Internet offers efficiency, but is it secure enough?
Experts disagree on practical applications
The Internet is a giant resource that virtually begs for hospital access managers to effortlessly and cheaply transfer information among hospitals, doctors, payers, and just about everyone else involved in health care.
Problem is, along with its great potential come nagging doubts about its security. So the debate over using the Internet for confidential transactions usually boils down to one question: Is it safe?
Depending on whom you talk to, the answer can be:
1. Not now, but soon.
2. For some uses.
3. Absolutely.
4. Absolutely not.
Making appointments on-line
Some health systems and managed care organizations, including Kaiser Permanente in Northern California, are using the Internet for access management, allowing customers to make appointments, obtain information on their medical conditions, or consult an advice nurse.
Group Health Cooperative of Puget Sound, in Seattle, is developing an intranet that will be used for insurance verification. It will allow doctors and hospitals to determine on-line whether patients are covered by certain insurance companies.
But transmission of clinical information currently is limited because of security concerns, says Janis Leonard, manager of the Center for Healthcare Emerging Technologies for Ernst & Young consultants in Atlanta. There already is a tremendous store of information available on the Internet, but most of it is medical, such as reference material, she says.
One hope for the future is the development of encryption technology to protect private information. Basically, encryption is done through a program that uses a formula to assign either symbols or codes to each character in the text and renders it illegible. A key, usually a string of numbers, is needed to decrypt the text, that is, to tell the program that you are authorized to access it.
Encryption comes in commercial software packages, such as Eudora, Pegasus Mail and Lotus Notes, which allow users to have the equivalent of a "secured envelope," says John Hoben, principal at Hoben Associates in Hamlin, NY, and editor and co-author of Faulkner and Gray’s Guide to Health Care Resources on the Internet.
Information protected by such programs can’t be "opened" in transit by anyone who doesn’t have the encryption "key," as it’s usually referred to, he says. Encryption provides what is known in the field as "PGP," or pretty good privacy, he says. Hoben adds, however, that encrypting e-mail can be cumbersome for those who don’t do it regularly.
Encryption not fail-safe
While encryption will deter the casual Internet user, "there are people who could get in, who have the technological expertise," says Brenda Siewicki, principal at Ernst & Young, and the firm’s national service line leader for computer-based patient records. She further points out that an e-mail message is a far cry from a file containing 10 years of a patient’s clinical data, with lab information, images, radiology results, and wave forms, such as an electrocardiogram.
Confidential information "is not something I would place on the Internet today," Siewicki adds.
Administrative information is another matter. Some payers provide physician directories, and allow members to change primary care physicians, for example, over the Internet, Leonard notes.
Encryption is recommended for transitory or short-term uses, says John O’Brien, CRM, president of Interactive Strategies in Victoria, British Columbia.
"Medical records can be secured through encryption, but once they’re secure, it’s totally a matter of administering that at each end," he says.
The problem, O’Brien explains, is that people store the encrypted files, and then forget what they are or how important they are. "If information is stored in encrypted form, you run the risk of not being able to retrieve it. It should be decrypted [immediately] at the other end."
It’s important that staff be trained to name and organize files properly, avoiding the tendency to leave them encrypted. Usually the security is needed during the transmission, more than after the document arrives at its destination, O’Brien points out.
Consider document management
Organizations that make use of encryption should make sure they’re developing a document management program that tracks transmission of documents, or a record classification system that identifies where the information is, he advises. "For instance, if you’re sending material to me and I’m keeping it encrypted, I should use a naming [system] that allows me to know what I’ve kept. If I’ve done that, my supervisor can decide about its value, whether it’s worth decrypting."
While Internet security problems continue to be addressed, more health systems are using intranet systems, which are essentially private Internets. The Internet and intranet use the same tools, primarily a browser that allows easy, inexpensive access, Leonard says.
Intranet is more secure
While the Internet is a public network to which anyone has access, an intranet has several layers of security, Leonard explains. "You log onto the network, onto the specific application, and authenticate who you are; there are several layers [to get through] to actually access information."
"Intranets make a lot of sense for integrated delivery systems," adds Siewicki. "These organizations have their own policies and procedures so that if someone accesses information inappropriately, they can be fired."