"2 New Threats to HIPAA Compliance"
Wireless technology and Microsoft are creating serious new computer security risks.
by Gil Weber, MBA
Adapted with permission from Ophthalmology Management
© Copyright, 2003. All rights reserved.
Regular readers of Ophthalmology Management know that I've written several articles about the computer and Internet security challenges posed by the new HIPAA regulations. Doctors need to upgrade office systems immediately to prevent or reduce opportunities for external attack and internal mistakes, mischief, or malice. Unfortunately, many -- if not most -- computer users simply don't appreciate the magnitude of the security issues involved, or the risks they run by not taking preventive action.
Two recent news stories drive home this point.
Unsecured Wireless Networks
Computer work stations in a wireless network (increasingly popular in both homes and businesses) communicate with each other using radio transmitters and receivers instead of wires. This makes them remarkably vulnerable.
To demonstrate this, an NBC-TV reporter drove around Ft. Lauderdale residential and business districts with a computer security expert, using a wireless laptop computer to scan for open wireless networks. Time after time they "hit" on the broadcast signals sent out by these systems.
They had no trouble getting into numerous networks -- and less than 20% of the networks they scanned had any security. In one particularly worrisome demonstration, they sat outside a building known to house many medical practices and, one after another, accessed unsecured networks. Had they been so inclined, they could have browsed through confidential patient records.
Even more incredibly, they used a GPS (global positioning satellite) program laid over their scanning program to identify the physical location of each compromised network! That information would allow them (or someone else) to return and re-access a network at any time.
Why was this possible? Because the people who set up and use these wireless networks didn't take even the most basic of precautions. They didn't bother to change the default password in their routers -- the entry gateways that broadcast to their networks (and the outside world). Any hacker intent on mischief knows these default passwords. Even worse, some medical practices stored their individual user passwords on the computer in plain text format rather than as encrypted data, giving anyone who gets on the system the electronic keys to their files. These are huge security lapses, but they're surprisingly common.
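The second lapse described above, user passwords kept on the computer in plain text, is easy to see in code. The following is an added example, not part of the original article: it builds a small constructed credentials file the insecure way and then the way a practice should keep it, using a salted one-way hash (PBKDF2, the standard choice where the article says "encrypted data"), and shows that the hashed file gives away nothing to someone who merely reads it while still letting a legitimate user log in. User names and passwords are made up for the demonstration.

```python
import hashlib
import hmac
import json
import os

# Constructed sample credentials, standing in for a practice's user list.
SAMPLE_USERS = {"drsmith": "Retina2003", "frontdesk": "password1"}


def store_plaintext(users):
    """The insecure practice: the file holds every password verbatim.
    Anyone who reaches the machine and reads it has the keys to the system."""
    return json.dumps(users)


def hash_password(password, salt=None, iterations=200_000):
    """Derive a salted PBKDF2-HMAC-SHA256 record for one password.
    A fresh random salt per user means two identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def store_hashed(users):
    """The recommended practice: keep only salt, iteration count and hash."""
    return json.dumps({name: hash_password(pw) for name, pw in users.items()})


def verify(store_json, username, password):
    """Check a login attempt against the hashed store without ever
    recovering the stored password; compare in constant time."""
    record = json.loads(store_json).get(username)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def secrets_exposed(store_json, users):
    """Count how many of the real passwords appear literally in the file,
    i.e. what a reader of the file learns with no further effort."""
    return sum(1 for pw in users.values() if pw in store_json)


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("plaintext file exposes", secrets_exposed(plain, SAMPLE_USERS), "passwords")
    print("hashed file exposes", secrets_exposed(hashed, SAMPLE_USERS), "passwords")
    print("login drsmith/Retina2003:", verify(hashed, "drsmith", "Retina2003"))
    print("login drsmith/wrong:", verify(hashed, "drsmith", "wrong"))
```

The same principle applies to any credential a practice management or EMR application keeps on disk: a file that can be read is a file that can be copied, so the stored form must be useless on its own.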
Don't think that this kind of thing is only done by people with no malicious intent -- fun-loving techies looking for a high-speed connection they can "borrow" to send e-mails. HIPAA requires you to be proactive and protect your system from being accessed by anyone, malicious or not.
New Microsoft Licensing Agreements
When most people install software, they don't bother to read the multiple screens of end-user licensing agreement (EULA) text before they click "I accept." In light of HIPAA requirements, you might want to pay much closer attention.
Believe it or not, the newest version of Microsoft's EULA, contained in XP's Service Pack 1 and 2000's Service Pack 3, gives Microsoft the right to connect to your computer at any time to analyze the software you're using and make changes of any kind, at its sole discretion. This means that if you're using updated Windows 2000 or XP, you have a significant HIPAA security issue -- and a quandary.
HIPAA requires that medical practices have a "compliant technical information infrastructure" that secures patient records and protects confidentiality. Brian Livingston, author of an InfoWorld article that raises this issue, asks a very compelling question: Since Microsoft may start using its new rights at any time, won't it soon be against federal law for healthcare providers to rely on Windows to handle patient records?
Others involved with HIPAA are equally concerned. Peter Clark, the owner of PClark.net Consulting, interviewed in Livingston's article, says that he thinks the license terms are in direct conflict with HIPAA. "Either I don't install the service pack -- and am therefore running an OS with known security holes, which HIPAA frowns upon -- or I do install the service pack and thereby install a new security hole, which allows for automatic changes of the software configuration." Bob Webber, M.D., a systems manager at a teaching hospital, concurs. "If, after a Microsoft service pack is applied to overcome a security weakness in their operating system, and the service pack also secretly breaks the multimedia software and/or revokes access to our patients' data, thus damaging our patient care, who is responsible?"
Yes indeed. Who is responsible if you allow others unrestricted access to your computers and there's a problem with the confidential records? And how long will it be before we hear of hackers piggy-backing into computers on Microsoft updates?
The Cost of Complacency
We don't yet know the price a medical practice will pay for failing to protect the confidentiality of patient records. If you don't want to be the one whose practice name goes on the first HIPAA test case, take the time to look at your hardware and software systems. Review everything thoroughly and make sure you're not compromising your ability to secure and protect electronic patient data.
For More Information
You can read the complete NBC-TV story about unsecured wireless networks at
The complete InfoWorld article about Microsoft is at
Gil Weber, Ophthalmology Management's consulting editor, is a nationally recognized author, lecturer and practice management consultant to practitioners and the managed care and ophthalmic industries, and has served as director of managed care for the American Academy of Ophthalmology.