Responding to rising privacy concerns about digitized medical records, the National Research Council released a report today recommending encryption and authentication as the best protection for transmitting medical information over the Net.
The NRC, which is organized by the National Academy of Sciences, examined the privacy issues surrounding the use of electronic medical records for more than a year as the practice has spread. The report states that there currently are no strong incentives to safeguard records because patients, industry groups, and government regulators aren't demanding enough protection.
Already, paper records are fraught with security concerns such as the "nosy-neighbor syndrome," in which hospital personnel look up and distribute records to unauthorized people. With the Net, those issues are magnified exponentially because these same records can be shipped around the world in a matter of seconds, accidentally or on purpose. Aside from compromising privacy, this information can be used to deny health insurance or for marketing purposes.
The committee members, who include technology experts, physicians, and health care administrators, recommended solutions like building electronic firewalls for internal hospital networks. They also addressed the use of the Internet to transmit records or host databases, which the council says is a growing trend.
"We feel strongly that using the Internet does not raise additional privacy concerns," Paul Clayton, chair of the NRC committee on maintaining privacy and security in health care applications, said today. "Our recommendations are that there must be a system to authenticate the user and that no information should be sent over any network that is not encrypted."
Overall, the report found that computerized systems can cut costs, raise the quality of medical care, and help guard against abuse.
"Many medical institutions have dedicated internal telecommunications networks now. However, that may become expensive, and they will increasingly turn to the Internet," said Carl Landwehr, a committee member who is head of computer security for the U.S. Naval Research Laboratory.
"Hospitals can implement authentication, access controls, audit trails to track who accesses the records, and physical security and disaster control systems to protect the records," he added.
The report calls for the government and industry to make the recommendations law. It also calls for the Federal Privacy Act of 1974 to be adopted by health care institutions for the fair collection, study, and dissemination of private medical information.