Wireless: Big Business in Health Care

Research firm San Jose, Calif.-based Frost and Sullivan predicts that wireless health-care revenue will double by 2005 to $395 million per year, so this segment looks like a very fruitful market for solution providers. In fact, wireless technology overall continues to be a hotbed of activity: More than half (51 percent) of the respondents to VARBusiness' State of Technology (SOT) survey have deployed wireless technologies this past year. And an overwhelming number, 72 percent, plan on more wireless deployments next year. What's more, according to Scottsdale, Ariz.-based researcher Instat/MDR, one of the most popular markets for wireless deployments is health care, running second only to education in the number of wireless products shipped during 2001. But before you go running with a wireless solution to your local hospital, doctor, insurance broker, pharmacy, or anyone else in health care, you had better be able to answer what will probably be their first question: "Is it HIPAA-compliant?"

Everyone in the health-care industry is in a tizzy about HIPAA, the Health Insurance Portability and Accountability Act of 1996. Health-care professionals don't know what it will cost to comply with HIPAA, but they know it will be incredibly expensive. (Estimates range from $3.8 billion to nearly $30 billion during the next five to 10 years.) Health-care professionals don't even know how to comply, because the rules for implementing HIPAA security have not been finalized.

So they will ask you, the expert, for a solution that meets, or exceeds, uncertain legal requirements at a bargain-basement price. While some VARs will walk away from such an unreasonable requirement, others will embrace it as an opportunity to win customers' loyalty.


Part of HIPAA's intent is to force the health-care industry to standardize transaction information and secure the privacy of patient information. Achieving those objectives can only benefit the architects of health-care IT systems, who have long lamented the difficulty of linking health-care partners' proprietary systems and the short shrift that security often gets. But the security awareness health-care executives have recently acquired can be dangerous to wireless solution providers. Wireless networks have acquired the reputation of being "inherently insecure." That half-truth alone is enough to give victims of "HIPPA-titis" pause. Add the uncertainty surrounding HIPAA's final security rules, and prospective clients may start postponing wireless projects.

That resistance can be overcome by demonstrating how wireless technology can meet and exceed all existing and reasonably anticipated HIPAA security rules. Here we explain HIPAA as it pertains to wireless systems, and highlight security solutions already deemed HIPAA-compliant by many health-care experts.

HIPAA Rules For Wireless

The latest versions of all HIPAA rules can be found on the United States Department of Health and Human Services' (DHHS) Web site (www.aspe.hhs.gov/admnsimp). Study them all if you plan to play in the health-care IT market.

We will focus on the proposed security rule, which includes the electronic storage and transmission of patients' health information as it pertains to wireless networks.

The proposed security rule was published in 1998, though it does not specifically address wireless networks. However, it does distinguish between private networks, such as leased lines and wired LANs, and open networks, such as the Internet and dial-in access systems. Given that, most knowledgeable people would treat wireless networks as open networks.

"When using open networks, some form of encryption should be used," the proposed rule says. It also specifies access control as an alternative, not a supplement, to encryption: "One of the following implementation features would be in place: access controls [or] encryption."

In addition, open and private communications networks must implement all of the following features:

Alarm: A method to detect an abnormal condition, such as repeated login failures, an unrecognized client, etc., and terminate the connection that caused it.

Audit trail: Data collected and potentially used to facilitate a security audit.

Entity authentication: "Irrefutable" identification of authorized users and rejection of unidentified users. Unique user identification and automatic logoff when a user abandons a session are required. In addition, either a password, personal identification number (PIN), biometric identification system, physical token system or telephone callback (for dial-in users) must be implemented to verify a user's unique identity.

Event reporting: This includes intrusion detection, network abnormalities and completion of significant tasks, such as delivery of a health record, etc.

Message authentication: Verification that a received message is the same as the one that was sent.

Integrity controls: Internal verification that data transmitted or stored is valid (e.g., a wireless system's access-control list has not been altered without authorization).

Those are the technical security requirements for HIPAA-compliant wireless networks; we'll also discuss HIPAA's impact on client devices, such as PDAs, laptops, Web phones, etc.

Now, we examine ways existing wireless products can meet HIPAA security requirements and, more important, the expectations of nervous health-care customers.

How Much Encryption Does HIPAA Require?

The proposed security rule intentionally does not specify a minimum encryption standard. The rule-makers at DHHS are being especially careful to craft scalable rules that will not impose undue burdens on small health-care providers, such as rural doctors and clinics.

"[The] Wired Equivalent Privacy protocol alone is considered adequate for HIPAA," says Amith Viswanathan, lead analyst for Healthcare Information Systems and eHealth at Frost and Sullivan. According to Viswanathan, "encryption tunnels" are not necessary to satisfy the law.

But the 40-bit WEP protocol in the 802.11b standard is so notoriously weak that it doesn't satisfy most customers. At a minimum, they want the 128-bit encryption touted by banks and e-commerce sites. Fortunately, enhanced encryption is built into every wireless vendor's product line. Even more security can be added with standard technologies.

"We use 128-bit WEP on all wireless access points," says Rudy Ruedemann, director of engineering services for R and D Data Products, a solution provider in Princeton, N.J. "We also use VPN servers on wireless networks, where needed. I was an army cryptologist in the 1980s, so I also like dynamic keys." The 802.1x standard also meets HIPAA's user-authentication and access-control requirements, he adds.

R and D's primary wireless applications have been patient-intake and registration systems. Ruedemann recently installed an Enterasys Roamabout Wireless LAN in the emergency room at one of Capital Health Systems' Trenton, N.J., hospitals. Now, patients in pain needn't hobble to the check-in desk; it comes to them as a cart-mounted laptop computer.

"There are few projects I get this much satisfaction from," Ruedemann says. "Thirty seconds saved in registration could save someone's life."

Capital Health is currently considering bedside wireless Internet access for doctors and patients, he adds, and is replacing its 6-Mbps ATM link between two campuses with a 54-Mbps Enterasys-based wireless bridge. The bridge would be reserved as backup for the hospitals' leased private lines.

However, enabling enhanced encryption can create interoperability problems. For example, in many hospitals, doctors and staff buy their own handheld devices and wireless access cards. Wireless networks have crept into many hospitals one department at a time, creating heterogeneous environments. How can a solution provider secure such a system?

Vendor-agnostic security appliances are one answer. These devices sit between wireless access points and the wired LAN, supplying enhanced encryption and more HIPAA-related functions (e.g., access control, authentication, audit-trail maintenance and integrity control). Products include the Bluesocket WG-1000 Wireless Gateway, Cranite Systems' WirelessWall Software Suite, Fortress Technologies' AirFortress, ReefEdge's Connect System and Vernier Networks' IS 5000 Integrated System.

Another way to achieve hardware interoperability is to move enhanced encryption and other HIPAA functions off the wireless network and into the applications that run on it.

Software Tools For HIPAA Security

PatientKeeper (formerly Virtmed) has been developing mobility-enabling and patient-management software for physicians since 1996. Its software runs on both Palm OS and Windows Pocket PC handhelds. Using PatientKeeper's software development kit, independent developers can quickly create or port mobile applications that take advantage of the platform's encryption, enterprise security, application interoperability, connectivity and centralized administration features.

"HIPAA isn't that much to be concerned about if the security aspect is properly implemented," says Jeff Sutherland, CTO of PatientKeeper. "We've done a lot of research on that, and last year we partnered with Certicom for their encryption protocols." He notes that PatientKeeper has more than 100 third-party developers working on applications for the PatientKeeper platform. That list includes individual doctors as well as Cerner, one of the most well-known names in medical practice-management software.

PatientKeeper uses AES symmetric-key encryption, which encrypts and decrypts data efficiently. But AES alone requires the sender and receiver to share the same secret key, and distributing that key is a weak point. PatientKeeper closes this gap by encrypting its AES keys with an elliptic curve cryptography (ECC) public/private key algorithm. All connections between devices and servers are also protected by the Secure Sockets Layer protocol. ECC can deliver 256-bit AES keys using public keys as small as 512 bits, compared with more than 15,000 bits needed for the RSA algorithm. The smaller key size reduces processor, storage space and bandwidth requirements.

A user must enter a PIN to connect to or access data stored on the mobile device. Stored data is encrypted using the user's symmetric key, which must be decrypted by the user's ECC private key. The private key can be decrypted only by the user's PIN.

A time-out interval can be set to force re-entry of the PIN or automatic logoff. Upon logoff, memory is flushed and no unencrypted keys or data remain on the device.

A user password granting access to a back-end clinical data repository (CDR) can also be entered by the user and stored on the device. It is encrypted by the server's public key. The encrypted CDR password is signed by the user's private and symmetric keys before it is transmitted, ensuring that the password was sent by a valid user, or, at least, one who knows both the PIN and the CDR password assigned to that device.

PatientKeeper's security scheme decentralizes the keys hackers need. "The only keys the server knows are the physicians' public keys," Sutherland says. Multiple layers of encryption on each device "makes the handheld [device] more difficult to crack than the back-end patient-data systems. We make the handheld's security tough enough that it's cost-prohibitive for a hacker."
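The layered scheme just described, written out as an added example rather than PatientKeeper's own code: the record sits under an AES data key, that key under the user's ECC public key, and the ECC private key under a key derived from the PIN, so nothing on the handheld is readable without the PIN. It uses the third-party Python cryptography package; PBKDF2 stretching of the PIN and an ephemeral-key ECDH wrap of the data key are this example's assumptions, since the article does not give those details.

```python
# Added illustration (not PatientKeeper's code) of the PIN -> ECC -> AES chain described above,
# using AES-256-GCM and P-256 ECDH; PBKDF2 stretching and the ephemeral wrap are assumptions.
import hashlib, os
from dataclasses import dataclass
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

CURVE = ec.SECP256R1()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """AES-256-GCM with a fresh 12-byte nonce prefixed; open_ reverses it and fails on tampering."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)

def open_(key: bytes, blob: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)  # raises InvalidTag on a wrong key

def pin_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)  # slows offline PIN guessing

def ecc_wrap_key(priv, pub) -> bytes:
    return hashlib.sha256(priv.exchange(ec.ECDH(), pub)).digest()  # P-256 ECDH -> AES wrap key

@dataclass
class Device:  # everything the handheld stores is ciphertext; no key is held in the clear
    salt: bytes
    wrapped_priv: bytes      # user's ECC private key, under the PIN-derived key
    eph_pub: bytes           # ephemeral public key needed to re-derive the wrap key
    wrapped_data_key: bytes  # AES data key, under ECDH(ephemeral, user public key)
    record: bytes            # patient data, under the data key

def provision(pin: str, record: bytes) -> Device:
    priv, eph = ec.generate_private_key(CURVE), ec.generate_private_key(CURVE)
    salt, data_key = os.urandom(16), AESGCM.generate_key(256)
    priv_bytes = priv.private_numbers().private_value.to_bytes(32, "big")
    return Device(salt, seal(pin_key(pin, salt), priv_bytes),
                  eph.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint),
                  seal(ecc_wrap_key(eph, priv.public_key()), data_key), seal(data_key, record))

def unlock(dev: Device, pin: str) -> bytes:
    """PIN -> private key -> data key -> record; a wrong PIN fails at the first step."""
    try:
        priv_bytes = open_(pin_key(pin, dev.salt), dev.wrapped_priv)
    except InvalidTag:
        raise ValueError("wrong PIN or tampered key store") from None
    priv = ec.derive_private_key(int.from_bytes(priv_bytes, "big"), CURVE)
    eph_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, dev.eph_pub)
    return open_(open_(ecc_wrap_key(priv, eph_pub), dev.wrapped_data_key), dev.record)
```

A device image copied off a lost handheld therefore yields only ciphertext, and the PIN-derived key is never stored, which is the property the article credits the scheme with.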

Still, users tend to write down PINs and leave them in places that are accessible to other people. To remedy this problem, Sutherland says that PatientKeeper plans to add support for biometric security (see "Biometrics For Handhelds," below).

HIPAA Isn't Brain Surgery

The key to successfully selling wireless health-care systems is understanding the HIPAA rules and your customers' security concerns. HIPAA-compliant wireless systems can be built with off-the-shelf access points and radio cards, although specialized appliances and servers may be needed in large, heterogeneous environments. Software applications can supply their own HIPAA security. But don't stop at the wireless network: Remember to secure those handheld devices, too.