NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Standards and Security

October 26-27, 2000

Washington, D.C.

- Minutes -


The Subcommittee on Standards and Security of the National Committee on Vital and Health Statistics held hearings on October 26-27, 2000, at the Hubert H. Humphrey Building in Washington, D.C.

Subcommittee members

Absent:

Staff and liaisons:

Others:


ACTIONS

  1. The SDOs will be advised as soon as possible, by phone and in writing, of the need for implementation guides and of the January hearing seeking their advice and guidance.
  2. Dr. Zubeldia and Dr. Frawley will prepare a list of documents that the committee members need to read.
  3. Mr. Guida offered to submit copies of the Bridge Certificate of Policy, a separate FBCA report, and the FIPS 140-2 and 186.
  4. Ms. Trudel and Ms. Bebee will review HHS’s October report to OMB.
  5. Discussions will be held with SSOs regarding formulating standards and policies.
  6. At some point, a letter will be drafted advising the Secretary of the subcommittee’s recommendations.

EXECUTIVE SUMMARY

The Subcommittee on Standards and Security held two days of hearings on October 26-27, 2000 in an ongoing process focused on HIPAA administrative simplification and electronic signature. During the two days, the Subcommittee heard 19 presentations and talked with four panels representing business and government to learn about the issue of electronic versus digital signature, the need in health care, standards activities and existing projects.

PANEL 1: Electronic Signatures versus Digital Signatures

Mr. Barnett defined electronic and digital signatures. Electronic signatures are easy to implement and require little overhead. Digital signatures are technologically neutral, provide reliable assurance a document has not been altered, and verified non-repudiable identity. They also require a supporting infrastructure.

Public key infrastructure (PKI) secures the communication and helps provide the digital certificate, but does not confirm identity, Mr. Beatson explained. Health care transactions require: personal identity verification at the network access control level; secure communication; and personal accountability and document authentication when documents are signed. The electronic signature e-sign bill declares the validity of electronic signatures into state and international commerce, embraces all technologies, prevents anyone denying the legal effect of certain signed electronic documents and transactions, and clarifies broad circumstances in which the electronic record satisfies any statute or regulation that mandates a written record.

Ms. Gugel said digital signatures used in a public key infrastructure conveyed checks and balances and measures of trust not inherent in a system that did not employ PKI. Which signature to use in health care depends upon the type of data that needs to be protected and the level of protection desired. Digital signatures are required for strong identification and authentication with a trusted third party standing behind them. Electronic signatures, such as a digitized handwritten signature, are useful when people want to see a signature for approval or employ a system for approving documents or adding counter signatures. Multiple technologies sometimes need to be combined to provide the best solution.

Michael Laure emphasized that both electronic and digital signatures are necessary; each provides a part of the solution. Electronic signatures automate the process for the capture of a signature's intent, and maintain authentication of the signed document. Digital signatures, and associated technologies such as PKI, secure the integrity of the data and authenticate the person involved in the signing. Digital certificates are good, he advised, but in many cases could be cumbersome. He noted that there are other ways to put PKI technology, digital signature technology, and digital certificates together that do not necessarily result in a certificate authority. He emphasized that specifying a specific technology, kind of product or implementation in a regulation can add unnecessary burden and limitations as better ways are found to put these building blocks together.

Health care often requires co-signatures, and a signature system that can specify to this requirement, Mr. Waegeman noted. And health care necessitates a specific document structure that is clear about amendments. Encryption and sealing are especially important in health care. The ASTM standard allows for electronic signature if there is an authority within an organization.

PANEL 2: Business Case for Electronic or Digital Signature

Ms. Narcisi noted the role of effective and affordable user authentication in providing the foundation for high-level privacy and confidentiality essential to the growth of online health care services. She said the authentication in the electronic signature process must be simple, quick, reliable, and flexible enough to authenticate users across a complex network of health care Web sites.

Dr. Neuman said she could not over-emphasize the importance of standards in the health care industry. Standards enabled the pharmacy industry to become so well automated and efficient. Approximately 95% of the 2.83 billion prescriptions filled annually are sent electronically between pharmacies and payers or processors. She noted the impact of the Omnibus Reconciliation Act of 1990 (OBRA 90) when outpatient automated drug use review was mandated for all new and refill prescriptions with changes for Medicaid patients. Every state board of pharmacy subsequently required pharmacists to provide similar surveillance for all prescriptions. Neuman said standards for physician-to-pharmacy transactions could be a boon, both to patient care and the economics of health care.

The vision of the creation of a computer-based patient records system cannot be recognized without a security infrastructure that, Mr. Waegeman said, is best expressed by PKI. He stated the need for a clear resolution that PKI is the only way to create confidentiality, to create security, to save money and to implement the vision of electronic health records. This can only be done, he said, by having the current standards as its basis. The standards of ASTM, recognized internationally, are particularly for health care. Mr. Waegeman recommended including the electronic and digital signatures in the NPRM, and that NCVHS and HHS take a leadership role in promoting PKI and its implementation in health care.

Mr. Wright said he was humbled by such a wide range of transactions and would be loath to write stringent regulations, standards or guidelines in light of the diversity and change taking place within the signature technology field. He said he would be very cautious about writing a standard that set in any solid way what technology needs to be used or what business model needs to be adopted. He recommended the subcommittee think less about setting standards and more about education, providing leadership so people can learn the technologies, see pilot projects play out, and understand the ramifications.

PANEL 3: Government and Electronic Signatures

For years DEA had been asked to use electronic prescription. With PKI technology, Ms. Good said, DEA saw a way to address concerns about authentication of parties transmitting prescriptions. PKI is a way to guarantee message integrity, prevent forgeries and alterations of prescriptions in transit and for the pharmacist's liability in verifying the registration status of the prescriber to be taken off the hook.

Mr. Bruck explained that the concept behind the DEA root certification authority satisfies three key requirements: trust in operability, ensuring performance and availability, and the regulatory aspect. The framework is designed so that DEA acts as a facilitator for trust between certification authorities and those responsible for issuing certificates, enrolling doctors and publishing CRL information. In 1990, the pharmaceutical industry asked FDA to accept electronic records and signatures. Rule 21 CFR Part 11 covers all FDA regulated industries, which account for about 25 percent of the GNP.

Mr. Crumpler said the FDA is looking for systems that are trustworthy, reliable, and compatible with their mission to promote and protect the public health. He emphasized the need for more than just a technological solution. Administrative and procedural controls are also necessary.

Ms. Lovorn said she immediately saw PKI’s applicability to health care when introduced to it eight years ago; many things going on in health care need the kind of attributes digital signatures and PKI provide. She discussed attributes necessary for electronic processing of health care information with a signature: (1) non-repudiation; (2) integrity of the information; (3) secure user authentication; (4) interoperability; (5) independent verifiability; (6) the ability to counter signature across documents; (7) multiple signatures across a document or piece of information; (8) an ability to have signature attributes, e.g., a date/time stamp or location.

Mr. Wright gave a brief overview of some of the uses of electronic and digital signatures for legal government transactions and described the breadth of approaches being tried around the world. Police officers and judges, taxpayers, home buyers, and corporate officers are using electronic transmissions in government interactions.

Dr. Schadow emphasized four points: (1) one must understand the digital signature and PKI system in order to make reasonable judgments about the realities of all this technology; (2) trust does not scale very well; (3) authority cannot be outsourced; (4) because the issues of public key infrastructure are so difficult to manage, conventional and local trust structures should be reused where they exist. Dr. Schadow noted that the industry was trying to integrate PKI into the existing management system, making as few changes as possible.

PANEL 4: Report on Existing Projects

Mr. Guida presented what the federal government is doing in terms of interoperability and public key technology. GPEA states federal agencies will accept electronically signed documents by October 2003. The statute is technology neutral; implementing guidelines recognize a range of ways to make signatures. Digital certificates or a PKI allow for reliance on fewer credentials useful across a variety of applications, so long as there is a way to interoperate PKIs. The Federal Bridge Certification Authority (FBCA) provides a way. Disparate PKI domains gain topological connectivity through the Bridge.

Mr. Anderson discussed the HealthKey five-state project that takes a market-driven, community-based approach to developing health information infrastructure and, in particular, public key encryption infrastructure. All their projects are driven from a clinical need to do something that they can apply the technology to solve. A major quest has been to determine if PKI is a valid infrastructure for the health industry; an ancillary mission has been to establish if FBCA is an answer to the interoperability issue of PKI in health care.

Mr. Lynch presented a physician-patient scenario that looked beyond the role of digital signatures to view the entirety of authentication, identification and encryption as the business case. Chain of trust interoperability across health care communities, he noted, is a prime requirement. He emphasized the importance in health care of: 24 by 7 by 365 reliability and availability, a trusted root, signature authority bound to roles and identity, and non-repudiation.

Dr. Neuman introduced iScribe as a company with a mission to provide acceptable technology to physicians that reduces medication errors, improves patient care, and helps eliminate administrative hassles that are inherent within the paper-based prescription process. Noting that health care providers are not technophobic, but resist being forced to change the pattern of their daily practice, Dr. Neuman discussed how iScribe strives to fit technology to the doctor's work flow.

Discussion - Subcommittee

Considering next steps, Dr. Cohn summarized what the subcommittee had discussed and learned. Implementation guides were needed that the industry could adopt to provide interoperability; one was a guide on how to do signatures for the transactions. In January they wanted to talk with the SDOs and ANSI/HISB, enlisting their advice and guidance in what the groups have developed, are using, and recommend. Dr. Cohn also sensed this was probably the time to hear from the designated standards maintenance organizations about changes and updates to the standards, as well as any new standards that needed to be brought forward. Some time will be needed to deal with issues on standards of PMRI, namely, the refining of criteria, and prioritization. And they needed to loop back and hear from industry again. Other sessions will be held mid-March, probably mid-to-late April, and mid-to-late May. One will be primarily devoted to PMRI next steps. Enforcement and compliance is ready for discussion, and will probably be another issue. Code sets and a variety of other things would be another discussion. Tracking implementation is insinuated through all of this. The executive committee meeting will be at the Hubert Humphrey Building on November 27th. The full committee meetings are November 28th and 29th.


DETAILED HEARING SUMMARY

Day 1: October 26, 2000

PANEL 1: Discussion of Electronic Signatures versus Digital Signatures

Dave Barnett, Kaiser Permanente

Mr. Barnett, a security architect with Kaiser, observed there are hundreds of definitions for electronic and digital signatures. He defined the electronic signature as any method that logically or physically associates electronic representation of someone’s identity with the content of an electronic document or record. The definition also implies acknowledged authorship or agreement. The American Bar Association states that there has to be a conscious effort to sign a document. Intentional acknowledgement is implicit. Typing your name on an e-mail message or electronic document is a signature; e-mail programs that automatically sign documents take away intent. These electronic signatures have low assurance: anyone can alter, erase or forge them.

The phrase digital signature is usually reserved for high assurance electronic signatures that override vulnerability and bear the force and effect of a manual or written signature. In common usage, they are mutually exclusive. Digital signatures have two essential technical characteristics: they cannot be forged or altered without detection, and if the signed document’s content changes or is altered, the signature is invalidated. They also have two procedural characteristics: the owner has sole control over his signature, and affixing the digital signature is a deliberate act that serves to approve and consummate the transaction. These characteristics are procedural, not technical. Digital signatures provide reliable assurance that the document has not been altered. They also provide signer authentication: verified non-repudiable identity. Mr. Barnett said digital signatures, as he defined them, comply with electronic signatures described in HIPAA NPRM. They satisfy legal and time-tested characteristics of written signatures.

The ABA’s digital signature guidelines point out that signing a document calls for the signer's attention to the legal significance of the act. While a mouse click can affix an ordinary electronic signature, Mr. Barnett recommended something more affirmative--two mouse clicks being a minimum--to affirm, "I mean this."

Noting that often the term public key cryptography is included in the definition, he recommended decoupling how a digital signature is defined in terms of its requirements from the ways in which it is implemented. Most people tend to assume public key cryptography implies a particular technology, in particular, PKI. But digital signatures, in themselves, are technologically neutral. Three mature and widely accepted approaches for digital signatures (discrete logarithm, integer factorization, and elliptic curve) are formalized as algorithms. These general frameworks can be implemented on any platform, in code, a product, any language, and in a variety of ways. None involves a proprietary vendor. Mr. Barnett said publishing the algorithms and specifying which methods are acceptable would be an important part of the definition.

Electronic signatures are easy to implement and require little computational or organizational overhead. Digital signatures require complex mathematics, tend to have high overhead computationally and need a supporting infrastructure. The choice depends on organizational and regulatory needs, weighing the cost of implementation against the needed function, and the need for reliance and trust. In many cases, an audit trail, an electronic identifier or a low assurance electronic signature is appropriate. Wherever it is critical to trust in the authentication of the signature and the content of the document, the digital signature can be an appropriate solution.

For digital signatures, Kaiser follows the NIST FIPS publication 186-2, which is the digital signature standard, and FIPS 180-1, which is a hashing algorithm used in conjunction with a digital signature. Most products also follow FIPS 140-1 validation. They also use the American Bar Association digital signature guidelines. Permanente also uses IEEE 1363-2000 for public key cryptography; technologically neutral, it doesn't limit us to any particular technology, which as we know changes quickly. Generally accepted practices of an audit record (who did what, when, where) apply to electronic signatures. Several ANSI standards come from the financial industry. ANSI X9.31 is a digital signature using reversible public key cryptography for the financial services industry. ANSI X9.30.1-1997 is another public key cryptography for digital signatures, as is ANSI X9.62-198. The RSA algorithm (X9.31) is considered the de facto standard for digital and encryption signatures. The DSA, digital signature algorithm used in X9.30 was designed as a signature-only algorithm and not for encryption. Slower than the RSA, it is a fairly equivalent alternative and can be implemented on comparable hardware or software. A newcomer, ANSI 9.62, is based on the elliptic curve that is popular because it uses a smaller key and is compatible for mobile devices: PDAs, wireless devices, and Palm Pilots.

The e-sign act, which is aligned with what Kaiser used as a key strategy for providing high quality and affordable health care, paves the way for full utilization of electronic patient records. Mr. Barnett expressed concern that e-sign is not rigorous enough in defining and specifying high assurance signatures. If approaches are not specified, security is weakened. He said this is why Kaiser believes digital signatures are a more appropriate solution than a normal electronic identifier, and recommended specifications about digital signatures and their use in electronic health care.

Kaiser has actively promoted standards that permit secure electronic interoperability. Interoperability and security are vital to controlling costs and providing quality care in the e-commerce world. Digital signatures are an important part of this activity. Kaiser and the California Medical Association are working to identify and resolve interoperability and security issues. The CMA is explicit that digital signatures are required. The non-repudiation, authentication, and integrity services provided by digital signatures are needed in order to trust e-health activities.
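An added illustration, not part of the hearing record or of any panelist's material: a Go example contrasting a typed-name electronic signature with a digital signature over the same record, including a signed date/time attribute and a countersignature. The record format, names and sample prescription are assumptions constructed for the example, and it uses ECDSA P-256 with SHA-256 from the Go standard library rather than the FIPS 186-2 and FIPS 180-1 pairing named in the testimony.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Signature is a hypothetical record format (not taken from any standard cited
// in the minutes): signer name, a signed date/time attribute, and the ECDSA value.
type Signature struct {
	Signer   string
	UnixTime int64
	Value    []byte // ASN.1 DER-encoded ECDSA signature
}

// NewKey generates a P-256 key pair; the private half stays with its owner.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// digest hashes the document, the signed attributes and every earlier
// signature value, so a countersignature also covers what it countersigns.
func digest(doc []byte, signer string, ts int64, prior []Signature) []byte {
	h := sha256.New()
	field := func(b []byte) {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(b)))
		h.Write(n[:]) // length prefix keeps field boundaries unambiguous
		h.Write(b)
	}
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(ts))
	field(doc)
	field([]byte(signer))
	field(t[:])
	for _, p := range prior {
		field(p.Value)
	}
	return h.Sum(nil)
}

// Sign produces a signature over the document and its signed attributes.
func Sign(key *ecdsa.PrivateKey, doc []byte, signer string, ts int64, prior []Signature) Signature {
	v, err := ecdsa.SignASN1(rand.Reader, key, digest(doc, signer, ts, prior))
	if err != nil {
		panic(err)
	}
	return Signature{Signer: signer, UnixTime: ts, Value: v}
}

// Verify recomputes the digest from what the verifier actually received.
func Verify(pub *ecdsa.PublicKey, doc []byte, s Signature, prior []Signature) bool {
	return ecdsa.VerifyASN1(pub, digest(doc, s.Signer, s.UnixTime, prior), s.Value)
}

// TypedNameAccepts models the low-assurance electronic signature: a name typed
// at the end of the text. Nothing ties the name to the content above it.
func TypedNameAccepts(doc []byte, name string) bool {
	return bytes.HasSuffix(doc, []byte("\n/s/ "+name))
}

// Constructed sample records: the second has its dose changed after signing.
var (
	Original = []byte("Rx: amoxicillin 500 mg, 21 capsules\n/s/ Dr. A. Example")
	Altered  = []byte("Rx: amoxicillin 5000 mg, 21 capsules\n/s/ Dr. A. Example")
)

func main() {
	physician, pharmacist := NewKey(), NewKey()
	first := Sign(physician, Original, "Dr. A. Example", 972561600, nil)
	counter := Sign(pharmacist, Original, "B. Sample, RPh", 972565200, []Signature{first})

	fmt.Println("typed name accepted on altered text:",
		TypedNameAccepts(Altered, "Dr. A. Example"))
	fmt.Println("digital signature on original text: ",
		Verify(&physician.PublicKey, Original, first, nil))
	fmt.Println("digital signature on altered text:  ",
		Verify(&physician.PublicKey, Altered, first, nil))
	fmt.Println("countersignature over first signer: ",
		Verify(&pharmacist.PublicKey, Original, counter, []Signature{first}))
}
```

Verification here needs only the signer's public key; binding that key to a named person is the registration and certificate question the panelists go on to discuss.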

Ron Beatson, Cybersign

Mr. Beatson explained that the traditional electronic signature has three separate functions. It captures the signature and samples X-Y positions rapidly over time, providing a set of data and, sometimes, pressure coordinates associated with that signature. In certain applications, that data can be compared against a reference template held on a smart card. Having captured and possibly verified that signature, it can be attached to a document and bound by calculating an algorithmic-based code, which takes into account all the data and attaches that code to the document. Any change in the document will be detectable--the codes will not correspond.

Public key infrastructure relies on a public key and a private key associated with each installation or each individual or organization. Anyone issuing a document encrypts with his sender's private key, and the recipient’s public key, known to everybody. This generates a digital certificate associated with this process, issued by a trusted third party. The encrypted data is communicated securely to the recipient who decrypts it with her own private key, then the sender's public key. Sensible decryption implies that the document originated from some source that holds that sender's private key. An electronic signature identifies you, and you provide irrefutable accountability for documents you sign using the process. The PKI secures the communication and helps provide the digital certificate--but does not confirm identity.

The electronic signature e-sign bill broadens the scope of electronic signatures. It declares the validity of electronic signatures into state and international commerce. It embraces all technologies. And it prevents anyone denying the legal effect of certain signed electronic documents and transactions. It also clarifies broad circumstances in which the electronic record satisfies any statute or regulation that mandates a written record. It requires inquiries into domestic and foreign impediments to electronic signature products and services. And it provides a broader definition of electronic signatures that incorporates the digital signature, depending on how it is implemented.

Security addressing risk linked with electronic signatures can be based on a password PIN, any biometric method tying the transaction to the individual, or a password-protected digital signature.

Technologies for health care transactions need: personal identity verification at the network access control level; personal accountability and document authentication at the point where those documents are signed; and secure communication thereafter.

Electronic signatures of the typical type can be attached in the context of the Internet. The digital signature infrastructure can then be used to certify that document originated from a specific source. Mr. Beatson said the trust associated with that transaction will be accepted worldwide.

Ann Gugel, Baltimore Corporation

Ms. Gugel agreed with Mr. Barnett's definitions but said digital signatures used in a public key infrastructure conveyed checks and balances (certificate authority and registration authority) and measures of trust (third party) not inherent in a system that did not employ PKI.

She noted that you can separate your certificate into two: one for identification and one for encryption. For security reasons, she recommended having encryption in your system.

Which signature to use in health care depends upon the type of data that needs to be protected and the level of protection desired. Digital signatures are required for strong identification and authentication with a trusted third party standing behind them. Electronic signatures, such as a digitized handwritten signature, are useful when people want to see a signature for approval or employ a system for approving documents or adding counter signatures. Multiple technologies sometimes need to be combined to provide the best solution.

Standards Baltimore has developed include the ISO standard for digital certificates. X.509 is the standard for the digital certificate in a public key infrastructure. Baltimore also adheres to IEEE 1363-2000. For encryption, their systems provide DES or triple DES as well as RSA algorithm and elliptic curve technology or the newest algorithm approved by NIST, the advanced encryption standard. Users choose their algorithm. Baltimore provides the capabilities; users decide the technology to use. Baltimore also adheres to standards that are not open, but are default industry standards, since they are widely used with some major vendors’ products. PKCS and PK standards are widely used by other PKI vendors for digital signatures in a PKI. Standards-based products provide increased interoperability among vendors, and scalability can be enhanced. They also boost users’ flexibility, since they are not tied in to any one vendor or product.

Limitations or weaknesses of guidelines and standards stem from how they are implemented. Poor implementation can happen with anything, and this is not plug and play technology. Public key infrastructure is a combination of software, hardware, people, policies and the implementation architecture; it highly relies on the rest of the security of the system--including network security, audits, and risk assessments--to make sure all holes are plugged in the system.

These signatures conform to the ASTM standards for health care. They conform to the NIST 186-2. Users have the option of using DES or triple DES. And they comply with the requirements of the HIPAA security NPRM. Ms. Gugel emphasized that no single vendor provides all the capabilities required in the security electronic signature NPRM. One may provide technology solutions, but not the training and awareness needed for that specific organization. She does not know of any vendor that provides all the risk assessment services in combination with robust auditing. Auditing of everything is a requirement.

E-sign act brings a level of legal validity to the transactions. There are a few cases specified in the e-signature act where e-signatures cannot be used, leaving all other cases available and open for the use of electronic signatures that will hold up in court.

The Global and National Commerce Act is very broad in its definition of what is an electronic signature. Remarking on this weakness, Ms. Gugel cautioned there was room for lawsuits. She said she did not see any technologies stronger than a PKI system for scalability and global interoperability among multiple vendors, outside of a private network, that could provide all of the checkmarks she would like to stand up in the court of law. She emphasized the importance of partners. Time stamping can be important if you defend a legal signature. In a PKI, an online certificate status protocol can provide instant validation. A third component, a hardware-signing module, provides the highest assurance possible.

Signatures can apply to whole documents, parts of documents, binary files and EDI files. A lot of the EDI vendors lean toward XMLs as the EDI of choice. There is an electronic signature for XML signing, so it is possible to sign parts of an XML form. It is possible to apply multiple signatures and counter signatures to the same document with an additional component.

Ms. Gugel noted two digital signature solutions in other industries that could be used for health care: the Identrus model being used in the financial community, and the Federal CA technology that is being used in the government.

Baltimore’s system runs on NTs, NT 4 or 2000, HPS and Celeste systems, most of the larger implementations of operating systems. Baltimore is a global company and a lot of their implementations are in Europe, Asia and the U.S. The Australia Health Insurance Commission and the Australian Tax Office are two of their larger customers. Baltimore is being used as the root certificate authority technology for the Identrus program.

Michael Laure, Silanis Technology

Michael Laure is co-founder of Silanis, which has developed electronic signature technology for nearly a decade, putting electronic signature applications into government, pharmaceutical, health insurance, and financial industries. Their electronic approval management application is based on secure electronic signatures and approval process automation. It uses hybrid electronic signatures that combine digitized handwritten signatures with digital signature technology, enabling scaling into the various technologies and standards and providing security to these processes.

Most of Silanis’s customers use captured signatures, an encrypted file containing imaging information about themselves, and security technology to ensure authentication. The biggest problem Silanis deals with is massive confusion about terms. Mr. Laure defined electronic signatures as a computer based method by which one can express the same legal meaning as a paper signature. Over 100 pieces of state legislation and a vast array of federal legislation exist. The majority, including the HIPAA Security NPRM, talk about electronic signatures and refer to digital signatures as one method. The Uniform Commercial Code, which governs virtually all commercial and financial transactions at a fairly high level, defines a signature simply as a mark or symbol or signer's intention to authenticate the writing. Intention to be captured and to authenticate is the core. Mr. Laure explained this was how Silanis began. Someone asked, "Can you get a signature into this Autocad drawing, and once it is in there, can you make sure that if it ever changes, that it invalidates the signature?" "We came up with a way to do it." This acceptable electronic signature goes beyond the perception of a simple digitized handwritten signature. It involves a process that captures the intent and then secures that signature, bound to the signature record, along with some type of security technology. By default, the baseline for this security is digital signature technology. With a digital signature, you capture intent, can verify that it really is the person who signed, and that the integrity of the document has not been modified.

Mr. Laure noted the need to incorporate the registration process along with digital signature technology to meet the security requirements Ms. Gugel discussed. Digital certificates are a good way to do that. He added that there are other ways to put PKI technology, digital signature technology, and digital certificates together that do not necessarily result in a certificate authority. CAs are good, he advised, but in many cases putting a certificate into every person's hand could be cumbersome. He emphasized that specifying a specific technology, kind of product or implementation in a regulation can add unnecessary burden and limitations as better ways are found to put these building blocks together.

Mr. Laure noted that, today, using digital signatures means having a PKI system and a way that individuals can identify themselves. Passwords used on lock certificates can be secure, though people forget them. Smart cards are fairly easy and common. Biometrics adds a fairly high level of user authenticity, but the technology does not yet work flawlessly in the health care environment.

Mr. Laure considered digitized handwritten signatures highly desirable in many documents between health providers, hospitals, insurance companies, and the public.

The guidelines or standards that drive Silanis depend, in part, upon who their customers are and what they do. Many markets Silanis deals in are regulated or managed. If they are not dealing with a specific regulation (e.g., FDA CFR 21 Pub 11, DoD PKI, or CHPIA), they are dealing with the customer’s or industry’s requirements on how signing should take place. Signing is dependent on business processes, Mr. Laure emphasized. Silanis focuses on meeting specific requirements and guidelines that come from the markets and customers.

Mr. Laure said ABA’s digital signature guidelines give a fairly good definition of what the characteristics of an electronic signature should be. The New York State Electronic Signature and Records Act regulations define the characteristics as requiring user authentication, document integrity, and capturing the intent of the person signing. Key standards Silanis follows include the U.S. federal information processing standards, specifically FIPS 186-2, which defines the use of digital signature technology in the federal government, and FIPS 180-1 that deals with message integrity. Together, those two standards define the basic technology. X.509 version three standard for digital certificates is important from the perspective of identifying the originating source of the digital signature. Mr. Laure noted that a few basic standards define the core technology. Everything goes through these digital signature and authentication algorithms; the digital certificate is the companion piece. He added that interoperability will potentially require a higher level of standards.

The major benefit of using these standards, he said, is that they provide clear business, legal and technical requirements as to what an electronic signature should do. He reiterated the importance of focusing beyond technology on business requirements. A limitation Mr. Laure runs into often is that standards are not always followed, and sometimes are applied unnecessarily. It gets complicated and there is inconsistency within industry, because groups compete to regulate. There are state and federal-level regulations, and it is not always obvious which will come into play. Sometimes, regulations focus too much on technology and overlook process.

Mr. Laure said the signatures conform to the ASTM health care authentication standards, NIST 186-2, and FIPS 180. He noted that a standard is defined, required implementation features are in place and optional features are available--all these requirements of the HIPAA security NPRM are met. It is possible to countersign or apply multiple signatures to the same document. And signatures can be applied to binary files, EDF files, whole documents, or partials. The signatures support Microsoft Windows desktop applications as well as browsers, applications running on an NT server as well as ASP applications, and UNIX and Mac-based Web browser applications. Verification of signatures does not require access to a central server. Documents can be verified on a stand-alone basis. The validity of any certificate associated with it, once tied into one of these databases, can be verified as required.

Mr. Laure noted that the FDA-regulated industries have a fairly specific rule for electronic signatures. They have done a lot of work and a fair amount of implementation.

He emphasized that both electronic and digital signatures are necessary; each provides a part of the solution. Electronic signatures automate the process for the capture of a signature's intent, and maintain authentication of the signed document. Digital signatures, and associated technologies such as PKI, secure the integrity of the data and authenticate the person involved in the signing.

Peter Waegeman, Medical Records Institute

Acknowledging the confusion about electronic signatures and digital signatures, Mr. Waegeman said he felt personally responsible. Six years ago, in ASTM, we came up with the distinction; we created the electronic signature. In 1994, ASTM formed the subcommittee on electronic signatures. Some 28 organizations were represented, including the Joint Commission, DoD, AHMA, ABA, AAMT, ADA, the FDA, the Justice Department, the board of ASTM, and various medical specialties. After a year of deliberation, it became clear that for many--particularly medical specialties--a digital signature was too cumbersome and costly. And so, he said, they came up with the electronic signature, which does not carry the burden of a security infrastructure, including registration authority and certificates.

Mr. Waegeman said health care could not function with general standards for digital signatures. An acceptable signature must identify a person in a way that cannot be faked or ambiguous. He noted the need to know, not only if someone is an M.D., but also: is this person licensed in that state, what is their specialty and relationship to the patient. These identification attributes are part of the standard 1762.

Health care often requires co-signatures, and a signature system specific to this requirement. And health care necessitates a specific document structure that is clear about amendments. Document structure can ensure no one sees an amendment of a medical record that is only part of a note; the signature must require that this amendment comes up when the main document is seen, something that does not occur in electronic commerce or other fields. In addition, the signature must be done in a conscientious responsibility-taking effort; it cannot occur by default as in some commercial systems. Encryption and sealing are especially important in health care.

The ASTM standard allows for electronic signature when there is an authority within an organization. Whenever that doctor is in bilateral communication with an insurance company or hospital, that electronic signature would be accepted. The moment he deals with a pharmacy in the wider health care field, it would not be accepted. These transactions require the PKI infrastructure that contains the digital signature. Mr. Waegeman noted that this is what is needed, but can be difficult to get, and is somewhat complex and cumbersome to manage.

Many countries are implementing PKI systems. Mr. Waegeman said, if he had to decide today, he would probably move towards a digital signature and PKI rather than an electronic signature. He added, however, that considering the number of signature systems being installed and how few comply with requirements needed in health care, it might be worthwhile to view them as stepping stones toward reaching PKI and digital signatures.

He commented that ANSI ASTM standards are nationally and internationally recognized in this field. This applies to 1762 as a general guide as well as a specification for digital signatures. He added that ISO TC215 is becoming an international standard for signatures. It is based largely on ASTM standards. Japan, Australia, and some European countries are following the lead of the U.S. standards.

He observed that the e-sign act makes electronic or digital signatures legal; it does not validate them. Electronic signatures are available, but he cautioned this does not mean that they apply in health care or that documents signed under these general guidelines would pass as a health care legal document, legally signed.

Discussion

Dr. Zubeldia thanked the panel. He said he heard that there are several parts to a signature. There is the ceremonial part, the individual voluntarily signing that can be expressed by a biometric. There is the signature card concept of a third party--the registration as to who the signature belongs to, and the certificate authority PKI concept. And there is the document management part--if the document changes, the signature is invalidated.

Mr. Laure said he did not know of a standard that met all the requirements of HIPAA. To some extent, a digital signature meets the basic requirements; but it does not guarantee that the person who applied the digital signature is, in fact, whom they claim. That might be one of the notable aspects in the HIPAA rule. There are products and methods to do this, but some of the optional requirements should be mandatory.

Counter signatures are mandatory in many business processes. A challenge in implementing Silanis’ products, Mr. Laure said, is making sure it is capable of performing the business processes involved with each document. If a document is a five-part form, requires four signatures, and has to allow for sections to be filled in between them, then the application has to be able to manipulate the technology to do that. Thousands of different types of documents have to be signed in many different ways, depending on the industry you are dealing with, and it becomes virtually impossible to separate business process from the technology required for the electronic signature itself.

Mr. Barnett said PKI based on X.509 and the work from PKIX come closest to meeting requirements, though they do not specify technologies enough to guarantee interoperability. Kaiser has invested heavily in PKI; they believe it is the most cost-effective approach.

Mr. Beatson observed that the document management associated with getting the signature out is available in the software packages most businesses use. The electronic signature industry is making available the capability of adding an electronic signature verified biometrically. You can get a signature, secure your document, and then, when you want to transmit it securely, hand it over to the digital signature people.

Ms. Gugel noted that the health care industry has a lot of custom legacy applications not enabled to accept digital certificates for authentication. Vendors are creating electronic patient record applications and others that need to be PKI enabled if digital signatures are going to be mandated. This requires toolkits or customized integration. Silanis and Cybersign, recognizing the need for adding multiple signatures and counter signatures and document control with signature control throughout the whole process, have undertaken customized integration. Many other applications in the industry need to be PKI enabled or able to accept and recognize an X.509 version three certificate for authentication. If digital signatures are going to be mandated, the industry has to do a lot of work to enable applications. Tools are available. Niche companies enable major applications like the ERP systems. Anyone can buy snap-in products that PKI enable applications.

The main applications today that are readily enabled, she said, are the mail systems using S/MIME and Web-based access control that accepts digital certificates. Most of the VPNs are out there, so you have extranet solutions. Some industry-specific applications have not yet been PKI enabled; they are looking at this technology and waiting for what HIPAA is going to say before they move forward.

Mr. Beatson remarked that if you generate a document at a workstation and it goes through the digital signature process, the only thing the recipient knows is that the private key associated with that transaction was submitted at the source end. Typically, that private key resides on the workstation or server. If you walk away and leave your PC on, anyone could conduct a transaction.

Mr. Barnett emphasized the importance of identifying and specifying procedures involved in identification and authentication. He said he had one Verisign certificate that cost $9.95. I just gave my e-mail address and they sent one. Anyone can download a certification authority toolkit and create his own. Who owns that certificate--how do you know they control it properly?

Mr. Waegeman agreed that electronic health record systems are not safe or secure, and confidentiality is in a sad state. He asserted that PKI could make a difference. Speaking as a patient advocate in the field of signatures, he said the first step was to create a PKI for caregivers. This, by itself, would provide higher security from the point of confidentiality.

Dr. Gellman acknowledged that there might be gains toward protecting the confidentiality of records, but said he was a bit nervous the digital signature might become a universal identifier you need to have to do anything. He expressed concern that the verification process could create an entirely new entity with a tremendous amount of personal information on people--something that never existed before. Whoever does verification has an audit trail of my life.

Mr. Barnett said he heard these concerns, and suggested one approach was having more than one certificate. The certificate that identifies a person as a physician should probably not be used to purchase things over the Internet. There was a need to separate out our identities. Audit trails within the medical community are probably appropriate, especially with medical records.

Mr. Waegeman stated that the American National Standards Institute, Health Informatics Standards Board identified up to 18 different approaches in the United States to creating PKIs. He observed that the most active company in health care was not represented in this discussion, but that many were trying to come to a mediated course toward one acceptable health care approach. There are still holes in PKI; it is a complex issue--but the longer we wait, the more it will hurt.

Dr. Frawley remarked that, as Ms. Gugel pointed out, most of our clinical information systems are legacy systems and many would not support a digital signature application. More troubling, she said, is the fact that many of the products coming on the market will not support a digital signature. Most of the participants in our health care delivery system are using an electronic signature that will not meet any digital signature requirement under HIPAA.

Ms. Gugel said vendors are waiting to see what HIPAA requires. Since the RSA algorithm patent expired, toolkits are readily available at a much lower cost. There is a huge amount of interest from vendors in different industries who want to PKI enable their operations. If the requirements call for digital signatures, they will move in that direction. Mr. Laure said all of Silanis’s competitors incorporate digital signature technology into their products.

Considering both PKI and electronic signatures, Dr. Zubeldia asked what kind of solutions might be adopted as a HIPAA standard for digital signatures, and what might be the time frame. Ms. Gugel asserted that the solution is a combination of technologies. That is why partner programs are important. Both technologies are important in signing documents and tracking signatures through the system. Mr. Laure remarked that PKI gives managed certificates. Everybody gets certificates that are properly controlled, everyone has their identifiers. What is needed, he said, is PK enabled applications that allow those certificates to sign. Mr. Laure said the components are there and adoption could begin now. Rolling it out across the country could take 10 years. If you are going to go with certificates or PKI, define that and roll that out so people have their digital I.D.s. And encourage vendors to implement the signing capability.

Mr. Waegeman agreed that the technology is there, but added that the infrastructure is complex. He compared the situation to when HIPAA came out. Leadership is needed in terms of what can be done. He noted that Chime implemented in Connecticut. Finland and Quebec have fully implemented. Implementation is underway in Australia and several Asian countries. People are realizing that, the sooner we do it, the more we can save and the more we can make systems confidential and secure.

Mr. Barnett said another issue is to what level of detail to specify. It is important, he said, to block out what we need to define; that helps us converge. The first level of digital signatures, IEEE Standard 1363 and FIPS 186, are well defined and list technologically neutral algorithms. The next level down might be PKI, which is pretty well defined and fairly mature. There is a well-known technology framework to use for infrastructure. Third level down, health care PKI, is still up in the air. Kaiser is implementing a PKI. Several standards committees are working on details. We all have a business need to get it down as soon as possible, so we don't have to redo the technology.

Mr. Beatson said a standard is emerging through the BioAPI Consortium, supported by NIST, for the actual identification of individuals and that biometrics will eventually adhere to that standard.

PANEL 2: Discussion of Business Case for Electronic or Digital Signature

Jean Narcisi, American Medical Association

Ms. Narcisi, Director of AMA’s Office of Electronic Medical Systems, noted the role of effective and affordable user authentication in providing the foundation for high-level privacy and confidentiality essential to the growth of online health care services. She said the authentication in the electronic signature process must be simple, quick, reliable, and flexible enough to authenticate users across a complex network of health care Web sites.

In 1997 and 1999, the AMA conducted surveys of physicians to determine the penetration of Web usage and identify physicians' patterns and habits related to the Internet. Some 59 percent of physicians reported they did not use a computer. Of those that did, by '99 the proportion with access to the Web nearly doubled to 37 percent. Some 27 percent of the Web users indicated they had a Web site. The '99 study indicated that the majority of the physician Web users consider the Web most useful as a communication tool. Other uses include accessing medical and drug information resources. The '99 study indicated that 83 percent of the physicians indicated they had concerns about data security and confidentiality of medical records on the Web.

The AMA is working with the Intel Corporation to deploy a new form of electronic identification called the AMA Internet I.D. Ms. Narcisi said it will protect physician and patient privacy and confidentiality when using the Internet to send and receive medical information.

Intel introduced Intel Authentication Services, which develops and operates authentication services for associations, organizations and any health sites that want to offer branded e-health digital certificates. The AMA Internet I.D. uniquely identifies physicians over the Internet, providing a reliable authentication technique with passwords for secure Internet transactions. The AMA I.D. functions online the same way as a driver's license, passport or other trusted document.

Medical information is private, confidential and not replaceable. Protecting confidentiality and privacy is imperative to ensuring the strength of the consumer trust in a changing technological health care environment. Electronic communications are changing how patient information is stored and transmitted; what will not change is the physician's responsibility to maintain the confidentiality of patient records. Electronic patient records are no different from paper medical records; they contain privileged information that may not be divulged without permission from the patient.

The AMA Internet I.D. comes at a time when there is a growing awareness of the threat of breaches of medical privacy, confidentiality and security of the medical record in the digital age. Levels of security, reliability and quality of service necessary for health status to use the Internet need to go beyond those needed for typical e-commerce.

Authentication technologies are evolving rapidly to meet business requirements. Health care service providers will need to adapt their content and security procedures to address the requirements of new access devices such as PDAs, cell phones and other electronic devices. Many PCs and other digital equipment will soon come equipped with fingerprint scanners, eye scanners and other biometric authentication systems. The AMA Internet I.D. and other Intel IAS infrastructure are designed to be extensible, so they can smoothly accommodate these in the future.

AMA and Intel are currently working to integrate a few new features in Internet I.D., which include delegation. This service enables professionals to delegate staff members to act on their behalf in authenticated online transactions. Fraud management enhancements underway are likely to include automated monitoring of activity logs with flagging of potentially fraudulent activities.

As online health care evolves, AMA and Intel are committed to providing a high level of authentication integrity that will be combined with procedures and tools to make it easy for businesses to deploy and administer their authentication services, as well as make it increasingly simple for end-users to obtain secure access to the information and services.

Sherry Neuman, iScribe

Dr. Neuman developed the design for a system for online outpatient DUR for Medicaid agencies before joining iScribe, which produces the hand-held technology on Palm Pilots and pocket PC devices for physicians to write and electronically transmit prescriptions to pharmacies. iScribe is responsible for providing information at the point of care about a number of potential therapeutic misadventures, such as drug interactions or duplications of therapy or drug-disease contraindications.

iScribe has SSL and encryption for all data transported over any wireless or wired connection. A virtual private network protects the security of the data iScribe receives. The handheld devices capture the prescriber’s signature and can print this on prescriptions. The patient receives a legible, legal receipt that can be compared with the prescription vial.

Dr. Neuman said she could not over-emphasize the importance of standards in the health care industry. Standards enabled the pharmacy industry to become so well automated and efficient. Approximately 95% of the 2.83 billion prescriptions filled annually are being sent electronically between pharmacies and payers or processors.

She noted the impact of the Omnibus Budget Reconciliation Act of 1990 (OBRA 90), when outpatient automated drug use review was mandated for all Medicaid prescriptions. Every state board of pharmacy subsequently required pharmacists to provide similar surveillance for all patients’ new or refill prescriptions with changes.

Dr. Neuman said standards for physician-to-pharmacy transactions could be a boon, both to patient care and the economics of health care. Getting the prescription to the pharmacy in a clean legible way that is not manually entered will reduce medication errors that result from illegibly written prescriptions. Electronic transactions from the pharmacy to the physician can involve a refill request, or request a change in prescription due to formulary considerations or additional patient information.

The National Council for Prescription Drug Programs’ standards enhance physician-pharmacy and pharmacy-physician transactions. In the early '80s everything was done on paper with the universal claim form. By the mid-'80s, the NCPDP developed a non-interactive, one-way transaction, the telecommunications standard version 1.0. Pharmacists could send a transaction online to a payer, processor, or pharmacy benefit manager (PBM) and be notified that the payer received the transaction and the amount of payment for that claim. With Telecomm Standard Version 5, clinical information can be sent between pharmacies and processors or PBMs.

Dr. Neuman said requirements that need to be met for electronic and digital signatures include individual identification of the user of each certificate and an audit trail. To meet this need, vendors of registrations and certificates are beginning to take on risk for their programs. Standards for electronic signatures or authentication of the sender have become essential.

Dr. Neuman encouraged NCVHS to declare the standard for an electronic signature so the boards of pharmacy can act. Until that roadmap is established, electronic transmission of prescriptions is not allowed by many states.

Peter Waegeman, Medical Records Institute

The vision of a 1991 Institute of Medicine study, which found that the creation of a computer-based patient records system was a necessity for health care, has been widely accepted, yet it cannot be realized without a security infrastructure which, Mr. Waegeman said, is best expressed by PKI. Mr. Waegeman stated the need for a clear resolution that PKI is the only way to create confidentiality, to create security, to save money and to implement the vision of electronic health records. This can only be done, he said, by having the current standards as its basis. The standards of ASTM, recognized internationally, are particularly for health care.

He said the business case for such a system is clear: eliminating parallel paper and printing of transcribed information, time spent physically signing records in hospitals and clinics, chart assembly, records storage and retrieval, and costs associated with records transportation. Studies indicate savings of $50 billion to $135 billion a year. The one-time cost of implementing PKI nationwide could be from $45 to $52 billion. He asserted that PKI is going to save the country and the health care system much more than what we are currently trying to save with HIPAA.

Mr. Waegeman noted the wide range of state laws and situations that need to be corrected in order to create a national and international health care system. Chime and Kaiser are progressing rapidly. Some other companies intend to have large numbers of certificates issued by the beginning of next year. But, he noted, the United States is falling behind; eight countries are advanced. Prince Edward Island has a well-established system. Australia has extensive pilot projects. The German Ministry of Health considers their health care five years ahead of the United States in their security efforts, through having established a PKI.

Mr. Waegeman recommended: (1) including the electronic and digital signatures in the NPRM; (2) NCVHS and HHS taking a leadership role in promoting PKI and its implementation in health care; (3) recognition of ASTM E31 and other standards from electronic commerce as the basis for implementing PKI; (4) NCVHS urging Congress to enact specific legislation that overrides state legislation, goes into credentialing, and provides the basis for future identification of PKI and health care systems in general.

Benjamin Wright, JD

Mr. Wright is a Dallas attorney and co-author of Electronic Commerce; his clients include the Mississippi Secretary of State, a committee advising Indonesia on revising its laws to comply with electronic commerce, and vendors of PKI, digital, and biometric signature products. Mr. Wright said he was privileged to listen to groups, companies, and governments around the world talk about electronic signatures and what their laws should or do say. He suggested that our concepts of electronic signatures are like the elephant that the blind men touch, each coming away with his own disparate perspective. Mr. Wright advised the subcommittee that, in looking to provide guidelines, everyone would gain from considering the true fluidity of the industry and the technology.

Considering how large and diverse the health care industry is, Mr. Wright said he was humbled by such a wide range of transactions and would be loath to write stringent regulations, standards, or guidelines in light of the diversity and change taking place within the signature technology field. He said he would be very cautious about writing a standard that set in any solid way what technology needs to be used or what business model needs to be adopted. At such an early phase in the development of electronic signatures, any establishment of standards runs the risk of locking the industry into something that, in a few years, makes no sense. He recommended the subcommittee think less about setting standards and more about education, providing leadership so people can learn the technologies, see pilot projects play out, and understand ramifications.

Mr. Wright noted a distinction he said he had not heard delineated yet. He recommended distinguishing between requirements for a legal signature and anything needed for security. He advised focusing on what was needed to get a legal signature. He acknowledged security is important, but asserted a digital signature might often work very well as a security device, without being wrapped up in the question about whether it is legal. Conversely, some instances require a legal signature, but demand little in terms of security. It depends on the law and the situation.

Mr. Wright asserted there will be more biometric signing devices, though some may not involve what anyone envisions as biometrics. In the next couple of years, he predicted, voice signatures will become important. Microphones in computers and cell phones are already ubiquitous in our society. With voice signatures you do not have to pick up a pen, have a smart card, a personal identification number, or password. While he said he did not know of any vendor trying to sell a voice signature today, he anticipated many soon will as bandwidth on the Internet increases and the ability to send voice files becomes less expensive.

Another change Mr. Wright discussed is a new reliance on notaries public. Mail Boxes Etc. plans to have a notary public in each one of their 3,000 locations. Anyone can sign a document using any device and, after confirming identification, the notary will secure the transaction with public key infrastructure and a private key.

Mr. Wright urged the subcommittee to leave the road broad enough for innovation and to be cautious about assuming that any particular technology works only in any one particular way.

Discussion

Dr. Zubeldia said he had not yet heard a business case for digital signatures. He heard a business case for signatures in securing or signing prescriptions, and for the electronic medical record, of which signature is a component. But the savings were in the electronic medical record. The electronic medical record is a strong business case; signatures are part of it. He suggested prescriptions might make a more compelling business case. He noted HIPAA has a mechanism to set a standard and periodically change or replace it. He heard we should not be adopting a standard that locks the technology in. He also heard we should adopt a standard that forces the vendors to implement--that they are waiting. He asked if there was a compromise.

Mr. Wright cautioned about painting yourself into a corner. He said he did not have a particular agenda. But he was concerned about taking industry down some trail, led by a particular interest group, when there are so many technologies and so much innovation. PKI is not that well played out. Digital signatures have not been tested in court. The concept of a certification authority is an untested business model. No one knows how liability shakes out with any one technology.

Mr. Waegeman responded that, while there is no business case for paper records kept forever parallel to a computer system, whether the focus is on electronic health records or a way to move the health care system into a more efficient system, PKI is a part of it and a business case for it. He acknowledged this has not really been tested, but asked, "Who would move their hospital records to a computer system so long as the legal counsel advises, 'Don't do it'?" He said the test really is, "When is Kaiser going to get rid of paper records and save hundreds of millions of dollars?"

Dr. Frawley noted Mr. Waegeman flagged some problems. Most state statutes and regulations do not recognize an electronic medical record. She said she worked in a hospital that had an imaging system and she kept records on paper and on the system, because it was not clear whether their imaged records would meet the standard for admissibility in court. Very few state statutes and regulations apply to electronic records. Again, we have a lack of uniformity on what is an electronic medical record and what are the requirements for an electronic signature.

Dr. Neuman asserted that the physician-to-pharmacist and pharmacist-to-physician transaction is the business case for moving information electronically. When a physician can write and sign a prescription electronically and transmit it to the pharmacy, there is economic efficiency and a reduction in administrative burden. And there is efficiency at the pharmacy end that no longer has manual entry. The business case for reducing medication errors is there. She noted efficiencies with other transactions: physician-to-lab and lab-to-physician, asking for a prior authorization for additional health services, getting authorization for prescription medications not on the formulary. Charge capture is another example. Millions of dollars are lost in the health care system because professional services are not captured and charged for. With electronic transactions, these can be tracked on a Palm Pilot and sent off electronically. Dictation and transcription can be automated, so long as it is certified and authenticated. There is a strong economic, patient care, and business case for electronic transactions that cannot exist without verifiable electronic signatures.

Ms. Narcisi pointed out other ways to apply a standard that do not involve technical specifications, e.g., exploring the risks and liabilities of malpractice on the Internet. Dr. Frawley said Ms. Narcisi raised a good point. Probably the biggest albatrosses are the record retention statutes. AHIMA published a practice brief available on the Internet; the retention periods are widely disparate for different types of records. She noted that many panelists voiced that the technology was moving fast, and we had to be careful to be technology neutral. She said we are struggling over technologies and yet we have these problematic transactions that don't even require a signature. She emphasized a need to focus on guidelines.

Mr. Wright questioned the definition of a technology neutral effort. He noted someone had said you could have a technology neutral standard based on public key algorithms. He pointed out that the public key algorithm, itself, is a technology. He suggested thinking of more general goals, like achieving a reasonable level of confirmation as to the identity of the signer. He said he appreciated the need for establishing uniformity across the industry, but suggested finding transactions where you want to achieve it, then getting specific on what needs to happen for uniformity to exist in that transaction.

Dr. Fitzmaurice noted that with the security standard, they never said, "You’ve got to have a guard dog in front of the door," but advised risk assessment, provided categories of risks, and encouraged developing policies and ways to address them. He asked if that approach might work for electronic signatures. Assess needs and adopt mechanisms and policies that provide the degree of authentication, integrity, and non-repudiation needed for any particular transaction. Assess that probability for your own purposes, and adopt policies and technology that let you conduct business and clinical affairs in a way in which you, your patients, and associates are comfortable.

Ms. Narcisi concurred with using a model more on the policy level than as a tech specification. She suggested generalized authentication techniques might satisfy the model they were striving for. Mr. Wright agreed. What is appropriate from government nationwide is education. He expressed hope that, as electronic signatures become more ubiquitous in society, the appropriate kind of technology for particular kinds of transactions will become clear. He suggested grass roots uniformity could arise as different industries begin to feel comfortable with the technology.

Mr. Waegeman expressed concern that this approach will not create a climate where the average hospital gets rid of paper records. Many hospitals, clinics and doctors' and practitioners' offices are buying electronic signature systems and will be locked out of a digital system, which allows communication and better security. Countries that have gone through this painful exercise acknowledge there is only one way to go: create a legal infrastructure that avoids having both signatures. He noted, too, that having everyone assess their own risk is expensive.

Dr. Cohn said that, as a practicing physician, he worried about having so many methods of authentication. Always having to remember which to use did not sound like a very exciting future. He asked how important interoperability really was; just how much guidance was needed.

Ms. Narcisi said interoperability could not be gauged, because it was not here. Her digital certificate might, or might not, be able to be used on an unknown application. She compared it to credit cards. You cannot use your VISA card at the library. Your digital certificate for accessing medical records shouldn't be used at amazon.com. She did not believe there would be only one solution. The industry is not evolved enough to say there should only be a certain number.

Dr. Cohn asked what if one of his insurers wants PKI this way and another wants it a different way and this swells into 50 ways on EDI transactions? Ms. Narcisi said it would be similar to what they had experienced with transactions and claims. She noted how long it is taking to get standards out and implemented--and in the meantime the technologies are moving along and more payers are interested in that content, because they can send those applications over the Internet. By the time it actually did get implemented, there might be a better way.

Mr. Waegeman observed that people are looking at digital certificates in different ways; what is needed in the meantime is an infrastructure. By the time PKI infrastructure is established, there will be interoperability. Mr. Wright agreed. Needing various ways to deal with vendors is a problem. He said he was not sure society would adopt that world. There are alternative visions. People are beginning to rebel against passwords and smart cards.

Ms. Trudel said she was seeing a gap between the forward thinking she heard that morning and where much of the health profession is today. Often a claim is received without a signature. Someone just says, "The signature is in the file." None of the X12 standards in the first HIPAA transactions have a signature requirement. Ms. Narcisi pointed out that those transactions do not require a signature, only authentication. The electronic format of the current HIPAA transactions indicates where it came from. Authentication is important with online transactions. You need to look beyond the electronic signature that, included in a digital certificate, becomes authentication.

Mr. Waegeman noted the documentation of authentication, the signature, is still in the paper record. The transaction system implemented in France saves much more with a real PKI system.

Dr. Zubeldia said the Security NPRM calls for a level of strong authentication, and added it is independent of signatures. The case for the signature is to prove that Dr. Jones signed this prescription. The technology used for both, as in the case for PKI, may be exactly the same. But there are different business purposes.

PANEL 3: Discussion of Government and Electronic Signatures

Patricia Good, Drug Enforcement Administration

Under current law and regulations, a pharmacy cannot fill the most highly controlled prescriptions without a written document with the physician’s manual signature. For years, the industry asked to use electronic prescription. With PKI technology, DEA saw a way to address concerns about authentication of the sender by building into the security services their authenticity as a physician and registrant with DEA and certainty that the prescription originated with that person. It is a way to guarantee message integrity, prevent forgeries and alterations of prescriptions in transit, and take the pharmacist off the hook for liability in verifying the prescriber’s registration status.

Certification authorities will issue digital certificates to participating physicians. This is a voluntary program; prescriptions can still be transmitted on paper. But the allowance and standards enable transmission by electronic means. Ms. Good said the goal is to set minimum standards that can be met regardless of the technology used.

DEA will operate a root certification authority under which authorities issue digital certificates to one million practitioners.

Industry status has been reviewed and PEC Solutions, who contracted to design a concept of operations for DEA, has interviewed entities: medical practitioners, pharmacy practitioners, health and regulatory enforcement agencies. Technical aspects and the timetable are up for debate in the Federal Register. No regulations have been proposed.

Ms. Good said DEA viewed this from the standpoint of balancing the business practice and granting assurance and security that the issue of forgery and certification of the sending party and their credentialing could be certified.

After industry feedback, Ms. Good said DEA is considering digital signatures for certifying identification.

Steve Bruck, PEC Solutions

Mr. Bruck explained that the high level concept behind the framework, the DEA root certification authority, was proposed to satisfy three key requirements: trust interoperability, ensuring performance and availability, and the regulatory aspect.

DEA wanted a marketplace flexible enough to have as many certification authorities as proved commercially viable. They also needed a framework that facilitates trust interoperability to avoid and resolve situations where prescriptions could not be filled because a pharmacy did not trust a CA.

Hundreds of millions of controlled substance prescriptions need to be validated every year. DEA needed to be insulated from that work. The framework enables DEA to act as a facilitator for trust between industry and commercial certification authorities and those responsible for issuing certificates, enrolling doctors and publishing CRL information.

Numerous meetings were held with health care communities to determine the level of assurance that needs to be implemented. One key driver identified was assurance that a practitioner is, in fact, a DEA registrant credentialed to prescribe. The certificate policy will identify the set of provisions that address enrollment and private key safeguarding, all policy issues that, together, turn this electronic certificate into a valid credential that a pharmacy can trust because a sound foundation supports the way it is delivered and safeguarded by the practitioner. It will also address obligations that apply to participating practitioners, pharmacies and industry certification authorities.

DEA registered doctors and pharmacies have accepted a responsibility to operate in a certain manner. There is no established relationship, to date, between DEA and commercial certification authorities. The regulatory aspect addresses these issues.

Mr. Crumpler discussed FDA’s regulation regarding electronic records and electronic signatures, which has been in place about three years. FDA is looking for systems that are trustworthy, reliable, and compatible with their mission to promote and protect the public health. Mr. Crumpler emphasized the need for more than just a technological solution. Administrative and procedural controls are also necessary. In 1990 the pharmaceutical industry asked FDA to consider accepting electronic signatures. The agency developed its Electronic Records; Electronic Signatures regulation (21 CFR Part 11) in response to that request. It began as a signatures regulation, but the agency quickly realized that the associated electronic records also needed to be addressed. The final rule went into effect on August 20, 1997. It covers all FDA regulated industries, which account for about 25 percent of the gross national product. Noting that thus far FDA has been flexible in its enforcement of the regulation, Mr. Crumpler observed that some impacted parties probably will not move toward compliance until they see more enforcement activity by FDA.

He noted that many legacy systems have difficulty complying with the requirement for a secure computer-generated audit trail of all transactions (creation, deletion, modification of records) and the requirement for records retention. Electronic records must be available for FDA review and copying throughout their defined records retention period. For long term archiving purposes, that means that either the system hardware and software would need to be retained, or the records and their associated electronic signatures would need to undergo a validated migration to another computer platform.

FDA divided their electronic records requirements based on open systems and closed systems. A closed system (e.g., a local area network) is one where persons having responsibility for the content of the electronic records on the system control system access. An open system (e.g., a Web-based application) is one where the persons responsible for record content do not have complete control over system access. Open systems must comply with the same requirements as for closed systems, but they also require additional measures, such as document encryption and use of digital signatures. FDA considers compliance with 21 CFR Part 11 to be the minimum needed to ensure that electronic transactions are trustworthy and reliable.

FDA’s electronic signature requirements recognize both biometric and non-biometric approaches. For non-biometric signatures, two security features (e.g., user ID and password) must be entered for a signature, but only one of those security features is needed for each subsequent signing in an uninterrupted period of controlled system access. The electronic signature has to be unique to the individual signer, not reusable or reassignable, and linked to the respective electronic record so the signature cannot be excised, copied or transferred to falsify an electronic record by ordinary means.

Requirements state the signature must contain: the printed name of the signer, date, time, and meaning of the signature. This information has to be included as part of any human readable form of the electronic record (such as electronic display and printout).

Persons subject to FDA regulations and wanting to use electronic signatures must certify their intent to use electronic signatures as the legally binding equivalent of handwritten signatures. That certification must be in a letter to the FDA with a handwritten signature. Manufacturers can make a one-time certification that covers multiple facilities and all employees for all times, or they can individually certify facilities.

Information regarding 21 CFR Part 11 is available on the FDA Web site.

Jan Lovorn, Protegrity, Inc.

Ms. Lovorn, chief privacy officer for Protegrity, a former chair of ASTM E3120, worked with HCFA and helped write standards to meet the regulations. She said she immediately saw PKI’s applicability to health care when introduced to it eight years ago; many things going on in health care need the kind of attributes digital signatures and PKI provide.

She started working in the ASTM standards arena when Mr. Waegeman was chair of ASTM E3120 on Data and System Security for Health Information. They came up with a standard called the Standard Guide for Electronic Authentication of Health Care Information that looked at business requirements for dealing with electronic information. She discussed some of those attributes necessary for any electronic processing of health care information with a signature: (1) non-repudiation; (2) integrity of the information; (3) secure user authentication; (4) interoperability; (5) independent verifiability; (6) the ability to counter signature across documents; (7) multiple signatures across a document or piece of information; (8) an ability to have signature attributes, e.g., a date/time stamp or location.

Ms. Lovorn said she personally has identified over 200 kinds of players in the health care market that have contact with patient identifiable information. It is important to keep the information private and maintain its integrity. Ms. Lovorn noted that the State of Minnesota requires medical records to be maintained for a minimum of 80 years and nearly all states require pediatric records to be maintained and verifiable for 21 years.

She stated it is important to look at interoperability and the technological and business requirements, and then build a standards base saying, "We will not mandate that everybody has to use digital signatures, but, if you use them, we definitely say this is how you need to do them."

A few years ago, a survey indicated 37 percent of all malpractice claims had to be settled out of court because there was not enough information to prove or disprove what people had done. The more electronic exchange of information is utilized, the easier it is to document and prove with digital signatures whether someone did or did not do something.

Ms. Lovorn, a systems engineer with a math background, observed that she has had a lot of experience installing these applications in different systems and knows that technically this works. Over the long haul, it is cheaper and provides benefits in the malpractice area, for prescriptions, for drug trial information--anywhere information has to have integrity.

Companies like SmithKline Beecham send back a million test results every night via telephone lines where there are no checks for integrity. Digital signatures can provide that integrity; electronic signatures cannot.

Ms. Lovorn recommended that digital signatures be selected for implementation under HIPAA. Industries are starting to use this for business reasons and they need to have a way to implement and make it interoperable.

Benjamin Wright, J.D.

Mr. Wright gave a brief overview of some of the uses of electronic and digital signatures for legal government transactions and described the breadth of approaches being tried around the world.

In Gwinnett County, Georgia, police officers and judges interact through a videoconference system using computers; a handwritten autograph and its biometric measurement are captured and bound to court documents.

For two years, the Internal Revenue Service has provided a PIN number to 800,000 Americans eligible to participate in an electronic tax return pilot project. Spain, Italy and Ireland have systems for using public key digital signatures with taxpayers filing documents through the World Wide Web.

Companies like ClosingGuard.Com streamline buying a house, a paper intensive process, with electronic methods. At closing, the buyer signs on a digital tablet. The signature is securely bound to the documents and a notary signs her name, capturing the biometric measurements of the signature. The agent wraps the whole thing with a private key using public key infrastructure. Most of the documentation ends up electronic. However, in most cases, the county court clerk, who receives mortgages and deeds for final filing, cannot deal with electronic documents, so often the final mortgage and deed are printed out and delivered on paper to the county recorder.

The securities laws state that annual and quarterly reports from corporations are supposed to be signed. However, the Securities and Exchange Commission wanted to receive that information electronically. Corporations type into the words of the filing, "signed by CEO Joan Doe," "signed by Director John Doe," etc. The SEC gets their electronic filing authenticated with an assigned password. The corporation is responsible for obtaining and keeping on file the board of directors’ and officers’ handwritten signatures.

Mr. Wright said this was just a taste of the diversity of approaches that the government has come up with toward electronic transmissions. He anticipates much more.

Discussion

Responding to a question about whether DEA’s Root CA could be used for registering other allied health professionals and providers, Ms. Good explained that the only people that can be in the root are DEA registrants who write controlled substance prescriptions: physicians, dentists, and veterinarians with state authority. DEA is not going to start certifying physical therapists, because we have no venue there. Ms. Good pointed out, however, that a CA operating under their root could, as a sub-business, certify both DEA players and the rest of the world.

Ms. Lovorn observed that among the gains of using PKI and digital signatures are the multiple layers of credentialing that can issue the identity certificate. For example, in Washington, D.C., doctors and nurses can practice in one, two or three jurisdictions and PKI allows them to maintain that credentialing, based on the area they are in, no matter where the Root CA is. You can have subordinate CA's or subordinate certificates. A new concept called attribute certificates will allow people to have credentialing in different areas and be able to match them up to do other things or record what they do.

Dr. Zubeldia noted they had just heard how important it was to be technology unspecific and not paint themselves into a corner. The DEA is doing a well-defined technology for prescriptions. He asked why very specific technology dependent rules applied to DEA and why the FDA is setting generic rules: Which would work best for all of health care?

Ms. Good responded that DEA was not going to define PKIs, but that, right now, PKI is the only thing that rises to the level required. She said what DEA would set forth were things that the system must do, things the verification process must ensure. As the technology develops and other options arise, those, too, could be included.

Mr. Crumpler said the scope of what FDA is dealing with is far broader than what DEA is talking about. They have a very prescribed application and they may be able to accommodate that through PKI or through their own digital certification program. They have specifically avoided that, as discussed in the preamble of their regulation. FDA is not in the business of developing standards or certifying a body. FDA left it to the industry to come up with its own solution. FDA’s only requirement is that whatever they come up with works. FDA is on the hook for what they choose to be the intent of the regulations. He pointed out that, for open systems, FDA also specifies that their manufacturers use encryption and digital signature standards as appropriate. FDA shares the same concerns for open systems where the manufacturer is not in control of the transmission.

Dr. Fitzmaurice remarked that, looking around the country, he saw AMA and Intel linking up to identify doctors. California was starting a similar process. He asked if the procedures within DEA and FDA were self-contained or did they partner with private sector entities. Ms. Good replied DEA envisions groups feeding the CAs under their root. It could be AMA, entities they work through, or state medical or pharmacy boards. Mr. Crumpler said FDA took it upon themselves to link up their regulated manufacturers with vendors who had success stories to tell. FDA held a conference in Philadelphia where vendors and regulated industry shared the difficulties and successes they have had in complying with Part 11. He noted that much of the regulated industry is looking for turnkey solutions. There are none. Everything has to be customized and there is a significant degree of effort and cost associated with an appropriate solution for a particular manufacturer.

Ms. Good added that DEA required manufacturers, distributors and pharmacies to keep a number of records and for those they are not considering PKI technology. The digital signatures only come into play when there is a legal mandate.

Mr. Crumpler commented that FDA set out in 1992 to develop an electronic signature regulation. After six years, they realized both electronic records and electronic signatures regulations were needed. It was very difficult to decouple the two; that is why their regulation is written the way it is. He suggested thinking about associated issues. Electronic audit trails, e.g., are a big issue in our industries. It is one of the areas most difficult to comply with, but essential for establishing auditability and integrity of the overall system.

Ms. Lovorn clarified that the ASTM standard allows a combination of technologies that meet most requirements, but that could also fold into other technologies, e.g., voice recognition or biometrics.

Gunther Schadow, Regenstrief Institute

Dr. Schadow, co-chair of the Secure Transactions Special Interest Group and the Orders Observation Committee in HL7, is working on security and public infrastructure aspects of a next-generation Internet contract with NLM. In HL7 he worked to secure transactions and recommendations based on Internet standards and on the SDO’s health care information model.

He emphasized four points: (1) one must understand the digital signature and PKI system in order to make reasonable judgments about the realities of all this technology; (2) trust does not scale very well; (3) authority cannot be outsourced; (4) because the issues of public key infrastructure are so difficult to manage, conventional and local trust structures should be reused where they exist. Dr. Schadow noted that the industry was trying to integrate PKI into the existing management system, making as few changes as possible.

Dr. Schadow said NLM was expanding its existing management technology (the user database) to include data about public keys. Personnel, their local MIS department, managed the user and will continue to do so. He said they would act as a kind of certification authority.

Dr. Schadow stated several reasons localized structures make sense in health care. Health care is comprised of personal, really physical and rather long-term relationships quite different from Web-based shopping or other things public key technology is designed for. Telemedicine is probably very far down the road. Employees interact with their employers. And payers have contracts with providers in the existing real world. Based on these real world relationships, certification and PKI technology can be added without changing the trust structures. Dr. Schadow stated the point is not to try to make one system meet all needs, but to build small systems with specialized public key certificates.

Another point he emphasized is the need to deal with unsafe implementations. He noted NLM was trying to use the Microsoft Internet Explorer. (One reason PKCS standards are recognized as an important standard is because the Microsoft browser supports them.) The problem, he said, is that Explorer puts private keys at risk by allowing almost anyone to exploit them in an unencrypted fashion. While digital signatures are nice in theory, in practice they may not be so secure. Electronic signatures on the Web are weak; anyone can probably forge most e-signatures. The picture is slightly different with biometrics and voice recognition, he remarked. But even they can be intercepted and replaced.

Dr. Schadow emphasized that NLM’s electronic medical record system had worked more than ten years on the basis of an authenticated environment. Usually they have very tacit authentication, which is state of the art and reasonably secure. Users are accountable for all their actions, once they lock on. There is reasonable assurance that they wrote the order. The local system and its policies and procedures establish trust beyond reasonable doubt; no additional token may be needed to underpin signing.

A problem with some EDI transactions sent between systems is that the individual who, through a separate action, triggered this subsequent transaction is not aware of it and so cannot actually sign. Dr. Schadow proposed allowing organizations to have organizational digital signatures that they can apply on those transactions. Individual accountability is tracked within an electronic medical record system. Organizational accountability could be tracked using digital signatures.

One problem with digital signatures in electronic medical records is defining what the signature actually means, e.g., "Patient has fever." Did the individual take the temperature, only hear about it from someone else, or just transcribe the note? HL7 Version 3 allows individualized and specialized accountability. Conceptually, acts are being signed and every act has participants bound to it: e.g., the ordering physician, verifiers, and other approving signatures.

Discussion - Subcommittee

Responding to comments about telemedicine’s role in health care, Dr. Schadow clarified he had only meant teleconsultation would probably not replace arms' length physical consultation in the near future; that it was embedded in a system of physical relationships between people. He mentioned the institute’s grant project doing telemedicine with patients in an institution.

Asked how the institute plans to authenticate entities outside of their network, Dr. Schadow said that, for practical reasons, electronic exchange of medical record data requires a contractual relationship. In practice, you rely on the system security, a password and lock file, and contractual relationships between the business partners exchanging data.

Balancing between interoperability and technology independence, Dr. Schadow said, requires making sure technology dependence does not creep into our conceptual reference information model and definition of transactions. Conceptually defined transaction messages need to be mapped to implementable technology specifications, resulting in a technology independent and a technology dependent layer. Work is needed on both fronts. Otherwise, there is no interoperability. At some point, you have to decide what you support; yet you can allow support for new technologies without having to change your conceptual model.

Dr. Schadow was asked what happened when patients were discharged and someone wanted to send prescriptions for controlled drugs to their pharmacy. Was that another PKI infrastructure with different passwords, access codes, and inputs? Was there overlap or multiple different PKI infrastructures that did not interrelate? If all these existing licensing structures are underpinned with digital signature or PKI technology, he replied, they could give the certificate. Multiple public key infrastructures can be done; the technology required is not difficult. What is hard is managing all these various relationships and trust structures.

Mr. Bruck observed that what was being suggested was simplifying technological aspects of implementation by transferring into a situation where contracts are developed between participating organizations. DEA was looking at solving two separate and distinct problems with digital signatures: their strong need for prescription integrity and knowing that the issuer is a DEA-registrant. The credential is signed by a trusted third party and conveys enough information for the pharmacist to make decisions. DEA is establishing credential-based workflow. The electronic certificate provides that level of trust for identity and the credential.

Ms. Lovorn remarked that contracts and relationships came up a lot in early discussions about developing digital signatures and the 509 certificates. When writing standards with certificate policies, she explained, the CA’s contractual obligation with subscribers is shorthanded in a policy I.D.--e.g., all pharmacists in the state are registered and operate under a certain policy. Doctors have their licensing and companies have their own policy. When the doctor transmits a prescription, this identifying contractual shorthand in the certificate signals the pharmacist’s system: "Yes, this doctor is credentialed and operates in our offices." That said, the prescription pops up on the pharmacist’s window.

Mr. Barnett stated the need to at least agree on definitions, requirements, and procedures--on acceptable ways of implementing, knowing technology will change. He said everyone knew that a Root CA was the best way to deal with this, but we are all scattering off in different directions. He said he felt pressured to get organization and guidance. We are headed for a real and expensive problem unless we narrow the field to things we can understand.

He suggested breaking up the identification and authentication mechanisms and definitions requirements from digital signatures. It is a separate issue. He recommended looking at a draft of ASTM’s model policy. The ABA has defined digital signatures. IEEE 1363 defines them. There is the X9 series and the FIPS 186. He suggested reviewing the literature for something that breaks out the definition of a digital signature from any technology that implements it and defines it in terms of requirement. Cut and paste from things already done.

Dr. Schadow reflected that the good thing about standards is there are so many to choose from. He suggested this is what HHS did writing the security regulation: they got all this stuff and tried to make sense out of it. It is hard work and you have to write yet another framework of how things can be done. Pick a standard, like HL7 for communication with labs or NCPDP for communication with pharmacies--then pick something that works with these standards.

Mr. Barnett said he wasn't proposing more standards. As long as we get some agreement, the digital signature is probably a good start and HIPAA NPRM has fairly decent material. He said he just saw all the confusion; with so many PKIs proliferating, interoperability and cross-certification would continue to be a problem. He said it is great DEA has a root, but it would be nice if one certificate did it all. Clarity was needed quickly. Ms. Frawley concurred it was troubling to hear that DEA is going off on this project and the provider identifier will be coming out in a Final Rule, and there is FDA with their requirements, and the state boards go out and do different things.

Dr. Zubeldia observed that he had heard nothing about a standard for digital signatures. There is a standard for certificates; but when the certificate is used as digital signature there are HL7, XML and PKIX ways. Not only do we have the certificate, trust, policy and CA levels, we also have interoperability problems on the digital signature itself as a standard.

Dr. Schadow asserted that there are many standards. The problem is that they do not really tie into the medical information communication standards. There are standards for everything; they just have to be brought together. Ms. Gugel emphasized it is important for vendors to implement standards, even if they conflict, and give users choices.

Dr. Cohn suggested they were in the same situation as a couple years ago with the HIPAA administrative simplification regulations. There is a reason they were passed back in 1996 and a reason they mentioned electronic signature. We are at a point where we need it. There is going to be great expense if we don't assist in this one.

Dr. Zubeldia said maybe everyone should stop looking at the standards, recommend specific implementations, and let the standard setting organizations that developed these frameworks define specific implementations so HIPAA can adopt specific implementations of signature mechanisms to be taken up for health care.

Dr. Schadow agreed, but added the key is the specific purpose. If the issue is about HIPAA and supporting claims transactions, then pick something that works well with X12 because that is the workhorse of those transactions for HIPAA. Pick something that works, rather than just trying to be a framework without an implementation. He cautioned this could only be done if the project is well scoped, if you are not trying to do health care digital signatures.

He remarked he did not think it appropriate for the government to define one set of health care standards for all health care security. He wondered why everyone was so scared about DEA doing its own thing. He contended that was exactly what needed to be done. Whoever has authority over a licensing issue and how it interacts with the workflow could make up their own PKI. Those certificates did not have to be used for any other purpose.

Mr. Barnett said he tried to be technologically neutral, but conceded that by giving that up and specifying things, they might move quickly toward interoperability. Mr. Blair observed that they seemed to be pulling together. We are winding up saying we need to go further than just a framework. We need to make sure it is implementable. We can map specific implementations against the requirements defined within ASTM standards.

Dr. Zubeldia responded most of the frameworks have 80 to 90 percent overlap, and the one most specific to health care is probably ASTM. We have the standards and we have the experts. He proposed giving those experts the charge to come up with implementation guides for standards they developed. The only argument he had with the ASTM framework was that it was strongly oriented to the Internet and today a negligible amount of transactions occur online.

Dr. Schadow cautioned: We need to understand what we are talking about specifically. There is the framework, the security framework, which is a very good document, and also a provisional standard about digital signatures in health care. He said the ASTM framework is quite good, the provision of standards for digital signatures in health care is concrete, actually implementable. There are definitions for all these proposed structures. The problems with ASTM are it does not interact with any existing information standards that convey electronic information that needs signing, and it is not very friendly, and probably not modern anymore.

Dr. Zubeldia said that from what he had seen coordinating an interoperability pilot, security vendors will do whatever it takes to sell the health care market. They need to know what the market will buy—and the market has no idea. They are all waiting for HIPAA’s final rules. Then, within nanoseconds, the security industry will have something to offer.

Dr. Braithwaite commented that HIPAA requires us to adopt industry consensus standards, not make them up like the FDA did. People expect HIPAA to be the horse--but, according to the law, we are supposed to be the cart. We are getting whipped anyway, Dr. Zubeldia replied.

Dr. Cohn acknowledged the complexity and suggested trying things on for size. He said he heard the need for more understanding of competing standards and options. Tomorrow they could ask whether they should get specific or stay general. Standards groups often create implementation guides; that was an option. Dr. Braithwaite concurred. He said the reason HIPAA adopted standards for transactions work was because they adopted extremely specific implementation guides. The reason they got away with adopting general language for security is that more interoperability requirements were involved. With digital signatures, it is only about interoperability. He said they could not adopt general standards for digital signatures and expect people to implement them. Very specific implementation guides were needed that guarantee interoperability. Dr. Schadow said it was a doable project, so long as it was well scoped. If what you want to do is have digital signed HIPAA transactions, that is not hard to do. Pick something that fits well with X12, and then do it. But be clear that this is not the general health care way. Dr. Cohn granted that scope is always important. He said he was impressed when the FDA talked about a single digital signature activity for 25 percent of the GNP.

Dr. Zubeldia pointed out that none of the HIPAA transactions required signatures. Signatures could be used as a security mechanism (X12.58), but developing a standard for X12 digital signatures was an exercise in futility. From the business case heard that morning, he suggested maybe prescriptions and medical records needed signatures. Ms. Frawley concurred that the way to move towards computer-based patient records was to help the industry affix a signature. She noted a need to hold to a standard for a digital signature; the standard for content of the medical record involved analysis of 50 state statutes and regulations. Dr. Cohn replied that they would be talking about a prescription standard the next day, and listening to people who have been doing digital signatures.

Dr. Zubeldia remarked on Dr. Schadow's comment that EDI INT could sign. Something that could be used immediately, even before there is a prescription message or medical records standards, that could secure X12 messages, did not strictly require signature, yet the same structure could be used for X12, might be a good candidate. He suggested encouraging EDI INT to work together with ASTM and see if it fits the ASTM model and framework. EDI INT already had a specific implementation guide that could be tested for interoperability and there was a process.

The meeting was recessed at 5:00 p.m., to reconvene the following morning.

PANEL 4: Report on Existing Projects

Richard Guida, Federal PKI Steering Committee

Mr. Guida presented what the federal government is accomplishing in terms of interoperability and public key technology. He said the most important statute the federal government operates under regarding use of electronic signature is the Government Paperwork Elimination Act. GPEA states federal agencies will accept electronically signed, electronically formed documents by October 2003. The statute is technology neutral and the implementing guidelines recognize a range of ways to make signatures: PINs and passwords, shared-secret approaches, and cryptographic mechanisms of digital signatures in the use of public key technology. The guidelines state each entity needs to decide which technology is best suited to its own application. The guidelines recognize the value of interoperability. Digital certificates or a PKI allow for reliance on fewer credentials useful across a variety of applications, so long as there is a way to interoperate PKIs. The Federal Bridge Certification Authority provides a way.

In order for two disparate PKI domains to work together, two things have to be accomplished. First, disparate policies in the domains must be mapped. Policy mapping for one domain is issued in X, Y, and Z certificates. The other domain mapping is in A, B, and C certificates. The nature of these certificates is described in the certificate policy, stored in the certificate policy extension of each certificate issued under it. In this way, a certificate conveys the circumstances under which it was issued, the strength of the identity grouping when the certificate was issued, the cryptography’s strength, whether it is on a hardware token or in software, and where the private key is protected.

In order to interoperate, both parties agree upon a mapping. The policy bodies responsible for these disparate PKI domains decide their exchange of currency accomplishing this agreement. This data is in a policy-mapping field of the certificates that exists between the domains. It does not need to be in each individual end-user certificate. It is expressed in one place, the cross-certificate between the two certification authorities that constitute the tops of the local domains.

There has to be a way to process that data. And, when there are many different CAs, a way is needed to tie the CAs together in a mode free of chaos. The FBCA has a single hub--the Bridge. The various spokes of the wheel are cross-certified as if they were with the Bridge. So long as you have a relationship with that Bridge, expressed in a cross-certificate, and somebody else has a relationship expressed in a cross-certificate, you both have topological connectivity. You have the ability to establish a trust relationship between your domain and any other domain connected to the Bridge. This concept, developed over several years, worked in prototype form early in 2000.

The goal was to bring together two disparate PKI domains through the Bridge. One domain would cross-certify with one node of the Bridge. The other domain would cross-certify with the other node. Inside, the two nodes would be cross-certified and connected. In practice, five domains worked together. The GSA had one domain. The National Institute of Standards and Technology had another with two certification authorities, one connected to each node. The others were the Georgia Tech Research Institute, NASA, and the Department of Defense. DoD had their own bridge and test; the bridges connected. Three PKI subdomains (two hierarchical, the other a mesh using Entrust certification authorities) were underneath the DoD Bridge. The Canadian government participated.

E-mail was tested using out-of-the-box products and plug-ins, available publicly for free or from vendors. E-mail messages were sent between domains. The software literally created a trust path of cross-certificates from one domain to the other. A procedure in that trust path made sure the certificate was still valid. A fairly rigorous test, incorporating revoked certificates and certificates outside of the domains, was done in both directions. All the trust paths worked, with the exception of one domain where they ran out of time and resources. Five PKI domains operated within about two months--a greater success than many expected.

The Federal Bridge is a non-hierarchical peer-to-peer hub. It supports interproduct and interdomain interoperability. It does not require a specific product. Inside the Bridge membrane, multiple mainstream products work together. Anyone external to that membrane, so long as they use a product expressed in the membrane, or a product interoperating with one inside, can use whatever they wish.

The nucleus of the prototype is two products: Entrust and Cybertrust. It utilizes an X.500 directory product, Peer Logic. Mr. Guida said FBCA intends to have about six CA products inside the membrane for the production version. The Federal PKI Policy Authority, which exists under the CIO council, oversees operation of the Federal Bridge. It is preparing to accept applications from agencies to interoperate with the Bridge.

Addressing the question of digital versus other signatures, Mr. Guida advised that the greatest strengths usually come from a combination of technologies. If you had to pick a single technology to authenticate or make a signature, he suggested digital signatures. The same infrastructure can be used for confidentiality, as well as for a signature, and it provides a firm basis for non-repudiation. He emphasized that a digital signature does not guarantee non-repudiation. In the final analysis, he suggested, PKI is the best single solution. He added, however, that he was not contending it is the only solution, or that it would not be improved through the use of other technologies as well. His personal view is that the use of biometrics to unlock the private key, generated, stored and used on a hardware token, constitutes perhaps the strongest way to identity proofing and signature.

Holt Anderson, NCHICA

Mr. Anderson, Executive Director of the North Carolina Healthcare Information and Communications Alliance, spoke from the broad perspective of the HealthKey five-state project. HealthKey, funded by the Robert Wood Johnson Foundation, takes a market-driven, community-based approach to developing health information infrastructure and, in particular, public key encryption infrastructure. Participants include the Massachusetts Health Data Consortium; the Minnesota Health Data Institute; the North Carolina Healthcare Information and Communications Alliance; the Utah Health Information Network; and the Community Health Information Technology Alliance in Washington, CHITA, part of the Foundation for Health Care Quality. HealthKey seeks to identify interoperable standards-based solutions to business and clinical problems. Mr. Anderson noted they drive all of their projects from a clinical need to do something that they can apply the technology to solve. A major quest has been to determine if PKI is a valid infrastructure for the health industry and establish a model. An ancillary mission has been to establish if FBCA is an answer to the interoperability issue of PKI in health care.

Minnesota and North Carolina will participate in a pilot in real clinical health care situations involving multiple CAs. The projects in North Carolina concern an immunization project involving public and private records accessed through SSL3 over the Internet. The only way to share information with primary caregivers has been fax and phone calls. Digital certificates and biometric validation will be added.

UNC-Chapel Hill has two clinical projects involving young children with severe problems who cannot be cared for in their local communities. Some children are at a neonatal intensive care unit; the rest came to an intensive clinical setting from rural areas. Databases, accessible to authenticated individuals, will enable parents, anxious to hear on a real-time basis through their primary care physician, to know how things are going. Clinicians also see this as an opportunity to train local physicians so, when children return to their communities, health providers are prepared to continue appropriate care.

Minnesota is initiating immunization data and newborn screening projects with the Federal Bridge. They want to provide secure access to a central query service for eligibility inquiries and realize interoperability among the projects.

Mr. Anderson recommended that the subcommittee keep an eye on emerging models. He observed that the HealthKey Bridge Project could evolve into a national infrastructure for health care: That's presumptuous, but we don't see any alternatives to get interoperability up and running within the two-year timeframe HIPAA requires. He pointed out that no one could rely on a single vendor; everyone has to look at the marketplace. If we can plug into a bridge fairly easily, without a lot of developmental costs, it will encourage others to come into the marketplace.

The big problem, he noted, is interoperability between CAs and the competing infrastructures. He cited it as the primary barrier to interorganization adoption of PKI-based signatures. Until that problem is solved, he said, PKI will probably languish as a disconnected set of islands of many PKIs that can provide e-signatures intramurally, but are not useful in the multi-organizational system of US health care. Observing that HIPAA standards specify encryption, but not PKI, Mr. Anderson recommended mandating use of PKI, based on electronic signatures with minimum operating characteristics and attributes. HealthKey views PKI as the only technology available to implement good electronic signatures. With a more robust PKI infrastructure, including a Bridge CA for health care, there would be wider use of additional certificates, perhaps in combination with biometrics identification, to activate the user's digital certificate.

Mr. Anderson said NCHICA was not yet using electronic or digital signatures, but plans to use them to reduce cost, improve timeliness, and accuracy of transactions now performed on paper.

Mr. Anderson suggested adoption of a standard form factor, such as a credit card-sized or a brass key-shaped token to enable portability of the digital identity. He noted that while there are minimum standards for secure encryption, there are no standards for holding and transporting digital certificates for use in generating PKI-based digital signatures. Vendors pitch proprietary incompatible pieces of the pie resulting in further fragmentation and degrading interoperability.

Two documents, "Recommendations and Guidelines for Community-based Testing," and "A Framework and Structure Process for Developing Responsible Privacy Policies," are available on the HealthKey Web site.

John Lynch, Connecticut Hospital Association

Mr. Lynch, vice president for CHIME Trust, an affiliate of the Connecticut Hospital Association, presented a physician-patient scenario that looked beyond the role of digital signatures to view the entirety of authentication, identification and encryption as the business case. He noted health care providers want something simple and straightforward that plugs in and works all of this process together. He emphasized the need to think about how our health care requirements mesh together, and find a solution that meets them all.

Chain of trust interoperability across health care communities, Mr. Lynch noted, is a prime requirement. He emphasized the importance in health care of: 24 by 7 by 365 reliability and availability, a trusted root, signature authority bound to roles and identity, and non-repudiation. He stated that the federal model is looking at multiple keys for individuals: e.g., a signing key separate from an encryption key. An encryption key you might want in a back up authority, in case it is lost. The signing key is kept where no one else can get it, maintaining non-repudiation.

Mr. Lynch observed that the signature is tied to various roles and identities. At one hospital, a physician may be the ER physician; in another, a consultant with access to different data. Directories track key requirements and components controlled by the owners of the data.

Mobile identity is another key requirement. Many physicians have multiple offices, hospitals, and other locations. Their identities have to go with them. One identity, multiple uses. Connecticut is testing one ID issued by the hospital HR department that is your right of entry to the doctor's parking lot and lounge as well as opening up the computer.

Mr. Lynch remarked on the need for organizational level policies as well as those pertaining to personnel. Organizational servers and devices have functions (e.g. encryption) and identities in a chain of trust that can be extended through a CA and cross-certification to the broader community. He suggested NCVHS could take a major role in leading the industry toward minimal quality criteria for policies essential to establishing trading partner agreements. He said trading partner agreements that emerge from establishing layers of trust between institutions are the business case for digital signatures.

Mr. Lynch also said that NCVHS could help by taking the ASTM kind of standard role and reinforcing the concept of common roles and understandings and definitions. He recommended that HHS focus on standard policies and a standard credentials authority. Everyone had talked about health care policies, employee policies, developing standard policies for DEA and non-DEA physicians, and for enabling people to deal with each other across CAs. Somebody has to adjudicate trust between them. He suggested NCVHS could adjudicate, at least for Medicare.

He said NCVHS also ought to have a key role in the audit process. Not only should NCVHS look at health care-specific policies, it should be looking at how it could ensure that the CAs and RAs meet some level of criteria in order to be cross-certifiable.

Mr. Lynch encouraged HHS to lead by example. Requiring use of PKI for Medicare data and allowing CAs to be intermediaries in trading partner agreements and issuers of NPIs would simplify the process and validate participation.

Sherry Neuman, iScribe

Dr. Neuman introduced iScribe as a private company with a mission to provide acceptable technology to physicians that reduces medication errors, improves patient care, and helps eliminate administrative hassles that are inherent with the current paper-based prescription process. Noting that health care providers are not technophobic, but resist being forced to change the pattern of their daily practice, Dr. Neuman discussed how iScribe strives to fit technology to the doctor's work flow.

iScribe developed an application for a personal digital assistant, both a Windows CE-based product and a Palm-based product, which enables doctors to select a patient and drug, then print, fax, or electronically transmit a prescription to the patient's pharmacy. More important than its speed or ease, she said, is how the drug is prechecked for formulary compliance and potential problems that might arise, such as drug interactions or other therapeutic anomalies.

Some 750 physicians use the Windows CE-based product, with about 1,500-2,000 awaiting installation. Another large group of doctors have downloaded the program to their own personal PDAs. This mobile technology offers the venue that physicians need in order to be able to interact with technology and accept it.

iScribe uses electronic and digital signatures in two ways. Digital signatures are used in their network operations communication center, using SSL-based key mechanisms that are RSA 2042 bits for the public key cryptography. iScribe’s virtual private network communications use IKE to pass key pairs for the secret key cryptography for data encryption.

Digital signatures enable iScribe to ensure transactions between physicians and pharmacies are secure from the PDA to their network operations center using Certicom, and that transactions are secure between trading partners: retail pharmacies and processors or pharmacy benefit managers.

Benefits of using this technology and digital signatures include the ease with which they can be set up and the maintenance IKE offers, due to industry-wide standards, for this network layer. iScribe does not support open key exchange with trading partners at any application level.

The major problem that iScribe encountered is the lack of a global approach. Each of the solutions takes a local view, and interoperability or cross-functionality is missing. Also, there is limited experience in this field, and each company is moving forward, developing its own, almost proprietary, way to deal with transactions.

iScribe’s plans to enable electronic signatures and digital signatures nationally include meeting with state legislative bodies. Dr. Neuman said getting laws at the state level to allow electronic transactions with secure digital signatures and electronic signatures is vital.

E-SIGN and UCITA have laid the groundwork. It's up to trading partners and business entities in health care to apply the tenets of E-SIGN. The HIPAA final rule for electronic signatures will allow the states to fall back on or use that as their authority to write laws in their individual states.

Discussion

Mr. Guida summarized discussions with GAO about the effort to effect interoperability across agencies that focused, not only on the Federal Bridge, but, more importantly, on the policy model. FBCA has a charter. The Seattle Council endorses FBCA and it is part of the CIO council.

He suggested the subcommittee could help bring coherence to an inherently incoherent situation across, not just health care, but the whole government. Every agency has its own certificate policy for its PKI. Over three dozen agencies are doing PKI work, tests, or production uses. He mentioned five production uses of PKI; agencies relying upon digital signatures and/or the encryption capability of PKI to support their mission accomplishments. DoD is an enormous user of PKI. The FDIC has all 7,000 employees PKI enabled and is enabling member institutions. The FAA is digitally signing aircraft safety material. The US Patent and Trademark Office had production uses for patent claims.

He said that FBCA strived to develop a Federal Bridge certificate policy that could be emulated; elements can be adopted into the agency certificate policies to facilitate policy mapping at a later time. FBCA encourages agencies that conform to one of the levels to consider the Federal Bridge certificate policy as an option that will make it easier to policy map later on.

Mr. Gellman commented that preserving the utility of an electronic document required a medium (software, hardware and a particular operating system) that could be read on a long-term basis. He said Mr. Guida raised a problem: a whole structure of nested institutions work together to produce the results wanted--and if those institutions have not evolved, we have taken a difficult electronic records management problem and magnified it.

Mr. Guida encouraged agencies considering preserving records long-term to think about what formats are least likely to change. PDF and XML-based formats offer hope of preserving information in a way that will not be altered. He recommended the digital notary approach for documents saved with signatures, when needing to execute a reformat. An individual, authorized within the agency, validates the signature on the document, then converts and signs over the changed format, attesting to the fact that this digital notary has tested the signature, done all due diligence things, completed the conversion, and signed the document in the new format.

Mr. Guida noted that a minimal amount of information is required to be confident that a signature was legitimately made: the certificate presented upon receipt, the certificate revocation list, the request to an online certificate status protocol responder stating your certificate had not been revoked and was then valid, and a trusted time stamp. Network logs, network information, and audit records need to be preserved electronically for a long time. He noted that problem had to be solved. PKI solves it better, he said. Elements needed to subsequently prove a signature are institutionally well defined: the certificates, the CRLs, maybe a certificate trust path.

Dr. Zubeldia thanked the testifiers, noting they provided divergent views from the first day, and that it was always refreshing to hear different things. He observed that the technology was promising, but until the vendors made it as reliable as fingerprints and other biometrics, 24 by 7 by 365, there was a problem--one that could be fixed. The technology will get there. If enough people adopt it, they will make it happen.

Mr. Lynch agreed that the digital certificate contains the proper information. What were lacking were the software and an automated way to trust. Off-the-shelf implementations had a ways to go. He recommended pushing the Microsofts to retrofit by issuing health care requirements.

Dr. Zubeldia noted that yesterday they talked about signatures. Today they talked about PKI, a secured mechanism that can be used to encrypt and sign. He said he heard the need to have interoperability among certification authorities, in the PKI components, and in the signatures. He said before we have interoperability in the signatures, we need to find signatures that meet health care requirements, and these may or may not be PKI-based. Ms. Neuman had testified about the use of biometric and PKI. Dr. Zubeldia asked could a biometric graphical signature assist in what they were trying to do, or was PKI the only way to do it?

Mr. Lynch remarked that Connecticut had tried a variety of different biometrics. Signatures are not reliable enough for health care. Biometrics is not quite there yet. Facial recognition is not reliable enough. Fingerprints do not work through rubber gloves, and taking them off left a powder residue. There are no standards yet on biometrics. He said biometrics are probably a generation away and will only be used to open up a digital certificate. A biometric, by itself, isn't bound to a document for long-term proof that it has not been tampered with.

Mr. Guida agreed that ultimately biometrics will play a powerful role, but expressed concern that the algorithms are proprietary and not interoperable. He also observed that, in the final analysis, a biometric identifier is a shared secret. You register on a template for remote authentication. With PKI, you may have a PIN, password or biometric and no one else possesses your secret.

Dr. Neuman noted no intervening entity laws are already in place for pharmacy in many states. Digital certificates will be required if anyone is going to electronically send these transactions.

Mr. Anderson said he hoped biometrics is a technology generation away, not a human generation away. In order to enable health care, we have to get technology out of the face of the clinicians. We've got to have a workstation we can walk up to and it readily identifies us--and when we walk away, it shuts down. He said the committee could help paint a vision of what health care should be in terms of assisting with holding people accountable for accessing data, and make it easy for that to happen in biometrics and PKI. The liability that the law is painting for violations of access is too much not to take seriously.

Mr. Blair focused on the need to facilitate interoperability. He said he was encouraged to hear about the Federal Bridge project. He added he had heard suggestions that NCVHS recommend policies for certification for Bridges and with respect to role and -based access controls. He asked for clarification on how far the subcommittee should go.

Mr. Lynch noted that ASTM has a set of health care roles and pointed out that everyone should be using the same definitions. Various employee levels needed to be either in the policy, or in a directory or database shared with people at the other end so everyone knew levels of authority. Mr. Guida concurred, adding that a directory profile and certificate profile facilitate interoperability. The directory profile enables directories to work together with common schema. A certificate profile describes the contents of a certificate. In addition to the standard fields (your name, public key, validity dates, etc.) are extensions—e.g., name constraints. One thing people worry about in PKIs that cross-certify is transitive trust. The DOT cross-certified with the Federal Bridge, the Bridge cross-certifies with DoD, and they create a trust path through the Bridge of cross-certificates. What happens if DOT cross-certifies with Cuba? Suddenly, there is a chain of cross-certificates where DoD could suddenly create a trust path all the way to a Cuban certification authority, and they would be very disconcerted if they had such a thing. The name constraints extension is a field that deals with that consideration. When the Bridge issues the certificate to the DOT, that certificate would contain in the name constraints field, a listing of certificates under the directory information tree, Treasury is authorized to provide for the interoperable universe.
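The bridge mechanics Mr. Guida described in his presentation (a trust path of cross-certificates, with policy mapping carried in each cross-certificate) and the name constraints safeguard against transitive trust described above can be shown in a small model. This is an added example, not part of the minutes or any FBCA software; it is a simplified model rather than full X.509 path validation, and the policy names, distinguished names and the "Foreign" CA are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class CrossCert:
    issuer: str            # CA that signed the cross-certificate
    subject: str           # CA being certified
    policy_map: dict       # issuer-domain policy -> equivalent subject-domain policy
    permitted: tuple = ()  # name constraints: permitted DN subtrees; () = unconstrained
    revoked: bool = False


def in_subtree(dn, base):
    """True if dn equals base or sits below it (simplified string DN compare)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def check_names(dn, constraints):
    for allowed in constraints:
        if not any(in_subtree(dn, base) for base in allowed):
            raise ValueError(f"name constraints exclude {dn}")


def validate_path(path, ca_dn, end_entity_dn, policy):
    """Walk the cross-certificates in order; return the policy the end-entity
    certificate must assert in its own domain, or raise ValueError."""
    constraints = []
    for cert in path:
        hop = f"{cert.issuer}->{cert.subject}"
        if cert.revoked:
            raise ValueError(f"{hop}: cross-certificate revoked")
        if policy not in cert.policy_map:
            raise ValueError(f"{hop}: no policy mapping for {policy}")
        policy = cert.policy_map[policy]
        # Constraints set by earlier certificates bind every later name in the path.
        check_names(ca_dn[cert.subject], constraints)
        if cert.permitted:
            constraints.append(cert.permitted)
    check_names(end_entity_dn, constraints)
    return policy


def find_trust_path(anchor, target, certs, ca_dn, end_entity_dn, policy):
    """Breadth-first search from the relying party's own CA to the target CA.
    Returns (chain, mapped_policy), or (None, errors) if no path validates."""
    queue, errors = deque([(anchor, [])]), []
    while queue:
        ca, path = queue.popleft()
        if ca == target and path:
            try:
                mapped = validate_path(path, ca_dn, end_entity_dn, policy)
                return [anchor] + [c.subject for c in path], mapped
            except ValueError as exc:
                errors.append(str(exc))
                continue
        visited = {anchor} | {c.subject for c in path}
        for cert in certs:
            if cert.issuer == ca and cert.subject not in visited:
                queue.append((cert.subject, path + [cert]))
    return None, errors


# Constructed sample domains (names and policies are illustrative only).
CA_DN = {
    "DoD": "ou=DoD,o=U.S. Government,c=US",
    "Bridge": "ou=FBCA,o=U.S. Government,c=US",
    "DOT": "ou=DOT,o=U.S. Government,c=US",
    "Foreign": "o=Foreign CA,c=XX",
}
ALICE = "cn=Alice,ou=DOT,o=U.S. Government,c=US"
FOREIGN_USER = "cn=User,o=Foreign CA,c=XX"


def build_certs(constrain_dot):
    """DoD relies on the Bridge; the Bridge certifies DOT, optionally with
    name constraints; DOT has separately cross-certified a foreign CA."""
    return [
        CrossCert("DoD", "Bridge", {"dod-medium": "bridge-medium"}),
        CrossCert("Bridge", "DOT", {"bridge-medium": "dot-level2"},
                  permitted=(CA_DN["DOT"],) if constrain_dot else ()),
        CrossCert("DOT", "Foreign", {"dot-level2": "foreign-basic"}),
    ]


if __name__ == "__main__":
    for constrained in (False, True):
        print(constrained, find_trust_path("DoD", "Foreign", build_certs(constrained),
                                           CA_DN, FOREIGN_USER, "dod-medium"))
```

Without the constraint the DoD relying party reaches the foreign CA through DOT; with the Bridge's certificate to DOT limited to DOT's own directory subtree, that path is rejected while DOT's own users still validate.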

Mr. Gellman brought up concerns that had been mentioned about privacy consequences. The issuance of certificates creates a pile of information. And transaction activity creates yet another database, not just dealing with privacy, but also information with corporate sensitivities. Who is talking to whom tells something. He asked if anyone had dealt with compliance of the Privacy Act or the Privacy Act system of records this created. Mr. Guida asserted all the records created as a consequence of the registration process for users are Privacy Act system records, protected in accordance with that act. Depending upon how agencies design their applications, retrievable information regarding the use of certificates would be protected under the Privacy Act.

Mr. Anderson said he was encouraged hearing about the policies backing up the Federal Bridge and that the vendor who put the Federal Bridge together is a 501(c)(3), a neutral facilitating entity. He noted NCHICA’s concern about building a business model that worked and said they could use help and encouragement from federal agencies. Dr. Neuman said she was impressed that commercial off-the-shelf software was tested. Mr. Lynch was encouraged that they were cross-mapping at the object identifier policy level. Hearing they could have multiple policies in any one certificate was also heartening. What was missing, he said, was consensus around policies. He proposed that NCVHS take the lead in determining minimal policies and definitions to get everyone cross-talking. Dr. Zubeldia said it was encouraging to hear the four essential elements were policies, certificate policies, the actor and certificate profiles; there is some common thought there. He asked how health care could plug into the bridge.

Mr. Guida said this approach offers multiple ways to get people working together. At some point, HHS and/or HCFA and/or NIH will cross-certify with the Federal Bridge--but the interesting thing is it doesn't just have to be HHS. He said they already had situations where he expected some subdepartmental agencies would cross-certify with the Bridge, with the agreement of the parent agency. The Bridge certificate policy expresses explicitly an intention to cross-certify with external elements. One approach is developing your own Bridge. Others cross-certify into that Bridge, and it becomes your Bridge of interoperability for health care providers and activities. Then your Bridge and FBCA’s Bridge cross-certify. Anyone in the health care community who did not wish to participate in the health care Bridge could cross-certify with a HCFA CA or an HHS CA, gaining topological connectivity. A third approach is direct certification with the Federal Bridge itself.

Mr. Lynch said he saw a challenge for NCVHS to bring parties together. There is a large VA in Connecticut. Yesterday everyone heard about DEA. NCVHS could bring them and the pilot from HealthKey together.

Dr. Cohn thanked the panelists for fascinating, thought-provoking discussions. One big issue discussed was interoperability; they had looked in-depth at many issues around that and identified technical, policy, and educational pieces. He said he was struck that the policy pieces were so profound. He said he was reminded, listening to mapping, of terminology mapping frameworks the subcommittee had done. He agreed with Mr. Guida; the devil was in the detail. On a high level it all sounds great; trying to get data and concepts to map well is a challenge.

Agenda Item: Discussion and Future Plans

Dr. Zubeldia said specific implementation guides were needed. One was an industry- and consensus-driven implementation guide on how to do signatures for the transactions. Generic, technology-independent policies stating minimum requirements to identify an individual had to be implemented; an attempt had to be made at consensus.

He noted technology alone was not enough; policies surrounding it are important. He suggested experts from the FBCA and DoC could bring their insights to policies the subcommittee still had to work with. A question lingered from the morning: What was NCVHS’s role--Should NCVHS accredit the CAs or get directly involved with the Bridge? He did not think so, but somebody had to build trust. Ms. Frawley said NCVHS’s role was fairly clear from the discussions. She did not see them certifying entities or going beyond their scope outlined in the charter. But the industry needed clarity of definitions, requirements, and guidelines for policies. She affirmed this was within their role. Noting many SDOs will hold meetings shortly, she proposed they coordinate with them as soon as possible about implementation guides. Hopefully, in a couple months progress reports and work already underway would help the subcommittee develop recommendations.

Dr. Cohn suggested their role might be to recommend that the Secretary put together a process to accredit CAs. He noted that when they asked what would work, they were told to talk to X12, HL7, NCPDP. They could ask for their views in January.

Referring to the end date of 2002 and the need to implement ahead of time to begin testing, Mr. Anderson observed that the one thing that brought the North Carolina community together to form a HIPAA implementation planning task force was the issue of interoperability. They hope for a resource to help benchmark a system, a certification site or approved list of vendors. Dr. Cohn replied that the subcommittee and full committee are on record as recognizing the issues and vagaries associated with HIPAA compliance, and are already engaged with the administrative and the financial transactions. He reported that the digital signature aspects of the final regulations are being delayed. They will not be part of the security final rules. Dr. Zubeldia clarified that the security regulations will not be delayed much. The digital signature is decoupled from security and will come later. Dr. Cohn expressed the subcommittee’s and full committee’s concern. He said they were holding these hearings to get this back on track. An interagency regulation team that includes industry representatives continues to meet and receive comments on the regulation.

Dr. Cohn noted that Mr. Blair thought that they had been gravitating towards a two-tiered approach. One tier is looking for common standards for policies, requirements and definitions. They had to drill that down to implementable standards in specific areas: electronic patient records, drug transactions or financial/administrative transactions. They were looking for specific implementations within the overall common policies, requirements, and definitions. Dr. Zubeldia agreed. One tier, he said, was general policies to provide security and authentication that could be implemented by different entities in their own way, but that defined general and minimum requirements for health care. The other was specific implementation of signatures for use with HIPAA health care transactions: an implementation guide adopted by consensus by the SDOs.

Dr. Zubeldia said they needed to talk to standards setting organizations and get them to work. He said he would like to see ASTM working with X12C (the security and syntax part of X12), NCPDP security group, and the Internet Engineering Task Force. Then they should recommend to the Secretary that the standards adopted by SSOs be adopted by the Secretary under HIPAA as the signature standard. The Federal PKI Bridge or NIST or another SSO that defines policy should look at health care-specific policies and adopt or recommend their adoption as HIPAA standard policies. Dr. Cohn noted they had heard a lot, already referenced in other standards, that provided a foundation for this. Dr. Zubeldia recommended that HCFA lead the way by adopting this standard, as they had recommended for the electronic medical record. HCFA could lead in adopting the standards under HIPAA, or just for Medicare.

Mr. Blair observed that the subcommittee was not prepared to make any recommendations until they had done some homework and had testimony in January. Then, they could talk amongst themselves to see if consensus or a convergence of recommendations might be possible in later January or early February. Ms. Frawley expressed doubt that they could have a recommendation for the full committee at the February meeting, but noted they had a process for working between meetings in order to develop consensus on recommendations to the Secretary. She agreed that they needed to do homework; they needed to be as educated as possible to present recommendations to the full committee. Unless they had a eureka moment, it would not be until spring before they would be in a position to make any recommendations to the full committee, and then on to the Secretary. Mr. Blair maintained that there might be great consensus; maybe a miracle will happen. Dr. Cohn replied he was an optimist. He did not count on a eureka moment; but if it happened, they should leverage it. Recognizing that there were a number of standards everyone had to be familiar with, it was decided to pull together a list of documents for everyone to read. There would not be a letter coming out of the day; but when they had a sense of consensus and some enlightenment, they needed to send a letter to the Secretary recommending it.

Thinking about HCFA as a leader, Ms. Burke-Bebee suggested finding out what they are doing regarding electronic signatures and meeting the Government Paperwork Elimination Act’s requirement to have something in place by 2003. She noted the transactions they were talking about with respect to health care are the same transactions for which the SDOs cited there was no need for an electronic signature. Medicare does a lot of EDI without electronic signature. The subcommittee will review HHS's October report to OMB on their progress in implementing GPEA.

Mr. Blair’s report on his two-day meeting with the state of New Mexico, follow-up on NCVHS’s monitoring of ongoing implementation issues, was held over to the November subcommittee meeting. The lead item for that meeting, revisions of the letter to the Secretary on digital signature, had already been modified. There will not be a letter, but there will probably be an update on progress, discussions regarding SDOs, as well as planning for the January hearing.

Dr. Cohn identified seven major issues that they were tracking or needed to deal with: (1) tracking implementation of the HIPAA standards: the financial, administrative, and security standards and identifiers; (2) the issue of changes and updates to current standards and new standards, e.g., first report of injury. Dr. Zubeldia mentioned another standard was coming from X12 on the coordination of benefits; (3) a recommendation on electronic signature, and getting the process actively moving again towards final resolution around standards for digital signature in health care; (4) hearings on enforcement and compliance and a notice of proposed rulemaking; (5) patient medical record information standards; (6) the issue of the openness of the updating and maintenance process for code sets selected for HIPAA standards; (7) the general issue of letters to the full committee on recommendations regarding the claims attachments NPRM and the health plan identifier NPRM. He noted that they hoped to soon see some NPRMs. In addition, the current status of ICD-10-CM medical device codes had to be assessed. And there needed to be an update and discussion about the turmoil over the mapping between NDC and J codes.

Dr. Cohn confirmed that he heard the need to hold a January hearing around next steps in digital signature and input from SDOs and ANSI/HISB. He said he also sensed this was the time to hear from the designated SMOs about changes and updates to the standards, as well as any new standards that needed to be brought forward. A full panel is expected, talking about issues brought up at the last set of hearings around data issues related to some standards and the ability of information systems and organizations to capture all that data. There will be debriefing and identification of next steps. Discussion was also needed around maintaining and updating claims attachments and issues on standards of PMRI, namely, the refining of criteria, and prioritization.

Ms. Frawley suggested that at the February subcommittee meeting the industry could come forward and weigh in. Adopting the X12 standards, she recalled, they heard from about 50 people. Everyone came into the room and to consensus. Hearing from the SDOs, then giving industry the opportunity to weigh in, we felt very comfortable making our recommendations. Dr. Cohn noted that they did need to loop back once they had something more definite. We heard there is an issue, and it's not something that should wait. We need to get this resolved.

Other sessions will be held mid-March, probably mid-to-late April, and mid-to-late May. One will be primarily devoted to PMRI next steps. Enforcement and compliance is ready for discussion, and will probably be another issue. Code sets and a variety of other things would be another discussion. Tracking implementation is insinuated through all of this.

The executive committee meeting will be at the Hubert Humphrey Building on November 27th. The full committee meetings are November 28th and 29th.

Mr. Blair noted that the two days were educational and helpful; they have a course to tackle and complex, difficult issues. Dr. Cohn thanked the subcommittee for their forbearance and the attendees for helping to frame the issues and remind everyone that we do not yet have the answers. The meeting was adjourned at 12:37 p.m.


I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

\s\ Simon P. Cohn, Chair

Date: 4-13-2001