Don't Break a HIPAA

The future of healthcare privacy rests squarely with better data safeguards

The privacy of healthcare information has recently received much attention. HIPAA defines national standards for medical records and other personal health information, and the government’s vision of a National Health Information Infrastructure includes better safeguards for privacy, confidentiality and security.

But while the goal of protecting healthcare information is admirable, there are market forces making it more difficult to realize the goal. Fortunately, there also are new technologies available that promise to make privacy more obtainable.

Scott McNealy, the former CEO of Sun Microsystems, caused a firestorm of controversy in 1999 when he claimed privacy had disappeared.

“You already have zero privacy,” McNealy said at the time. “Get over it.”

His comment was widely criticized, yet there seemed to be little argument with its fundamental premise. Web sites track every mouse click and every page a customer views. Credit card companies know the details of each transaction. Phone companies know the details of each call. And because people seem willing to hand personal information to anonymous strangers on the Internet, perhaps in return for a daily cartoon by e-mail, they appear to put little value on that information.

No Time for Traditional
At the same time, many businesses have become tightly integrated with business partners to increase efficiency and reduce costs. Wireless networks now broadcast all of the information they carry to anyone within range of their transmitters. The combination of these developments makes it difficult to define clearly where a network begins and ends, which in turn makes some traditional security architectures difficult to use.

For example, firewalls define a security perimeter: the area inside the perimeter is treated as secure, and everything outside it is not. When networks are tightly integrated or wireless devices broadcast information in all directions, implementing such a perimeter becomes problematic—yet this is the security architecture most existing networks use. That makes it difficult to achieve the high levels of privacy, confidentiality and security that healthcare information needs.

Fortunately, solutions to this problem will soon be available. The technology will protect the data rather than the network the data resides on, so maintaining a strong security perimeter will no longer be necessary: the data itself will be protected. That protection will come from encryption.

Looking Into Encryption
Encryption has traditionally been both difficult to use and expensive to support because of the difficulties of managing cryptographic keys—the secret information that unlocks encrypted data. Key management is difficult for both users and administrators, causing high support costs that make it difficult to justify investing in the technology. The high cost of using encryption for either access control or transmission security leads many HIPAA-covered entities to decide implementation is not reasonable and appropriate, thus accepting the risks that come with not using the technology.

Newer encryption technologies, however, have solved the usability problems of their predecessors and promise to make a data-centric, perimeterless security architecture practical. Such an architecture lets current business and technology trends continue: businesses can still realize the cost savings of integrated networks, and users can still enjoy the convenience of wireless networks. The new technologies also allow fine-grained security policies that were impractical to implement in the past.

The New Generation
Identity-based encryption is one example of the next generation of encryption technologies. It allows an encryption key to be calculated directly from a user’s identity instead of being generated randomly. To obtain the corresponding decryption key, a user must authenticate to a secure key server. This eliminates some of the practical difficulties that have made other technologies hard to use, such as distributing keys to users: because any encryption key can be calculated as needed, there is no need to distribute it. The technology also makes encryption-based access control easy to implement.

An identity can be anything that distinguishes one user from another. In particular, an identity can be a role, such as doctor. Using identity-based encryption, it is easy to encrypt information to anyone with the role of doctor, and it is simple to use an existing identity management infrastructure to verify that a user holds the role before granting the necessary decryption key.
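The following Python program is an added example, not code from the article or from Voltage Security, that shows the three parties described in the two paragraphs above: a key server holding the master secret, a sender who encrypts to the role “role:doctor” knowing nothing but the public modulus and the role name, and a recipient who gets the decryption key only from the key server. It implements Cocks’ identity-based encryption scheme, chosen because it needs only integer arithmetic (deployed IBE products generally use pairing-based constructions). The primes, the identity strings and the sample message are constructed for the demonstration and are far too small to be secure; the identity-management check that must precede key extraction is assumed, not implemented.

```python
"""Toy identity-based encryption (Cocks' scheme, based on quadratic residuosity).

Constructed for illustration only: the modulus is far too small to be secure.
"""
import hashlib
import secrets

# Demonstration-size Mersenne primes, both congruent to 3 mod 4 as Cocks requires.
# NOT secure parameters: a real key server would generate primes of ~1024 bits.
P_DEMO = 2**31 - 1
Q_DEMO = 2**61 - 1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n; returns 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def hash_identity(identity, n):
    """Map an identity string (user name or role, e.g. 'role:doctor') to a public
    value a with (a/n) = 1. Anyone can compute this from the public modulus n,
    so encryption keys never need to be distributed."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if a and jacobi(a, n) == 1:
            return a
        counter += 1


class KeyServer:
    """Trusted key server: it alone knows p and q. A real deployment hands out a
    key only after authenticating the requester and confirming, through the
    existing identity management system, that the requester holds the identity
    or role (assumed here, not implemented)."""

    def __init__(self, p, q):
        if p % 4 != 3 or q % 4 != 3:
            raise ValueError("primes must be congruent to 3 mod 4")
        self.p, self.q, self.n = p, q, p * q

    def extract(self, identity):
        """Decryption key r satisfying r^2 = a or r^2 = -a (mod n)."""
        a = hash_identity(identity, self.n)
        return pow(a, (self.n + 5 - self.p - self.q) // 8, self.n)


def encrypt_bit(bit, a, n, rng):
    """Encrypt one bit to identity value a. Two halves are produced because the
    sender cannot know which of a or -a is the square the key server holds."""
    m = -1 if bit else 1
    halves = []
    for sign in (1, -1):
        while True:
            t = rng.randrange(2, n)
            if jacobi(t, n) == m:      # also guarantees gcd(t, n) == 1
                break
        halves.append((t + sign * a * pow(t, -1, n)) % n)
    return tuple(halves)


def decrypt_bit(halves, r, a, n):
    """Recover the bit with key r; reject a key issued for a different identity."""
    s1, s2 = halves
    r2 = pow(r, 2, n)
    if r2 == a:
        j = jacobi(s1 + 2 * r, n)
    elif r2 == n - a:
        j = jacobi(s2 + 2 * r, n)
    else:
        raise ValueError("decryption key does not match this identity")
    return 1 if j == -1 else 0


def encrypt_message(plaintext, identity, n, rng=None):
    """Bit-by-bit encryption of a byte string to an identity, using only n."""
    rng = rng or secrets.SystemRandom()
    a = hash_identity(identity, n)
    bits = [(byte >> i) & 1 for byte in plaintext for i in range(7, -1, -1)]
    return [encrypt_bit(b, a, n, rng) for b in bits]


def decrypt_message(ciphertext, identity, r, n):
    """Inverse of encrypt_message; the recipient recomputes a from the identity."""
    a = hash_identity(identity, n)
    bits = [decrypt_bit(c, r, a, n) for c in ciphertext]
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    server = KeyServer(P_DEMO, Q_DEMO)
    # A lab system encrypts to the role, knowing only the modulus and the role name.
    ct = encrypt_message(b"lab result", "role:doctor", server.n)
    # A doctor authenticates to the key server and receives the role's key.
    doctor_key = server.extract("role:doctor")
    print(decrypt_message(ct, "role:doctor", doctor_key, server.n))
```

Two points worth noticing when running it. First, the sender never contacts the key server: the role name and the public modulus are all it needs, which is what removes the key-distribution problem. Second, the only place where access control happens is the key server’s `extract` call, so the authentication and role check in front of it carry the whole security of the data-centric design. Cocks’ scheme expands each plaintext bit into two residues, so in practice a scheme like this wraps a symmetric key that then encrypts the record itself.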

The newer encryption technologies make it feasible to protect the data instead of the network in which it resides. It is simple to encrypt information so that only authorized users can decrypt it, and once data is protected this way, a strong network perimeter matters much less. A hacker who obtains information from a network that uses a data-centric security architecture will be unable to decrypt it. Data-centric security thus provides the desired privacy, confidentiality and security of healthcare information without interfering with current business and technology trends.

While traditional encryption technologies earned a reputation for being expensive and difficult to use, newer technologies avoid those issues and provide a way to move to the security architectures that future networks may require. HIPAA requires covered entities to review periodically the security measures used to comply with the security rule and to modify them as deemed appropriate. These next-generation encryption technologies deserve consideration in that review and may provide a way to protect electronic protected health information (EPHI). Some personal information, such as your use of the Internet, your phone or your credit cards, may have absolutely no privacy, but there is no reason this has to be true of healthcare information.

This article originally appeared in the May 2007 issue of Security Products.

About the Author

Luther Martin is chief security architect at Palo Alto, Calif.-based Voltage Security Inc.
