The Edmonton Journal
Monday, June 1, 1998

Privacy issues being ironed out for health computer net


By Jen Ross
Critics argued a person's private medical records shouldn't be accessible to everyone from doctors to insurance companies to government bureaucrats.
"Everyone assumes that computerized systems are less secure," says Gordon Lucas, part of the Alberta we//net team. "But you'd actually have a higher measure of security than you would with papers lying around an office."
We//net planners are also looking at using a private network rather than a public one like the Internet to make sure health records are more secure.

If you were waiting for the results of an HIV test, the last thing you'd want to know is that someone else is reading those results over the Internet.

But with hackers more active than ever, it's a legitimate worry posed by the new Alberta "we//net" -- a provincewide computer network that will give doctors, hospitals and government planners access to a database of personal health information.

A controversial draft of the new Health Information Protection Act -- which sets out the privacy rules under which the we//net would operate --ignited fierce opposition when it was introduced in the legislature.

Critics argued a person's private medical records shouldn't be accessible to everyone from doctors to insurance companies to government bureaucrats. Others said they fear the network will be easy prey to hackers and other computer bandits.

To quell such privacy fears over the multi-million-dollar network, the province is hammering out new legislation to govern who'll have access to personal health records and new technology to make sure it's seen by their eyes only.

"Everyone assumes that computerized systems are less secure," says Gordon Lucas, part of the Alberta we//net team. "But you'd actually have a higher measure of security than you would with papers lying around an office."

On the technological side, a team of computer security experts from Alberta Health, Ernst & Young and IBM are looking into tools like digital signatures and encryption to protect records on the we//net from hackers.

They work like this. Assume your doctor has asked for the lab results of your HIV test, results many doctors routinely receive by e-mail.

Since computer bandits can intercept and read e-mail, lab technicians need to make sure the results are confidential. Since someone can presumably break into a doctor's e-mail system and send a fake request for such results, the lab needs to know it's actually the doctor sending the e-mail And since someone could alter the results in the reply, both doctors and lab technicians need to know the information they read hasn't been tampered with.

To protect this information, the technician would use a special password that would put a digital signature, which is like a personalized fingerprint, on their e-mail or other electronic record. If any part of the e-mail changes, the receiver will get a message warning of the intrusion.

There's also encryption, by which the technician would send data locked with a cyber key that only the doctor could unlock with a specialized key password. If anyone else tries to open it, the message will get scrambled.

Carrie Bendza, spokesperson for Entrust Technologies Inc., a company that develops the encryption software being considered for the we//net, says the technology has been around since 1994 and claims no one has managed to crack the system yet.

"You'd need 25 or 30 systems going for weeks or months to get to a secured e-mail," says Bendza.

We//net planners are also looking at using a private network rather than a public one like the Internet to make sure health records are more secure.

As for the we//net rules, a provincial steering committee is now hammering out the nuts and bolts of what patient information can be shared, with whom and how.

Alberta Health spokesperson Garth Norris says the committee may decide, for instance, that a patient's sexual history can only be shared with a family doctor and hospital staff or that it can only be put on a network if the patient's name is anonymous.

A steering committee chaired by Ron Stevens, the Conservative MLA for Calgary-Glenmore, has held about five public consultations and members are consulting industry, doctors and health authorities.

They're putting together recommendations which they hope to have ready for Health Minister Halvar Jonson by the end of June. He'll be able to add the recommendations to a new bill to be introduced in the legislature this fall.

The we//net could be on-line next spring, although some privacy issues may still need to be worked out.

WHY A 'WE//NET'?

* To give medical professionals quicker access to health records that could be crucial in a medical emergency;

* To help government bureaucrats predict the needs of an aging population and plan hospitals and other health programs;

* To prevent abuses like double prescribing by revealing if a patient has already bought drugs at another pharmacy.