Information Security News mailing list archives
How Secure Is Digital Hospital?
From: InfoSec News <isn () C4I ORG>
Date: Wed, 28 Mar 2001 23:53:35 -0600
http://www.wired.com/news/technology/0,1282,42656,00.html by Michelle Delio 2:00 a.m. Mar. 28, 2001 PST Not content to merely make healthcare history with its all-digital, completely automated hospital, HealthSouth also hopes the Alabama facility it will build is going to encourage all medical institutions to improve patient care by using cutting-edge technology. The digital hospital, a joint project between HealthSouth and Oracle, will offer Internet access from every patient bed, electronic medical-record databases, digital imaging instead of traditional X-rays, and a hospital-wide wireless network that will allow portable-computer-packing medical workers to update and access patient records from anywhere. "What we're doing now is making a reality out of something that many people have talked about, but no one has attempted," said HealthSouth CEO Richard Scrushy. "I'm envious of anyone who will work in this new facility," said Sahid Samir, a resident intern at New York's Bellevue hospital. "Bellevue is an excellent hospital, but I think that a first-rate communications system would really enhance our ability to do our work. It just takes too long to get the data we need sometimes." Many doctors and other healthcare professionals feel they are working in one of the last pre-digital industries, Samir said. But while they welcome advances in medical science, some are in no rush to adopt high-tech ways of handling medical records and other sensitive information. Health care analyst Peter Emch of Credit Suisse First Boston said digital record-keeping should speed up doctors' rounds by making it easier for them to access patient documents. "Certainly the hospital industry could use modernization," Emch said. But the biggest barrier to high-tech healthcare is doctors' concerns about the security of computer systems. "With all of the stories we hear about how this website and that government computer system was hacked into, how can I feel good about putting my patients' medical records online?" said Henry Vitelle, a Manhattan obstetrician and avid computer user. "When computer systems are completely safe, then I will feel safe about using them for critical data," he added. "I don't feel comfortable about having records somewhere that they could be tampered with by some joyriding hacker with no sense of the havoc he could cause." Vitelle also said he discussed the dangers of wireless transmission with other doctors and hospital administrators at a recent medical conference in New Orleans. He said he was troubled at the news of HealthSouth's planned wireless network, since recent reports have indicated that wireless networks aren't completely secure. Wireless networks use shared radio frequencies to move data, so security concerns about this method of information transmission have always been high. The IEEE 802.11 standard -- also known as Wired Equivalent Privacy (WEP) protocol -- was meant to be a crack-proof method of securing data that was being transmitted using wireless devices by encrypting the data. But WEP has "major security flaws," according to the Internet Security, Applications, Authentication and Cryptography (ISSAC) research group at the University of California in Berkeley. A cracker just needs some easily obtained equipment to be able to intercept wireless transmissions, change the data contained in those transmissions, and access the contents of a wireless network. The flaw "seriously undermines the security claims of the system," according to the ISAAC group. The group recommends that anyone who is using an 802.11 wireless network not rely on WEP for security, but instead employ other security measures to protect their wireless network. HealthSouth's Scrushy said that the hospital will utilize strong encryption and other methods to protect data, but said that the actual technology that will be used is still under discussion and development. He also pointed out that the hospital has already made patient records available to doctors and patients via the Internet on the HealthSouth website and hasn't had any security or privacy problems. "It has always amazed me that so many doctors are loath to explore new ways of doing their jobs," said Toronto Globe medical writer Richard Mackenzie. "Typically, those involved in research welcome technology with open arms, those who work directly with patients shy away from it. They say they are worried about security and it impacting patient care, but I think a lot of them are conservative techno-phobes." But according to a recent study by Cyber Dialogue, doctors do not fear and loathe technology. Ninety percent of the surveyed physicians accessed the Web in the past year, and 55 percent are daily users, with about 24 percent of physicians being "professional users," which the study defined as spending at least three-quarters of their online time for professional purposes. But most of those physicians were not actively using the Internet for clinical or administrative purposes, citing those pesky security and privacy concerns as the primary reasons keeping them from making medical records available online or communicating with patients via e-mail. Most felt that the technology that would enable them to do this securely wouldn't be available for at least five years. "Despite the belief that physicians are techno-phobes, their personal use of the Internet has already reached critical mass," said Thaddeus Grimes-Gruczka, vice president of Cyber Dialogue's Health Practice. "Vital factors essential for making the jump from personal usage to clinical use include integrating technology into workflow at the point of care, addressing privacy and security concerns, and demonstrating how online technologies will help physicians practice medicine more efficiently and effectively," he said. And that's exactly what HealthSouth plans to do. "This will be the hospital model for the entire world," Scrushy said. "We will demonstrate how technology can lower healthcare costs, greatly reduce human errors and provide patients with the best medical care available." The 500,000-square-foot, 219-bed digital hospital will be built in suburban Birmingham, Alabama. Construction is scheduled to begin in the first quarter of 2002 and is expected to be completed by mid to late 2003. HealthSouth already is looking at 10 more cities where similar hospitals could be built. The hospitals will be designed so that they can be upgraded easily, and automation will reduce human errors such as providing incorrect medication to patients. It also will reduce time spent on such labor- and time-intensive tasks as admissions, thus giving healthcare professionals more time to spend with patients, Scrushy said. "Our automated hospital isn't just about technology; it's about using the best technology available to provide the best medical care to patients. People deserve the highest level of care we can provide," Scrushy said. Swaid N. Swaid, a neurosurgeon who is working as a consultant to HealthSouth, said the e-hospital should provide safer, more efficient care. "To marry technology with medicine is exciting," he said. "I think it's going to be a tremendous way to provide patient care that is superior to anything we have seen." ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- How Secure Is Digital Hospital? InfoSec News (Mar 29)