Good afternoon, ladies and gentlemen, distinguished members of the panel. My name is Michael Lundie; I am the Director of Health Industry Marketing for Cyclone Commerce. My background is in healthcare information technology, where I have held various positions, both technical and managerial, for some 25 years. Accompanying me here today is Mr. Paul Bussey, Security Components Development Manager for Cyclone Commerce. We thank you for the invitation to speak with you today on the use of electronic signatures within healthcare.
Cyclone Commerce, a privately held corporation headquartered in Scottsdale, AZ, is the premier provider of Trading Community Management software utilized in successful B2B implementations utilizing the Internet. As such, Cyclone's Interchange software is installed in some 300 clients throughout the world in various industries, including nearly 60 healthcare-related entities. Companies such as Bergen Brunswig, McKessonHBOC, St. Joseph's Health System, ExpressBill (a division of WebMD), GlaxoSmithKline, and most recently the New Health Exchange utilize our software as a way of providing secure data transport and scalable community management over the Internet.
Our software supports various forms of data transport, one of them being a B2B framework known as EDIINT. It is with this group that I serve as a liaison between the various healthcare SDOs to ensure the needs of the healthcare industry are represented within the EDIINT task force. And it is the interests of the EDIINT task force that I represent here today.
1. Why is your SDO interested in electronic signatures at this time and what business processes will be enabled or improved by electronic signatures in the future?
The IETF (Internet Engineering Task Force, the parent SDO) commissioned the EDIINT task force with creating a standard for sending EDI data securely over the Internet. Early on, this group realized that a general approach would allow any payload (not just EDI) to be sent securely over the Internet. The EDIINT standard created and currently supported by over a dozen vendors defines a method for encrypting, signing and transporting any data payload over the Internet.
EDIINT, an existing standard with hundreds of implementations, can be leveraged, and is being utilized, by the healthcare community to securely transport any healthcare information over the Internet. The signatures currently used by EDIINT are corporate signatures, which assure one corporation that a document received via the Internet came from a specific trading partner.
We believe that security concepts developed for use with EDIINT may be leveraged to provide a level of support for personal signatures required by HIPAA. The EDIINT task force intends to work with the SDOs within the healthcare community to create an end-to-end solution that meets their specific needs.
2. What electronic signature standards are practically being used today, to what extent are they being implemented, and for what purpose, in connection with the standards developed by your SDO?
EDIINT uses X.509 certificates. Although the standard permits PGP/MIME and encourages the use of Certificate Authorities, most of the installations use S/MIME as a packaging standard and allow self-signed certificates. In other words, companies who already trust each other exchange public keys by trading X.509 certificates.
3. What are the problems or limitations of your current electronic signature methods?
Relative to the needs of healthcare, the only limitation of EDIINT is that direct support for personal signatures is not provided.
But this is an artifact of what EDIINT is used for rather than a technical limitation.
EDIINT is built on top of the well-known PKI concepts. The theory behind the technology is considered to be sound and, when coupled with a CA (rather than a web-of-trust) trust model, is infinitely scalable.
4. To what extent do you believe that a HIPAA standard for electronic signatures will benefit the healthcare industry? Do you believe a HIPAA standard for signatures is possible? How would you go about adopting such a standard?
I suspect that the most immediate advantage of HIPAA may be the ability to leverage the Internet to securely transfer healthcare documents.
A HIPAA standard for signatures is possible. I believe that a generic signature standard already exists. The existing problem is not one of inventing a reliable signature but of identifying, then defining, an implementation for each signature use case. The ASTM identified the use cases (Standard Guide on Security Framework for Healthcare Information: E2085-00), but work still needs to be done on a standard for implementation of each use case.
It is not clear that EDIINT will have a direct role in defining these use case implementation standards, but we do stand ready to make any modifications necessary to EDIINT to ensure the payloads defined by the healthcare SDOs can be transmitted via EDIINT.
5. What will be the impact of adopting a standard under HIPAA that is different from the electronic signature methods you are using today? What will be the advantages and disadvantages? Will your SDO support such a standard?
EDIINT supports digital signatures created by signing an electronic document with a private key. Certain algorithms are explicitly supported, but none are disallowed. However, vendors have not elected to support all standards. All interoperability trials used RSA as the signing algorithm. EDIINT is not opposed to other signature algorithms, but the disadvantage of using something besides RSA is simply the amount of vendor support.
I might add that RSA was chosen even when it was covered by patent; this is no longer the case.
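The corporate-level arrangement described in answers 2 and 5 (trading partners exchange self-signed X.509 certificates out of band, then each signs its payloads with its own RSA private key and the receiver verifies against the pinned certificate) can be shown end to end in a short program. This is an added example written for this page, not code from Cyclone Commerce or the EDIINT specification: it uses only the Go standard library, chooses RSA PKCS#1 v1.5 over SHA-256 as the concrete signature scheme (the testimony names only RSA), omits the S/MIME packaging layer entirely, and the partner names and EDI-like payload are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Partner holds a trading partner's RSA key and its self-signed certificate
// (hypothetical partners; no real organization is implied).
type Partner struct {
	Name string
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewPartner generates a 2048-bit RSA key and a one-year self-signed certificate.
func NewPartner(name string) (*Partner, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{name}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Template is also the parent: the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Partner{Name: name, Key: key, Cert: cert}, nil
}

// CertPEM is the artifact a partner hands over out of band when "trading certificates".
func (p *Partner) CertPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: p.Cert.Raw})
}

// Sign produces an RSA PKCS#1 v1.5 signature over the SHA-256 digest of payload.
func (p *Partner) Sign(payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, p.Key, crypto.SHA256, digest[:])
}

// TrustStore pins, per partner name, the certificate received during the exchange.
// Because the certificates are self-signed, this pinning is the whole trust decision.
type TrustStore map[string]*x509.Certificate

// AddPartnerCert parses a received PEM certificate and pins it under name.
func (ts TrustStore) AddPartnerCert(name string, certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in PEM for %s", name)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	ts[name] = cert
	return nil
}

// Verify checks that sig over payload was made by the key in the pinned certificate
// for name and that the certificate is within its validity period.
func (ts TrustStore) Verify(name string, payload, sig []byte) error {
	cert, ok := ts[name]
	if !ok {
		return fmt.Errorf("no pinned certificate for %s", name)
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate for %s outside its validity period", name)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate for %s does not carry an RSA key", name)
	}
	digest := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	sender, _ := NewPartner("Partner A") // constructed partner
	receiverTrust := TrustStore{}
	_ = receiverTrust.AddPartnerCert("Partner A", sender.CertPEM()) // out-of-band exchange
	payload := []byte("ISA*00*          *00*          *ZZ*PARTNERA*ZZ*PARTNERB~") // constructed
	sig, _ := sender.Sign(payload)
	fmt.Println("genuine payload:", receiverTrust.Verify("Partner A", payload, sig))
	payload[0] ^= 1 // one flipped bit
	fmt.Println("tampered payload:", receiverTrust.Verify("Partner A", payload, sig))
}
```

The receiver never consults a CA; it trusts exactly the certificate it pinned, which is why a second key that merely claims the same organization name fails verification. Moving to a CA trust model would replace the map lookup with chain validation against the CA's root, while the signing and verification calls stay the same.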
6. How could your SDO work with other SDOs and with NIST in coming up with such a consensus electronic signature standard?
EDIINT is more of a secure transport standard; the signatures specified are at the corporate level. However, we are already working with the healthcare SDOs to ensure that the EDIINT standard will support whatever payload is defined to support the personal signatures (i.e., doctor, patient) affixed to the payload which needs to be transferred by EDIINT.
In addition, members of EDIINT who have security expertise are already working with the healthcare SDOs to define standards for each signature use case.
7. What do you estimate will be the time frame for development of a consensus electronic signature standard that could be adopted under HIPAA?
Defining an algorithm should not take long. Since there are several completely acceptable technical approaches, making a decision is more important than the decision made. The bigger effort is defining an implementation for each signature use case. This effort could easily take 5-10 months for a committee to complete. Fortunately, a significant portion of the effort, clearly defining the signature use cases, has been completed by ASTM.
It seems to me that each of these use cases will take a chunk of time, and a phased deliverable could be defined where the most important or most common use cases would be defined first. EDIINT is in no position to make priority judgments in this area.
8. What should be the role of the HISB and of NIST in developing such consensus standard?
EDIINT was very recently invited by the healthcare SDOs to assist in meeting HIPAA requirements in a timely manner. My impression is that these SDOs are currently working well together to respond to the HIPAA requirements.
I think the best role for HISB or NIST to play is to set specific and aggressive targets for delivering a specification. These should include, when possible, milestone targets which occur every few months. My rationale is this: the question is not whether the technology is up to the task but in choosing what technology or combination of technologies to use.
When presented with many viable options, a task has a tendency to expand to meet the time allocated. This is especially true of committee work. My strong suspicion is the technical advantages of one approach over another are not as important as specifying a viable solution and moving forward.
9. What role would you like the NCVHS to play in this area?
Same answer.