BOSTON (05/23/2000) - Just about everyone at Northeast Georgia Health Systems complained to Griff Law when the network manager told them they'd need to choose new network passwords every 45 days.
Imagine the treatment Law and his IT staff can expect when sweeping new federal privacy regulations take effect in the next two years. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) will change how hospitals, insurance companies and the government communicate electronically.
Before year-end, the U.S. Department of Health and Human Services will spell out what the institutions must do under HIPAA to ensure the security and privacy of patient data.
"This will be bigger than Y2K for health care folks," Law says at Northeast Georgia Health System's 323-bed medical facility in Gainesville, Georgia. "But it's like trying to get ready for Y2K without knowing the date."
To make sure their networks comply with HIPAA regulations, network executives need to focus on encryption, electronic signatures, firewalls and remote-access security. Network upgrades and security systems could cost more than the $8 billion the health care industry spent on Y2K, according to figures from the American Hospital Association.
At least Law has a head start. Northeast Georgia already runs Novell Directory Services, which can support a public-key infrastructure and digital certificates. A directory plus a PKI is the foundation for authenticating access to data from 120 departments.
"Coordination for all the pieces will be complex," Law says. "And if they force us to do a multilevel authentication scheme, such as putting biometric readers on 1,200 PCs, that'll cost a chunk of change."
Some hospitals will be tempted to risk fines rather than invest in the upgrades. But saving money now could prove far more costly: criminal penalties for failing to comply run up to $250,000 per violation and up to 10 years in prison for each individual found guilty.
Walter Fahey, deputy vice president for MIS at Maimonides Medical Center in Brooklyn, New York, says the 705-bed facility's Y2K upgrade, which will also aid HIPAA, cost $4.5 million.
The hospital is equipped with better technology than most. Two years ago MIS deployed an ATM backbone with T-1 lines to the Internet. Patient records are stored online, and doctors perform consultations over the network. "In some ways, maybe we did too much," Fahey says. "Having everything electronically stored can be a nightmare. We have firewalls on both sides, but we need to ensure the integrity of everything."
HIPAA could require transaction logs with detailed information about each data exchange. "Most health care systems don't have the logs, or if they do, they aren't readily usable," says Herbert Sullivan, director of security for information systems at Maimonides. "Keeping track of patient-specific information - bills, patient treatment records - that's something we'll have to solve, or vendors will have to help."
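What a usable per-exchange log looks like, as an added example (not code from Maimonides, Lancaster or any vendor the article names): every access to a patient record is written as an append-only entry that commits to the hash of the entry before it, so an edited, deleted or reordered entry is detectable later, and the per-patient view that Sullivan says most systems cannot readily produce is a simple filter. The field names, actors, addresses and patient IDs are constructed for the illustration and are assumptions, not anything the article specifies.

```python
# Added example (not code from Maimonides, Lancaster or any vendor named in the
# article): a tamper-evident audit log for patient-record access, the kind of
# per-exchange record the article says HIPAA may require. Field names, sample
# actors, addresses and patient IDs are all constructed for this illustration.
import hashlib
import json

GENESIS = "0" * 64  # stands in for "the hash of the entry before the first one"


def _canonical(entry_body):
    """Deterministic serialisation so the same entry always hashes the same."""
    return json.dumps(entry_body, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash, entry_body):
    """Chain link: SHA-256 of (previous entry's hash || this entry's canonical body)."""
    return hashlib.sha256(prev_hash.encode() + _canonical(entry_body)).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, ts, actor, action, patient_id, source_ip, purpose):
        """Append one access event and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "prev_hash": prev,
            "event": {
                "ts": ts,                  # ISO-8601 timestamp, UTC
                "actor": actor,            # authenticated user (e.g. directory login)
                "action": action,          # read / update / export ...
                "patient_id": patient_id,  # the record that was touched
                "source_ip": source_ip,    # where the request came from
                "purpose": purpose,        # treatment / payment / operations
            },
        }
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry).

        Catches edited fields (hash mismatch) and deleted or reordered entries
        (seq / prev_hash mismatch). A rewritten hash on one entry is caught at
        the next entry, whose prev_hash no longer matches.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "prev_hash", "event")}
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def accesses_to(self, patient_id):
        """Per-patient view: every exchange that touched one patient's data."""
        return [e["event"] for e in self.entries if e["event"]["patient_id"] == patient_id]


def sample_log():
    """Constructed sample events (not real data) for the demonstration below."""
    log = AuditLog()
    log.record("2000-05-23T09:00:00Z", "dr_smith", "read", "P-10042", "10.1.5.20", "treatment")
    log.record("2000-05-23T09:05:00Z", "billing01", "read", "P-10042", "10.1.8.7", "payment")
    log.record("2000-05-23T09:07:00Z", "dr_smith", "read", "P-20077", "10.1.5.20", "treatment")
    log.record("2000-05-23T09:12:00Z", "dr_smith", "update", "P-10042", "10.1.5.20", "treatment")
    return log


def tamper_demo():
    """Show that a silent edit to one entry is detected at that entry."""
    log = sample_log()
    intact, _ = log.verify()
    log.entries[1]["event"]["actor"] = "someone_else"   # quietly rewrite who looked
    ok, bad_index = log.verify()
    return intact, ok, bad_index


if __name__ == "__main__":
    print(tamper_demo())                               # (True, False, 1)
    print(len(sample_log().accesses_to("P-10042")))    # 3
```

The chain only proves that the log was not altered after the fact; it does not stop an attacker with write access from truncating the tail and re-signing it. In practice the latest hash is periodically copied somewhere the log writer cannot reach (a separate host, write-once media, or a signed timestamp), which turns the chain into evidence rather than just a self-consistency check.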
Vendors too will need to prepare for HIPAA. "I'm at their mercy," says Leonard Martin, vice president and chief information officer of Lancaster Health Alliance in Lancaster, Pa. Martin wonders whether the vendors of his 180 major applications will meet the government's deadline for compliance.
The medical group's WAN comprises about 60 sites. Lancaster started planning for HIPAA on the first day of the year. Then a committee identified three phases: awareness, assessment and remediation. The first phase has begun, with briefings for staff and the board about implications. Next, they'll compare hospital policies and technology with the final regulations. Lancaster's infrastructure already has the bandwidth to handle biometrics and encryption.
It has a switched ATM backbone and runs Fast Ethernet to the servers and Ethernet to the desktops.
The group uses Alcatel SA's Omni Switch/Router to enable authentication at the port level, says Ernie Thompson, manager of networking services and support.
The devices create virtual LANs that tailor access to data and support authentication schemes that let staff access the net from any location with a single password, smart card or biometric reading.
HIPAA upgrades will hurt, but they'll also boost an industry that isn't known for its strength in e-commerce or wired technology. That could mean more robust networks and increased bandwidth to support sophisticated applications, ease network management, reduce operating costs and expand community access to health care via the Internet.
Kosan is a freelance writer and editor in Beverly, Massachusetts.