How secure is secure? - protecting patient-information specific data on intranets
Healthcare Financial Management, Nov, 1996 by Edward Fotsch
As the use of Internet-based communication systems in the healthcare industry has expanded, concerns about data security have grown. One recent article states that "by far the biggest concern about implementing intranets is privacy."(a) Given the array of medical intranets that communicate with the many disparate legacy systems that litter the healthcare IS landscape, this is a powerful statement indeed.
So, what information on healthcare intranets creates this intense concern with security issues? It cannot be the management, financial, or strategic information found in these systems; that is commonplace on any corporate intranet. Clearly, the focus is medical information or, more precisely, patient-specific data on intranets, which creates the greatest security concerns.
The possibility that patient-specific data in an electronic format could be retrieved from a medical institution, clinic, or physician's office by an unauthorized individual or group frightens some people so much that it would probably shock them to learn that the biggest data problem facing the healthcare industry is not in securing patient-specific data, but rather in locating the data in the first place. There are few healthcare providers indeed who do not hear the words "we can't find the chart" on an all-too-frequent basis.
Nonetheless, data security is important. Accreditation bodies such as JCAHO and NCQA have struggled to adapt print and broadcast guidelines to govern healthcare-related data in an increasingly online world. The Federal government has also stepped up activity related to electronic patient data. With the recent signing of the Health Insurance Portability and Accountability Act, the movement of patient records between health plans will likely increase. The act calls for increased, but as yet unspecified, regulation for patient data security. U.S. Congressman Jim McDermott (D-Washington) has sponsored a bill, "Privacy of Health Information in the Age of New Technologies" (H.R.3482), that calls for increased regulation of electronic patient-specific data; the bill includes a provision for a mandatory audit function that would chronicle user-specific entry and access to electronic patient data.
Healthcare providers, therefore, are being put on notice to find solutions to data security breaches. Such solutions can be pursued by performing an analysis of security measures currently in use for patient records, searching for security gaps, and looking for practical and technical solutions so that data will be accessed appropriately and only by authorized personnel.
Inpatient records are traditionally stored in the medical record departments of hospitals and medical centers, with the staff of these departments physically limiting access to the records. To obtain a copy of a patient's medical record, it is necessary to present medical record staff with an authorization form signed by the patient. When the department is closed, records are locked behind a conventional door, and access is limited to "authorized personnel" and housekeeping staff. Overall, security in medical record departments is moderate, but appropriate, given the departments' historic risk profile.
Securing Online Data
Unfortunately, electronic patient-specific data cannot simply be kept under lock and key. Hackers, a technically gifted if perhaps socially challenged group, make a habit of getting into and messing with electronic spaces where they are neither invited nor welcome. One strategy that can help reduce the risk posed by hackers is to keep a low profile on electronic networks and security measures. Nothing seems to motivate hackers more than some technical type announcing the creation of a bulletproof security system.
Of course, there are technical solutions that can add to the security - and cost - of the network. These applications fall into two broad categories: 1) enroute data security and 2) access authorization security.
Enroute data security normally employs an encryption application. The 128-bit encryption application used by the Netscape Navigator, for example, is a free feature on the browser and would appear to be more than sufficient to safeguard patient-specific data enroute.
Access authorization protection is much more complex and has inspired a host of application solutions that vary in complexity, cost, and efficacy (see Exhibit 1).
[TABULAR DATA FOR EXHIBIT 1 OMITTED]
A few guidelines that can help healthcare organizations safely and effectively navigate the sometimes murky waters of Internet security are:
* Formalize a fact-based security protocol or methodology to apply to healthcare intranets after performing a cost/benefit analysis.
* Define specific categories of data to be secured, and identify measures already in place to protect these data.
* Keep the organization's intranet activities, especially those related to security, out of public view.
* Use technical security solutions, as needed, to appropriately protect data. New applications are coming on the market all the time; outside organizations can be a valuable resource.



