The Internet: An attractive but risky place for data
Experts disagree on security measures
There’s a giant resource out there waiting for health information managers to use. It virtually begs for you to effortlessly and cheaply transfer your information to other hospitals, doctors, payers, and just about everyone else involved in health care.
Problem is, it’s the Internet, and along with its great potential come nagging doubts about its security. So the debate over whether it’s wise to use the Internet for confidential transactions usually boils down to one question: Is it safe?
Depending on whom you talk to, the answer can be:
1. Not now, but soon.
2. For some uses.
3. Absolutely.
4. Absolutely not.
Transmission of clinical information is very limited currently because of security concerns, says Janis Leonard, manager at the Ernst & Young Center for Healthcare Emerging Technologies in Atlanta. There already is a tremendous store of information available on the Internet, but most of it is medical, such as reference material, she says.
But others say the recent development of encryption technology is proving incredibly effective in protecting information privacy. Commercial software packages used to transmit encrypted material, such as Eudora, Pegasus Mail, and Lotus Notes, allow users to have the equivalent of a "secured envelope," says John Hoben, principal at Hoben Associates in Hamlin, NY, and editor and co-author of Faulkner and Gray’s Guide to Health Care Resources on the Internet.
Information protected by such programs can’t be "opened" in transit by anyone who doesn’t have the code, or "encryption key" as it’s called. Encryption provides what is known in the field as "PGP" (pretty good privacy), he says. Hoben adds, however, that encrypting e-mail can be a cumbersome process for those who are not doing it on a regular basis.
That’s because the older e-mail software programs don’t have the encryption function built in, so users have to exit and specially prepare the file before it’s sent, Hoben explains. Most of the new programs do build it in and aren’t a problem, he adds.
"It takes significant resources, huge amounts of machinery, to decode these programs," Hoben says, adding that the federal government has tried to prohibit export of encryption technology because it is so effective.
While encryption will deter the casual Internet user, "there are people who could get in, who have the technological expertise," says Brenda Siewicki, principal at Ernst & Young and an authority on computer-based patient records. She points out that an e-mail message is a far cry from a file containing 10 years of a patient’s clinical data, with lab information, images, radiology results, and wave forms, such as an electrocardiogram.
Confidential patient information "is not something I would place on the Internet today," Siewicki adds, noting that there are also problems with timeliness and with data ending up in places it should not be.
Administrative information is another matter. Some payers provide physician directories, and allow members to change primary care physicians, for example, over the Internet, Leonard notes.
Encryption is recommended for transitory or short-term uses, says John O’Brien, CRM, president of Interactive Strategies, in Victoria, British Columbia.
"I believe medical records can be secured through encryption, but once they’re secure, it’s totally a matter of administering that at each end," he says. The problems on the receiving end include people who don’t know where to store that data, which could mean others won’t be able to retrieve it. Since the privacy issue is most critical during the transmission stage, once data has arrived at its destination it should be decrypted immediately, he says.
The danger is that employees receiving the data, thinking that data important enough to be encrypted should not be available in the system, tend to leave it encrypted, building a collection of encrypted documents that are unmanaged in an organizational sense, O’Brien explains. "As technology changes, as staff change, you may lose the capacity to retrieve that information. You have a lot of information and don’t know what it is."
Organizations that use encryption should make sure they’re developing an electronic trail that identifies where the information is, he advises. For instance, if someone sends material that should not be decrypted, the person receiving it should have a systematic means to name and store those files, he says. "If I’ve done that, my supervisor can decide about its value, whether it’s worth decrypting." (See related story, p. 44.)
Meanwhile, virtually every large health system has some type of private computer network with the ability to exchange more sensitive health care information among its own members, she says. "Most are taking the position that they want physicians to have access to patient histories, test results, but right now the majority of that exchange is taking place over private networks."
Other health systems are taking that exchange a step further, but stopping short of using the Internet, by using an intranet to allow access to clinical information, she notes. The Internet and intranet use the same tools, primarily a browser that allows easy, inexpensive access through America On-line, for example, Leonard says. The same technologies can run on private or public networks, she says.
While the Internet is a public network everyone has access to, an intranet has several layers of security, Leonard explains. "You log onto the network, onto the specific application and authenticate who you are; there are several layers [to get through] to actually access information."
"Intranets make a lot of sense for integrated delivery systems," adds Siewicki. "These organizations have their own policies and procedures so that if someone accesses information inappropriately, they can be fired."
At present, O’Brien notes, legislation regarding the transmitting of data varies from state to state and from country to country. British Columbia, where he lives, has a law restricting the degree to which patient information can be shared. "Usually it’s not ‘yes’ or ‘no,’ but ‘what information and why do you want to do it,’" he says.
"If you’re sharing critical health information and time is of the essence, that is a legitimate reason," O’Brien adds. "But if a reasonable observer might suspect I could have gone to a patient [in advance] and said, ‘I need to share this information and get advice from a colleague,’ then [by not doing so], I’ve breached confidentiality."
The advantage of the Internet over an intranet is the building of critical mass: so many more destinations with which to communicate. "It’s really exploded in the last couple of years," notes Leonard, "and the area of security is the one people are working the most rapidly on."