Focus on Healthcare: Securing User-Controlled Records
By Ben Halpert
Within the information technology field, there are many options for the creation, storage, dissemination and security of electronic healthcare records. The concept of owner-controlled or user-controlled information has been around for quite some time. While HIPAA provides requirements for healthcare and insurance organizations, such legislation does not pertain to user-controlled records. How to securely implement such a process is up for debate. Whatever system or systems prevail, we can only hope that a standard electronic medical record will be adopted by the medical industry.
Microsoft has launched HealthVault to enable individuals to put their healthcare records online. Once the record is created the owner can determine who should have access to the record. Even if the Microsoft HealthVault system has been assessed from a risk perspective, it is often other weak links that lead to compromise. Insider attacks and other interconnected systems that may have vulnerabilities are just two examples.
Another potential system to house personal healthcare records is the online social networking service Facebook. Marc Benioff, chairman and CEO of salesforce.com, has mentioned Facebook pages as having such potential. We need to wait and see if Facebook indeed enters the personal medical records management business.
When discussing owner-controlled electronic healthcare records, I am partial to offline alternatives. One example available today is the MedicAlert E-HealthKEY USB device. When the device is plugged into any machine other than the designated user's home machine, the USB device allows access to the critical medical information that medical professionals would need in case of an emergency.
USB thumb drives have a tendency to eventually be lost or stolen. A USB-based solution should meet the following minimum requirements:
- Encrypt data with a Federal Information Processing Standard (FIPS) validated algorithm;
- Require multifactor authentication to access the data contained on the device (except for the emergency scenario);
- Securely delete all data after a previously specified number of incorrect authentication attempts; and
- Securely delete files that are accessed or copied to a machine upon removal of the USB device.
From a deletion perspective, on both the computer and the USB device, a process that defeats known information recovery techniques should be implemented.
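The following is an added example, not code from this column and not the implementation of the MedicAlert E-HealthKEY or any other product. It models the access policy the requirements above describe, using only Python standard-library primitives: a passphrase factor (PBKDF2-HMAC-SHA-256, a FIPS-approved construction), a possession factor (an RFC 4226 HOTP token), an unauthenticated emergency subset, a failed-attempt counter that triggers a wipe, and an overwrite-then-unlink deletion routine. The five-attempt threshold, the `RecordDevice` class and its field names, and the sample record contents are all assumptions made for the example; encrypting the record itself with AES would be done by a FIPS-validated module and is out of scope here.

```python
"""Added example: access policy for a user-controlled medical record on a USB device."""
import hashlib
import hmac
import os
import secrets
import struct
import tempfile
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5  # assumed policy value: wipe after the fifth failure


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """'Something you know' factor: PBKDF2-HMAC-SHA-256 derives a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """'Something you have' factor: RFC 4226 HOTP code for a token seeded with `secret`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def secure_wipe(path: str) -> None:
    """Overwrite the file with zeros, ones and random bytes, then unlink it.
    Caveat: flash media use wear levelling, so the physical cells may survive an
    overwrite; a real device should also destroy the encryption key (crypto-erase)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in (b"\x00", b"\xff", None):
            f.seek(0)
            f.write(os.urandom(size) if pattern is None else pattern * size)
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)


@dataclass
class RecordDevice:
    salt: bytes
    key_check: bytes        # HMAC under the derived key, used to verify the passphrase
    token_secret: bytes     # shared seed of the owner's HOTP token
    emergency_info: str     # readable without authentication (emergency scenario)
    private_path: str       # encrypted full record on the device
    failed: int = 0
    hotp_counter: int = 0
    wiped: bool = False

    @classmethod
    def provision(cls, passphrase, token_secret, emergency_info, private_path):
        salt = secrets.token_bytes(16)
        check = hmac.new(derive_key(passphrase, salt), b"key-check", hashlib.sha256).digest()
        return cls(salt, check, token_secret, emergency_info, private_path)

    def read_emergency(self) -> str:
        return self.emergency_info

    def unlock(self, passphrase: str, otp: str):
        """Return the record key on success, None on failure; both factors are always
        evaluated so timing does not reveal which one was wrong."""
        if self.wiped:
            return None
        key = derive_key(passphrase, self.salt)
        ok_pass = hmac.compare_digest(
            hmac.new(key, b"key-check", hashlib.sha256).digest(), self.key_check)
        ok_otp = hmac.compare_digest(otp, hotp(self.token_secret, self.hotp_counter))
        if ok_pass and ok_otp:
            self.failed = 0
            self.hotp_counter += 1
            return key
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.wiped = True
            secure_wipe(self.private_path)
        return None


def simulate() -> dict:
    """Constructed walk-through: emergency read, lockout wipe, then a correct unlock."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "record.enc")
        with open(path, "wb") as f:
            f.write(b"<constructed placeholder for the encrypted record>")
        token_secret = secrets.token_bytes(20)
        dev = RecordDevice.provision("correct horse", token_secret,
                                     "Blood type O negative; penicillin allergy", path)
        emergency = dev.read_emergency()
        failures = [dev.unlock("wrong", "000000") for _ in range(MAX_FAILED_ATTEMPTS)]
        wiped = dev.wiped and not os.path.exists(path)
        with open(path, "wb") as f:            # re-provision a fresh device
            f.write(b"<constructed placeholder for the encrypted record>")
        dev2 = RecordDevice.provision("correct horse", token_secret, emergency, path)
        key = dev2.unlock("correct horse", hotp(token_secret, 0))
        return {"emergency": emergency, "failures": failures, "wiped": wiped,
                "unlocked": key is not None and len(key) == 32,
                "counter_after": dev2.hotp_counter}


if __name__ == "__main__":
    print(simulate())
```

The emergency subset is deliberately kept outside the authenticated path so that responders can read it from any machine, while every other read requires both factors; the wipe counter is stored on the device itself, so an attacker who clones the image could reset it, which is why a production device keeps the counter inside a tamper-resistant controller.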
While most people are good, there are nefarious individuals who would seek to discover any and all conditions a person may have and use such information as a means of exploitation or worse.
Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Email comments, questions and requests to him at Editor@MobileEnterpriseMag.com; please include SECURITY in the subject line.