
5/27/2009
03:03 PM
Dark Reading
Products and Releases

Panel Speaks On Need For Privacy, Access, Identity For Healthcare Information

Event co-hosted by the Smart Card Alliance Healthcare and Identity Councils and the Secure ID Coalition

PRINCETON JUNCTION, N.J., May 26, 2009 - Privacy, access and identity are vital to the Obama administration's effort to modernize the nation's healthcare information infrastructure, a panel of policy and technology experts told healthcare industry leaders, public policy makers and policy-influencing organizations at a National Press Club briefing in Washington, D.C. last week. The event was co-hosted by the Smart Card Alliance Healthcare and Identity Councils and the Secure ID Coalition. A video of all of the presentations from the healthcare identity and privacy briefing is available online.

The topic is timely because healthcare IT is getting nearly a $19 billion boost from the American Recovery and Reinvestment Act of 2009. The speakers agreed the sense of urgency and massive investment are good news, but that time pressure might also cause problems.

"There is a risk we will focus too much on standards for electronic health records (EHRs) and ways to exchange them at the expense of sound privacy and identity models," said Randy Vanderhoof, executive director of the Smart Card Alliance. "The critical issues are getting control over who has access to healthcare information, and correctly tying the right individual to his or her health records. That means identity management and access authentication security have to be baked-in from the start, not tacked on at the end."

Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions, according to a leading practitioner and specialist on the subject, Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York. He cautioned that identity management must be addressed correctly up front or "we're going to have problems with the linkages of electronic medical records" on a regional or even national basis. Mount Sinai revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.

Hospitals and other stakeholders also face significantly stronger privacy and security rules along with new financial penalties for violators, according to Richard D. Marks, co-founder and president, Patient Command, Inc. Marks said the healthcare "HITECH Act of 2009" provisions in the American Recovery and Reinvestment Act are a direct effort by the new administration to extend and enforce HIPAA (Health Insurance Portability and Accountability Act) regulations that were largely ignored until now.

To put teeth in the enforcement effort, the new legislation has created health record data breach notification rules, fines for failure to protect personal health information and rights for complainants to share in civil monetary penalties levied on offenders, providing a big incentive for whistleblowers. The civil and criminal penalties are not limited only to institutions, but apply equally to negligent CEOs, CFOs, CIOs and board members, including possible jail time, Marks said.

In this new environment, authentication becomes the biggest business process issue facing industry stakeholders. "What we need is something that is easy for the public to use for authentication so we can tell who they are precisely," Marks said.

Another panel member raised the issue of empowering people to manage their own personal healthcare information. Dr. William Yasnoff, MD, PhD, chair, Health Record Banking Alliance and managing partner, NHII Advisors asked the audience, "Who at this moment has a complete copy of your medical records? For the overwhelming majority of people, the answer is no one."

Yasnoff argues that the current model—keeping medical records at the place they are created and somehow assembling the information later when you need it—is flawed. He envisions a health record bank, essentially an electronic safe deposit box that provides a secure repository for an individual's comprehensive health record. The patient would strictly control access to the information, guaranteeing both privacy and consent.

Whether personal healthcare information is stored centrally or at the place it is created, its security is far more critical than even other types of personal information such as credit card accounts, in the opinion of Michael Magrath, director, Healthcare and Government for Gemalto. Magrath points out that if someone steals your credit card number and starts using it online, the bank will replace your financial losses and just give you a new card; however, there is no single issuer there to protect you in the case of healthcare information. "If my personal healthcare records are compromised there's no recourse. It's out there and it's out there forever," he said.

Lisa Gallagher, senior director, privacy and security, HIMSS, summed up the panel's main message to industry stakeholders and policy makers. "It's vital that the entire healthcare community understand the relationship between security controls and the privacy policies that we are trying to implement at the national level," she said. "It doesn't matter what the privacy policy says, or how strongly or how often a company promises to meet it, it cannot do so without implementing proper security controls."

More information is available in Smart Card Alliance publications. "Effective Healthcare Identity Management: A Necessary First Step for Improving U.S. Healthcare Information Systems" explains the current problems with identity management in healthcare and its costs. It also proposes solutions that leverage existing standards developed for other federal identity programs. The newly published "Smart Card Technology in Healthcare" frequently asked questions document outlines how the technology is used to manage patient identity and protect a healthcare consumer's personal information.

About the Secure ID Coalition

The Secure ID Coalition is an affiliation of companies advocating for secure identification (ID) technology standards to protect the privacy of citizens. The Secure ID Coalition is a resource to policy makers and its members work with public and private entities to design secure solutions in identity management that also address the importance of protecting privacy.

About the Smart Card Alliance Healthcare Council

The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on how smart cards can be used for healthcare identity management and to work on issues inhibiting the industry.

Healthcare Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org.
