Will HIPAA Allow Wireless?

On the face of it, Wi-Fi’s future in the medical professions looks bleak. The
biggest hurdle is HIPAA: The Health Insurance Portability
and Accountability Act of 1996. This sweeping law requires, among other things,
that all data on patients be kept secure and private. Given Wi-Fi’s security
vulnerabilities, a question arises as to the appropriateness of using Wi-Fi
to handle medical information. Yet analysts and medical-industry technologists
say there still is room for 802.11 solutions in spite of what might look like
significant hurdles.

The issue is complicated by the fact that the government has yet to publish
specific regulations defining HIPAA’s demands for security and privacy. In other
words, while the law demands the security of electronic data, Congress has not
yet said what an acceptable level of security might be.

Whatever those guidelines eventually look like, says Dr. Craig Feied, there
should still be plenty of room for 802.11 solutions. "Networks are networks
whether they are wireless or wired," says Feied, the director of the Institute
for Medical Informatics at Medstar Health,
which operates the 900-bed Washington Hospital Center in Washington, D.C.

Like many in the field, Feied sees major benefits in the use of wireless technologies,
especially in a hospital setting, where the ability to handle information on
the go can significantly enhance both physician productivity and patient care.
He argues that security is an issue in any network, and that potential breaches
are only a marginally greater concern on a wireless network than on
a wire-line network.

His solutions include strong authentication practices and application-oriented
encryption. Overall, he notes that the final HIPAA regulations likely will not
demand an absolutely foolproof system. "Nobody thinks we are going to stop
all the attacks, nor does HIPAA require that you do so," he says. Rather,
the law asks only that network operators make "some reasonable provisions
to attempt to protect the information."

That’s a pretty big gray area, and many industry players agree that it leaves
room for hospitals to move ahead with their 802.11 rollouts despite Wi-Fi’s
acknowledged insecurities.

To satisfy HIPAA, one need only "do the good-faith-effort thing,"
said Margret Amatayakul of MargretA Consulting, a consultant in the
field of computer-based patient records. "Turn on WEP, even if you know
that in the big picture it does not do a whole lot of good."

She notes that HIPAA is a generic standard: The final regulations won’t address
802.11 or any other specific technology, since Congress does not want to have
to update the rule every time there is a technological advance. That being the
case, she suggested, a good-faith attempt to use available security protocols
should be sufficient.

"You may not have all the bells and whistles, but HIPAA probably will
not require all those," she said.

Others note that there are some unique security challenges in the healthcare
environment that will need to be taken into account. In particular, simplicity
in one’s security protocols is key.

Hospital equipment and other constraints often cause one to lose a network
connection simply by walking down the hall, noted Shelly Julien, VP of marketing
at NetMotion Wireless. In that situation,
"it is easy to see how users will try to get around security. They will
begin to write down passwords in order to have one less step to follow,"
or they will share computers in order to save a step. That being the case, Julien
said, "anything you can do to make it less onerous for the user is going
to be better."

If those are the kinds of concerns people are discussing, some say, it would
appear that HIPAA is not going to squelch Wi-Fi in the medical world any time
soon.

"We can just dismiss all the fear, uncertainty and doubt," declared
Craig Nulan, security practice director at health informatics technology firm
Cerner Corp.

In the healthcare arena, "care delivery is priority number one. Delivering
favorable clinical outcomes is the paramount objective," he noted. Numerous
hospitals have found that Wi-Fi helps them to improve the quality of care, and
this simple fact speaks volumes in the face of a security threat that, to date,
remains largely theoretical.

After all, he noted, there have been no significant reports of medical information
being compromised by the use of wireless technology. Miscreants have yet to
station themselves in hospital parking lots with sniffers.

"It could happen. A lot of pigs could sprout wings and fly, too.
But it isn’t happening routinely," Nulan says.

In the face of such theoretical threats, he said, the patient benefits inherent
in Wi-Fi use will outweigh the theoretical limitations imposed by HIPAA, at
least for the foreseeable future.
