• United States



by Gregory Machler

Who should be at the root of protecting the nation’s healthcare data?

Apr 09, 20122 mins
Access ControlData and Information SecurityHealthcare Industry

A CISO working in the healthcare industry is responsible for protecting private data. Greg Machler explains why this points to the need for a root key for the national healthcare database

What are CISOs working in healthcare concerned about when it comes to protecting medical data in the future? There are a variety of concerns associated with who should and shouldnt be able to access your individual medical record. This is both a policy issue and a technology issue for the CISO.

[iPad security: How a hospital treated trouble]

If the United States moves to a national healthcare database, medical information will need to be accessed by hospitals, medical clinics, mental health clinics, pharmacies, medical researchers, government health care organizations and other medical institutions. The real question is: Who will decide what information should be accessed? Once the policy decision is made, how will the CISO enforce it?

There are some technological complications related to protecting the data. If the government opts to let the user manage who has access to data, how is that process enabled via technology? Would there be a national health care portal that allows an individual to define who can access certain portions of their data or would the national, state, and/or health care institution negotiate that access?

[Digitized medical records are easy prey]

Data protection of the medical information requires use of encryption and a key or keys. All encryption that is used to protect data requires a root key. In the financial-services industry, many banks have their own root key so there is no national financial services root key. But a national database of individual medical data would require a root at the national level and potentially even globally. The root has the ability to access all information, thus giving the institution that owns the root great power.

A national database of medical data requires policy decisions and then technology the enable that policy. It will be difficult to determine who has access to different portions of health care data. Once the health care data access policies are complete, access rules will be created to enforce who has access to the data and encryption will be used to protect the data. But, because encryption with certificates requires a root key, the institution owning the key will have great power.

Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline.