Who should be at the root of protecting the nation's healthcare data?
Greg Machler explains why there's a need for a root key for the national healthcare database
CSO - What are CISOs working in healthcare concerned about when it comes to protecting medical data in the future? There are a variety of concerns associated with who should and shouldn't be able to access your individual medical record. This is both a policy issue and a technology issue for the CISO.
If the United States moves to a national healthcare database, medical information will need to be accessed by hospitals, medical clinics, mental health clinics, pharmacies, medical researchers, government health care organizations and other medical institutions. The real question is: Who will decide what information should be accessed? Once the policy decision is made, how will the CISO enforce it?
There are some technological complications related to protecting the data. If the government opts to let the user manage who has access to data, how is that process enabled via technology? Would there be a national health care portal that allows an individual to define who can access certain portions of their data or would the national, state, and/or health care institution negotiate that access?
Data protection of the medical information requires use of encryption and a key or keys. All encryption that is used to protect data requires a root key. In the financial-services industry, many banks have their own root key so there is no national financial services root key. But a national database of individual medical data would require a root at the national level and potentially even globally. The root has the ability to access all information, thus giving the institution that owns the root great power.
A national database of medical data requires policy decisions and then technology the enable that policy. It will be difficult to determine who has access to different portions of health care data. Once the health care data access policies are complete, access rules will be created to enforce who has access to the data and encryption will be used to protect the data. But, because encryption with certificates requires a root key, the institution owning the key will have great power.
Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline.
- IT Security - Fighting the Silent Threat "IT Security - Fighting the Silent Threat" is a global report into business attitudes and opinions on IT security. Download the report now...
- Cutting Complexity - Simplifying Security This white paper looks at how the latest IT Systems Management solutions can simplify and automate a vast range of routine IT management...
- Your Data under Siege: Defeating the Enemy of Complexity Even if you have adequate antivirus protection, are there still holes in your IT security armor? Is lack of bandwidth to manage the...
- Build Your IT Security Business Case In this latest whitepaper from Kaspersky Lab, you'll find useful facts, examples and business case arguments to help you get buy-in and commitment...
- Pre-Engineered solutions from VCE Simplify Core Infrastructure Implementation In this video, the CTO of Purdue Pharma, a privately held pharmaceutical company explains how Purdue transformed their data center infrastructure with VCE.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now All Disaster Recovery White Papers | Webcasts