Among the many new provisions the American Recovery and Reinvestment Act (ARRA), is federal funding for electronic medical records. Known as HITECH, the law gives incentives to healthcare organizations to digitize personal health information before 2020. Lost in the rush, however, are the details.
"I look forward to medical records going electronic," said Howard Schmidt, the former White House cybersecurity czar, "but I have a tremendous amount of concern about building a really, really good healthcare infrastructure … and then securing it later." Schmidt spoke with PCWorld at RSA 2009.
The law, which also updates parts of HIPAA, gives the Secretary of Health and Human Services until mid-August to define what constitutes an electronic medical record. In Schmidt's view initial requirements should start with strong authentication and encryption, and so far, the Secretary has done just that. Citing existing NIST and FIPS standards, HHS guidance includes healthcare data at rest, data in motion, as well as the proper destruction of Protected Health Information. Unfortunately, some health practitioners have begun purchasing e-health systems before the full complement of standards is known.
Schmidt recalled how people faulted Microsoft, where he worked in the late 1990s, for delaying Windows Vista many times. "We would criticize [Microsoft] if they shipped [Vista] and it had more problems than it does now. So we have to remember that having a timetable is nice," but he cautioned that any timetable should also have some built-in limits and safeguards. That currently isn't the case with HITECH, which awards the bulk of its financial incentives within the first few years.
In March, Schmidt and Fortify's Brian Chess addressed Congress on the need for a secure software lifecycle. Their proposal called for, among other things, creating the position of "Gate Keeper," someone with the power to say a project's timetable will slip if the product doesn't meet this particular privacy or security requirement.
HITECH does include the nation's first data breach notification law, one that says all healthcare providers, be it a two person doctor's office or large HMO, must notify all affected patients of any breach or risk large fines. The idea is to prevent healthcare providers from simply collecting the HITECH incentive money to "build a really cool healthcare system so a doctor can pick up his blackberry and say 'Yes, Howard Schmidt. Here's his patient data.'" On this the government apparently agrees with Schmidt and would rather see healtcare organizations get e-health right from the outset, although they differ on the means to accomplish this.
Schmidt says he has a personal interest in e-health. He spends about 300 days a year flying and could be in Singapore, San Francisco, or anywhere when he might need medical attention. "Maybe I'm a plane somewhere; I don't want them to say 'Oh, wait. Where can we find this guy's medical record?' I want them to be able to pull it up in a truly authenticated method that's relevant to the situation I'm in. It could save my life."
Robert Vamosi is a risk, fraud, and security analyst for Javelin Strategy & Research and an independent computer security writer covering criminal hackers and malware threats.