Hospital hack points to need for standards

From...

by Marc L. Songini and Julekha Dash

(IDG) -- The recent hacking of 5,000 administrative patient files from one of the country's top hospitals underscores the lack of firm, clear, universal standards to ensure the security of online medical records. Although officials are crafting regulations governing electronic patient records for the health care industry, some analysts and industry players are skeptical about how effective these specifications will be.

In an attempt to remedy the situation, the U.S. government is finalizing and releasing the security and privacy portions of the Health Insurance Portability and Accountability Act (HIPAA), which will define interface and security standards and policies. Unless it is derailed by the new administration, the HIPAA privacy regulations will be enforced by both the regulatory commissions that accredit hospitals and the federal agencies that receive complaints.

Bumpy road ahead

But the industry has a long way to go.

"The privacy provisions are a quagmire," said Peter Tippett, chief technology officer at TruSecure Corp., an Internet security consultancy in Reston, Va. "A lot of it is onerous and expensive, and a lot of it hard to interpret."

One of the problems is that the HIPAA is supposed to offer specifications to cover all privacy implementations, from one-doctor offices to giant health care organizations. It's too strict in many respects and too loose in others to offer adequate regulations across the board, Tippett said.

IDG.net INFOCENTER Computerworld main page Computerworld's topic-oriented communities Computerworld's IT career center Free daily newsletters Related IDG.net Stories Medical insurers develop online transaction system Health care industry grapples with security Protect yourself when buying health insurance Features Cool gifts for cool nerds Mastering e-commerce by degrees Fast-track training puts nontechies in IT jobs Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com SunWorld IDG.net search

Nevertheless, some health organizations are already prepared for the HIPAA. One such organization is CareGroup Healthcare System, a Boston-based health provider network that includes Beth Israel Deaconess Medical Center.

For security, "128-bit Secure Sockets Layer [Web encryption] is fine, along with auditing, strong authentication and role-based access control," said CareGroup CIO John Halamka. His firm has two full-time employees who monitor the security and confidentiality of patients' online medical records. CareGroup also lets patients access their medical records through secure e-mail messages.

Lessons to learn

However, there are a whole range of institutions that must be educated on any guidelines to be implemented, including third-party companies that offer electronic patient-record hosting or storage.

For instance, MOMR Inc. in Darien, Ill., offers patients access to their own records via its secured Web site. It has yet to sign on any institutional customers, but it claims that it will be compliant with the HIPAA.

But with start-ups, patients face the risk that companies that store their records online will go out of business, according to Zoe Hudson, a senior policy analyst at the Health Privacy Project at Georgetown University in Washington. A bankrupt company could sell its data to a company with a different privacy policy, Hudson said.

However, one security professional who stores his private health data online indicated that the security problem is really more a perception than a reality.

Bill Schneider, director of business development at Presideo Inc., a biometric authentication company in St. Louis, uses MOMR to store his own health data and is confident that the company has adequate security. MOMR requires users to sign in with a password, and it transmits data with 128-bit encryption.

On the other hand, there are companies like PointShare Corp., a Bellevue, Ore.-based firm that handles networking services for medical providers, including the transmission of patient data, but only over secure private lines.

"We are not comfortable using the public Internet, although there has been a lot of good work with [virtual private network] and public-key infrastructure technology," said Rick Rubin, a vice president at PointShare.

Despite the obstacles, Schneider said he believes that online medical records will eventually gain more general acceptance.

"The biggest resistance is fear," he said. "Once fear is behind us, it can really take off."

Hospital confirms copying of patient files by hacker
December 15, 2000
Sites for movers, shakers and hackers
December 14, 2000
Hacker steals huge credit card database
December 13, 2000
NASA hacker pleads guilty
December 6, 2000
Analysis: Home workers can imperil systems
November 7, 2000

Medical insurers develop online transaction system
(Computerworld)
Health care industry grapples with security
(Computerworld)
Protect yourself when buying health insurance
(ITWorld.com)
Why health care desperately needs IT
(CIO)
Hospital confirms copying of patient files by hacker
(Computerworld)
The Rx files
(CIO)
Health care slowly adopting e-procurement
(Computerworld)
Internet use increases among U.S. doctors
(IDG.net)

Presideo Inc.
PointShare Corp.
Health Insurance Portability and Accountability Act

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.