Security and the state of American healthcare
Jim Reavis
Network World on Security, 11/24/99
The many security implications of e-commerce are regularly reported, and the impact of cybercrime upon online transactions is extensively studied. However, the effects of poor security on the behemoth American healthcare system aren't ignored but certainly get much less attention.
If you look at the healthcare privacy issue, you quickly realize that many of the concerns dovetail with general network security issues: how to keep personal data about individuals away from parties that should not have it, how secure the Internet actually is, and how encryption and digital certificates should be used.
So let's take a look at security and the state of healthcare.
First, on individual privacy - a single, accidental disclosure of a patient's health problems could create a greater financial liability and loss of institutional prestige than all but the very largest e-business transactions on the 'Net.
Any health maintenance organization taking an academic approach to risk management would probably agree that strong security measures could be cost-justified. But are the security problems of healthcare readily understood, and do we have a consensus of solutions?
The White House recently proposed the development of a set of national standards for the protection of medical record confidentiality. Improper disclosure could reportedly result in up to 10 years in prison, as well as a fine of up to $250,000. While hard time is always a deterrent to the people I hang around with, $250,000 would probably only cover the first month's legal fees for a liability suit against a large hospital that inappropriately divulged a list of HIV-positive patients.
The White House proposals also include an electronic-signature standard for verifying patient identity and medical record authenticity, as well as EDI standards for claims and for reporting medical procedures. These standards were mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Meanwhile, hospitals, HMOs and other groups seeking to dominate healthcare within their market develop their own closed networks for patient records, billing and claims processing. The combination of a fear of Internet security issues and the entrepreneurial urge to grow the business has led to multiple, proprietary networks within medical clinics and very complicated record-keeping procedures for traditionally resource-thin doctors' offices.
Beyond simply making today's environment more manageable, putting healthcare online promises to drastically change it - as a result of a more perfect pairing of buyers and sellers. Waiting three months to see a doctor could some day be a memory.
In short, the healthcare industry has a tremendous need for a simpler, standards-based extranet for connecting doctors, patients, hospitals and insurance companies.
The point to all this is that we will no doubt be seeing a lot of sensitive medical information on the Internet, ranging from traditional HMOs seeking to modernize and leverage the Internet to new start-ups like Healtheon and WebMD, which seek to revolutionize the doctor-patient relationship. However, unless they are truly able to put security at the top of the list, I would prefer to use the Internet for medical research only, and keep my medical records offline.
What needs to be done to change my mind, and give many others peace of mind?
Strong encryption for Web transactions. 128-bit encryption should be required to transmit patient information, and servers should refuse to negotiate weak 40-bit encryption rather than merely offering something better. Healthcare organizations should emulate what many of the online banks are doing - that is, performing a browser test and telling the user that an upgrade to a 128-bit-capable browser is required before proceeding. Even the U.S. Department of Commerce has recognized the importance of security in the healthcare industry, relaxing its export restrictions on strong encryption for health and medical organizations. Yet 128-bit encryption is not mandated. Reviewing Healtheon's Web site, for example, the firm will only commit to "up to 128-bit encryption across the network." In other words, what should be the minimum is the stated maximum.
Digital Certificates. The use of certificates and public-key infrastructure provides a level of authenticity and nonrepudiation beyond user IDs and passwords, provided the private keys are actually protected and revoked certificates are checked for.
Standards for anonymizing patient information. While personal identifiers may be needed for paying the bills, they do not need to travel in the same message as diagnoses and treatment information - as long as we agree on the standards for separating the two.
Published practices by HMOs. Every consumer of healthcare services needs to know how his or her personal information is being protected during online communications.
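To make the encryption recommendation concrete: the two checks a server operator would want are (1) that the server's own configuration cannot negotiate down to a weak suite, and (2) a post-handshake test, like the banks' browser test, that rejects a connection whose negotiated cipher falls under the floor. The following is an added illustration written for this page, not code from the article, Healtheon or any bank it mentions. It uses only the Python standard library's `ssl` module; the 128-bit floor, the OpenSSL cipher-list string, the regex of weak suite names and the sample cipher tuples are this example's assumptions. The article's 40-bit export suites no longer exist in modern OpenSSL builds, so the weak inputs are constructed tuples in the shape that `SSLSocket.cipher()` returns.

```python
"""Server-side TLS strength policy (added example; not the article's code)."""
import re
import ssl

# Policy floor assumed from the article's argument: nothing under 128 bits.
MIN_STRENGTH_BITS = 128

# Assumed deny-list of suite-name tokens that mark export-grade or broken
# ciphers, matched on hyphen boundaries so "EXP" does not hit "ECDHE" etc.
WEAK_NAME_PATTERNS = re.compile(r"(^|-)(EXP|EXPORT|NULL|RC4|RC2|DES-CBC-SHA)(-|$)")


def make_strict_context() -> ssl.SSLContext:
    """Server context that cannot negotiate below the policy floor.

    OpenSSL cipher-list syntax: keep HIGH (>= 128-bit key), then explicitly
    strike anonymous, null, export, low, medium, RC4 and 3DES suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!RC4:!3DES")
    return ctx


def offered_suites(ctx: ssl.SSLContext):
    """(name, strength_bits) for every suite this context would offer."""
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weakest_offered_bits(ctx: ssl.SSLContext) -> int:
    """The strength a peer could negotiate the server down to."""
    return min(bits for _, bits in offered_suites(ctx))


def policy_violations(ctx: ssl.SSLContext, floor: int = MIN_STRENGTH_BITS):
    """Offered suites that fall under the floor or match the weak-name list."""
    return [(name, bits) for name, bits in offered_suites(ctx)
            if bits < floor or WEAK_NAME_PATTERNS.search(name)]


def accept_negotiated(cipher, floor: int = MIN_STRENGTH_BITS):
    """Post-handshake check in the style of the banks' browser test.

    `cipher` has the shape SSLSocket.cipher() returns: (name, protocol, bits).
    Returns (ok, message); on ok == False a server would close the connection
    and tell the user which browser upgrade is required.
    """
    name, proto, bits = cipher
    if bits is None or bits < floor or WEAK_NAME_PATTERNS.search(name):
        return False, (f"{name} ({proto}, {bits}-bit) is below the "
                       f"{floor}-bit minimum; browser upgrade required")
    return True, f"{name} ({proto}, {bits}-bit) accepted"


if __name__ == "__main__":
    strict = make_strict_context()
    print("weakest suite the strict server would offer:",
          weakest_offered_bits(strict), "bits")
    print("policy violations in strict config:", policy_violations(strict))

    # Constructed sample handshakes, not captured from any real server.
    for sample in [("EXP-RC4-MD5", "SSLv3", 40),          # 1999-era export suite
                   ("DES-CBC3-SHA", "TLSv1.2", 112),       # under the floor
                   ("TLS_AES_128_GCM_SHA256", "TLSv1.3", 128)]:
        ok, msg = accept_negotiated(sample)
        print("ACCEPT" if ok else "REJECT", "-", msg)
```

The first check is the one worth automating in deployment: run `policy_violations()` against the context the server actually uses, after every library or configuration change, since a cipher-list string that looked strict last year can admit new suites when OpenSSL is upgraded.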
As you might guess, there is an industry group seeking to address these issues. The appropriately named "Forum on Privacy and Security in Healthcare" is an organization that seeks to assist in developing security standards and encouraging an appropriate evolution of the HIPAA legislation.
Information security and its application to healthcare in the online world is an issue taken seriously by the industry. The most important missing element is the involvement of those of us outside the industry - the healthcare consumer.
RELATED LINKS
White House proposal for Medical Privacy Standards
Extranet services target healthcare
Archive of Network World on Security newsletters
