Last month, he cleaned up after an attack by the Witty worm, which rewrote hard drives on 80 or so computers. The week before that, a notebook computer was hacked as it tracked data emanating from sensors attached to a subject who was sleeping as part of a research project. The campus had to "cut the hacker out" by turning off Internet access to the notebook so the study could be finished, says DeVoney.
The research center depends on the universitys technology infrastructure, and government budget cycles make it hard for the university to buy what it needs when its needed. Right now, for example, DeVoney has no perimeter firewall. Nevertheless, in April 2005, the Medical Center and thousands of other healthcare organizations will have to comply with regulations to protect the electronic security of patients records—records that keep track of their physical or mental conditions, their treatments and their healthcare insurance and payments. Violations can incur civil penalties of up to $25,000 per infraction per year, and criminal penalties of up to $250,000 in fines and 10 years in prison. (Very small organizations have an extra year to comply).
The regulations cover security in 18 areas, divided among three broad categories: administrative policies, such as who can update records; physical safeguards, such as access controls; and technical systems, such as firewalls, used to protect patient records. Organizations must specify who has access to what information, how computers are safeguarded, and how security breaches are handled.
Institutions, for instance, will have to track every time a patient record is transferred electronically, by any means—or medium. In other words, a hospital will have to document not only when information is transferred from one departments electronic files to anothers, online, but also when and how the data is moved on foot, using a magnetic tape, disk or other physical medium. In addition, the hospital will have to specify what kind of card readers or other devices are installed, to make sure only authorized workers can get to workstations or servers. They must even specify how devices or disks are checked out from work areas.
The regulations are part of HIPAA—the Health Insurance Portability and Accountability Act passed in 1996—and are just the latest in a series of rules the law will generate for years to come. But the cost of complying—ranging from $20,000 to $1 million for security alone, according to Jon Bogen, founder of West Chester, Pa.-based HealthCIO—is being borne by the organizations themselves.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: