If congressman Patrick Kennedy (D-Rhode Island) and former congressman Newt Gingrich (R-Georgia) have their way, all U.S. hospitals will have patient records online by 2015. Representative Kennedy will soon introduce a bill to Congress that would create a paperless hospital system at a cost of $5 billion. From a security perspective, of course, this has its relative pros and cons.
Kennedy and Gingrich argue that patients suffer from mistakes as a result of an antiquated paper record system. That's true; life-and-death decisions are still made without access to relevant patient records that are often locked in a file cabinet down the hall. So, on the surface, the ability for a doctor to instantly call up a patient's medical history from a single database sounds like a good thing. Or does it?
Hospitals as medical malls
At this year's RSA Conference in San Francisco, Wayne Haber, a security expert from Secure Works, a network security services company, said that hospitals are a hodgepodge of health information systems (HIS), ranging from mainframes to relational databases, sometimes centralized, sometimes not. He likened modern hospitals to "medical malls," because the pharmacy is often a separate business from the emergency room or the cafeteria or the radiology lab. Add them together, and you get one-stop medical shopping, but with patient information stored by dozens of different, proprietary software apps running across a broad range of operating systems.
From your doctor's perspective, not having a common database to report recent prescriptions, radiology results, and patient history greatly complicates treatment. Unfortunately, however, homogenized data systems will make it easier for U.S. patient information to fall within reach of a criminal hacker (cracker) with just one vulnerability. Ironically, the current, scattered "system" is a bit more secure; for example, it's possible to keep snoopers out of a test-result database if the data storage system substantially differs from the hospital's billing database.
Access is inevitable
Short of fixing the back-end systems to make information accessible across different computing platforms, hospitals are embracing new technologies to enhance current access across multiple medical systems--unfortunately, often without considering their downsides. Ceding to doctors' wishes, more and more hospitals are using wireless networks to provide patient information remotely via PDA or tablet PC. Sadly, many hospitals set up these Wi-Fi networks with default security settings (using default passwords familiar and available to anyone who's bought the same networking equipment). And, even if they are turning on security tools such as Wired Equivalent Privacy (WEP), they're not also enabling additional encryption on top of it. WEP alone can be broken, while additional encryption takes more time to crack, thus adding a layer of protection.
The real problem, though, is the lack of resident computer staff. At the Black Hat Briefings USA 2002, I asked a security consultant if he had seen an increase in business because of the then-pending implementation--it went into effect in 2003--of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. He said no. For many hospitals, he explained, upgrading their computer system is a lower priority than obtaining the latest Magnetic Resonance Imaging (MRI) device.
You'd think a law like HIPAA would address computer security of patient records. It doesn't. While HIPAA seeks to create paperless health-care offices by standardizing the way in which patient information is digitally stored and shared electronically among health organizations, including insurers, 80 percent of the legislation is focused on administrative changes and only 20 percent is technical, mostly new file formats and data exchange standards. It does not, for example, require the use of encryption when storing or transmitting patient information (it does, however, strongly recommend it).
Worse, HIPAA has no teeth. Since HIPAA's implementation on April 13, 2003, the Department of Health and Human Services (HHS), which has jurisdiction over HIPAA, has not fined or cited any health-care institution for violations. Additionally, many health-care organizations petitioned for waivers to delay compliance with HIPAA by several years, resulting in a rather feckless Congressional law.
Whither HIPAA, viva JCAHO
Hospitals do, however, take another set of standards more seriously. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO, pronounced "jay-co") surveys hospitals annually, and a failure to achieve current JCAHO accreditation is a black mark against most health-care institutions. JCAHO guidelines, which are exhaustive, include whether or not bed linens are clean and how sterile surgical implements should be kept. Such basics may seem obvious, yet modern institutions do fail and often have to pay fines in order to come into compliance. JCAHO has yet to establish guidelines for the computer security of patient records; however, there are plans to do so in the near future.
Understand that I'm not against modernization of hospital records; I would, however, like to see its implementation progress securely. Hospitals, like other businesses, often see the benefits of new technology but overlook the risks and dangers or dismiss them entirely. I only hope that Congressman Kennedy considers the security aspects when he finally presents his bill.