Safe and secure: with HIPAA deadlines looming and a prolific number of security choices on the horizon, healthcare organizations face a challenging future – Security Authentication – Health Insurance Portability and Accountab

Safe and secure: with HIPAA deadlines looming and a prolific number of security choices on the horizon, healthcare organizations face a challenging future – Security Authentication – Health Insurance Portability and Accountability Act – Industry Overview

Richard R. Rogoski

Gone are the days when firewalls alone could foil a hacker. While firewalls remain a major component of network security, threats of cyberterrorism, retaliation by current or former employees, and HIPAA regulations call for a more robust solution consisting of multiple layers of security-related technologies.

While the Health Insurance Portability and Accountability Act (HIPAA) has been a major driver in healthcare, increased use of the Internet and the attacks of last September have sparked a renewed and worldwide interest in computer security. “I believe 9/11 definitely brought an awareness to the world about security,” says Vincent Hren, president and CEO of Minneapolis, MN-based BioconX Inc. “It opened people’s eyes.”

Federal regulations similar to those mandated under HIPAA are forcing the financial sector to find better ways to protect client information, he says. Moreover, reports issued by the FBI show that 70 percent of corporate network breaches are internal. “That’s a shocking number,” says Hren. “Your intellectual property is at the mercy of the people who work with it every day.”

Threats from within are also changing the way organizations view their networks, says John Worrall, vice president of worldwide marketing for RSA Security, a Bedford, MA-based company that provides e-security products and services. Instead of just securing the perimeter, Worrall says his customers are now “treating their entire network as a hostile environment.”

Letter of the Law

Given this new mindset, Worrall says healthcare organizations must put in place a security policy tailored to their individual needs. “Each hospital needs to determine what level of access control it needs,” he notes. “There are two powerful drivers in healthcare: the desire/need to use automation and the HIPAA legislation itself.”

With the industry in the midst of re-engineering itself to better use information technology to improve patient care and reduce medical errors, too many people are focusing on the legislation without looking at the bigger picture, he says.

Mark Tuomenoksa, founder and chairman of Woburn, MA-based OpenReach Inc., agrees. He says that given the timeline for HIPAA security compliance, many healthcare organizations are taking a short-sighted view. He sees it coming down to the “letter of the law” vs. the “spirit” of the law. “Our first question to a client is, `Are you concerned with satisfying the regulations or is your concern security?'”

Keep It Simple

According to Tuomenoksa, meeting the letter of the law means you have met federally mandated requirements. But that doesn’t necessarily mean you now have the tightest security you need. With more information being put online, healthcare organizations need the same or a greater level of security than they had in a mostly paper-based environment.

Too often, IT departments focus on individual security components rather than taking a holistic approach to implement an enterprise-wide security solution. Given that a mix of technologies affords the highest level of security, deciding which technologies should be combined depends on three factors: the level of security required by the organization, ease of use, and total cost.

When it comes to cost, Tuomenoksa says most IT departments only look at capital costs and overlook the long-term labor costs involved in managing and maintaining a network security system.

Usability–ease of use–is another consideration. Traditionally, adding more layers of security has led to more passwords, multiple sign-on procedures and more frustration when access is temporarily blocked. But the move toward a fully integrated, single sign-on system has now made network security easier for IT personnel to set and for hospital staff to use.

Healthcare practitioners just want to get their work done, says Tuomenoksa. They have little tolerance for sophisticated passwords and authentication procedures that get in the way of productivity. Unfortunately, many of the easy-to-use solutions have not been all that secure.

For a system to be secure, Tuomenoksa says all three of the “triple A’s” must be in place: authentication, authorization and accounting. Authentication is the method used to prove that the person accessing the network is who he says he is. Authorization limits access to where and when he can go, how he gets there, and how long he can stay. Accounting provides an audit trail or record of who connected, when they connected, and what they are connected to. “Tracking this information is vital to ensure the security of your network,” he adds.

Large enterprises and application service providers that serve a number of hospitals often add an additional layer of security by implementing an intrusion detection system. By regularly scanning the network for anomalies, the system can readily detect a security breach and, with the more sophisticated intrusion management systems, can take action.

If, for example, the system detects someone logging on from New York and five minutes later the same ID logs on from Boston, it can automatically shut down the network or close the ports that may be under attack.

Laying the Groundwork

Unquestionably, virtual private networks (VPNs) with integrated firewalls are fast becoming a mainstay of network security. “The VPN builds security into the infrastructure,” says Tuomenoksa, whose company provides managed VPN services. “It becomes the foundation of the network and the foundation of who gets in, what they can get into and what they can do with the data once they’re in.”

Because VPNs work at the network level, healthcare organizations that are moving away from legacy systems and frame relay technology do not have to add additional security at the application level. By using a browser-based VPN, all networks can be consolidated through a common Internet connection. Plus, a VPN can normally provide a return on investment within 12 months, he notes.

Advancements in encryption and VPN technologies not only have made VPNs easier to install and use, but they can now accommodate a number of authentication methods including passwords, biometrics and digital certificates. Newer VPNs can provide secure access to patients, allowing them to access their personal medical records, he says.

Biometric Choices

When it comes to authentication, not everyone agrees which technology is the best. While using login names and passwords is still the most commonly used procedure, they can be forgotten or stolen if written down. A digital certificate, which relies on a data record of personal information accompanied by a digital signature, is considered by some as the best form of authentication available today. But there are drawbacks. First, digital certificates are tied to specific devices, plus there is an expense involved in setting up and maintaining a certificate authority.

At the center of a larger debate, however, is biometrics, which provides a unique form of identification through fingerprint or iris scans or voice recognition. Hren, whose authentication company specializes in biometrics, says that the beginning of the 21st centry will herald the wide scale adoption of biometrics, just as the 1990s saw acceptance and adoption of smart cards and tokens. “It’s only a matter of time before biometrics augments passwords or replaces passwords,” he predicts.

Skeptics point to biometric shortcomings and question whether the technology is advanced enough to make it plausible for both clinical workstations and mobile use. “Biometrics is not widely deployed today for information security,” says RSA Security’s Worrall. “Mostly it’s being used for physical security. A robust management structure for managing biometrics is not there yet.”

Still, Worrall says his company has begun to offer biometrics, mainly as a substitute for the personal identification number (PIN) required to unlock smart cards. He admits that biometrics is “a very good password replacement,” but says it would be better used in combination with other forms of authentication.

Of the major biometric scan options, Hren says the easiest to implement and the least expensive is the fingerprint scan. Iris scans and voice recognition have more work ahead of them, especially in the enterprise networking environment, he says.

Because biometric silicon chips are small, it has been easy for manufacturers to embed fingerprint readers in mice and keyboards. Unfortunately, those who work while traveling usually must rely on a password to access their network. “As time goes on, you’ll see these product extensions being offered. You’ll see biometrics embedded into laptops,” says Hren.

Gummy Bears

Unlike latent fingerprints lifted at crime scenes that are checked against the FBI’s database, the basic fingerprint scan used in biometrics uses only seven to 10 characteristics of a print, notes Worrall. “In biometrics, there’s the case of `close enough is good enough.’ But if I cut my finger, it won’t match until it heals.”

Critics of fingerprint scans also point to a report that came out of Japan that chronicled the exploits of a man who ingeniously fooled a fingerprint reader. Referred to as the “Gummy Bear” caper, it told of how a fingerprint embedded into a gel could fool the sensor into believing it was a print on a real finger.

But Hren says, “People are always looking for ways to beat the system. Biometric technology will only improve and become more impervious to attacks. Many of the biometric sensors today take pulse and temperature readings which defeat the gummy bear experiment.”

Worrall points out that biometrics, especially when it involves fingerprints, has raised some questions about privacy. “Who’s storing my biometric template and who’s able to access it?” he asks. “Are they sharing it with anyone?”

The Wireless Challenge

Wireless devices and wireless networks pose a whole new set of security problems. Although ease of use and functionality have made wireless devices popular, some organizations outside of the healthcare field have banned wireless networks that use radio frequencies because of how easy they are to hack. Since wireless technology is relatively new, security solutions are still in the evolutionary stage.

Most wireless devices use a built-in default wireless encryption protocol to secure airborne data. However, a certain amount of predictability in the keys used to encrypt data has made it easy to break the encryption. Work on a new encryption protocol, based on a new set of algorithms, is now underway. In the meantime, manufacturers of wireless devices have begun using IPsec (Internet Protocol Security).

When connecting a wireless network to a VPN, the networking industry appears to be split between using IPsec or SSL (secure sockets layer) technologies. But enterprises don’t have to choose, Tuomenoksa says. They can use both. IPsec provides security for IP traffic at the network level with up to 256-bit encryption. SSL secures Web-based communications over the Internet at the application level with a maximum of 128-bit encryption, he explains.

While both have strengths and weaknesses, Tuomenoksa says IPsec is best suited for those requiring access to applications as if they were physically connected to a local area network. On the other hand, SSL is best suited to those who need mobile access to applications like e-mail and file sharing or for those who want to safeguard their extranets. He adds, “If the VPN has SSL, it’s device-independent because of using Web technology.” IPsec, however, requires the installation of special software for each workstation.

Encryption of data is only one aspect of wireless security. With the growing popularity of handheld devices among physicians, Worrall raises the question of authentication–specifically, authenticating to the device itself. “Who is actually holding that handheld device?” he asks, and what happens if that device is lost or stolen? “What happens if there’s patient information on it?”

Worrall says a password or a smart card with a PIN would be one option. But a better solution would be a combination of smart card with PIN plus biometrics. Doctors seem iii! to prefer the convenience of fingerprint scans, he says, so getting them to use a combination of authentication procedures will take time. “You have a clash of cultures. Technology is going to get more convenient, but doctors are going to have to give a little on their part.”

Adds Tuomenoksa: “The good news is that there are a lot of options right now for healthcare organizations. The bad news is–there are a lot of options right now for healthcare organizations.”

For more information about the services of OpenReach,

For more information about security and biometrics from BioconX,

For more information about security products from RSA Security,

Richard R. Rogoski is a free-lance writer and a contributing editor to HMT. Contact him at

COPYRIGHT 2002 Nelson Publishing

COPYRIGHT 2003 Gale Group