HCFA Reverses Internet Decision
THE HEALTH CARE FINANCING ADMINISTRATION HAS issued a new policy allowing the Internet to be used for transmitting HCFA-related healthcare information. And in the process, the agency has formally acknowledged that standard encryption technology does provide adequate protection to sensitive Internet messages.
"They’re reversing their previous position out of recognition that data can be secured," says Brad Casemore, deputy director of the Center for Healthcare Information Management, an organization that actively challenged HCFA’s Internet ban ruling.
The controversy began in the fall of 1997 with the infamous Region II memo that ordered those using the Internet to transmit sensitive HCFA-related data to cease and desist under provisions of the Privacy Act of 1974. But the voice of opposition was loud, forcing HCFA to re-evaluate their position. Largely at the request of HCFA’s new CIO Gary Christoph, the agency asked the IT industry to help write a new policy. "In the end, we came to the conclusion that [the memo] was based on antiquated data," says HCFA spokesperson John Parmajani.
In rare fashion, the healthcare industry is now praising HCFA’s efforts in soliciting industry feedback and providing a plausible solution for both healthcare providers and IT vendors. "We are very pleased with the result," Casemore says. "With regard to our members, the original policy put a chill over the ongoing development of Internet-based products and services."
For Sarasota Memorial Hospital in Florida, the new policy is a green flag signaling instant deployment of its CPR to physician offices throughout the region--via the Internet. "Without a doubt this is a relief to us," CIO Jim Turnbull says. Sarasota’s progressive Internet strategy was stopped in its tracks when the ban was issued last year. The hospital already was sending patient data--that could have been interpreted as HCFA data, Turnbull says--to one physician office over the Internet. "We quickly cut it off, just to be safe," he says.
Under the new regulations, HCFA will require organizations that plan to transmit HCFA Privacy Act-protected and other "sensitive" data to register with the agency via email; and the agency is reserving the right to audit organizations’ compliance to the requirements. But Parmajani doesn’t believe HCFA will carry out much auditing. Providers will comply given their own obligations to data protection, he says.
Various encryption methods are acceptable for securing Internet messages, including standard email S-MIME and SSL 3.0 (Secure Sockets Layer). The minimum level of encryption is Triple 56 bit DES for symmetric systems, 1,024 bits for asymmetric systems and 160 bits for new elliptical curve systems--or their equivalents.
The requirements are reasonable, industry experts say: cost efficient--Sarasota recently upgraded to 56 bit technology for $2,500--and adequate for healthcare data protection. It would take 35 hours to break a 56 bit key length encryption with $100,000 worth of today’s code-busting technology. And the number of hours increases significantly as the investment in decryption equipment decreases, and vice versa.
But that’s just to crack the code. The greater challenge for hackers is to grab and assemble the data packets in transport, says Russ Condrey, senior systems analyst for Medic Computer Systems in Raleigh, N.C.
HCFA officials say the policy is subject to change, if and when minimum encryption levels are deemed insufficient. Condery believes that could be as early as next year. In cooperation with the industry, HCFA will rewrite the policy as needed until HIPAA’s security regulations take effect, probably in 2001, thereby replacing all other security provisions, Parmajani says.
McKesson to Buy HBOC
HBOC, Atlanta, and McKesson Corp., San Francisco, on Oct. 19 announced a definitive agreement for McKesson to acquire HBOC. According to officials, the merged company--McKesson HBOC--will be the "world’s first comprehensive healthcare supply management and information solutions company," combining HBOC’s healthcare software business and McKesson’s healthcare supply management company. It will be worth an estimated $21.2 billion when the deal closes in the first quarter of 1999. According to the agreement, HBOC shareholders will receive 0.37 shares of McKesson common stock for each share of HBOC stock.
This acquisition comes three months after a rumor that HBOC was buying McKesson. That announcement caused HBOC’s stock to fall 11 percent on two consecutive days. Mark Pulido, president and CEO of McKesson, discounted skepticism on Wall Street regarding the Oct. 19 merger and announced an anticipated growth rate of more than 35 percent over the next three years. The new company looks to leverage its sales force, cross selling products and services to its combined customer base of 78,000 medical facilities, payors and retail pharmacies.
Pulido will retain his titles for the new company. Charles McCall, chairman, president and CEO of HBOC will be chairman for McKesson HBOC. The board will be equally represented by both companies.
-- Charlene Marietti & Lisa Paul
Cellulars Save the Day
BOGGED DOWN WITH PAGERS, LAPTOPS AND CELLphones, most medical personnel would welcome a communication system that could do it all. The frenzied growth of code-division multiple access (CDMA) technology may soon allow you to place phone calls, send and receive pages, access clinical data and even the Internet--all from your cellular.
With CDMA, a single device can be your pager, your phone, your email and your network connection for laptops, says Jeffrey Brown, president and CEO of Data Critical Corp., a wireless telemedicine company in Redmond, Wash.
Once a struggling cellular technology, CDMA is beginning to show advantages over its market forerunner, time-division multiple access technology. TDMA, which assigns each call to a specific frequency, influenced the first wave of cellular phones. But its flaws became apparent as cellular communications gained popularity: Areas of heavy cell phone traffic often experienced frequency "bottlenecks," garbled reception and even crossed calls.
Conversely, CDMA uses spread-spectrum technology to break the transmission into digital "packets" and send it over a range of frequencies. This method lightens the load on crowded frequencies and allows multiple transmissions--data and voice--to be sent simultaneously over the same frequency range.
CDMA technology can allow two physicians to exchange an X-ray by using the wireless phone as a modem, view the image on separate laptops and discuss the image--all during the same phone call. "With CDMA, voice is packet data and data is packet data," explains Ira Brodsky, president of Datacomm Research Co., a market analysis firm in Chesterfield, Mo. "There’s no reason why you can’t make a call and apportion it partly to voice and partly to data."
Brown sees a big market for CDMA devices in home healthcare. "You could conceivably send a cardiac patient home with a monitor and a phone device that can send out information and allow the physician to view that information from another location. That’s really the missing link in the loop today."
Since CDMA technology assigns a unique digital code to each call and separates the data packets from each other during transmission, the chance of intelligible eavesdropping is almost nil, says Dale Miller, director of consulting services at Irongate, Inc., a data security consulting firm in San Rafael, Calif.
Qualcomm, Inc., San Diego, began researching CDMA technology more than a decade ago. And in 1992, the Telecommunications Industry Association accepted CDMA as a wireless standard, but products were of little use without a cellular infrastructure capable of supporting them.
PrimeCo (owned by AirTouch Communications and Bell Atlantic), Sprint and GTE began testing the CDMA network waters as early as 1996. But this year cellular companies began offering CDMA services to the public at a breakneck pace. AirTouch began testing complete voice/data services and US West brought data/voice/
paging packages to market.
As the infrastructure grows, more developers are joining the CDMA handset market. In July, international wireless giant Motorola, Inc. added CDMA capabilities to its StarTAC cassette tape-sized cellular phones.
Today’s CDMA combines the convenience of cellular, the coded privacy of digital and soon, developers hope, the global range of satellite communications. Within the next two to four years, Brodsky predicts, users may be able to accept simultaneous voice/data transfers approaching 128 kilobits per second, far outranking today’s commercial modems.
If it works for the physician, why not the hospital network? Brown says it’s just a matter of figuring out how to put the pieces together. "CDMA, in its current state, is basically a telephony tool," Brown says. "But the spread-spectrum idea is already used in a lot of wireless LANs, and there’s no reason why they couldn’t be adapted to CDMA."
Pamela Tabar is a freelance writer based in Cleveland
Preceding Cancer with Control Data
SOON CANCER RESEARCHERS MAY BE A STEP CLOSERto understanding the genetics behind the disease, and cancer patients a step closer to a cure, thanks to the National Cancer Institute’s (NCI) Cancer Genetics Network.
It’s the result of years of discussions on how to effectively identify genes and other risk factors that influence cancer susceptibility, says James W. Hanson, senior advisor for medical genetics in the division of Cancer Control and Population Sciences at NCI in Bethesda, Md.
When operational in mid-1999, the Network will house information on hundreds of thousands of potential cancer victims, utilizing resources from up to 11 major research centers nationwide. Individuals that populate the database may be asked to volunteer for research projects, or their medical data may be used in studies of specific populations.
Data will be shared among participating institutions via the Internet, but in encrypted form, says Prakash Nadkarni, assistant professor at the Yale Center for Medical Informatics. Even if the information is stolen, no names will be attached to the data, and therefore specific patients cannot be identified, Nadkarni says.
Hanson recognizes he can’t predict what researchers will ask of the registry, and wants the technology in place to handle most kinds of requests. So, for the next six to nine months, NCI and two groups of participating research institutions will finalize procedures and decide what kinds of patient data they will collect.
Eight institutions compose the cancer genetics group, and three (University of California at Irvine, Massachusetts General Hospital in Boston and Yale University) will provide the informatics/ information technology resources. UC-Irvine will maintain the registry database, Massachusetts General will ensure that the latest informatics technology is being used and Yale will design special databases to support particular registry projects.
In addition, all three centers will support the cancer genetics group and address their changing systems needs, a task for which NCI will encourage interaction with the private sector.
The Cancer Genetics Network, initially funded by NCI, has an annual budget of $6 million to be divided among participating institutions, in addition to grants and other funding allocated by each institution.
NCI is not ruling out the possibility of more institutions joining the network and will also consider increasing its funding if that happens.
Labs Revamp Their Businesses
BELEAGUERED CLINICAL LABORATORIES ARE revamping business strategies and ramping up with new software and communication tools to better respond to clinical needs, manage their businesses and comply with federal guidelines.
Hit hard by managed care contracts that limit testing to defined reference laboratories, some hospital laboratories are planning new strategies to take on capitation. One such group is laboratory services broker, LabNet of Ohio. Now 18 members strong, the consortium shares no ties other than the common goal to regain business lost, mostly to managed care contracts. Fully operative, LabNet manages day-to-day operations via a wide area network covering approximately 250,000 square miles.
On the regulatory front, HCFA Medicare and Medicaid rules preventing fraud and abuse have increased government scrutiny of laboratory operations and billing practices.
None too soon, software vendors are touting the availability of products designed to manage the complex regulatory, policy and workflow issues. Major vendors like HBOC are announcing new products and new versions that promise to increase profitability in the laboratory.
At the bedside, point-of-care testing is making serious inroads into traditional clinical testing methodology. Point-of-care coordinator Lisa Roney at Huntsville Hospital Systems in Huntsville, Ala. has a laundry list of direct and indirect cost savings using portable systems. Ideally these POC devices interface directly with the CPR, but, few are now in use.