New Privacy Rules May Not Protect Your Electronic Health Info

From the WebMD Archives

April 3, 2000 (Washington) -- How's this for the future: Health care is tracked and coordinated through your own personal "smart card" that allows physicians anywhere in the world to access your medical record. Now flip the coin -- criminals electronically impersonate doctors to obtain and distribute drugs. Or worse.

Welcome to the e-health frontier.

Raymond Kammer, director of the National Institute of Standards and Technology (NIST), tells WebMD that in a perfect health care world, if you get sick out of town or out of the country, your smart card will allow "you [to] put your thumb up against a screen" for identification and then "all of your personal medical data is now available to [that] physician."

In the real world, there have been impressive advances. West Virginia's Charleston Area Medical Center now has a teleradiology network that can make links 24 hours a day, seven days a week between rural areas and board-certified radiologists. That has meant reducing the time it takes radiologists to read a patient's X-ray and send back an interpretation from about 10 hours to 15 minutes, in some cases. The network allows patients to stay closer to home during treatment, Kammer says, and "reduces the number of transfers and repeat exams required." The program is planning to expand to include cardiology and oncology services.

But there's a bit of a rub, which the House technology subcommittee examined in a hearing today. There aren't yet clear standards to make sure that this information is actually secure, or to prove the identity of the doctor and patient at each end of an electronic communication.

According to Lewis Lorton, acting administrator of the industry group Forum on Privacy and Security in Healthcare, there are some 1,600 health information technology firms, but "no underlying industry standard security requirements for their products."

The streets of the nation's capital are literally being torn up for fiber optic cables, and national demand has never been higher for Internet-based and other high-tech information systems. In health care, the money and time savings offered by these advances in information technology are enticing. About 20% of the nation's $1.1 trillion annual medical spending is paperwork-related, and the committee cited estimates that "health care providers spend nearly half of their time filling out forms rather than attending to additional patients."


Final federal privacy rules expected later this year will set new protections for personal medical information that is transmitted electronically. But the rules will not set security standards to prove that high-tech information systems preserve privacy.

That raises some troubling possibilities. Testimony from Gregory Hedges, an Arthur Andersen technology risk consultant, recalls that a "dot com" music retailer recently had 500,000 credit card numbers stolen from its system. "If 500,000 medical records were stolen ... and that information was disclosed to the public, it would forever be publicly known and potentially abused no matter how much money was used to try to correct the problem."

NIST and various information firms are researching new technology for scrambling access codes that is likely to be prominent in whatever security standard emerges. But health information companies are calling for additional government guidance to help them agree on security standards, saying they can't go it alone. "Only the federal government has enough influence to organize the efforts," Lorton says.

"It does not appear that competition in these various areas will allow the health care industry to solve its security problems without significant confusion and false starts," says Jeffery Hodge, vice president of health initiatives at, an electronic data security firm based in Houston.

The industry's plea got a sympathetic listen from the subcommittee. "These problems are solvable," says Rep. Gil Gutknecht (R-Minn.). Rep. Connie Morella (R-Md.), chair of the panel, is asking that firms help her write a letter to the Department of Health and Human Services for assistance in crafting security standards to implement the new privacy rules.

How tight should security standards be, before they impose serious costs or inconveniences? Rep. Roscoe Bartlett (R-Md.) likened this consideration to automobile safety, where additional highway deaths are tolerated as a trade-off against the added expense of steel cages to protect occupants from crashes.

According to Hodge, it may be security breaches that will drive demand for tighter standards. "The public has already decided" that it wants the Internet, he says. "The public will tell us what we need to do."


For the moment, Kammer says, the public wants "security that is free and causes zero annoyance."

WebMD Health News
© 2000 WebMD, Inc. All rights reserved.