We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
 
75,294 News Articles

Who should be at the root of protecting the nation's healthcare data?

Greg Machler explains why there's a need for a root key for the national healthcare database

What are CISOs working in healthcare concerned about when it comes to protecting medical data in the future? There are a variety of concerns associated with who should and shouldn't be able to access your individual medical record. This is both a policy issue and a technology issue for the CISO.

[iPad security: How a hospital treated trouble]

If the United States moves to a national healthcare database, medical information will need to be accessed by hospitals, medical clinics, mental health clinics, pharmacies, medical researchers, government health care organizations and other medical institutions. The real question is: Who will decide what information should be accessed? Once the policy decision is made, how will the CISO enforce it?

There are some technological complications related to protecting the data. If the government opts to let the user manage who has access to data, how is that process enabled via technology? Would there be a national health care portal that allows an individual to define who can access certain portions of their data or would the national, state, and/or health care institution negotiate that access?

[Digitized medical records are easy prey]

Data protection of the medical information requires use of encryption and a key or keys. All encryption that is used to protect data requires a root key. In the financial-services industry, many banks have their own root key so there is no national financial services root key. But a national database of individual medical data would require a root at the national level and potentially even globally. The root has the ability to access all information, thus giving the institution that owns the root great power.

A national database of medical data requires policy decisions and then technology the enable that policy. It will be difficult to determine who has access to different portions of health care data. Once the health care data access policies are complete, access rules will be created to enforce who has access to the data and encryption will be used to protect the data. But, because encryption with certificates requires a root key, the institution owning the key will have great power.

Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline.

Dell XP Migration SMB
Dell XP Migration SMB
IDG UK Sites

Lytro Illum release date, price and specs: Light field camera goes 3D

IDG UK Sites

Tim Cook says Apple aims to be best, not first, hinting that iWatch is coming

IDG UK Sites

Twitter - not news

IDG UK Sites

Fun film festival trailer plays with classic movie scenes