The good news is that wireless computer networks allow physicians to rapidly access and update medical data while standing at the patient’s bedside. The bad news is that they are the least secure information systems of all.
Wireless networks actually decrease security as they speed up information sharing, says attorney Michael Brian Scher. Scher is director of Chicago-based Neohapsis Labs, a small information security firm that assesses computer systems and applications for security, tests for compliance, and helps clients develop information management policies that keep privileged information secure from prying eyes. "Wireless is a high-risk endeavor," Scher says. "I don’t recommend that medical institutions use them except with the greatest caution."
Scher says that wireless networks should be set up to treat all users as if they are hostile, and carry added encryption even though this adds complexity and cost. Layer on authentication and encryption, Scher counsels, and don’t rely on the "built-in" security functions of wireless networks because they’re seriously deficient. "They don’t encrypt heavily enough. Anyone can walk in with a pocket computer device, record traffic on the network, and figure out the encryption key."
Sometimes this even happens unintentionally, as Avi Rubin, a security expert at AT&T Laboratories, discovered last July when he inadvertently accessed a wireless computer network at New Jersey’s Morristown Memorial Hospital while waiting for his wife to come out of surgery. The hospital used the popular network standard known as 802.11b or Wi-Fi. The network, evidently set to the most welcoming mode of operation, automatically opened its doors to Rubin’s laptop machine.
Even had the network been encrypting, Scher says, a determined attacker could have "sniffed the traffic" for a while, analyzed the encrypted data and easily hacked into the system within a week. "Basically, you need to run your network as if it were the Internet and the virtual private networks it runs are hostile," Scher says.
Borders that authenticate data movement: Sharing data with groups affiliated with, but not a part of, the main system requires an exchange point that audits and records who requested and received what information.
To keep data private, hospitals need to cover their computer system’s borders—the dial-up, wireless access points, Internet connections, and private connections with vendors and other facilities. All of these need to be audited and secured, Scher notes, because any hospital can be a target for hackers, especially if there’s a celebrity patient on the premises.
Scher cautions that today’s systems are built on platforms never designed to sustain the kind of heavy audit that complying with the Health Insurance Portability and Accountability Act (HIPAA) will require. Ironically, most hospitals got rid of the old mainframe computers with hardwired terminals because they were designed with that kind of audit trail in mind. "They couldn’t share information between different parts of the same system, let alone with another institution, but they were a lot easier to secure," he says.
Most hospitals have numerous disparate systems, which makes coming up with one product that will make everything HIPAA-compliant almost impossible, Scher observes. There are patient check-in databases, specific medical data from nursing stations, repositories, imaging systems, records shared with other institutions, and legacy data.
Though the HIPAA Privacy Rule, which created national standards that protect patients’ medical and personal information, became effective on April 14, 2001, most providers don’t have to comply with the new requirements until April 2003. Some products are available for the high-audit environment, but until there are sufficient numbers to create a good market, Scher doesn’t think there’s going to be a huge buy-in.
Much of the audit trail solution lies in design and methodology, not product per se. Scher says management steps hospitals can take right now include not allowing shared logins and shutting down untended terminals. One product Scher likes for medical facilities is a proximity badge—essentially an employee’s hospital photo ID badge that issues a "challenge response" that automatically logs the user on and off a terminal. "Combined with a password it becomes a strong authentication system that allows rapid access to terminals anywhere in the same system, and the monitor screen goes blank when not in use," Scher says.
Five years ago, a system that provided end-to-end encryption based on the user’s identity was probably 100 times more expensive than today’s models. "There were plenty of ways to do high-level encryption one off, but complete solutions weren’t there," Scher says. "Now it’s a matter of virtual private networking based on gateways, routing, or firewalls."
As the demand for compliance and security rises, so does the willingness to pay for products that provide both security and convenience. And the price point for those kinds of systems is coming down even as the focus on securing medical data goes up, Scher adds.
Regardless of how good products become, patient information security is only as good as the people using the system, Scher says. He points to an embarrassing incident at a University of North Carolina medical facility in which the printout of an entire day’s surgery roster wound up posted in a cafeteria in downtown Chapel Hill, and to 5000 patient records lifted from University of Washington’s medical center earlier this year. "No product can stop that," Scher notes. "It’s a practice issue, and systems need to be set up to encourage proper practice." For more information contact Michael Scher at (773) 394-8310.