NW_20001016_en_Government Computer News, October 16, 2000, "Medical Records To Go Global"

The Defense Department will turn to a software product to try to secure its medical records tighter than a surgeon’s sutures.

Vasco Data Security Inc. of Oakbrook Terrace, Ill., will use an array of its products to secure the Composite Health Care System II component of the Military Health System under a $7.3 million, six-year contract, company officials announced late last month.

The new component will let health care workers throughout the world access a patient’s medical data at any hospital or treatment center, said John Allen of Integic Corp. of Chantilly, Va. Integic is the main contractor on the project supplying the security infrastructure for the system.

The transition to Composite Health Care System II will occur in two phases. To begin, contractors will create electronic folders of the medical information that’s in a central database, and then they will create the infrastructure that will secure the data and protect it from corrupting.

Dependents and retirees

DOD expects the move to speed medical service to millions of active-duty personnel and retirees, and their dependents, throughout the world by rushing information through more than 60 various clinical information systems comprising the new health care component, said Jonathan Chinitz, Vasco vice president and general manager.

The system comprises Hewlett-Packard 9000 V-Class enterprise servers running HP-UX 11.0 and an Oracle 8i database, Allen said. The data warehouse will be maintained at Montgomery, Ala., where a backup unit will also be maintained. As each medical center converts its data to the electronic format, it will upload the information to the Montgomery database, he said.

Area military medical facilities will use local systems working as SnareWorks authentication servers to access the system as well, Allen said.

The new component is being tested at the Portsmouth Naval Hospital in Portsmouth, Va., Langley Air Force Base, Va., and Tripler Army Medical Center in Waikiki, Hawaii. The rollout will eventually encompass 104 facilities worldwide.

The component is a small part of a long-range plan to link health programs within DOD, the Veterans Affairs Department and the Bureau of Indian Affairs so that all users can access electronic folders for all patients.

The plan would not pose a security risk to DOD systems through VA and BIA, both of which have been slammed for poor computer security [GCN, Sept. 11, Page 1], because the electronic folders would remain within the DOD system, allowing only access granted under the security guidelines, Allen said.
The e-folders will be under the auspices of DOD until the soldier is discharged.

Users will access local authentication servers via Pentium PCs running Microsoft Windows NT. Checks with server

“If they are not recognized as a user at that site, then it will check with the enterprise network server in Montgomery,” Allen said. “It will see if it knows them uniquely across the enterprise. And it will say, ‘Well, that user is not local, but here are their global roles.’ And it will push down a record for that user to use on the local security server.”

After each user is authenticated, the computer will let him or her access records based on preset levels of authority.

To create the department’s secure infrastructure, Integic will integrate SnareWorks into DOD’s public-key infrastructure. The software lets designers establish security policies based on the access capabilities and controls in the application, Allen said.

Military hospitals will determine access based on a global set of standardized roles, he said. “A local security officer will have to authenticate them and assign their role in the system,” Allen said. Because facilities give their staffs varying degrees of access, local standards are allowed that do not affect a user’s international access, he said.

A secure enterprisewide Single Sign-On process will increase systemwide productivity, he said. Using digital signatures will protect data and link patient records to track anyone who accesses or modifies medical documents, Allen said.