Security vendors hawk wares as customer demand grows

May 31, 2000

HIPAA deadlines and EMRs drive adoption

Now that Y2K concerns are nearly ancient history, the healthcare industry is turning its attention to the next hurdle—HIPAA. Luckily, Y2K drove providers to update, test, and certify their computing equipment, which provides at least some of the infrastructure necessary to implement systems that will comply with the final HIPAA regulations.

In order to meet HIPAA requirements, providers will have to demonstrate that their systems afford individual security and privacy. Also, before electronic medical records can be implemented on a widespread basis, end users must have faith in the privacy of the data. As a result, security vendors are popping out of the woodwork these days, all promising the highest security that money can buy. Analysts are estimating the dollar potential of HIPAA implementation at over $40 billion in the next few years, much of which will be spent on security-related products.

“As healthcare tries to move into the world of digital efficiency, it must grapple with 80-plus years of rules, procedures, policies, and processes,” said Phil Ruenhorst, director of ChimeNet, a national private healthcare information network, and ChimeTrust, ChimeNet’s security arm. “HIPAA requires user authentication, portable and individual, and logging of individual access to systems.”

So, what’s out there for the security-conscious client? The latest and HIPAAest solutions seem to congregate into two camps: those based primarily on public key infrastructure (PKI) and those based primarily on biometrics.

PKI uses encryption, which has been around ever since the first spy sent the first encoded message. But unlike symmetric encryption, which uses the same key to both encrypt and decrypt information, PKI relies on asymmetric encryption, which uses a key pair to secure data. The private key is owned by the individual and remains private, while the public key is “published” and thus available to outsiders. A message encrypted with the public key can only be decrypted by the private key, and vice versa; thus, if Dr. X sends a message to Dr. Y using Dr. Y’s public key to encrypt the confidential patient data, Dr. Y must use her or his private key to access the information.
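As an added illustration of the Dr. X/Dr. Y exchange (example code written for this page, not from the article or any vendor named in it), the following textbook RSA in Python shows that only Dr. Y's private key recovers a note encrypted under Dr. Y's public key, and that the reverse direction gives a signature anyone can check with the public key. The primes, doctor names and patient note are constructed; the toy key sizes and lack of padding mean the code demonstrates the property only.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int

def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key pair from two primes p and q (primality is the caller's job)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: e*d == 1 (mod phi(n))
    return PublicKey(n, e), PrivateKey(n, d)

def encrypt(pub: PublicKey, msg: bytes) -> int:
    """Dr. X encrypts with Dr. Y's public key; no padding, so illustration only."""
    m = int.from_bytes(msg, "big")
    if m >= pub.n:
        raise ValueError("message too long for this key; real systems use hybrid encryption")
    return pow(m, pub.e, pub.n)

def decrypt(priv: PrivateKey, c: int) -> bytes:
    """Only the matching private key recovers the plaintext; any other key yields garbage."""
    m = pow(c, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(priv: PrivateKey, msg: bytes) -> int:
    """The reverse direction: the private key signs a digest, the public key verifies it."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % priv.n
    return pow(h, priv.d, priv.n)

def verify(pub: PublicKey, msg: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % pub.n
    return pow(sig, pub.e, pub.n) == h

# Constructed toy keys built from Mersenne primes; far too small for real use.
DR_Y_PUB, DR_Y_PRIV = make_keypair(2**89 - 1, 2**127 - 1)
DR_Z_PUB, DR_Z_PRIV = make_keypair(2**107 - 1, 2**61 - 1)  # an unrelated third party
PATIENT_NOTE = b"Pt 4711 glucose 98"  # constructed sample, 18 bytes (must fit below n)

if __name__ == "__main__":
    c = encrypt(DR_Y_PUB, PATIENT_NOTE)            # Dr. X -> Dr. Y
    assert decrypt(DR_Y_PRIV, c) == PATIENT_NOTE   # Dr. Y reads it
    assert decrypt(DR_Z_PRIV, c) != PATIENT_NOTE   # Dr. Z's private key does not
    s = sign(DR_Y_PRIV, PATIENT_NOTE)
    assert verify(DR_Y_PUB, PATIENT_NOTE, s) and not verify(DR_Z_PUB, PATIENT_NOTE, s)
    print("asymmetric exchange OK")
```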

“For PKI to be successful, it relies on the fact that a user’s or machine’s private key is held secure and private. It can be stored on a hard drive, floppy disk, or smart card. If you want to ensure security, you put it on something like a floppy or a smart card,” said Martin Hummel, practice manager of IT Security for Internosis, a software developer and Microsoft Certified Solution Provider that specializes in e-business consulting. Hummel is heading up the new Security Practice Group formed by Internosis specifically to address the growing demand for security consulting.

An essential element of PKI is having a certificate authority. CAs provide the digital certification that the certificate and key holders are who they claim to be. At this time, just as there is no one public key infrastructure, there is no one national CA for healthcare. Not surprisingly, vendors are rushing to fill this vacuum.

For example, Intel has joined with the American Medical Association to provide digital certificates for doctors, a service scheduled for commercial availability this summer (HNN 5/3/00). Intel has similar ventures with the American Pharmaceutical Association to provide digital identification cards for pharmacists and with Experian, an international information technology company that specializes in consumer database mining (e.g., consumer credit reporting), to do the same for consumers.

ChimeNet has rolled out its own CA called ChimeTrust, which is currently providing digital CA services in the Connecticut area. The organization is talking with various providers to expand this offering to other regions. ChimeTrust is an infrastructure that gives facilities a toolkit to grapple with the fundamentals, according to Ruenhorst. It operates as a trusted third party using a token-based approach—smart cards.

“What separates us from the pack is our enrollment process,” he said. “For example, we can make HR departments trusted agents of our system. Unlike other entities, our system is grassroots—enrollment facilities are stakeholders.”

Biometrics is another security approach with strong market potential. Large vendors such as Sony and Philips have introduced products based on biometric technology, and Microsoft has a joint venture with I/O Software to implement biometric authentication in future releases of Windows 2000 (HNN 5/17/00).

Presideo is the largest supplier and user of biometrics in the U.S., according to CEO Sheila Schweitzer. The firm offers subscription-based security programs that cost $8 to $12 per user per month, with volume discounts available. Presideo combines biometric technology with other security methods, such as digital certificates, depending on customers’ requirements.

“We are an Internet infrastructure services company,” Schweitzer said. “Basically, we identify human beings, move them into the digital world, and equip them with the tools they need to move safely through a very complex environment. We stay agnostic to digital certificate vendors and biometric vendors because we work with all of them.”

Several lesser-known companies are hoping to make their mark in biometrics as well. Ensure Technologies’ XyLocMD security system (HNN 5/3/00) will eventually have fingerprint identification on the XyLoc key as an additional layer of authentication, according to George Brostoff, president of Ensure. Although most vendors appear to be focusing on fingerprints, one of the more interesting biometric identifiers is the pattern of the iris, which is the measurement used by IriScan in its product suite.

Despite the proliferation of biometrics-based products, adoption is low at this point. According to the 2000 Computer Security Institute/FBI Computer Crime and Security Survey, only 8% of the survey respondents use biometrics, compared to 50% using encrypted log-ins and 36% using digital identification.

“Biometrics are a good means for identification, but not for authentication,” Hummel said. “The purpose of HIPAA is to protect personal, private information, and biometrics can be considered personal and private data, so there may be resistance to large deployments. What will happen when companies want to store fingerprints or DNA samples?”

Although many vendors are currently focused on developing PKI and biometrics products, these technologies work alongside and on top of other security components such as firewalls, smart cards, and Internet security protocols, including secure sockets layer (SSL) protocol and Internet protocol security (IPSec). As virtual private networks and wireless communication become more common, security technologies, just like Internet-resident applications, will have to be portable and scalable to meet the ever-widening need for verified information. The security procedures that win universal adoption within healthcare will be the ones that users implement instead of circumvent.