How Secure Is Digital Hospital?

[InfoSec News <isn () C4I ORG>]

http://www.wired.com/news/technology/0,1282,42656,00.html

by Michelle Delio
2:00 a.m. Mar. 28, 2001 PST

Not content to merely make healthcare history with its all-digital,
completely automated hospital, HealthSouth also hopes the Alabama
facility it will build is going to encourage all medical institutions
to improve patient care by using cutting-edge technology.

The digital hospital, a joint project between HealthSouth and Oracle,
will offer Internet access from every patient bed, electronic
medical-record databases, digital imaging instead of traditional
X-rays, and a hospital-wide wireless network that will allow
portable-computer-packing medical workers to update and access patient
records from anywhere.

"What we're doing now is making a reality out of something that many
people have talked about, but no one has attempted," said HealthSouth
CEO Richard Scrushy.

"I'm envious of anyone who will work in this new facility," said Sahid
Samir, a resident intern at New York's Bellevue hospital. "Bellevue is
an excellent hospital, but I think that a first-rate communications
system would really enhance our ability to do our work. It just takes
too long to get the data we need sometimes."

Many doctors and other healthcare professionals feel they are working
in one of the last pre-digital industries, Samir said. But while they
welcome advances in medical science, some are in no rush to adopt
high-tech ways of handling medical records and other sensitive
information.

Health care analyst Peter Emch of Credit Suisse First Boston said
digital record-keeping should speed up doctors' rounds by making it
easier for them to access patient documents.

"Certainly the hospital industry could use modernization," Emch said.

But the biggest barrier to high-tech healthcare is doctors' concerns
about the security of computer systems.

"With all of the stories we hear about how this website and that
government computer system was hacked into, how can I feel good about
putting my patients' medical records online?" said Henry Vitelle, a
Manhattan obstetrician and avid computer user.

"When computer systems are completely safe, then I will feel safe
about using them for critical data," he added. "I don't feel
comfortable about having records somewhere that they could be tampered
with by some joyriding hacker with no sense of the havoc he could
cause."

Vitelle also said he discussed the dangers of wireless transmission
with other doctors and hospital administrators at a recent medical
conference in New Orleans. He said he was troubled at the news of
HealthSouth's planned wireless network, since recent reports have
indicated that wireless networks aren't completely secure.

Wireless networks use shared radio frequencies to move data, so
security concerns about this method of information transmission have
always been high. The IEEE 802.11 standard -- also known as Wired
Equivalent Privacy (WEP) protocol -- was meant to be a crack-proof
method of securing data that was being transmitted using wireless
devices by encrypting the data.

But WEP has "major security flaws," according to the Internet
Security, Applications, Authentication and Cryptography (ISSAC)
research group at the University of California in Berkeley.

A cracker just needs some easily obtained equipment to be able to
intercept wireless transmissions, change the data contained in those
transmissions, and access the contents of a wireless network.


The flaw "seriously undermines the security claims of the system,"
according to the ISAAC group.  The group recommends that anyone who is
using an 802.11 wireless network not rely on WEP for security, but
instead employ other security measures to protect their wireless
network.

HealthSouth's Scrushy said that the hospital will utilize strong
encryption and other methods to protect data, but said that the actual
technology that will be used is still under discussion and
development.

He also pointed out that the hospital has already made patient records
available to doctors and patients via the Internet on the HealthSouth
website and hasn't had any security or privacy problems.

"It has always amazed me that so many doctors are loath to explore new
ways of doing their jobs," said Toronto Globe medical writer Richard
Mackenzie. "Typically, those involved in research welcome technology
with open arms, those who work directly with patients shy away from
it. They say they are worried about security and it impacting patient
care, but I think a lot of them are conservative techno-phobes."

But according to a recent study by Cyber Dialogue, doctors do not fear
and loathe technology.

Ninety percent of the surveyed physicians accessed the Web in the past
year, and 55 percent are daily users, with about 24 percent of
physicians being "professional users," which the study defined as
spending at least three-quarters of their online time for professional
purposes.

But most of those physicians were not actively using the Internet for
clinical or administrative purposes, citing those pesky security and
privacy concerns as the primary reasons keeping them from making
medical records available online or communicating with patients via
e-mail.

Most felt that the technology that would enable them to do this
securely wouldn't be available for at least five years.

"Despite the belief that physicians are techno-phobes, their personal
use of the Internet has already reached critical mass," said Thaddeus
Grimes-Gruczka, vice president of Cyber Dialogue's Health Practice.

"Vital factors essential for making the jump from personal usage to
clinical use include integrating technology into workflow at the point
of care, addressing privacy and security concerns, and demonstrating
how online technologies will help physicians practice medicine more
efficiently and effectively," he said.

And that's exactly what HealthSouth plans to do.

"This will be the hospital model for the entire world," Scrushy said.
"We will demonstrate how technology can lower healthcare costs,
greatly reduce human errors and provide patients with the best medical
care available."

The 500,000-square-foot, 219-bed digital hospital will be built in
suburban Birmingham, Alabama. Construction is scheduled to begin in
the first quarter of 2002 and is expected to be completed by mid to
late 2003.

HealthSouth already is looking at 10 more cities where similar
hospitals could be built.

The hospitals will be designed so that they can be upgraded easily,
and automation will reduce human errors such as providing incorrect
medication to patients. It also will reduce time spent on such labor-
and time-intensive tasks as admissions, thus giving healthcare
professionals more time to spend with patients, Scrushy said.

"Our automated hospital isn't just about technology; it's about using
the best technology available to provide the best medical care to
patients. People deserve the highest level of care we can provide,"
Scrushy said.

Swaid N. Swaid, a neurosurgeon who is working as a consultant to
HealthSouth, said the e-hospital should provide safer, more efficient
care.

"To marry technology with medicine is exciting," he said. "I think
it's going to be a tremendous way to provide patient care that is
superior to anything we have seen."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".