03:03 PM
Dark Reading
Products and Releases

Panel Speaks On Need For Privacy, Access, Identity For Healthcare Information

Event co-hosted by the Smart Card Alliance Healthcare and Identity Councils and the Secure ID Coalition

PRINCETON JUNCTION, N.J., May 26, 2009 - Privacy, access and identity are vital to the Obama administration's effort to modernize the nation's healthcare information infrastructure, a panel of policy and technology experts told healthcare industry leaders, public policy makers and policy-influencing organizations at a National Press Club briefing in Washington, D.C. last week. The event was co-hosted by the Smart Card Alliance Healthcare and Identity Councils and the Secure ID Coalition. A video of all of the presentations from the healthcare identity and privacy briefing is available online.

The topic is timely because healthcare IT is getting nearly a $19 billion boost from the American Recovery and Reinvestment Act of 2009. The speakers agreed the sense of urgency and massive investment are good news, but that time pressure might also cause problems.

"There is a risk we will focus too much on standards for electronic health records (EHRs) and ways to exchange them at the expense of sound privacy and identity models," said Randy Vanderhoof, executive director of the Smart Card Alliance. "The critical issues are getting control over who has access to healthcare information, and correctly tying the right individual to his or her health records. That means identity management and access authentication security have to be baked-in from the start, not tacked on at the end."

Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions, according to a leading practitioner and specialist on the subject, Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York. He cautioned that identity management must be addressed correctly up front or "we're going to have problems with the linkages of electronic medical records" on a regional or even national basis. Mount Sinai revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.

Hospitals and other stakeholders also face significantly stronger privacy and security rules along with new financial penalties for violators, according to Richard D. Marks, co-founder and president, Patient Command, Inc. Marks said the healthcare "HITECH Act of 2009" provisions in the American Recovery and Reinvestment Act are a direct effort by the new administration to extend and enforce HIPAA (Health Insurance Portability and Accountability Act) regulations that were largely ignored until now. To put teeth in the enforcement effort, the new legislation has created health record data breach notification rules, fines for failure to protect personal health information and rights for complainants to share in civil monetary penalties levied on offenders, providing a big incentive for whistleblowers. The civil and criminal penalties are not limited only to institutions, but apply equally to negligent CEOs, CFOs, CIOs and board members, including possible jail time, Marks said.

In this new environment, authentication becomes the biggest business process issue facing industry stakeholders. "What we need is something that is easy for the public to use for authentication so we can tell who they are precisely," Marks said.

Another panel member raised the issue of empowering people to manage their own personal healthcare information. Dr. William Yasnoff, MD, PhD, chair, Health Record Banking Alliance and managing partner, NHII Advisors asked the audience, "Who at this moment has a complete copy of your medical records? For the overwhelming majority of people, the answer is no one." Yasnoff argues that the current model—keeping medical records at the place they are created and somehow assembling the information later when you need it—is flawed. He envisions a health record bank, essentially an electronic safe deposit box that provides a secure repository for an individual's comprehensive health record. The patient would strictly control access to the information, guaranteeing both privacy and consent.

Whether personal healthcare information is stored centrally or at the place it is created, its security is far more critical than even other types of personal information such as credit card accounts, in the opinion of Michael Magrath, director, Healthcare and Government for Gemalto. Magrath points out that if someone steals your credit card number and starts using it online, the bank will replace your financial losses and just give you a new card; however, there is no single issuer there to protect you in the case of healthcare information. "If my personal healthcare records are compromised there's no recourse. It's out there and it's out there forever," he said.

Lisa Gallagher, senior director, privacy and security, HIMSS, summed up the panel's main message to industry stakeholders and policy makers. "It's vital that the entire healthcare community understand the relationship between security controls and the privacy policies that we are trying to implement at the national level," she said. "It doesn't matter what the privacy policy says, or how strongly or how often a company promises to meet it, it cannot do so without implementing proper security controls."

More information is available in Smart Card Alliance publications. "Effective Healthcare Identity Management: A Necessary First Step for Improving U.S. Healthcare Information Systems" explains the current problems with identity management in healthcare and its costs. It also proposes solutions that leverage existing standards developed for other federal identity programs. The newly published "Smart Card Technology in Healthcare" frequently asked questions document outlines how the technology is used to manage patient identity and protect a healthcare consumer's personal information.

About the Secure ID Coalition

The Secure ID Coalition is an affiliation of companies advocating for secure identification (ID) technology standards to protect the privacy of citizens. The Secure ID Coalition is a resource to policy makers and its members work with public and private entities to design secure solutions in identity management that also address the importance of protecting privacy.

About the Smart Card Alliance Healthcare Council

The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on how smart cards can be used for healthcare identity management and to work on issues inhibiting the industry.

Healthcare Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org.

