Will HIPAA Allow Wireless?
December 02, 2002
The Health Insurance Portability and Accountability Act of 1996 asks that medical facilities take reasonable steps to protect patient information, but that doesn't necessarily eliminate security-crippled 802.11-based networks.
On the face of it, Wi-Fi's future in the medical professions looks bleak. The biggest hurdle is HIPAA: The Health Insurance Portability and Accountability Act of 1996. This sweeping law requires, among other things, that all data on patients be kept secure and private. Given Wi-Fi's security vulnerabilities, a question arises as to the appropriateness of using Wi-Fi to handle medical information. Yet analysts and medical-industry technologists say there still is room for 802.11 solutions in spite of what might look like significant hurdles.
The issue is complicated by the fact that the government has yet to publish specific regulations defining HIPAA's demands for security and privacy. In other words, while the law demands the security of electronic data, Congress has not yet said what an acceptable level of security might be.
Whatever those guidelines eventually look like, says Dr. Craig Feied, there should still be plenty of room for 802.11 solutions. "Networks are networks whether they are wireless or wired," says Feied, the director of the Institute for Medical Informatics at Medstar Health, which operates the 900-bed Washington Hospital Center in Washington, D.C.
Like many in the field, Feied sees major benefits in the use of wireless technologies, especially in a hospital setting, where the ability to handle information on the go can significantly enhance both physician productivity and patient care. He argues that security is an issue in any network, and that potential breaches are only a marginally greater concern on a wireless network than on a wire-line network.
His solutions include strong authentication practices and application-oriented encryption. Overall, he notes that the final HIPAA regulations likely will not demand an absolutely foolproof system. "Nobody thinks we are going to stop all the attacks, nor does HIPAA require that you do so," he says. Rather, the law asks only that network operators make "some reasonable provisions to attempt to protect the information."
That's a pretty big gray area, and many industry players agree that it leaves room for hospitals to move ahead with their 802.11 rollouts despite Wi-Fi's acknowledged insecurities.
To satisfy HIPAA, one need only "do the good-faith-effort thing," said Margret Amatayakul of Margret\A Consulting, a consultant in the field of computer-based patient records. "Turn on WEP, even if you know that in the big picture it does not do a whole lot of good."
She notes that HIPAA is a generic standard: The final regulations won't address 802.11 or any other specific technology, since Congress does not want to have to update the rule every time there is a technological advance. That being the case, she suggested, a good-faith attempt to use available security protocols should be sufficient. "You may not have all the bells and whistles, but HIPAA probably will not require all those," she said.
Others note that there are some unique security challenges in the healthcare environment that will need to be taken into account. In particular, simplicity in one's security protocols is key.
Hospital equipment and other constraints often cause one to lose a network connection simply by walking down the hall, noted Shelly Julien, VP of marketing at NetMotion Wireless. In that situation, "it is easy to see how users will try to get around security. They will begin to write down passwords in order to have one less step to follow," or they will share computers in order to save a step. That being the case, Julien said, "anything you can do to make it less onerous for the user is going to be better."
If those are the kinds of concerns people are discussing, some say, it would appear that HIPAA is not going to squelch Wi-Fi in the medical world any time soon.
"We can just dismiss all the fear, uncertainty and doubt," declared Craig Nulan, security practice director at health informatics technology firm Cerner Corp.
In the healthcare arena, "care delivery is priority number one. Delivering favorable clinical outcomes is the paramount objective," he noted. Numerous hospitals have found that Wi-Fi helps them to improve the quality of care, and this simple fact speaks volumes in the face of a security threat that, to date, remains largely theoretical.
After all, he noted, there have been no significant reports of medical information being compromised by the use of wireless technology. Miscreants have yet to station themselves in hospital parking lots with sniffers.
"It could happen. A lot of pigs could sprout wings and fly, too. But it isn't happening routinely," Nulan says.
In the face of such theoretical threats, he said, the patient benefits inherent in Wi-Fi use will outweigh the theoretical limitations imposed by HIPAA, at least for the foreseeable future.