Connecting with Consumers: Web-based Health Technologies and Keeping Them Secure

Beth Friedman, RHIT, and Ed Pierson


Do you remember the "good old days"--as in, do you remember when all we had to worry about was modems?

In a recent article, Gary Hamel wrote, "The world is becoming turbulent faster than organizations are becoming resilient." And this affects both individuals and their organizations. In the "good old days," all that the IT security department had to worry about from a technology point of view was all those pesky modems that everyone wanted to attach to their workstations so that they could run PC Remote and control their machines from the house.

The implications of this accelerating pace of change in security, for individuals and for their organizations, can be extreme. It can result in a bunker mentality, in a sense of hopelessness, and, sometimes, in a very false sense of security. The common effect of all of these challenges is that senior management can develop an aversion to even hearing about the possible issues.

As we rush to apply technology solutions to deal with the wave of worms, viruses, and human-based attacks, we tend to view the effort only as a technical challenge of patches, firewalls, IDs, and password rotations; we neglect the other side of the challenge--how do we build systems that are secure, yet usable by the intended audience?

Issues Facing IT Departments Today

Protecting patient health information (PHI) is a key objective of any healthcare security organization. The challenge continues to grow and expand as society becomes more mobile in nature and as technology continues to become more mobile. Consumer expectations of access from any platform at any time are increasing as we move to PDAs and Web-enabled cell phones and as access speeds for both land-based and cellular-based units increase. Consider the rate of change in just the past three years among the readership of PC Magazine (see the table below). Granted, its audience is more technology savvy than the average consumer, but the trends also hold up in the general population.

Results from PC Magazine Readership Survey

Access speed used        Dec. 2001   Dec. 2002   Dec. 2003
13.6k modem or slower
56K modems
Cable Modem
Wireless local loop
% on Broadband

Source: PC Magazine (September 2003), "Forward Thinking."

As consumers of healthcare continue to connect to the Web in growing numbers, the demand for access not only to general information but to targeted information continues to grow for physicians, hospitals, and insurance providers alike. The ability to move personal records between physicians, between a primary care provider and a specialist, and to resolve billing issues effectively continues to become more important to the average consumer.

Security Issues Both Inside and Outside

The range of key issues facing IT departments and individual physician practices is large and growing exponentially. How do you secure access to the machines you control and, more importantly, to those that you do not control? How do you address all of the mobile devices (including cameras) that now wander the halls of the hospital or clinic? Internal threats include disgruntled employees, back doors in code written by contractors, wireless access, weak or shared passwords, and data that leaves your site by unsecured methods, such as e-mail. External threats include viruses, worms, spyware, and identity theft.

The last point--identity theft--is perhaps the greatest risk. As usual in a complex world, the easiest exploit is anything to do with the human side of the equation. Studies have shown that, especially now with the explosion of IDs and passwords, people are desensitized to the whole issue of security. A recent study in Britain, done by Infosecurity Europe, revealed that more than 70 percent of the people questioned would hand over their most commonly used passwords in exchange for a bar of chocolate. Another survey found that 79 percent would indirectly give away their password by revealing how they chose it. SPSS surveyed online consumers, and 84 percent said they feel at least somewhat secure with their passwords online, but only 44 percent change them.

No matter what the security system, somehow it has to believe that you are really you. Hence the push for multifactor authentication: the combination of passwords with some other form of identification, such as biometrics, secure cards, tokens, or optical methods.

The obvious challenge for any industry, and for healthcare in particular, is that all of these methods have serious limitations under certain conditions and operating environments. It is easy to blame user acceptance as the driver for the slow implementation of additional security elements, but the factor most often cited as the top barrier is lack of executive sponsorship, followed by the lack of a clear ROI for the necessary investments.

Where Are Some of the Weakest Links in Our Defenses?

Business continuity (BC) and disaster recovery (DR) represent two areas that are critical to all organizations and too often are overlooked in terms of their potential impact on our companies. Building a resilient infrastructure both strengthens your day-to-day operations and reduces your exposure to unexpected events.

Even those organizations that prepare and practice BC and DR planning often do not extend the plans to include key vendors and suppliers. So, when called upon to implement the plans, everything works great until you realize that while you are up and running, key pieces of your systems are unusable because your partners and vendors are still down. As more key pieces of the environment are outsourced to partners and third-party groups, make sure that you include their plans in your plan. Equally important to assessing cost and choosing a partner is asking how much risk you assumed by linking them into your world.

Conclusion: What Is Here Now and What Is Coming in the Future?

RFID, biometrics, optical, proximity cards, smart cards, tokens, PKI, encryption, secure messaging, etc.: most of these are here now, and all are implemented to some degree and with some level of success. The technologies will change, but all are built around one of three forms of authentication: something you know, something you have, or something you are.

Predicting the future is rarely something that most of us are good at, but if you listen to the consensus of "experts," what you hear reflects reality as much as it does hype. Most system security will still be password-based throughout 2005, with steadily growing acceptance and use of smart cards and tokens as costs drop and the technology improves. Already, many hospitals are working with single sign-on solutions that use tokens similar to those used to buy gas at the pump as a way to add security and to grant multilayer access rights. Rights vary based on how much authentication you present. If you log in with just an ID and password, then you get to view but not edit; if you log in with an ID and a token, then you have full rights.
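The tiered-rights policy just described (ID plus password gives view-only access; ID plus token gives full rights) can be expressed as a small authorization decision keyed on the three factor categories the paper names. The following is an added example written for this page, not code from the paper or from any hospital's single sign-on product; the `Category` and `AuthFactor` names, the rights labels, and the rule that non-patient data needs only one factor (the paper's patient/non-patient layering) are assumptions made for the example.

```python
"""Added example (not from the proceedings paper): derive access rights from
which authentication factor categories a user actually verified.

Assumptions for this example: factor categories follow the paper's
"something you know / have / are"; rights are the strings below; non-patient
data is treated as less sensitive and needs only one verified category."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # token, smart card, proximity card
    ARE = "something you are"     # biometric


@dataclass(frozen=True)
class AuthFactor:
    name: str
    category: Category
    verified: bool  # outcome reported by that factor's verifier


# Rights tiers used by this example, weakest to strongest.
DENY = "deny"
VIEW_ONLY = "view"
FULL = "full"


def assurance_level(factors):
    """Count *distinct* verified categories, not factors.

    Two passwords are still single-factor; an unverified token adds nothing.
    """
    verified = {f.category for f in factors if f.verified}
    return len(verified)


def decide_rights(user_id, factors, patient_data=True):
    """Map the assurance level to a rights tier for one record.

    - no user ID, or nothing verified           -> deny
    - one verified category (e.g. password)     -> view only (patient data)
    - two or more verified categories           -> full rights
    - non-patient data: one verified category is enough for full rights
    """
    if not user_id or not any(f.verified for f in factors):
        return DENY
    if not patient_data:
        return FULL
    return FULL if assurance_level(factors) >= 2 else VIEW_ONLY


def audit_line(user_id, factors, rights):
    """One audit-log line recording which categories backed the decision."""
    cats = sorted(f.category.name for f in factors if f.verified)
    return f"user={user_id} factors={'+'.join(cats) or 'none'} rights={rights}"


if __name__ == "__main__":
    # Constructed sample logins; "verified" would come from the real verifiers.
    password = AuthFactor("password", Category.KNOW, True)
    token = AuthFactor("token", Category.HAVE, True)
    bad_token = AuthFactor("token", Category.HAVE, False)
    for factors in ([password], [password, token], [password, bad_token]):
        rights = decide_rights("dr_smith", factors)
        print(audit_line("dr_smith", factors, rights))
```

The point the counting rule makes is that assurance comes from distinct categories: a second knowledge factor, or a token whose verification failed, leaves the user at the view-only tier, and the audit line records exactly which categories produced the decision.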

Beyond the issue of identity, the trend in security is also focused on how we secure the connected environment.

  • How do you allow for wireless access, disconnected access, multiplatform access (one person, three platforms), and portable access (USB drives)?
  • Securing systems that you don't control is critical to being able to adapt to the new challenges.
  • Being able to audit and verify that no one within your hospital or clinic is sending out information in a way that violates HIPAA standards is becoming a critical task.
  • The need to have multilayer security to handle patient and nonpatient data access is essential.

References

  1. Positive ID (November 2002). CIO. Available at metric474.html
  2. Forward Thinking (September 2003). PC Magazine. Available at
  3. Metrics (December 2003). CIO. Available at
  4. Infosecurity Europe (2003 tradeshow)

Source: 2004 IFHRO Congress & AHIMA Convention Proceedings, October 2004