February 6, 2012
Networking Your Health Care
By Michael D. Shaw
The dawn of the 21st century saw an explosion in the use of the Internet. Not a single industry would be unaffected. But if this new superhighway could speed the flow of information, it could also jump-start the flow of malware, and computer viruses of all sorts. Likewise, this same information could now more easily flow into the wrong hands.
At first, cyber security tended to focus on the obvious: Financial and military data. Before long though, concerns would rise over the protection of health care information. Title II of The Health Insurance Portability and Accountability Act of 1996 (HIPAA) would codify matters related to security and privacy of health data. These provisions were further extended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, which addresses electronic health records.
Complicating these efforts is the sobering reality that health care—perhaps more than any other field of endeavor—can benefit dramatically from the free exchange of information. Moreover, as with nearly all aspects of the healing arts, the way this concern for privacy and security of patient data plays out is based largely on fad and fashion.
Up until the AIDS crisis of the 1980s, the primary goal of privacy and security was to keep important data from the patient himself. Almost every Baby Boomer has memories of such practices, as they applied to older relatives: Why bother dear old Aunt Sally with the details of her condition? It’s more important that her heirs be kept informed. Let the old broad die in peace.
Ironically, it would be the fear of discrimination against AIDS patients, as well as the leaking of positive HIV results of famous people to the media—in some cases even before the celebrity himself was aware of the findings—that would turn the tide on privacy and security.
Predictably, the next focus of attention became electronic health records, and this really took off once a financial component came to light—in the guise of medical identity theft.
With the rise of the Internet in the early 2000s also came the emergence of Virtual Private Networks (VPNs). A VPN is a private network application that utilizes the public Internet as a wide area network (WAN) backbone. Because all connections to the Internet-based VPN are local, leased line charges—formerly the single largest operating cost of private networks—could be eliminated. As such, VPNs were able to slash remote networking costs, and rapidly became quite popular.
Once sufficient security protocols were in place, the health care industry became an avid user of VPNs. This would expand into so-called “extranets,” whereby certain outside parties such as insurance companies and medical researchers would have limited access to hospital records.
HIPAA requires health care organizations to implement strict access control, authentication, data encryption, and accountability practices on all networks, including VPNs. With violation penalties reaching a maximum of $50,000 per incident or $1.5 million annually, IT professionals are under the gun to keep their networks HIPAA compliant. In the wake of these developments, as well as the 2014 goal for full transition to electronic health records, health care IT has been touted as a significant source of new jobs.
As health care becomes increasingly consolidated, the big health care players tend to work with the big networking companies. Fortunately, there are also capable players who cater to smaller clients, including PureVPN, based in Hong Kong, offering servers in 14 countries. The company has customers in more than 100 countries, many of whom take advantage of a VPN to overcome pitfalls and restrictions in their local Internet connectivity.
Sadly, no matter how robust the security, the most likely source of breaches tends to be from the inside, and not all of them are necessarily malicious. Two years ago, Palo Alto Networks published a study examining traffic assessments for 41 different health care organizations around the world. Among the findings…
- Applications that enable users to bypass controls are common
- Peer-to-peer file sharing applications (enabling inadvertent transfer of records) were found in more than 90% of the organizations
- Browser-based file sharing applications are also in use
- Entertainment oriented activities (social networking, media, file sharing and web browsing) consumed an astonishing 44% of the total bandwidth utilized
To quote Pogo, “We have met the enemy, and he is us.”