Final federal privacy rules expected later this year will set new protections for personal medical information that is transmitted electronically. But the rules will not set security standards to prove that high-tech information systems preserve privacy.
That raises some troubling possibilities. Testimony from Gregory Hedges, an Arthur Andersen technology risk consultant, recalls that a "dot com" music retailer recently had 500,000 credit card numbers stolen from its system. "If 500,000 medical records were stolen ... and that information was disclosed to the public, it would forever be publicly known and potentially abused no matter how much money was used to try to correct the problem."
NIST and various information firms are researching new technology for scrambling access codes that is likely to be prominent in whatever security standard emerges. But health information companies are calling for additional government guidance to help them agree on security standards, saying they can't go it alone. "Only the federal government has enough influence to organize the efforts," Lorton says.
"It does not appear that competition in these various areas will allow the health care industry to solve its security problems without significant confusion and false starts," says Jeffery Hodge, vice president of health initiatives at DataCert.com, an electronic data security firm based in Houston.
The industry's plea got a sympathetic hearing from the subcommittee. "These problems are solvable," says Rep. Gil Gutknecht (R-Minn.). Rep. Connie Morella (R-Md.), chair of the panel, is asking that firms help her write a letter to the Department of Health and Human Services for assistance in crafting security standards to implement the new privacy rules.
How tight should security standards be, before they impose serious costs or inconveniences? Rep. Roscoe Bartlett (R-Md.) likened this consideration to automobile safety, where additional highway deaths are tolerated as a trade-off against the added expense of steel cages to protect occupants from crashes.
According to Hodge, it may be security breaches that will drive demand for tighter standards. "The public has already decided" that it wants the Internet, he says. "The public will tell us what we need to do."