recordings of your voice.

        And everything else I said still stands. Idgaf about the doctor who still goes home with some of the highest salaries in the public. Personally, I think medical practitioners should be a part of working for the state or the govt, and you basically become a servant to the public. Imo doctors should be held to the same public scrutiny but that’s a diff topic.

        • off_brand_@beehaw.org
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          Not in public. This is a conversation with the healthcare provider, not with your partner while you’re at the grocery store. You have a legally recognized right to privacy (at least in the US) when it comes to your health details.

          Which is an unequivocally good thing.

          • stevedidwhat_infosec@infosec.pub
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            You’re mixing up topics. The doctor doesn’t want a voice model made after their own likeness based off these private recordings, but I’m saying there’s already a plethora of ways to record you in public that have been around since at least 9/11 in the US.

            It’s a moot thing to be trying to dodge/keep private from my perspective. If anyone can record you while you’re speaking in public, you’re not going to convince anyone that you shouldn’t be able to do it in private with consent forms, terms and service, etc.

      • FlappyBubble@lemmy.mlOP
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        That’s correct! I’m not againt using technology to cut costs or providing better healthcare. My question is entirely about the privacy implications.

  • Boozilla@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 months ago

    I had another idea. You might be able to use something that distorts your voice so that it doesn’t sound anything like you, but the AI can still transcribe it to text. There are some cheap novelty devices on amazon that do this, and also some more expensive pro audio gear that does the same thing. Just a thought.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      Voice cloning is the least of your concerns honestly as you are sending people private information to the cloud.

      • FlappyBubble@lemmy.mlOP
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        Sure that’s another problem but this data is already sent beyond the hospital. We have a national system in place gatjering all medical records.

    • FlappyBubble@lemmy.mlOP
      link
      fedilink
      arrow-up
      5
      ·
      9 months ago

      Sure but what about my peers? I want to get the point across and the understanding of privacy implications. I’m certain that this is just the first of many reforms without proper analysis of privacy implications.

      • Boozilla@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        I agree that getting the point across and having them rethink this whole thing is a much better way of handling this than using a tech solution. I am just pessimistic you can change their minds and you might need a plan B.

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        9 months ago

        Honestly I would be way more concerned about your patients privacy. You shouldn’t just ship medical data to some third party. That leads to massive data breaches.

        • Boozilla@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          9 months ago

          I agree with you but that ship has sailed. I work with big medical data and it’s shocking the stuff that gets stored and passed around. The really big players like PBMs and major insurance providers are supposed to abide by HIPAA but they do not fear enforcement at all. Only the small fish like doctors, etc, need fear HIPAA.