ASP offers physicians secure data solutions

Other industries also ripe for encryption technology

Regulation is not always the enemy of small business – at least not if you are in the data encryption field as the privacy and security provisions of the Health Insurance Portability and Accessibility Act (HIPAA) come into force.
A fledgling application service provider – Mail My Doctor (MMD) – is gearing up to offer physicians a remote, secure server and applications to manage patient data. The privacy and security provisions of HIPAA will require physicians to take measurable steps to protect patient data from unauthorized eyes. MMD hopes to ride the wave of that regulation into clinics nationwide.
But health care is only one industry the firm hopes to penetrate. Regulation is driving demand for encryption of records in the banking industry. Eventually, MMD’s management sees the entire encryption field as its potential market.
Law and software
MMD CEO Matt Miszewski came from a background in law and software technology, combining experience with IBM with employment-oriented legal work as a partner at Podell, Ugent, Haney, Miszewski.
Miszewski took his name off the door of that firm in 2000 in order to start his own technology company – and wound up at the Milwaukee County Research Park in Wauwatosa. There he combined the resources of two firms – Topical Networks and MC Services, merging them into a new entity – Standfire Networks, LLC. It is this entity that began concentrating on developing a secure e-mail solution for physicians – as well as an application that provides stock updates through e-mail. The company created an application that allows for confidential, encrypted e-mail communications between physicians and patients – and can allow for confidential collaboration between physicians as encrypted x-rays and other data are transferred for consultation.
"Where we started was the e-mail space – for a particular reason," Miszewski said. "People are a lot more comfortable in that space than a lot of other spaces. But the HIPAA compliance space got an awful lot more room for other applications."
MMd has written the specifications for a medical records application as well as transaction code technology for use with insurance companies.
The company is currently in the development phase on these products.
The marketers of mMD say they are introducing their services to Wisconsin physicians and using that experience to create a model for the rest of the nation. But as Miszewski and his team of developers and salespeople roll out their applications statewide, they are finding the sense of urgency somewhat lacking.
"Some people think ‘Well, HIPAA compliance is a year away,’" Miszewski said. "They think there is time to work on it. But plans for compliance have to be in by the end of the year so they have to start working on it now."
While mMd has a captive sales force pounding the pavement to recruit physician groups, Miszewski said they are looking into other methods of distribution as well.
"New opportunities come up from day to day," Miszewski said. "We are negotiating with iPhysicianNet. – hoping to tap into their base of 7,000 clients to do a small test nationally before we go national."
The iPhysicianNet Web site focuses on video detailing – providing physicians with pharmaceutical data through live video conferencing with drug manufacturer representatives.
Once the national launch is underway, the group’s expenses will probably increase relatively little.
"Time Warner’s Network Operation Center is right upstairs," Miszewski said, indicating that additional bandwidth is readily available. "There are incremental costs. There are breaking points at 15,000 users where we have to invest in another server – and every 15,000 users after that."
Technical support costs should be minimal given the simplicity of the product’s features, Miszewski said. If significant demand for support is present, Miszewski said mMD would implement automated support systems, use systems that allow users to contact the support department on-line or use a tech support outsourcing service.
How secure
is secure?
Critics of Web-based technology for secure transactions claim that, in reality, nothing transmitted over the public Internet is secure.
"We take the word secure very seriously," Miszewski said. "When I started at IBM, security was a brand-new field when it came to computers. From end to end, we secure the stream of data such that if a hacker were to get physical access to our offices and take the hard drive, it would take at least 100 years for them to crack the code. We use 448-bit encryption to store everything."
But even Miszewski admits that no system is invulnerable.
"I am a believer in the fact that without extreme restrictions that make usability nonexistent – if there is a dedicated hacker who wants to know if you have pneumonia and who has unlimited resources – there is not a solution out there that will solve that problem," Miszewski said.
Industry insiders said a system like mMd’s would be most vulnerable to non-technical and some very high-tech methods.
"You might not be able to break the code, but you can always human-engineer the situation," Nick Laird of Onlight LLC said. Laird is the director of marketing for the Milwaukee-based ISP, and is also president of the Information Systems Security Association (ISSA) Milwaukee Chapter.
"A system like mMC could most easily be broken by having someone sleep with one of the guys who has access to the data," Laird said. "That is what the intelligence community has always been about."
Miszewski stressed that the algorhithm used by mMD was written by the highly-respected Bruce Schneier, author of the book Applied Cryptography.
But security is only as good as the weakest link in the data chain. As an added-value service, mMD offers to work with physicians to ensure that access to data is properly regulated in the clinic offices.
Two ways to assure access to data is regulated on the physician’s end are proper password generation and use of leading-edge hardware to assure the person accessing the system is who they say they are.
"We had a long discussion as to whether we would truly randomly generate passwords," Miszewski said. "Complex, hard-to-remember passwords are very unpopular with users. But if you let users pick their own password, 10% of them will choose the word PASSWORD. There is an incredible amount of predictability in self-chosen passwords. Any word in a dictionary is vulnerable to a brute force dictionary attack."
Brute force dictionary attacks involve use of an automated application to run literally every word in the English language through a password field. Only by choosing alphanumeric combinations that are not in the dictionary can this cracking method be defeated.
Use of appropriate hardware on the physician’s end will be crucial as well.
"One of the keys is going to be this wireless revolution that is going on," Miszewski said, referring to the use of wireless networks. "I have a wireless connection so I can have my laptop at home. But doing that in a physician’s office might be a bad idea. Someone who has an interest would certainly be able to sit outside a doctor’s office in Washington, D.C., to find out what the condition of the president is, for instance."
Avoiding insecure technology is one step mMD will recommend – but it will also steer physicians toward proactively secure hardware as well, specifically thumbprint-sensing computer mice.
Other industries
Miszewski’s crew has designs beyond medical security. Standfire Networks’ Topical Networks subsidiary already operates iontunes.com, a licensed music streaming and download service.
"We don’t distribute music unless we have a license," Miszewski said. "That is where we get our encryption background."
Another massive opportunity is presented by the privacy requirements placed on financial institutions by the Gramm-Leach-Bliley Act.
The legislation, which was signed into law in 1999, was primarily designed to allow banks to get involved in diverse financial services including insurances and securities. But Title Five of the act contains detailed requirements for protection of nonpublic personal information.
Gramm-Leach Bliley will open markets for encryption technology including: