The terrain of the Internet is as open and free as any new lands explored by America in its pioneer-filled history.
Those qualities of openness and freedom create both an attraction and an aversion to virgin territory, just as they did in the Wild West. In healthcare as in other industries today, the tradeoff for exploiting a nearly gratis use of the environment is the chilling realization that everyone else, friend or enemy, can freely travel the same trails .
"It would be a while before we think about passing patient information across the Internet," said Brad Young, who's scouting technology among his leadership duties with a healthcare information networking initiative in rural West Virginia
But technology is moving in to create a sense of safety. Just as in the Wild West, security strategies are being mobilized for the untamed Internet, according to experts assigned the job of protecting electronic messages within a public environment.
Settlers already out there from the banking and merchandising industries have spawned improvements in technology to reduce their risk in doing business on the frontier.
At least one company that seized t he moment a century ago and developed the security to get goods to their destination-Wells Fargo-is still in business today, this time securing the movement of data through a public messaging medium.
Other companies have risen up to serve security-conscious industries such as banking and are retooling their advances for healthcare, where they see a big market opportunity.
Disadvantages of openness. The very nature of the Internet as a public medium provides an opportunity to send dispatches anywhere at little cost, freeing healthcare networks from the expense and limitations of working within current telecommunications networks or building private links.
But those private systems provide a comforting level of order and security that doesn't exist in wide-open country. The premise of that security is controlled access, said Geoff Turner, a San Jose, Calif.-based principal with the accounting and consulting firm Ernst & Young.
In contrast, "for the Internet, everybody has access," he said.
Those who don't arrange for their own protection of business valuables could be vulnerable to people who for various reasons may want to intercept the goods or corrupt their value.
Thus a new vehicle for security is being created for the Internet: a secured and protected ride much like the armored cars Wells Fargo uses to deliver valuables on the real public interstate highways. In the case of the information superhighway, Turner said, systems are being concocted to "provide protection that goes with the information, just like the armored car."
Those systems-which scramble and unscramble messages, verify the s ource and destination of information, and assure that information isn't stolen or tampered with along the way-are becoming mature technologies, he said.
The advances are starting to spark some activity in healthcare among HMOs seeking electronic links with enrollees and among provider networks seeking to send data to and from remote locations.
One security-technology company, called TradeWave, said it's in the final stages of landing its first customer in the healthcare field. The Austin, Texas-based company said service to the undisclosed healthcare network could begin Jan. 1.
And a high-profile Internet vendor, Healtheon Corp., has begun securing transaction routes between HMOs and the ir enrollees (July 15, p. 24).
Healthcare decisionmakers shouldn't just decide to jump onto the Internet without first identifying objectives the medium can help meet, Turner said. But once they identify a way to tap the Internet's potential, "then they need to recognize security is not an obstacle," he said.
First impressions. Try telling that to people who have to guarantee the security of sensitive medical information-and who may see the Internet as somet hing even their aunt or kid brother can prowl around on.
Patient confidentiality is such a priority for Charleston (W.Va.) Area Medical Center and Related Entities, or CAMCARE, that the statewide healthcare networking initiative it' s involved with has solicited viewpoints from consumer and legal groups before committing to any plan, said Young, CAMCARE's director of information services specializing in healthcare information networks.
Young, who also chairs an information systems committee for an emerging integrated delivery system called Partners in Health Network, said current efforts continue to focus on using the state's digital fiber-optic network rather than the Internet.
"I believe it will come," he said of the Internet's networking role, "but I don't think the infrastructure is there yet."
A few hours up the road in Morgantown, W.Va., a 4-year-old investigation of electronic records exchange may be clos e to putting a proven Internet-based infrastructure into production.
The initiative at West Virginia University is testing the security and cost savings of the embryonic system after going through an initial test of its feasibility (See related story, p. 61).
If the Internet can indeed be made secure for patient information, then perceptions have a long way to go to catch up, according to a recent Ernst & Young survey focusing on data security in the healthcare industry.
Regardless of the state of the art, the 134 top information executives and security officers surveyed are still in a "show-me" state when it comes to confidence in the Internet frontier.
The number of respondents using the Internet or planning to use it for important business correspondence actually increased 28% over the past year. But 55% of those same respondents said they were either dissatisfied with or uncertain about the overall level of s ecurity in their Internet connections (See chart, p. 61).
The healthcare survey was part of a larger poll of more than 1,300 respondents representing a cross section of American industries. The level of dissatisfaction or wariness a bout information security measured in healthcare was the highest percentage reported among all the industries measured.
But the jitters aren't a reflection of an unwillingness to make use of the Internet. More than 80% of the current users said they would begin to use or increase their use of the medium for business purposes if it were better secured.
And more than 60% of the currently unconnected said better security would likely lead them to use the Internet .The promise and peril of the Internet were addressed in a recent report for the healthcare industry by Gartner Group, a Stamford, Conn.-based firm that researches information technology trends and challenges.
"If properly done, the risk of improper disclosure of patient information using the Internet will be less than with manual procedures and paper-based information," while "the ability to disseminate the information will be much greater with the Internet," the report said.
But it also warned about the risks associated with the Internet. "Given the nature of the Internet, if someone improperly accessed electronic patient information, it could potentially be instantaneously disseminated to millions of people," the report said. "Also, without adequate controls and tracking, tampering could be much harder to detect than with electronic (intranetwork) information."
An ill-conceived connection to the Interne t not only can be the source of unsecured transmissions but also a weak link in a healthcare network's internal systems security. "The sheer act of attaching a server to the Internet is what opens you up to problems," said Jim Ad ams, vice president of industry services for Gartner Group.
A server is an industrial-strength computer that stores, manages and distributes information intended for the Internet. But it also can be a doorway to internal computers.
In the Ernst & Young survey, nearly half the healthcare respondents said they're equipped to know if someone broke into their system by way of the Internet. Of that group, 20% reported either an attempted or successful break-in to t heir system through that opening during the past year.
But the survey also disclosed that the most prevalent techniques for controlling the remote transmission of data are still passwords, employed by 70% of respondents. Other technical "acknowledgements" built into computer systems also were used by about one in every three respondents.
The types of controls tailor-made for the Internet, however, were not much in evidence. Measures to "encrypt," or render unintelligible, the messages en route to their destination were used by only 10% of the sample, and the same percentage used technology to authenticate the sender.
"If you're going to send anything out over the Internet that's sen sitive, you need encryption," Adams said. "If you don't (use encryption), you're being negligent."
Methods to keep data safe. That's one of a number of technical inventions being adapted for healthcare from other industries to control access to an Internet connection, guard the safe passage of messages along the Internet, and identify sender and receiver.
The products confront the basic components of security strategy outlined by an international standards organization: Data confidentiality.
Identification and authentication of transmission sources and destinations.
Ability to assure the message can be traced to a specific sender and receiver.
"Most medical data is considered sufficiently critical that no person except the creator and the user should be able to read it," said the Gartner Group report on Internet use in healthcare.
That goes for e-mail, too, said Laura Brown, a manager at Ernst & Young specializing in information security. Organizations allowing doctors and staff to use e-mail for medical information are putting the organization at risk because the transmissions typically are not enc rypted. "E-mail can be so easily taken; it can be misdirected and read," she said.
Recent breakthroughs in encryption have lessened problems associated with managing the secret strings of numbers, or "keys," employed to scramble a message and then crack the code, said Turner of Ernst & Young.
The process assigns Internet users a "public key" that helps identify them on the Internet. Sender and receiver then exchange a "private key" to execute the secur e transmission, Turner said.
Though it sounds burdensome, the process can be rendered nearly automatic to users; the World Wide Web browser Netscape Navigator now incorporates such a process, allowing two users to conduct a "secure session" by clicking on an icon, Turner said.
Companies called "certificate authorities" are springing up to issue and manage public keys as trusted third parties, he said.
In the world of self-contained information networks, system users authenticate who they are by signing on with a password that identifies location, privileges and other essentials of secure electronic message exchange, Turner said. "In the Internet, there's no sign-on. So you have to have something analogous to it," he said.
The same businesses seeking to issue and hold public keys also are vying to be trusted third parties that certify who Internet users are, prompting their label as certificate authorities.
Similar in concept to a passport or a driver's license, a digital certificate issued by an authority vouches for people until an expiration date, when the certificate has to be updated and renewed, Turner said.
Though healthcare organi zations can get a quick start by using third parties, it's likely that large healthcare companies will become their own certificate authorities, Brown said.
Message authentication. In sensitive communications, especially those that depend on accurately conveying drug prescriptions or treatment orders, the recipient of the message has to be confident that the message wasn't altered.
An invention called a "check sum" or "message authentication code" strategi cally extracts a unique summary of the message, compresses it and provides a comparison with the actual message after it's received. If any bit is changed, Turner said, the check sum recognizes the change and exposes the corrupted file.
An Internet message can be tagged so the sender can't deny having sent it, and the recipient can't deny having received it.
The function allows especially sensitive communications such as prescription ordering to be traced to the source and verified as received. It substitutes for the audit trail common to many private information networks, which keeps track of all electronic traffic.
The Gartner Group report predicted that this security function won't be required in Internet systems unless physician or clinician orders are entered as part of the system.
Certificate authorities, security systems and high-powered computer servers all begin to add an as-yet-uncertain amount of overhead to what's supposed to be a free electronic medium of data exchange.Security firm TradeWave said it couldn't come up with firm estimates of the investment involved but claimed an Internet network could be set up for about 20% of the cost of a dedicated telecommunications network.
A study it conducted five years ago compared the expense of a fiber-optic telecommunication network with a comparable network that used fiber-optic access to the Internet, including the expenses of building security into the public routes, said Alexander Cavalli, vice president of strategic development for TradeWave. He said the comparison showed the Internet was cheaper by a 5-to-1 ratio.
The Internet security industry also offers a broad range of security levels, with cost tied to how rigorous the security is, Cavalli said.
For example, TradeWave's certificate authority charges an annual fee ranging from $5 to $100 per certificate. The cost depends on the level of security, which affects the amount of ongoing work it takes to keep certificates current and valid, he said. Those rates are negotiable depending on volume, he added
A healthcare organization's initial investment and ongoing management also must take into account the expert help needed to set up and manage a different kind of computer complexity.
Healthcare delivery networks already are wrestling with a number of projects involving sophisticated coordination of personal computers attached to powerful servers. A shortage of expertise in that area has fueled the use of outside companies specializing in the field (July 24, 1995, p. 60).
The introduction of Internet-based technology could put healthcare in a similar bind. "There's a small universe of expertise and a big learning curve for everyone," Turner said. That could lead to significant expenses for talent, which he said was a necessary investment in electronic commerce.
"If you don't start this investigation now, you'll be left in the dust by those that are doing it," he said.
CAMCARE's Young said the combination of encryption, software sentinels called ` `firewalls," and improvements in security processes can develop a secure environment on the Internet. But healthcare organizations, which have bought their computer technology in bits and pieces over the years, have to be assured that a security system can be created to account for the complexity, he said.
"Integrating those components and making sure there are no gaps is something that hasn't been done in the healthcare field," Young said.
The crowd gathers. Companies now coming into healthcare are betting the industry will follow in the footsteps of banks, which are embracing the Internet as a vehicle.
That acceptance came in stages as banks first contracted for services offered by third-party entrepreneurs and then mobilized to offer the customer services themselves.
Intuit Service Corp., a Menlo Park, Calif.-based maker of personal finance software, also got an early start in the home-based transaction business for bank customers, Turner said. Now that the Internet-based service is proven, banks are developing their own.
That beachhead strategy is being emulated by Palo Alto, Calif.-based Healtheon, an Internet pioneer that's signing up employers and payers for its contract service to enrollees of managed-care plans
The move to the Internet allows HMOs and other managed-care plans to offer enrollment and plan-information services to their members on line at lowe r costs than current phone and paper-based methods, while the availability of the services on the Internet helps the HMOs gain access to a wider market.
Turner said companies such as Healtheon can "jump-start" the HMO industry by providing a Web-based secure service organization. Then HMOs can move to their own dedicated local network to gain more control. He said Ernst & Young was in the final stages of helping some undisclosed HMOs do just that.
Other companies are targeting healthcare providers, offering everything from encryption and certification services to medical-record databases.
TradeWave, which made a mark in the defense-contractor and electric power industries, spun off a business unit in September to market Internet security in healthcare and seek business as a certificate authority.
The unit, called HealthWave, assembled an advisory board of notables in the healthcare field led by C. Everett Koop, M .D., former U.S. surgeon general and more recently a promoter of a national health information infrastructure, of which the Internet is a large component.
In another example of a start-up effort in healthcare, InterMax Solutions of San Mateo, Calif., is proceeding on the assumption that it's only a matter of time before the Internet and its connection-facilitating technology will be key tools in healthcare. Among its products is an Internet-based clinical rep ository.
The 6-month-old company also is targeting Fortune 1,000 companies as buyers of its technology, consulting and training services.
"People are going to be early adopters or late adopters, but they're going to have to adopt th is technology," said Scott Ernst, InterMax's director of business development.