Attack points to need for standards for medical records

Computerworld - The recent hacking of 5,000 administrative patient files from one of the country's top hospitals underscores the lack of firm, clear, universal standards to ensure the security of online medical records. But although officials are crafting regulations governing electronic patient records for the health care industry, some analysts and industry players are skeptical about how effective these specifications will be.

In an attempt to remedy the situation, the U.S. government is finalizing and releasing the security and privacy portions of the Health Insurance Portability and Accountability Act (HIPAA), which will define interface and security standards and policies. Unless it is derailed by the new administration, the HIPAA privacy regulations will be enforced by both the regulatory commissions that accredit hospitals and the federal agencies that receive complaints.

Bumpy Road Ahead

But the industry has a long way to go.

"The privacy provisions are a quagmire," said Peter Tippett, chief technology officer at TruSecure Corp., an Internet security consultancy in Reston, Va. "A lot of it is onerous and expensive, and a lot of it hard to interpret."

One of the problems is that the HIPAA is supposed to offer specifications to cover all privacy implementations, from one-doctor offices to giant health care organizations. It's too strict in many respects and too loose in others to offer adequate regulations across the board, Tippett said.

Nevertheless, some health organizations are already prepared for the HIPAA. One such organization is CareGroup Healthcare System, a Boston-based health provider network that includes Beth Israel Deaconess Medical Center.

For security, "128-bit Secure Sockets Layer [Web encryption] is fine, along with auditing, strong authentication and role-based access control," said CareGroup CIO John Halamka. His firm has two full-time employees who monitor the security and confidentiality of patients' online medical records. CareGroup also lets patients access their medical records through secure e-mail messages.

Lessons to Learn

However, there are a whole range of institutions that must be educated on any guidelines to be implemented, including third-party companies that offer electronic patient-record hosting or storage.

For instance, MOMR Inc. in Darien, Ill., offers patients access to their own records via its secured Web site. It has yet to sign on any institutional customers, but it claims that it will be compliant with the HIPAA.

But with start-ups, patients face the risk that companies that store their records online will go out of business, according to Zoe Hudson, a senior policy analyst at the Health Privacy Project at Georgetown University in Washington. A bankrupt company could sell its data to a company with a different privacy policy, Hudson said.

However, one security professional who stores his private health data online indicated that the security problem is really more a perception than a reality.