Sep 15, 2000

We've Been Hacked


Shook is hoping that other states adopt compatible systems; if they don't, HealthRadius may have to install a vast and confusing array of different digital-signature systems. (Without a common standard, Shook fears that HealthRadius may have to establish its own PKI service for its customers. That not only would be more costly and difficult -- HealthRadius would have to license and distribute software to everyone who is authorized to access its data over the Web -- but also would open HealthRadius up to liability for its digital-signature system.)

So far HealthRadius has spent about $1 million on technology, including security. By the time it rolls out nationally during the next year or two, Rosmann expects he will have spent $2 million to $3 million on technology. But perhaps most important, the company has already subjected itself to an intensive security audit (in the spring of 1998) and will undergo another one early next year. It also requires periodic audits of the 50 clinics and hospitals that supply it with medical-records data, and a randomly selected 5% of clients' sites will be audited each year.

In such a review, an independent outside party rigorously examines the procedures and technology that a company is using to handle its data. In HealthRadius's case, the auditors were interested in seeing whether the company could live up to the security standards of the Health Insurance Portability and Accountability Act of 1996. That legislation established ground rules for medical-records privacy -- always a delicate subject and one made even more so in the Internet age. (DrKoop.com got into hot water recently when its advertising partner, DoubleClick, sold lists that included members' health information. HealthRadius's contract with its clients bars it from selling its information.)

The audit, which takes about three weeks to complete, includes interviews and a systematic review of the technology itself. That may seem like a lot of effort to secure something as relatively uncontroversial as immunization records. But a market test in 1998 confirmed that the HealthRadius service had no chance of acceptance if people felt even a slight concern that someone could access its demographic information on the more than 2 million people in its system. "We needed to act as a bank -- you have direct access and no one else has access," says Shook.

In addition, managing immunization records is just HealthRadius's initial foray into the arena of electronic-medical-records exchange. In the not too distant future, Rosmann plans to start databases that will contain patients' disease histories and other medical matters. At that point, he wants an unblemished security track record.

The company's biggest vote of confidence so far has come in black and white: a letter from the National Committee for Quality Assurance (NCQA), an independent nonprofit organization that evaluates the quality of managed-care organizations. The letter, dated January 1999, stated that NCQA considered HealthRadius's registry of immunization records an allowable source of data for its own system, which is used almost universally by health plans. "NCQA gave its blessing because we had provided the privacy," says Rosmann. "As soon as that letter was issued, about every health plan became a customer."

That's not to say Rosmann is satisfied. "We still have a little sensitivity around the subject of security," he says, still in that calm, careful voice. In fact, he has Shook shopping for three more security items. One, HackerShield from BindView Development, scans for known intrusion methods, similar to the way antivirus software checks for familiar computer viruses. A second, IPsec, is a computer-security standard that keeps unwanted data traffic from bothering a company's servers. One benefit of that would be protection against denial-of-service attacks that can overload and disable a server. (Remember that disastrous day for Amazon.com and eBay last February?)

The third product Rosmann and Shook want, WebTrends, monitors and analyzes firewall logs for unusual activity. That will help Shook manage the company's defenses more actively, and it will also help the company prosecute any hackers who try to break in. Catching a hacker, after all, would make the kind of headlines that Rosmann would like to be in.

David S. Bernstein is a freelance writer in Watertown, Mass.


What Are You Afraid Of?

So what's the worst that can happen? There are several types of hacker attacks, all of which have occurred in recent months.

Denial of service. Much like protesters' barring the entrance to a physical store, hackers can shut down your E-business by making sure no customers can get through to your site. Typically, they bombard the site with data traffic, rendering the Web server useless. That is the type of attack that brought down ZDNet, E*Trade, CNN.com, eBay, Buy.com, Amazon.com, and Yahoo, each for about three to five hours, all during a period of several days in February.

Electronic theft. This scenario is just like a physical robbery: the hacker breaks into your system, finds something he wants, and downloads it to his own computer. In most cases you may retain your copy of the data, but now someone else has it as well. Is that so bad? Ask the folks at CD Universe, an Internet music retailer based in Wallingford, Conn. Last December someone describing himself as a 19-ye
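Two of the ideas in this article, a product that watches firewall logs for "unusual activity" and the denial-of-service pattern described in the sidebar, can be illustrated in a few lines of code. The following Python monitor is an added example written for this edit; it is not code from the article, from HealthRadius, or from any product the article names. The simplified log format, the thresholds and every address in it are constructed assumptions. It flags a destination that receives a burst of connection attempts inside a short sliding window (the flood pattern) and a source whose denied attempts touch many distinct ports (the probing pattern an analyst would also want surfaced).

```python
"""Toy firewall-log monitor: flags connection floods and port probing.

Added example with a constructed, simplified log format (an assumption);
not the code of HealthRadius, WebTrends or any other product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format:
#   "<date> <time> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_floods(events, window=timedelta(seconds=10), threshold=20):
    """Flag destinations hit by more than `threshold` attempts within any
    sliding window of length `window`; returns {dst: peak_count}."""
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[ev["dst"]].append(ev["ts"])
    flagged = {}
    for dst, times in by_dst.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[dst] = peak
    return flagged


def detect_port_scans(events, threshold=10):
    """Flag sources whose DENIED attempts touched more than `threshold`
    distinct destination ports; returns {src: distinct_port_count}."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            ports[ev["src"]].add(ev["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) > threshold}


def analyze(lines):
    """Parse raw lines and run both detectors; malformed lines are counted,
    not silently dropped, so a broken log feed is itself visible."""
    events = [ev for ev in map(parse_line, lines) if ev]
    return {
        "parsed": len(events),
        "malformed": len(lines) - len(events),
        "floods": detect_floods(events),
        "scans": detect_port_scans(events),
    }


def sample_log():
    """Constructed sample: normal traffic, a port probe, a flood, one bad line."""
    base = datetime(2000, 2, 8, 10, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # Five ordinary allowed connections, one per minute.
    for i in range(5):
        t = (base + timedelta(minutes=i)).strftime(fmt)
        lines.append(f"{t} ALLOW TCP 198.51.100.{i + 1}:{40000 + i} -> 192.0.2.10:80")
    # One source walking twelve ports, one per second (all denied).
    for i in range(12):
        t = (base + timedelta(minutes=10, seconds=i)).strftime(fmt)
        lines.append(f"{t} DENY TCP 198.51.100.77:{50000 + i} -> 192.0.2.10:{21 + i}")
    # Thirty attempts from thirty sources within three seconds: a flood.
    for i in range(30):
        t = (base + timedelta(minutes=20, seconds=i // 10)).strftime(fmt)
        lines.append(f"{t} DENY TCP 203.0.113.{i + 1}:{1024 + i} -> 192.0.2.10:80")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))
```

On the constructed sample the report shows 47 parsed lines, one malformed line, a flood peak of 30 attempts against 192.0.2.10 and a 12-port probe from 198.51.100.77. The thresholds are deliberately conservative placeholders; on a real feed they would be tuned against a baseline of normal traffic so that ordinary busy periods are not reported as floods.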
