News | May 8, 2000

Can Healthcare Facilities Conduct E-Commerce on the Internet Safely?

By Robert Neil

A recent wave of hacker attacks on prominent Internet sites has raised questions about cyber operations' abilities to protect themselves and their customers from disruptions in services—as well as more serious assaults. The issue, which computer experts point out isn't a new one, has been thrust into the national spotlight as a result of a three-day denial-of-service (DOS) attack beginning on Valentine's Day.

A group described as "malicious computer geeks" began the week by overloading Yahoo.com with more requests than the site could handle, thus making it inaccessible to legitimate users for about three hours. The next day, cyber-vandals launched a similar hit against Buy.com, and DOS attacks ensued against eBay, CNN.com, and Amazon.com, continuing Wednesday against ZDNet.com, Excite, and E*Trade. Although Attorney General Janet Reno has vowed to track down the hackers, the FBI has admitted that—although not announced at the time—it, too, was a victim of a cyber assault that week.

None of the random strikes was aimed at the healthcare industry's young e-commerce companies, but they're not immune to such problems. Real Web security will remain an elusive goal as technology allows both users and hackers to improve their methods, and experts agree some Internet sites are more vulnerable to DOS and other types of attacks, because companies don't spend enough time and resources on security issues.

The enthusiasm to incorporate the Internet and e-commerce into healthcare has masked some of the less-touted truths about Web security—specifically, that no site is ever 100% safe. It's not just the well-publicized DOS attacks that have computer experts concerned, but also companies that have moved so quickly to get on the Web that they may not be taking the proper time and money to install reliable security systems.

Although only an estimated 5% of healthcare supply purchases currently are conducted over the Net, that figure is predicted to rise by 10% to 30% in the next five years. Providers and suppliers teaming with Internet operations—whether they're dot-coms or ventures incorporated by group purchasing organizations, distributors, or others—should be careful to review security issues in their discussions with potential cyber partners.

"Planning for Internet security is not much different from planning for physical security," said Maher Hakim, chief technology officer at Neoforma Inc. (Santa Clara, CA), one of healthcare's leading e-commerce companies. "Thieves are out there all the time, (and) you cannot stop that, so live in a safe neighborhood and do your best to protect your home with security devices—door locks, security systems, etc.

"Similarly, when you are planning to run pieces of your business operations on the Internet—let's say you are leveraging a B2B (business-to-business) exchange—two things you have to think about (are) site security and application security. Check to see where the B2B exchange is hosted and what site security features the hosting service is providing. Also, ask about application security, what technologies are being deployed at the exchange to ensure that the application that is running your business operations is secure and reliable."

As simple as it may sound, asking the right questions is key to finding out if an Internet company has taken all precautions available; however, LaShawn McGhee, an experienced systems architect, noted that a computer expert should be the one asking the questions. Like every industry, the computer realm has its own language and characteristics, and a hospital or manufacturer should have someone as experienced as the professionals employed by the dot-com companies.

McGhee said DOS attacks have been going on for years, and any reliable operation will be aware of that. An Internet-based company should have staff that tracks hacker Web sites to keep up with the latest plots and viruses, or at the very least should have contracts with firms that specialize in these areas. According to McGhee, hackers are well organized with news groups, newsletters, and downloadable kits, used for serious or innocuous mischief making. An Internet company and its users must be just as organized, but according to a GPO executive, keeping up with technology is only part of the solution.

"As problems like (DOS attacks) arise, the infrastructure companies—server, router, firewall, and network software companies—will rise to the occasion to provide solutions to minimize the risk of these problems recurring as they have in the past," said David Mawhinney, president of Premier Health Exchange, the e-commerce operation launched by Premier Inc. (San Diego) and recently merged with Medibuy.com Inc. (San Diego).

"However, we know from experience that the better the safeguards become, the more of a challenge it will be to the best hackers," Mawhinney said. "Serious e-commerce companies will develop contingency plans that will include having multiple redundant and 'hot-swap back-up' sites to minimize risk, as much as possible, to all sites being simultaneously attacked and brought down."

DOS attacks are not the only concern Internet users face: viruses, security breaches, and worms like the one proliferating through e-mail systems last week are other common—and potentially more serious—problems. McGhee said that's why hospitals, suppliers, or any company using the Internet should have someone on staff to take charge of security issues; additionally, employees should be trained on the ramifications of sharing passwords or access codes. As high-tech as hackers are, sometimes the first step to entering a system illegally is obtaining a password that was carelessly shared, or one that's easily guessed.

Despite the best of precautions, McGhee said no system will ever be completely safe from attacks, which means users will need back-up plans. Gene Byerly, vice president of healthcare information services at Health Services Corporation of America (HSCA; Cape Girardeau, MO), agreed and said hospitals should have contingency plans for e-commerce, just as they do for other vital functions of their operations.

"It would be similar to implementing a paperless MMIS (Materials Management Information System)," Byerly said, "and having the system go down. Goods coming in the door would still need to be delivered to the appropriate department, and purchase orders would still need to be defined and placed with the vendors. In (the case of an e-commerce system that went down), the backup system may be an EDI system coupled with faxing and telephoning orders. The back-up plan, hopefully, would only be in place for a day or two. Contract information from HSCA remains available on CD-ROM."

Byerly indicated that if a company has critically sensitive information on a Web site, such as pricing, financial account numbers, etc., then officials should take on the responsibility for the highest possible level of security. He also pointed out that most secured sites and e-commerce systems incorporate sophisticated firewalls, dual-key encryption, multi-layered security, and applications designed with security as an up-front priority.

"The Internet was not originally designed to be secure, so building in security becomes a challenging priority," he said. "(The) bottom line (is) do all that you can within reason, seriously discuss and consider the content that you post and have a backup plan."

Robert Neil is a healthcare purchasing analyst for Medical Data International Inc. Neil is a frequent contributor to Hospital Network.com.

This article was excerpted with permission of Medical Data International Inc. Copyright 2000 Medical Data International Inc. All rights reserved. Reprints may be obtained by permission. Contact an MDI account representative at 800-826-5759. This article contains all original material developed, researched, and written by Medical Industry Today staff for exclusive publication by Medical Data International. To reach MDI online, visit the company's Web site at www.medicaldata.com.

Edited by Rick Dana Barlow

Source: Hospital Network.com, sister website to Medical Design Online.