Computer systems security now in the political, public limelight
July 1, 1998 7 minutes read
Increased demand for access requires tighter controls on records privacy
If you evaluated the security of your computer system, would you like what you found? The U.S. government evaluated its system and didn't like the results at all.
In reports to the Senate Committee on Governmental Affairs, the General Accounting Office (GAO) recently reviewed computer security measures at the Federal Aviation Administration (FAA) and the State Department and was shocked at the systems' vulnerability. According to the GAO, the State Department's information systems and the information contained within them are vulnerable to access, change, disclosure, disruption, or even denial of service by unauthorized individuals. In addition, a breach in security at the FAA could cause "nationwide disruption of air traffic or even loss of life due to collisions."1,2
"At risk are systems that control things we use every day: power distribution and utilities, phones, air traffic, stock exchanges, the Federal Reserve, and taxpayers' credit and medical records," said committee chairman Sen. Fred Thompson (R-TN) after the reports were published.
Hospitals are at risk
If the security of government computer networks is being compromised, should hospital administrators and health information managers be concerned about the security of their systems, as well? Yes and no, says Sandra R. Fuller, MA, RA, vice president of practice leadership for the American Health Information Management Association in Chicago. "Hospitals have a significant potential risk," she says.
Everyone now wants access to patient information, Fuller says: payers, providers, researchers, administrators, and patients. She adds, "The increased demand for access has heightened the need for improved security measures. The focus for health care has been access to information. We're starting to see that pendulum swing back [toward security]. The demand for access drives the security problem."
Headlines from recent years show what can result from a compromised health care security system:
· A 13-year-old daughter of a hospital clerk calls patients from a hospital visit list and tells them they are HIV-positive.
· A celebrity finds news about her recent surgery on the cover of a tabloid.
· A woman has routine medical tests and later receives a letter from a pharmaceutical company offering treatment for her high cholesterol.
· A banker, who is also a member of a state health commission, prints out a list of local cancer patients, cross-references it with a list of bank customers with callable loans, and then calls in the patients' loans.
In comparison to security breaches at government agencies, though, the problems and lawsuits at hospitals have been limited.
"Hospitals haven't yet become exciting targets for people who are looking to maliciously disrupt data," Fuller explains. "There aren't the incentives for bad behavior that there may be in the banking industry or in some of the government agencies."
Factors that may be holding back electronic security problems include the significant amount of clinical information that is still captured on paper and the motives of the hospital workers themselves.
"Though the workers form the largest risk for security breaches, they also are primarily caring people who decided to go into health care to serve in health instead of to make millions," Fuller says.
Incentives for security are lacking
Electronic access facilitates data analysis and dissemination of patient information, but if security breaches begin to happen more frequently and publicly, both hospitals and patients may become fearful of unauthorized access. Hospitals may be less likely to use electronic technology and patients less likely to divulge private information.
This is unfortunate since many of the security breaches have to do with the failure to use available technological controls rather than inherent weaknesses in the technology, says Dale W. Miller, director of consulting services for Irongate Inc. in San Rafael, CA.
In response to these concerns about information security in health care organizations, the National Library of Medicine, together with the Warren Grant Magnuson Clinical Center of the National Institutes of Health, both located in Bethesda, MD, and the Massachusetts Health Data Consortium in Waltham, asked the Computer Science and Telecommunications Board (CSTB) of the National Research Council in Washington, DC, to initiate a study on maintaining privacy and security in health care applications.
As part of the research, CSTB assembled the Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, comprised of 15 members and an advisor with expertise in computer and health information security. This committee was instructed to conduct visits to six health care organizations that were selected based on their "reputed leadership in the development of electronic medical records, networked clinical systems, and privacy and security policies."
The study is reported in For the Record: Protecting Electronic Health Information. The book examines the motives behind the health care industry's growing use of information technology, identifies the related privacy and security concerns, and assesses a variety of mechanisms for protecting privacy and security in the application of information technology.3
The study found that the organizations' increased effort to provide access had not always resulted in strengthened security controls, although the need to balance the two existed. For example, many of the organizations did not monitor the access of users to see if the users attempted to go into unauthorized areas. Also, most of the sites did not check for security breaches from outside attackers, such as through the Internet or network access. (For information on what to check in your system, see related story, p. 100.)
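The first gap the study describes, no monitoring of whether users try to reach records they are not authorized for, is a matter of reading the access log the system already keeps. The script below is an added illustration, not code from the article or from the NRC study. It runs over a few constructed audit-trail lines (the log format, the user names, and the care-assignment table are all hypothetical) and reports the two things a records manager would want flagged: accounts racking up repeated denied attempts, and accounts that were allowed to view patients outside their own care assignments, which is the pattern behind the clerk's-daughter and tabloid incidents listed above.

```python
import re
from collections import Counter

# Constructed sample audit-trail lines for illustration only; not from the article,
# the NRC study, or any real system. One record per access attempt.
SAMPLE_LOG = """\
1998-06-01T08:02:11 user=nurse01 role=nurse patient=P1001 action=view outcome=allowed
1998-06-01T08:05:40 user=nurse01 role=nurse patient=P1002 action=view outcome=allowed
1998-06-01T09:10:03 user=clerk07 role=clerk patient=P2001 action=view outcome=allowed
1998-06-01T09:11:15 user=clerk07 role=clerk patient=P2002 action=view outcome=allowed
1998-06-01T09:12:30 user=clerk07 role=clerk patient=P2003 action=view outcome=allowed
1998-06-01T12:44:09 user=nurse01 role=nurse patient=P3005 action=view outcome=allowed
1998-06-01T13:01:22 user=temp42 role=billing patient=P1001 action=view outcome=denied
1998-06-01T13:01:48 user=temp42 role=billing patient=P1002 action=view outcome=denied
1998-06-01T13:02:10 user=temp42 role=billing patient=P1003 action=view outcome=denied
1998-06-01T13:02:31 user=temp42 role=billing patient=P1004 action=view outcome=denied
1998-06-01T15:20:00 user=md09 role=physician patient=P1001 action=update outcome=allowed
1998-06-01T16:00:00 user=unknown77 role=contractor patient=P2001 action=view outcome=allowed
"""

# Hypothetical care relationships: the patients each account legitimately works with.
# An account missing from this table has no legitimate patients at all.
CARE_ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "clerk07": {"P2001", "P2002", "P2003"},
    "md09": {"P1001"},
    "temp42": set(),
}

# Hypothetical log format: timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+) outcome=(?P<outcome>allowed|denied)$"
)


def parse_log(text):
    """Parse the log into dicts; malformed lines are returned, not silently dropped,
    because a line the parser cannot read is itself something to look at."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            malformed.append(line)
    return records, malformed


def audit(records, assignments, denied_threshold=3):
    """Report repeated denied attempts per user and successful views of patients
    outside the user's care assignments (the two checks the study found missing)."""
    denied = Counter(r["user"] for r in records if r["outcome"] == "denied")
    out_of_scope = sorted(
        {(r["user"], r["patient"]) for r in records
         if r["outcome"] == "allowed"
         and r["patient"] not in assignments.get(r["user"], set())}
    )
    return {
        "repeated_denials": {u: n for u, n in denied.items() if n >= denied_threshold},
        "out_of_scope_access": out_of_scope,
    }


def run_sample():
    """Run both checks over the constructed log and return the findings."""
    records, malformed = parse_log(SAMPLE_LOG)
    findings = audit(records, CARE_ASSIGNMENTS)
    findings["malformed_lines"] = len(malformed)
    return findings


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample, temp42 is flagged for four denied attempts in under a minute, and two allowed accesses stand out: nurse01 viewing P3005, who is not on that nurse's assignment, and unknown77, an account with no assignments at all, viewing P2001. The point is that none of this needs new technology; the denied-access events and the user-to-patient mapping already exist in any system that enforces access control, and the study's finding was simply that nobody was reading them.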
But health care organizations often don't have the incentives to improve their security measures since patients seldom hear about security breaches or choose their providers based on privacy concerns, the study says. "In the absence of a widespread public catastrophe regarding information security, many health care organizations reported that they believe the risk of a major breach of security is low and that they can survive a major event without significant consequences. Without strong legislation or enforceable industry standards, few penalties will exist for lax security."
The study found that the demand for access had been driving the computerization of information, Fuller says. "There weren't big enough risks to give the incentive to make the time and money commitment in security."
Requirements now on the books
There soon may be more risks, however. The Health Insurance Portability and Accountability Act of 1996 requires the federal government to adopt standards and requirements for electronically transmitting medical data, with which health care organizations must then comply.
The act gives Congress until August of 1999 to enact health privacy legislation. If it does not succeed, the Secretary of the Department of Health and Human Services has the responsibility to promulgate health privacy regulations by January 2000. The act will require penalties for failure to comply with requirements and standards. "The civil and criminal penalties spelled out in that act, once we actually have the rules, will be specific incentives," Fuller says.
Other proposals regarding medical privacy are pending in both the House of Representatives and the Senate. In the House, legislation includes the following:
· Consumer Protection and Medical Record Confidentiality Act of 1998, authored by Rep. Chris Shays (R-CT);
· Medical Privacy in the Age of New Technologies Act of 1997 (HR 1815), introduced by Rep. Jim McDermott (D-WA);
· Fair Health Information Practices Act of 1997 (HR 52), introduced by Rep. Gary Condit (D-CA).
In the Senate, the proposals include:
· The Health Care Personal Information Nondisclosure Act of 1998 (SB 1921), co-authored by Sen. James Jeffords (R-VT) and Sen. Chris Dodd (D-CT);
· The Medical Information Protection Act of 1998, authored by Sen. Robert Bennett (R-UT);
· The Medical Information Protection Act of 1998 (SB 1368), introduced by Sen. Patrick Leahy (D-VT) and Sen. Edward Kennedy (D-MA).
Vice President Al Gore has even added a call for an initiative to protect the privacy of medical records. (For more on the initiative, see related story, p. 100.)
Public opinion is changing
Also, polls are showing that people are becoming more concerned about the unauthorized use of their medical data. This may further drive the push for tighter security measures, Fuller says. "I think more and more patient concern and patient trust will become an incentive [for increased security]."
Health care organizations can't make a real commitment to establishing stronger security controls, though, without starting at the top, she says.
"It is the responsibility of the board and of the CEO of health care organizations to set up an infrastructure that secures the information, both from the patient advocacy and privacy point of view and from the risk of the loss of the information.
"You're not only protecting against people [viewing] the information, but you're protecting it from people getting in to damage it, lose it, erase it, or change it. That information itself is getting to be a valuable resource," Fuller explains.
References
1. General Accounting Office. Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations. Washington, DC: GAO/AIMD-98-145; May 1998.
2. General Accounting Office. Weak Computer Security Practices Jeopardize Flight Safety. Washington, DC: GAO/AIMD-98-155; May 1998.
3. Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. For the Record: Protecting Electronic Health Information. Washington, DC: National Academy Press; 1997.