Keep health records safe by putting them on the Internet

For those tormented by HIPAA-Internet security nightmares, a new, safer data storage idea has surfaced.

Researchers at Australia's Commonwealth Scientific and Industrial Research Organization (CSIRO) are developing a technology that, paradoxically, allows safe and secure storage of data on the Internet.

"Developments in Web services, grid computing, and advanced networking are turning the Internet into a worldwide platform for distributed applications, services, and information," said Paul Greenfield, research group leader in CSIRO's Network Applications and Technologies.

Now, businesses or hospitals can use the Internet to form virtual enterprises to meet project needs without compromising security.

Using this technology, enterprises use distributed computing and data storage resources to do business, while each organization retains absolute control of their data, according to the researchers.

Healthcare is a logical market.

"I think the secure distributed storage system we are developing would see the security, integrity, and confidentiality of patient records and associated diagnostic images a key market for the technology," said Paul Watters, Ph.D., a researcher engineer in CSIRO's Mathematical and Information Sciences division.

Given that most hospitals and physicians are connected to the Internet, it makes sense to use the medium for accessing logically centralized, secure stores of data that are actually highly distributed and resistant to accidental or malicious deletion or modification, Watters said.

Secure Internet storage works by breaking data into encrypted, erasure-resistant fragments that are replicated and stored randomly across a global server network. No single server keeps information about what original data it is holding or how to reconstruct it, safeguarding the data from malice.

Details about how fragments are stored are derived from a secure key given only to authorized users, who are then able to retrieve and decrypt the blocks making up the files.

The appropriate model for hospitals would be to form a virtual enterprise to share data storage resources, Watters said.

"Or they could contract one or more third parties to provide the service," he said. "Ultimately, the more parties involved in the storage, the more protection is afforded, because no one party retains control."

Watters believes hospitals should look to pool their resources in such a way that they can share data securely, with appropriate distributed security policies, and reduce costs by not having to maintain vast amounts of storage.

Making files tamper proof is an important feature for e-commerce and e-healthcare. Under current mandates of the Healthcare Insurance Portability and Accountability Act, the integrity of health records must be guaranteed.

The researchers claim distributed data are more tamper proof than data residing on disks. The system detects discrepancies between the original and the reconstructed files and traces any suspected tampering.

Watters invites inquiries (http://www.cmis.csiro.au/paul.watters/).