NIST and various information firms are researching new technology for scrambling access codes that is likely to be prominent in whatever security standard emerges. But health information companies are calling for additional government guidance to help them agree on security standards, saying they can't go it alone. "Only the federal government has enough influence to organize the efforts," Lorton says.
"It does not appear that competition in these various areas will allow the health care industry to solve its security problems without significant confusion and false starts," says Jeffery Hodge, vice president of health initiatives at DataCert.com, an electronic data security firm based in Houston.
The industry's plea got a sympathetic listen from the subcommittee. "These problems are solvable," says Rep. Gil Gutknecht (R-Minn.). Rep. Connie Morella (R-Md.), chair of the panel, is asking that firms help her write a letter to the Department of Health and Human Services requesting assistance in crafting security standards to implement the new privacy rules.
How tight should security standards be before they impose serious costs or inconveniences? Rep. Roscoe Bartlett (R-Md.) likened this consideration to automobile safety, where additional highway deaths are tolerated as a trade-off against the added expense of steel cages to protect occupants from crashes.
According to Hodge, it may be security breaches that will drive demand for tighter standards. "The public has already decided" that it wants the Internet, he says. "The public will tell us what we need to do."
For the moment, Kammer says, the public wants "security that is free and causes zero annoyance."