Wired: How Secure Is Digital Hospital?

Fri, 30 Mar 2001 16:49:33 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How Secure Is Digital Hospital?

by Michelle Delio 
2:00 a.m. Mar. 28, 2001 PST 

Not content to merely make healthcare history with its all-digital,
completely automated hospital, HealthSouth also hopes the Alabama
facility it will build is going to encourage all medical institutions
to improve patient care by using cutting-edge technology. 

The digital hospital, a joint project between HealthSouth and Oracle,
will offer Internet access from every patient bed, electronic
medical-record databases, digital imaging instead of traditional
X-rays, and a hospital-wide wireless network that will allow
portable-computer-packing medical workers to update and access
patient records from anywhere. 

"What we're doing now is making a reality out of something that many
people have talked about, but no one has attempted," said HealthSouth
CEO Richard Scrushy. 

"I'm envious of anyone who will work in this new facility," said
Sahid Samir, a resident intern at New York's Bellevue hospital.
"Bellevue is an excellent hospital, but I think that a first-rate
communications system would really enhance our ability to do our
work. It just takes too long to get the data we need sometimes." 

Many doctors and other healthcare professionals feel they are working
in one of the last pre-digital industries, Samir said. But while they
welcome advances in medical science, some are in no rush to adopt
high-tech ways of handling medical records and other sensitive
information. 

Health care analyst Peter Emch of Credit Suisse First Boston said
digital record-keeping should speed up doctors' rounds by making it
easier for them to access patient documents. 

"Certainly the hospital industry could use modernization," Emch said.

But the biggest barrier to high-tech healthcare is doctors' concerns
about the security of computer systems. 

"With all of the stories we hear about how this website and that
government computer system was hacked into, how can I feel good about
putting my patients' medical records online?" said Henry Vitelle, a
Manhattan obstetrician and avid computer user. 

"When computer systems are completely safe, then I will feel safe
about using them for critical data," he added. "I don't feel
comfortable about having records somewhere that they could be
tampered with by some joyriding hacker with no sense of the havoc he
could cause." 

Vitelle also said he discussed the dangers of wireless transmission
with other doctors and hospital administrators at a recent medical
conference in New Orleans. He said he was troubled at the news of
HealthSouth's planned wireless network, since recent reports have
indicated that wireless networks aren't completely secure. 

Wireless networks use shared radio frequencies to move data, so
security concerns about this method of information transmission have
always been high. The IEEE 802.11 standard -- also known as Wired
Equivalent Privacy (WEP) protocol -- was meant to be a crack-proof
method of securing data that was being transmitted using wireless
devices by encrypting the data. 

But WEP has "major security flaws," according to the Internet
Security, Applications, Authentication and Cryptography (ISSAC)
research group at the University of California in Berkeley. 

A cracker just needs some easily obtained equipment to be able to
intercept wireless transmissions, change the data contained in those
transmissions, and access the contents of a wireless network. 

The flaw "seriously undermines the security claims of the system,"
according to the ISAAC group <http://www.isaac.cs.berkeley.edu/>. 

The group recommends that anyone who is using an 802.11 wireless
network not rely on WEP for security, but instead employ other
security measures to protect their wireless network. 

HealthSouth's Scrushy said that the hospital will utilize strong
encryption and other methods to protect data, but said that the
actual technology that will be used is still under discussion and
development. 

He also pointed out that the hospital has already made patient
records available to doctors and patients via the Internet on the
HealthSouth website <http://www.healthsouth.com/> and hasn't had any
security or privacy problems. 

"It has always amazed me that so many doctors are loath to explore
new ways of doing their jobs," said Toronto Globe medical writer
Richard Mackenzie. "Typically, those involved in research welcome
technology with open arms, those who work directly with patients shy
away from it. They say they are worried about security and it
impacting patient care, but I think a lot of them are conservative
techno-phobes." 

But according to a recent study by Cyber Dialogue
<http://www.cyberdialogue.com/news/releases/index.html>, doctors do
not fear and loathe technology. 

Ninety percent of the surveyed physicians accessed the Web in the
past year, and 55 percent are daily users, with about 24 percent of
physicians being "professional users," which the study defined as
spending at least three-quarters of their online time for
professional purposes. 

But most of those physicians were not actively using the Internet for
clinical or administrative purposes, citing those pesky security and
privacy concerns as the primary reasons keeping them from making
medical records available online or communicating with patients via
e-mail. 

Most felt that the technology that would enable them to do this
securely wouldn't be available for at least five years. 

"Despite the belief that physicians are techno-phobes, their personal
use of the Internet has already reached critical mass," said Thaddeus
Grimes-Gruczka, vice president of Cyber Dialogue's Health Practice. 

"Vital factors essential for making the jump from personal usage to
clinical use include integrating technology into workflow at the
point of care, addressing privacy and security concerns, and
demonstrating how online technologies will help physicians practice
medicine more efficiently and effectively," he said. 

And that's exactly what HealthSouth plans to do. 

"This will be the hospital model for the entire world," Scrushy said.
"We will demonstrate how technology can lower healthcare costs,
greatly reduce human errors and provide patients with the best
medical care available." 

The 500,000-square-foot, 219-bed digital hospital will be built in
suburban Birmingham, Alabama. Construction is scheduled to begin in
the first quarter of 2002 and is expected to be completed by mid to
late 2003. 

HealthSouth already is looking at 10 more cities where similar
hospitals could be built. 

The hospitals will be designed so that they can be upgraded easily,
and automation will reduce human errors such as providing incorrect
medication to patients. It also will reduce time spent on such labor-
and time-intensive tasks as admissions, thus giving healthcare
professionals more time to spend with patients, Scrushy said. 

"Our automated hospital isn't just about technology; it's about using
the best technology available to provide the best medical care to
patients. People deserve the highest level of care we can provide,"
Scrushy said. 

Swaid N. Swaid, a neurosurgeon who is working as a consultant to
HealthSouth, said the e-hospital should provide safer, more efficient
care. 

"To marry technology with medicine is exciting," he said. "I think
it's going to be a tremendous way to provide patient care that is
superior to anything we have seen."

[ends]
- -----
Owen Blacker
Senior Software Developer / InfoSec Consultant    Wheel: Clerkenwell
See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys
Sig  0x00036874 | d39f b776 fa20 c125 b0e2  aa6d 555e 4126 0003 6874

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: Due to RIP, pls check for revocation before using this key!

iQA/AwUBOsSq5VVeQSYAA2h0EQI+3ACg3MIXZpPidbGk4Vo0xIpFMl9rx9YAoLUV
OfAWZUhMA7mhfWqw7F2NFf9T
=HiIF
-----END PGP SIGNATURE-----

_____________________________________________________________________
This message has been checked for all known viruses by UUNET delivered 
through the MessageLabs Virus Control Centre. For further information visit
http://www.uk.uu.net/products/security/virus/