How safe are your health records?

We don’t look at our health records with the same sense of urgency, even though they contain very personal information.

James Turner, industry analyst at IBRS pointed out that when you look at the ABS figures on private health cover in Australia, the single largest reason for taking up private cover, at 43 percent, is because the person wants the “security/protection or peace of mind” that comes with private health insurance.

Peace of mind

Health is to do with a person’s own body, and people can become very sensitive to intrusion when it relates so intimately to them. Insurance can only work if a number of people take up the option — if only one person takes insurance, then the insurance company has to charge them a massive premium.

When the insurance company can get thousands of people to defray the costs of a few, then the entire scheme becomes sustainable.

It is in the interest of the healthcare system for the maximum amount of people to get involved in private health cover, therefore doctors, emergency centres and hospitals across the nation need to be doing as much as possible to protect their patients’ security.

“The implications for the healthcare industry are therefore to offer a service which focuses on providing peace of mind,” said Turner.

“And this is exactly what you see in the marketing message for private health cover. The focus is on peace of mind. This is indicative of a fundamentally risk-averse characteristic of these consumers. They don’t like exposure.”

Just how secure are our records?

Healthcare is an interesting area because it involves very sensitive personal information, big sums of money, and drugs. Large healthcare organisations are aware of the threats and most have their own IT departments and standards.

According to Turner, an area of concern is the IT security of small healthcare providers working in the suburbs including doctors, dentists, physiotherapists, and alternative healthcare providers.

Geoff Quinn, business manager Northern Region at TPP Group specialises in securing corporate networks and data and finds his customers within the healthcare sector technology-savvy.

“I am typically dealing with larger medical centres with either in-house IT teams or technology advisers. Generally, I find there is a good understanding of privacy and security issues,” he explained.

“Clearly, the need to share information between practices, between hospitals etc, is increasing and this sharing will lead to improved healthcare.

"In turn, the need to guard the privacy of individuals becomes paramount and that’s why strong gateway and authentication solutions are necessary.”

Hacker threat

Taking this into account, what could potentially happen if someone hacked into the database of a major healthcare organisation? Hackers are resourceful people and have broken into some of the world’s most highly protected areas and well-resourced companies.

In 1999, British hackers seized control of a British military communications satellite from their home computer, triggering a frenetic security alert.

Hackers have also reportedly broken into NASA, Boeing and the US military as well. “The bottom line is that if a hacker wants to get in badly enough, they will find a way. Knowing this, IT security groups structure their defences accordingly,” said Turner.

According to Quinn, the IT security requirements in the healthcare sector are not unique, but all evidence points to the fact that the privacy of information is the principle driver for the adoption of robust security policies and practices in the sector.

“For our company, healthcare presents good opportunities for Secure Computing’s Web gateway and authentication products.

"Through government-funded Practice Incentive Programs there is a push across the health industry to have the sector implement appropriate information security measures such as virus protection, firewalls, access control and authentication.”

Access Card

One option put forward by the government that will regulate the practices of healthcare providers is the Access Card. Tagged by the Australian Privacy Foundation (APF) as a National ID Card, the project, costing $1.1billion dollars, is receiving negative feedback from the APF, Australian Democrats as well as a host of other organisations.

The Australian Government’s Department of Human Services said that one of the primary reasons for introducing the card is to reduce fraud and concession leakage.

The Australian Federal Police commissioner has stated publicly that identity fraud costs Australians between $1billion and $4billion each year.

Medicare cards reportedly feature in approximately 70 percent of serious and organised crime identity investigations by the Australian Federal Police’s Identity Crime Task Force.

The Access Card will need to be presented at Medicare as well as any organisation that provides healthcare services including hospitals, doctors, clinics, physiotherapists and pharmacists and is set to grow.

“If we don’t get the Access Card deployed in Australia pretty soon then we’re going to have to confront some very nasty breaches and abuses of privacy,” said Turner.

Possible threats

Pacemakers are now being deployed remotely with home monitoring systems. The technology allows pacemakers to report wirelessly to a home Internet router, which then posts the information to a secure website which the cardiologist can view from anywhere in the world.

“In the industrial world, we’ve spent the past few years coming to grips with hackers playing around with SCADA systems — the electronic systems designed to control large utilities such as power generator facilities, water purification, sewerage processing, and oil refineries.

In 2000 a hacker broke into a sewerage processing plant in Queensland and released untreated water into the surrounding environment,” said Turner.

“If we’re plugging people’s hearts into the Internet, what is a hacker able to do which the system was never designed to do, but technically is completely capable of doing?”

Copyright © SC Magazine, US edition

arehealthhowrecordssafesecurityyour