The concept and implementation of shared computer resources and
files of information is appealing to users in the medical industry,
mostly due to the promise of reduced redundancy and improved
productivity. The increased efficiency and reduced cost of such
computer networks is what attracts radiology departments to the
implementation of PACS (picture archiving and communication
systems). However, too much sharing can put your operations at
risk. In order to serve multiple users in locations both within
and outside your institution, server systems have to be able to
identify which client station each request comes from and to
determine whether that person or computer station is authorized
to receive the requested data, information, or service. If your
system is not set up to adequately perform these tasks, you put
your network at risk for security breaches.
Computer security problems generally are divided into four
overlapping areas: secrecy (keeping data and information out of the
hands of unauthorized users); authentication (determining who you
are communicating with before revealing sensitive information);
nonrepudiation (proving that a party actually sent a message, so
that the sender cannot later deny it, usually by means of a digital
signature); and integrity control (how to be sure that the message
you received was really the one sent and has not been altered).1-4
The literature dealing with computer and electronic data
security is extensive. All radiology departments will soon be
required to develop an electronic data security plan. Such plans
will address the following elements: 1) access (provides users with
the means to transmit and receive data to and from any resource
they are authorized to communicate with); 2) confidentiality
(ensures that the data and information in the electronic system
remains private, usually accomplished through encryption); 3)
authentication (ensures that the sender of a message is correctly
identified); 4) integrity (ensures that a received message has not
been modified or changed in transmission); and 5) nonrepudiation
(ensures that the sender of a message cannot deny sending the
message).
Guidelines are being proposed as standards for the security of
an individual's health data and electronic signatures for use with
health plans, health care clearinghouses, and health care
providers. These standards would be used to implement and maintain
the security of all patients' electronic health information, with a
goal of assuring the confidentiality and privacy of any health care
information that is electronically collected, archived, and
transmitted. There also is a need to implement signature capability
for information that is electronically archived or transmitted. A
digital signature provides the properties of a handwritten
signature, such as verification of who signed and of what was
signed, along with other benefits, such as supporting an audit
trail of who sent and who received the information.
On-going efforts
The U.S. Congress passed legislation (the Administrative
Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191; the earlier Medical
Records Confidentiality Act, S.1360, was introduced but never
enacted) that directed the Secretary of the Department of Health
and Human Services (HHS) to develop explicit standards for securing
medical information. On August 12, 1998, the HHS released for
comment a proposed rule, 45 CFR Part 142 (HCFA-0049-P), Security
and Electronic Signature Standards.5 Comments on the proposed
standard were due no later than October 13, 1998.
In addition to the HHS effort, the DICOM (Digital Imaging and
Communications in Medicine) Standards Committee has a working group
that is developing the draft of Supplement 31, Security. Also, the
HOST consortium (HOST Consortium, 444 North Capitol, Washington,
DC) is working with the National Information Assurance Partnership
(NIAP) and ARCA Systems to develop a set of Common Criteria
protection profiles by which the security of healthcare information
systems may be evaluated. The Common Criteria are an
internationally recognized method for information technology (IT)
security evaluation, being adopted by the International
Organization for Standardization (ISO) as ISO/IEC 15408, that
assists IT consumers, developers, and evaluators in specifying,
evaluating, and measuring IT security. Protection profiles, written
using the Common Criteria methodology (National Institute of
Standards and Technology, 820 W. Diamond Ave., Gaithersburg, MD
20899), describe the requirements a secure system must meet and
will be used to measure the security of health care IT systems
specifically. This effort will support the HHS efforts in
implementing and evaluating security rules.
Elements of the proposed HHS rule
The HHS proposes to add a new part to title 45 of the Code of
Federal Regulations (CFR) for health plans, health care providers,
and health care clearinghouses. The new part would establish that
health plans, health care clearinghouses, and health care providers
must have the security standard in place to comply with guidelines
for security of health care information, ensuring privacy and
confidentiality when health information is electronically archived,
transmitted, and displayed. This standard will also cover the
selected standard for electronic signature.
The proposed HHS rule divides the security requirements into the
following four categories: 1) administrative procedures to guard
data integrity, confidentiality, and availability (formal practices
to manage the selection and execution of security measures to
protect data, and to govern the conduct of personnel in relation to
the protection of data); 2) physical safeguards (the protection of
computer systems and related facilities from fire, environmental
hazards, and intrusion); 3) technical security services (processes
installed to protect, control, and monitor access to stored
information); and 4) technical security mechanisms (processes to
prevent unauthorized access to data being transmitted over a
communications network). Each of the four categories is summarized
by a matrix in which the requirements are presented and their
implementation defined.
In these guidelines, a fifth category is presented: the electronic
signature. In reviewing the necessary technology, the rule points
out that the use of digital signatures requires a public key
infrastructure, that is, a trusted means of generating,
distributing, and revoking the public keys against which signatures
are checked.
Public key cryptography-an example
Consider figure 1 as an example of how public key cryptography
works.6 The purpose of a cryptographic hash function is to produce
a short "fingerprint" of a file, message, or image. On its own the
fingerprint says nothing about who sent the data; it is the
signature applied to the fingerprint (below) that lets the correct
sender be identified and the data be confirmed as unchanged. It is
easy to generate a hash code when given a message, but
computationally infeasible to generate a message, file, or image
that matches a given code. The input message, file, or image is
viewed as a sequence of n-bit blocks. The input is processed one
block at a time in an iterative fashion to produce an n-bit hash
value.7 A message (text, image) needs to be transmitted from Mark's
computer to Eva's computer via a network (internet or intranet).
The message (1) is operated upon by a cryptographic one-way hash
function (2) that results in a small, fixed-size value. The
original text (or image) can be many megabytes in size, but the
hash value is only a small number of bytes. The resulting hash
value is encrypted, or signed, (3) with Mark's private key
(sender), a secret value that only Mark possesses; unlike a
password, it is never presented to anyone and must never be
disclosed. Mark is responsible for keeping his private key secret
(4). The encrypted hash value is the digital signature, which is
appended to the original message for transmission (6).
Next, the entire message to be transmitted (the original message
together with the digital signature) is encrypted (7) with the
public key of Eva (8), the receiver. In practice the bulk of the
data is encrypted with a one-time symmetric key and only that key
is encrypted with Eva's public key, because public key algorithms
are slow and can encrypt only inputs shorter than the key; the
security properties are the same. The encrypted message is now
transmitted to Eva over the unprotected network (9). The message is
received by Eva's computer and decrypted (10) with Eva's private
key (11): only Eva's private key can decrypt a message that has
been encrypted with Eva's public key. Eva is responsible for
keeping her private key secret. The received message (12) is
composed of the original message and the digital signature.
The original message part of the received message is processed
by the same cryptographic one-way hash that was used by the sender
(Mark) (13). Then the digital signature is decrypted (14) with
Mark's public key (15). If the freshly computed hash value and the
decrypted digital signature are the same, then Eva can be assured
that Mark did indeed send the message and that it arrived
unaltered. If, however, they are different, then Eva received a
message that was signed by someone other than Mark or was modified,
accidentally or deliberately, in transmission.
The public keys of Eva and Mark must reach the other party in a
way that rules out substitution: if an attacker can hand Eva a
public key of his own while claiming it is Mark's, every check
above passes for the attacker's messages. Secure exchange of public
keys is usually accomplished by a trusted third party, a
certificate-issuing institution (certification authority), which
signs a certificate binding each person's identity to that person's
public key.
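The exchange between Mark and Eva described above, written out as runnable Go against the standard library. This is an added example, not code from the original article or from the DICOM or HHS documents it cites. It assumes RSA keys generated on the spot rather than keys distributed through a certification authority, and the report it carries is a constructed sample. Two details differ from the figure because they are what practitioners deploy: the "encrypt the hash with the private key" step (3) is RSA-PSS signing and the "decrypt with the public key" step (14) is PSS verification, the padded forms of textbook RSA; and step (7) is hybrid, with a one-time AES-256-GCM key encrypting the message plus signature and only that key encrypted with Eva's public key (RSA-OAEP). The names Envelope, signAndSeal, openAndVerify and ErrBadSignature are this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the unprotected network (step 9 in the figure). Only Eva's
// private key unwraps the AES key, and only that key opens the message and Mark's signature.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to Eva's public key (step 8)
	Nonce      []byte // fresh AES-GCM nonce for this message
	Ciphertext []byte // AES-GCM of: signature || message
}

var ErrBadSignature = errors.New("signature check failed: not signed by the claimed sender, or altered")

// newKeyPair makes an RSA key pair. The private half is what its owner must keep secret
// (steps 4 and 11); the public half is what a certification authority would vouch for.
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signAndSeal is Mark's side (steps 1-8): hash, sign the digest with his private key,
// prepend the signature to the message, and encrypt the result so that only Eva can read it.
func signAndSeal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg) // step 2: 32 bytes whatever the size of the input
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil) // step 3
	if err != nil {
		return nil, err
	}
	plain := append(append(make([]byte, 0, len(sig)+len(msg)), sig...), msg...) // step 6
	// Step 7 is hybrid in practice: RSA-OAEP encrypts at most a few hundred bytes, so a
	// random AES key carries the (possibly multi-megabyte) payload and RSA carries the key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// openAndVerify is Eva's side (steps 10-15): unwrap the AES key with her private key,
// decrypt, split off the signature, re-hash the message, and check it under Mark's public key.
func openAndVerify(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil) // steps 10-11
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // any bit flipped in transit fails here
	if err != nil {
		return nil, err
	}
	n := senderPub.Size() // an RSA-PSS signature is exactly the modulus length, 256 bytes for 2048-bit keys
	if len(plain) < n {
		return nil, errors.New("malformed envelope: shorter than a signature")
	}
	sig, msg := plain[:n], plain[n:] // step 12
	digest := sha256.Sum256(msg)     // step 13: the same hash Mark used
	if rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) != nil { // steps 14-15
		return nil, ErrBadSignature
	}
	return msg, nil
}

func main() {
	mark, _ := newKeyPair()
	eva, _ := newKeyPair()
	env, _ := signAndSeal([]byte("constructed sample: CT chest, no acute findings"), mark, &eva.PublicKey)
	msg, err := openAndVerify(env, eva, &mark.PublicKey)
	fmt.Printf("verified=%v msg=%q\n", err == nil, msg)
}
```

Calling signAndSeal with Mark's private key and Eva's public key, then openAndVerify with Eva's private key and Mark's public key, returns the report unchanged. Anyone holding Eva's public key can build an envelope she can open, but an envelope signed with any key other than Mark's fails the signature check with ErrBadSignature, a single flipped ciphertext byte fails at GCM authentication before the signature is examined, and an envelope addressed to Eva cannot be opened with anyone else's private key. This is the point of the figure: confidentiality comes from Eva's key pair, authentication and integrity from Mark's, and the whole construction is only as good as Eva's assurance that the public key she holds really is Mark's.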
Conclusion
Security rules for electronic medical data and information are
being studied and proposed. Such rules are intended to protect
patient data confidentiality. Plans are being developed by
radiology departments and groups for security protocols. The HHS
Security and Electronic Signature Standards (45 CFR Part 142), in a
slightly modified form, will be in effect within two years. Vendors
and manufacturers will also be responsible for installing
comprehensive security for the acquisition, transmission,
archiving, and displaying of medical data and digital image data.
If you have ever seen an 18-year-old hacker at work, then you know
the time has come to install and maintain medical data security
systems. AR
References
1. Tanenbaum A: Computer Networks, ed 3. Upper Saddle River, NJ,
Prentice Hall PTR, 1996.
2. Hayden M: Teach Yourself Networking in 24 Hours. Indianapolis,
Sams Publishing, 1998.
3. Derfler F: Using Networks. Indianapolis, Que Publishing, 1998.
4. Goncalves M: Firewalls Complete. New York, McGraw-Hill, 1997.
5. Security and Electronic Signature Standards: Proposed rule.
Department of Health and Human Services, Federal Register 63(155),
August 12, 1998.
6. Dowd PW, McHenry JT: Network security: It's time to take it
seriously. Computer (IEEE Computer Society) 31(9):24-28, 1998.
7. Stallings W: Data and Computer Communications, ed 4, pp 682-686.
New York, Macmillan Publishing Co., 1994.
Dr. Dwyer is a Professor in the Department of Radiology at the
University of Virginia Health Sciences Center in Charlottesville,
VA. He is also a member of the editorial advisory board of this
journal.