Attack points to need for standards for medical records

Computer World –

The recent hacking of 5,000 administrative patient files from one of the country's top hospitals underscores the lack of firm, clear, universal standards to ensure the security of online medical records. But although officials are crafting regulations governing electronic patient records for the health care industry, some analysts and industry players are skeptical about how effective these specifications will be.

In an attempt to remedy the situation, the U.S. government is finalizing and releasing the security and privacy portions of the Health Insurance Portability and Accountability Act (HIPAA), which will define interface and security standards and policies. Unless it is derailed by the new administration, the HIPAA privacy regulations will be enforced by both the regulatory commissions that accredit hospitals and the federal agencies that receive complaints.

Bumpy Road Ahead

But the industry has a long way to go.

"The privacy provisions are a quagmire," said Peter Tippett, chief technology officer at TruSecure Corp., an Internet security consultancy in Reston, Va. "A lot of it is onerous and expensive, and a lot of it hard to interpret."

One of the problems is that the HIPAA is supposed to offer specifications to cover all privacy implementations, from one-doctor offices to giant health care organizations. It's too strict in many respects and too loose in others to offer adequate regulations across the board, Tippett said.

Privacy Protection

Originally signed into law by President Clinton to protect health insurance coverage for people who change or lose their jobs, HIPAA legislation contains provisions governing how health care institutions must protect patients’ health records online.

It remains uncertain when the final privacy specifications will be issued, but they’re expected to by released by year’s end.

After they’re issued, there will be a 60-day comment period.

Once the HIPAA rules are finalized, health care organizations will have up to two years to comply with the HIPAA; otherwise, they will face penalties.

Nevertheless, some health organizations are already prepared for the HIPAA. One such organization is CareGroup Healthcare System, a Boston-based health provider network that includes Beth Israel Deaconess Medical Center.

For security, "128-bit Secure Sockets Layer [Web encryption] is fine, along with auditing, strong authentication and role-based access control," said CareGroup CIO John Halamka. His firm has two full-time employees who monitor the security and confidentiality of patients' online medical records. CareGroup also lets patients access their medical records through secure e-mail messages.

Lessons to Learn

However, there are a whole range of institutions that must be educated on any guidelines to be implemented, including third-party companies that offer electronic patient-record hosting or storage.

For instance, MOMR Inc. in Darien, Ill., offers patients access to their own records via its secured Web site. It has yet to sign on any institutional customers, but it claims that it will be compliant with the HIPAA.

But with start-ups, patients face the risk that companies that store their records online will go out of business, according to Zoe Hudson, a senior policy analyst at the Health Privacy Project at Georgetown University in Washington. A bankrupt company could sell its data to a company with a different privacy policy, Hudson said.

However, one security professional who stores his private health data online indicated that the security problem is really more a perception than a reality.

Bill Schneider, director of business development at Presideo Inc., a biometric authentication company in St. Louis, uses MOMR to store his own health data and is confident that the company has adequate security. MOMR requires users to sign in with a password, and it transmits data with 128-bit encryption.

On the other hand, there are companies like PointShare Corp., a Bellevue, Ore.-based firm that handles networking services for medical providers, including the transmission of patient data, but only over secure private lines.

"We are not comfortable using the public Internet, although there has been a lot of good work with [virtual private network] and public-key infrastructure technology," said Rick Rubin, a vice president at PointShare.

Despite the obstacles, Schneider said he believes that online medical records will eventually gain more general acceptance.

"The biggest resistance is fear," he said. "Once fear is behind us, it can really take off."

Insider: How the basic tech behind the Internet works
Don't miss
Join the discussion
Be the first to comment on this article. Our Commenting Policies