
Rx for security

IT pros in the health care industry must modify their networks to comply with new privacy regulations.


Just about everyone at Northeast Georgia Health Systems complained to Griff Law when the network manager told them they'd need to choose new network passwords every 45 days.




Imagine the treatment Law and his IT staff can expect when sweeping new federal privacy regulations take effect in the next two years. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) will change how hospitals, insurance companies and the government communicate electronically.

Before year-end, the U.S. Department of Health and Human Services will spell out what the institutions must do under HIPAA to ensure the security and privacy of patient data.

"This will be bigger than Y2K for health care folks," Law says at Northeast Georgia Health System's 323-bed medical facility in Gainesville, Ga. "But it's like trying to get ready for Y2K without knowing the date."

To make sure their networks comply with HIPAA regulations, network executives need to focus on encryption, electronic signatures, firewalls and remote access security. Network upgrades and security systems could cost more than the $8 billion that the health care industry spent on Y2K, according to figures from the American Hospital Association.

At least Law has a head start. Northeast Georgia uses Novell Directory Services and can support public-key infrastructure and digital certificates. Both architectures are vital for authenticating access to data from 120 departments.

"Coordination for all the pieces will be complex," Law says. "And if they force us to do a multilevel authentication scheme, such as putting biometric readers on 1,200 PCs, that'll cost a chunk of change."

Some hospitals will be tempted to risk fines rather than invest in the upgrades. But saving money now could be far more costly. Criminal penalties for failing to comply could top $250,000 for each violation, with up to 10 years in prison for each guilty individual.

Walter Fahey, deputy vice president for MIS at Maimonides Medical Center in Brooklyn, N.Y., says the 705-bed facility's Y2K upgrade, which will also aid HIPAA, cost $4.5 million.

The hospital is equipped with better technology than most. Two years ago MIS deployed an ATM backbone with T-1 lines to the Internet. Patient records are stored online, and doctors perform consultations over the network. "In some ways, maybe we did too much," Fahey says. "Having everything electronically stored can be a nightmare. We have firewalls on both sides, but we need to ensure the integrity of everything."

HIPAA could require transaction logs with detailed information about each data exchange. "Most health care systems don't have the logs, or if they do, they aren't readily usable," says Herbert Sullivan, director of security for information systems at Maimonides. "Keeping track of patient-specific information - bills, patient treatment records - that's something we'll have to solve, or vendors will have to help."

Vendors too will need to prepare for HIPAA. "I'm at their mercy," says Leonard Martin, vice president and chief information officer of Lancaster Health Alliance in Lancaster, Pa. Martin wonders whether the vendors of his 180 major applications will meet the government's deadline for compliance.

The medical group's WAN comprises about 60 sites. Lancaster started planning for HIPAA on the first day of the year. Then a committee identified three phases: awareness, assessment and remediation. The first phase has begun, with briefings for staff and the board about implications. Next, they'll compare hospital policies and technology with the final regulations. Lancaster's infrastructure already has the bandwidth to handle biometrics and encryption. It has a switched ATM backbone and runs Fast Ethernet to the servers and Ethernet to the desktops.

The group uses Alcatel's Omni Switch/Router to enable authentication at the port level, says Ernie Thompson, manager of networking services and support. The devices create virtual LANs that tailor access to data and support authentication schemes that let staff access the net from any location with a single password, smart card or biometric reading.

HIPAA upgrades will hurt, but they'll also boost an industry that isn't known for its strength in e-commerce or wired technology. That could mean more robust networks and increased bandwidth to support sophisticated applications, ease network management, reduce operating costs and expand community access to health care via the Internet.

Compliance checklist

Ginger Walker, director of health care and insurance for Alcatel Internetworking in Calabasas, Calif., outlines these steps to take to prepare for HIPAA regulations:

  • Perform a risk analysis of your network and applications.

  • Talk to vendors and leverage the latest security features.

  • Get management buy-in and the necessary budget.

  • Decide if you should outsource the security project.

  • Create a strategic plan based on technical requirements and administrative policies.

  • Start training, and keep training.

  • Establish "chain of trust" written agreements with partners and limit legal liability after data leaves your facility.

  • Begin implementing the plan.

Kosan is a freelance writer and editor in Beverly, Mass. She can be reached at lkosan@mediaone.net

    Copyright, 1994-2006 Network World, Inc. All rights reserved.