HCFA Reverses Internet Decision
The Health Care Financing Administration has issued a new policy allowing the Internet to be used for transmitting HCFA-related healthcare information. And in the process, the agency has formally acknowledged that standard encryption technology does provide adequate protection to sensitive Internet messages.
"They’re reversing their previous position out of recognition that data can be secured," says Brad Casemore, deputy director of the Center for Healthcare Information Management, an organization that actively challenged HCFA’s Internet ban ruling.
The controversy began in the fall of 1997 with the infamous Region II memo that ordered those using the Internet to transmit sensitive HCFA-related data to cease and desist under provisions of the Privacy Act of 1974. But the voice of opposition was loud, forcing HCFA to re-evaluate its position. Largely at the request of HCFA’s new CIO Gary Christoph, the agency asked the IT industry to help write a new policy. "In the end, we came to the conclusion that [the memo] was based on antiquated data," says HCFA spokesperson John Parmajani.
In rare fashion, the healthcare industry is now praising HCFA’s efforts in soliciting industry feedback and providing a plausible solution for both healthcare providers and IT vendors. "We are very pleased with the result," Casemore says. "With regard to our members, the original policy put a chill over the ongoing development of Internet-based products and services."
For Sarasota Memorial Hospital in Florida, the new policy is a green flag signaling instant deployment of its CPR to physician offices throughout the region--via the Internet. "Without a doubt this is a relief to us," CIO Jim Turnbull says. Sarasota’s progressive Internet strategy was stopped in its tracks when the ban was issued last year. The hospital already was sending patient data--that could have been interpreted as HCFA data, Turnbull says--to one physician office over the Internet. "We quickly cut it off, just to be safe," he says.
Under the new regulations, HCFA will require organizations that plan to transmit HCFA Privacy Act-protected and other "sensitive" data to register with the agency via email, and the agency is reserving the right to audit organizations’ compliance with the requirements. But Parmajani doesn’t believe HCFA will carry out much auditing. Providers will comply given their own obligations to data protection, he says.
Various encryption methods are acceptable for securing Internet messages, including standard email S/MIME and SSL 3.0 (Secure Sockets Layer). The minimum level of encryption is Triple 56 bit DES for symmetric systems, 1,024 bits for asymmetric systems and 160 bits for new elliptic curve systems--or their equivalents.
The requirements are reasonable, industry experts say: cost efficient--Sarasota recently upgraded to 56 bit technology for $2,500--and adequate for healthcare data protection. It would take 35 hours to break a 56 bit key length encryption with $100,000 worth of today’s code-busting technology. And the number of hours increases significantly as the investment in decryption equipment decreases, and vice versa.
But that’s just to crack the code. The greater challenge for hackers is to grab and assemble the data packets in transport, says Russ Condrey, senior systems analyst for Medic Computer Systems in Raleigh, N.C.
HCFA officials say the policy is subject to change, if and when minimum encryption levels are deemed insufficient. Condrey believes that could be as early as next year. In cooperation with the industry, HCFA will rewrite the policy as needed until HIPAA’s security regulations take effect, probably in 2001, thereby replacing all other security provisions, Parmajani says.
McKesson to Buy HBOC
HBOC, Atlanta, and McKesson Corp., San Francisco, on Oct. 19 announced a definitive agreement for McKesson to acquire HBOC. According to officials, the merged company--McKesson HBOC--will be the "world’s first comprehensive healthcare supply management and information solutions company," combining HBOC’s healthcare software business and McKesson’s healthcare supply management company. It will be worth an estimated $21.2 billion when the deal closes in the first quarter of 1999. According to the agreement, HBOC shareholders will receive 0.37 shares of McKesson common stock for each share of HBOC stock.
This acquisition comes three months after a rumor that HBOC was buying McKesson. That announcement caused HBOC’s stock to fall 11 percent on two consecutive days. Mark Pulido, president and CEO of McKesson, discounted skepticism on Wall Street regarding the Oct. 19 merger and announced an anticipated growth rate of more than 35 percent over the next three years. The new company looks to leverage its sales force, cross selling products and services to its combined customer base of 78,000 medical facilities, payors and retail pharmacies.
Pulido will retain his titles for the new company. Charles McCall, chairman, president and CEO of HBOC will be chairman for McKesson HBOC. The board will be equally represented by both companies.
-- Charlene Marietti & Lisa Paul
Cellulars Save the Day
Bogged down with pagers, laptops and cell phones, most medical personnel would welcome a communication system that could do it all. The frenzied growth of code-division multiple access (CDMA) technology may soon allow you to place phone calls, send and receive pages, access clinical data and even the Internet--all from your cellular.