THE NEW ORDER AND STATE MEDICAL ID CARDS




The recent hacking of 6,000 administrative patient files from one of the country’s top hospitals underscores the lack of firm, clear, universal standards to ensure the security of on-line medical records (see sidebar, “Patient Files Copied by Hacker”). But although officials are crafting regulations governing electronic patient records for the health care industry, some analysts and industry players are skeptical about how effective these specifications will be.

start sidebar
Patient Files Copied By Hacker

A major university hospital in Seattle recently confirmed that a hacker penetrated its computer network in 2000 and made off with files containing information about 6,000 patients. Officials at the University of Washington Medical Center indicated the hacker (who calls himself “Kane”) stole user passwords and copied thousands of files while he had access to the hospital’s systems. The hacker slipped into the network through a server in the hospital’s pathology department.

The medical center suspected at the time that its network had been infiltrated and took steps to cut off the hacker’s access. But the hospital was unaware that the files had been pilfered until Kane provided information about the intrusion to SecurityFocus.com, a San Mateo, California-based Web site that focuses on security issues.

Kane, who indicated he lives in the Netherlands, shared some of the copied files with SecurityFocus.com to verify that he had accessed the sensitive data. Kane views himself as an ethical hacker and indicated that he simply wanted to expose the vulnerability of the hospital’s network. He portrays himself as more of a whistle-blower than an outlaw.

But after being informed of the file copying, officials at the medical center reported the hacking incident to the FBI for investigation. The hospital also beefed up its firewalls in an effort to better protect its network, and it began notifying all of the patients whose personal information was in the files copied by Kane.

In a statement, the hospital indicated the copied information wasn’t directly related to the delivery of care to its patients. Instead, it added, the information was stored in administrative databases and was used for patient tracking and for following up on research studies.

The hospital indicated that there is no evidence that anyone has breached their main electronic medical records system. They have assured patients and the public that this system remains fully protected by the highest levels of security possible.

Kane used sniffer software to steal the electronic identifications of a number of hospital employees from an exposed server and then used those credentials to access thousands of files related to patients in the medical center’s cardiology and rehabilitation departments. The hospital plans to comply with the Health Insurance Portability and Accountability Act (HIPAA), a set of privacy and security guidelines that the federal government is close to finalizing.

The hacking incident wasn’t that unusual and appears to have been relatively minor compared with the damage a malicious attacker could have inflicted. Kane’s intrusion is a classic penetration of a secondary system, a departmental server running its own application on collected data, rather than an attack on the hospital’s main database server.

Academic medical centers are prone to this, as part of the spirit of academic freedom that creates pressure for open access. The only major impact from the hacking incident might be to get policymakers in Washington to push through the HIPAA as quickly as possible.

end sidebar
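The sidebar describes the mechanism only in outline: a sniffer on an exposed server captured employee logins, and the captured logins were then reused to read records elsewhere. The following added example, which is not code from the book or from the hospital, shows why that works. It runs a sniffer-style extractor over constructed application-layer payloads for three protocols that still carried cleartext logins in 2000 (HTTP Basic authentication, FTP and POP3) and over a constructed TLS record, where only the record header is visible. All hosts, accounts and passwords in it are invented.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    protocol: str
    username: str
    password: str


# Constructed payloads standing in for what a sniffer on the same network segment
# would capture. Nothing here is real traffic; hosts and accounts are invented.
SAMPLE_PAYLOADS = [
    ("http",
     b"GET /records/ HTTP/1.0\r\nHost: pathology.example\r\n"
     b"Authorization: Basic " + base64.b64encode(b"jsmith:Winter2000") + b"\r\n\r\n"),
    ("ftp", b"220 FTP ready\r\nUSER labtech\r\nPASS slides!\r\nCWD /data\r\n"),
    ("pop3", b"+OK POP3 ready\r\nUSER nurse7\r\nPASS rounds99\r\n+OK\r\n"),
    # A TLS application-data record: a 5-byte record header followed by ciphertext.
    ("tls", b"\x17\x03\x03\x00\x2a" + bytes(range(42))),
]

_BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
_USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.M)
_PASS_RE = re.compile(rb"^PASS\s+(\S+)\s*$", re.M)


def extract_credential(protocol: str, payload: bytes) -> Optional[Credential]:
    """Return the credential a passive sniffer can read from one stream, or None."""
    if protocol == "http":
        # HTTP Basic is only base64, not encryption: decoding it recovers user:password.
        m = _BASIC_RE.search(payload)
        if not m:
            return None
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return Credential("http", user, password) if sep else None
    if protocol in ("ftp", "pop3"):
        # Both protocols send the login as literal USER and PASS commands.
        u, p = _USER_RE.search(payload), _PASS_RE.search(payload)
        if u and p:
            return Credential(protocol, u.group(1).decode(), p.group(1).decode())
        return None
    # TLS (or any encrypted transport): the record header is visible but the
    # application data is not, so nothing is recoverable without the session keys.
    return None


def sniff(payloads) -> list:
    """Run the extractor over a whole capture and collect every recoverable login."""
    found = []
    for protocol, payload in payloads:
        cred = extract_credential(protocol, payload)
        if cred is not None:
            found.append(cred)
    return found


if __name__ == "__main__":
    for cred in sniff(SAMPLE_PAYLOADS):
        print(f"{cred.protocol:5} {cred.username}:{cred.password}")
```

Run against the constructed capture, the extractor recovers three logins and nothing from the TLS record. That is the whole argument for the encrypted transport the rest of the chapter discusses: a sniffer on one compromised departmental server sees every cleartext login that crosses its segment, and each of those logins is then usable against systems the attacker never touched directly.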

In an attempt to remedy the situation, the U.S. government is finalizing and releasing the security and privacy portions of the Health Insurance Portability and Accountability Act (HIPAA), which will define interface and security standards and policies. Unless it is derailed by the new administration, both the regulatory commissions that accredit hospitals and the federal agencies that receive complaints will enforce the HIPAA privacy regulations.

Bumpy Road Ahead

But the industry has a long way to go. The privacy provisions are a quagmire: much of it is onerous and expensive, and much of it is hard to interpret (see sidebar, “New Medical Privacy Rules”).

start sidebar
New Medical Privacy Rules

Before President Clinton left office, he announced a sweeping set of federal rules aimed at protecting the privacy of medical records and other personal health information, establishing the potential for penalties to be imposed on executives at health care businesses that breach the new standards.

The regulations, which were prepared by the U.S. Department of Health and Human Services (HHS), are the final version of proposed rules that were issued in 1999 after Congress failed to pass comprehensive medical privacy legislation as required by the 1996 Health Insurance Portability and Accountability Act (HIPAA).

Oral, paper-based, and electronic communications are all covered by the measures. That casts a wider net than the original proposal, which applied to electronic records and to paper ones that at some point had existed in electronic form.

Under the regulations, health care providers are prohibited from releasing most information about individual patients without getting their consent in advance. But in another change from the proposed rules, HHS indicates doctors and hospitals will be given full discretion in determining what personal health information to include when sending patients’ medical records to other providers for treatment purposes.

However, the final rules also tighten the consent requirement, mandating that approval be secured from patients for even routine use and disclosure of health records for purposes such as bill payments. Patients also must be given detailed written information about their privacy rights and any planned use of their personal information.

In addition, HHS is calling on hospitals, health insurers, and health care clearinghouses to establish procedures for protecting the privacy of patients, including the appointment of executives to oversee their internal privacy procedures. And companies are prohibited from accessing health records for employment purposes.

Under the HIPAA, civil fines of $100 per violation can be imposed, up to a total of $25,000 per year. Criminal penalties of up to $250,000 and 10 years in prison could also be targeted at individuals who try to profit from the sale of health information. Most health care companies will be given two years to comply with the regulations.

Nothing is more private than someone’s medical or psychiatric record. And, therefore, if the government is to make freedom fully meaningful in the Information Age, when most of the stuff is on some computer somewhere, then the government has to protect the privacy of individual health records. The regulations were made necessary by the great tides of technological and economic change that have swept through the medical profession over the last few years.

HHS estimates that complying with the HIPAA rules will cost the health care industry $17.6 billion. But in the long run, government officials claim, the regulations will help achieve savings of almost $30 billion over the next 10 years, as a result of related rules that eliminate paperwork by issuing standards for electronic communication of health insurance claims.

The government is expected to receive a lot of backlash regarding the inclusion of paper and oral communications in the new rules. Originally, the HIPAA was intended to apply solely to electronic communications. It could be virtually impossible to monitor written and oral messages.

end sidebar

One of the problems is that the HIPAA is supposed to offer specifications to cover all privacy implementations, from one-doctor offices to giant health care organizations. It’s too strict in many respects and too loose in others to offer adequate regulations across the board.

Nevertheless, some health organizations are already prepared for the HIPAA. One such organization is CareGroup Healthcare System, a Boston-based health provider network that includes Beth Israel Deaconess Medical Center.

For security, CareGroup relies on 128-bit Secure Sockets Layer (SSL) encryption for Web sessions, along with auditing, strong authentication, and role-based access control. CareGroup has two full-time employees who monitor the security and confidentiality of patients’ on-line medical records. CareGroup also lets patients access their medical records through secure e-mail messages.
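Of the controls listed above, auditing and role-based access are the two that would have exposed the Seattle intrusion, where valid employee credentials were used from an unexpected host to read cardiology and rehabilitation records. The following added example, which is not CareGroup's code or anything from the book, runs two checks over constructed audit-log lines: one flags an account used from more than one source host inside a time window (a shared or stolen password), the other flags reads of a department the account's role does not cover. The log format, the accounts, the hosts and the role table are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-audit lines: timestamp, account, source host, department whose
# records were read. Everything here is invented for the example.
SAMPLE_LOG = """\
2000-06-12T08:02:11 jsmith 10.1.5.23 pathology
2000-06-12T08:15:40 jsmith 10.1.5.23 pathology
2000-06-12T09:10:00 rnurse 10.1.7.8 cardiology
2000-06-12T23:41:02 jsmith 192.0.2.77 cardiology
2000-06-12T23:41:09 jsmith 192.0.2.77 rehabilitation
"""

# Constructed role table: the departments each account's role is entitled to read.
ROLE_DEPARTMENTS = {
    "jsmith": {"pathology"},
    "rnurse": {"cardiology"},
}


def parse_log(text):
    """Turn the whitespace-separated audit lines into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, dept = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "host": host, "dept": dept})
    return entries


def find_credential_reuse(entries, window_hours=24):
    """Accounts seen from more than one source host within `window_hours`.

    One person rarely logs in from two machines that close together; a stolen
    password used alongside the legitimate owner does exactly that.
    Returns {account: sorted list of hosts} for every flagged account.
    """
    window = timedelta(hours=window_hours)
    by_account = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)
    flagged = {}
    for account, events in by_account.items():
        for i, first in enumerate(events):
            hosts = {first["host"]}
            for later in events[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                hosts.add(later["host"])
            if len(hosts) > 1:
                flagged[account] = sorted(hosts)
                break
    return flagged


def find_role_violations(entries, roles):
    """Entries where the account read a department its role does not cover.

    An account missing from the role table is entitled to nothing, so every
    read by it is reported.
    """
    return [e for e in entries if e["dept"] not in roles.get(e["account"], set())]


def audit(text, roles):
    """Run both checks and return their findings together."""
    entries = parse_log(text)
    return {
        "reuse": find_credential_reuse(entries),
        "role_violations": find_role_violations(entries, roles),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, ROLE_DEPARTMENTS)
    for account, hosts in report["reuse"].items():
        print(f"credential reuse: {account} from {', '.join(hosts)}")
    for e in report["role_violations"]:
        print(f"role violation: {e['account']} read {e['dept']} from {e['host']}")
```

On the constructed log, the reuse check reports jsmith from both 10.1.5.23 and 192.0.2.77, and the role check reports the two late-night reads of cardiology and rehabilitation records by a pathology account. Neither check needs to know the password was sniffed; they only need the audit trail to exist and the role table to be enforced or at least compared against, which is the practical content of "auditing" and "role-based access" in the list above.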

Lessons to Learn

However, there is a whole range of institutions that must be educated on any guidelines to be implemented, including third-party companies that offer electronic patient-record hosting or storage.[iv] For instance, MOMR Inc. in Darien, Illinois, offers patients access to their own records via its secured Web site. It has yet to sign on any institutional customers, but it claims that it will be compliant with the HIPAA.

But, with start-ups, patients face the risk that companies that store their records on-line will go out of business. A bankrupt company could sell its data to a company with a different privacy policy.

However, one security professional who stores his private health data on-line indicated that the security problem is really more a perception than a reality. Bill Schneider, director of business development at Presideo Inc., a biometric authentication company in St. Louis, uses MOMR to store his own health data and is confident that the company has adequate security. MOMR requires users to sign in with a password, and it transmits data with 128-bit encryption.

On the other hand, there are companies such as PointShare Corp., a Bellevue, Oregon-based firm that handles networking services for medical providers, including the transmission of patient data, but only over secure private lines. The company is not comfortable using the public Internet, although there has been a lot of good work with virtual private networks and public-key infrastructure technology.

Despite the obstacles, on-line medical records will eventually gain more general acceptance. The biggest resistance is fear. Once fear is behind the patients and the companies that store their records, on-line medical records can really take off.

For privacy experts, the beginning of the 21st century is looking more like 1984. Big Brother is watching and listening, and he won’t go away anytime soon.

[iv]John R. Vacca, The Essential Guide to Storage Area Networks, Prentice Hall, 2002.



Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca