Statement to
Department of Health and Human Services
National Committee on Vital and Health Statistics
Subcommittee on Standards and Security
Health Insurance Portability and Accountability Act of 1996
Draft Security Standards
February 1, 2001
By
Jan Lovorn
Chief Privacy Officer
Protegrity, Inc.
and
Past Chair of ASTM E31.20 Subcommittee on Data and System Security for Health
Information representing ASTM Committee E31 on Health Informatics
First, let me thank the NCVHS Subcommittee on Standards and Security for this opportunity to speak to you today. As I have testified before, ASTM Committee E31 on Health Informatics became aware of the security requirements in the mid 1990s. Work began under the auspices of Peter Waegemann of MRI on the requirement to authenticate health information as early as 1994. The Standard Guideline on the authentication of healthcare information was published in 1995. It came up for revision last year. Once that standard was completed, and given the ongoing legislation (first the Kennedy-Kassebaum bill and then HIPAA) and the recurring and increasing need to protect health information, the subcommittee was given its current name and began work on several standards related to the protection of health information. The subcommittee was composed of healthcare providers, healthcare organizations, computer security implementers, system implementers, and many other people interested in protecting health information. Two additional standards were developed that apply to digital signatures: a Technical Security Framework (ASTM E2085-00 Guide On Technical Security Framework For Healthcare Information) and a digital signature guideline (Standard Specification for Authentication of Healthcare Information Using Digital Signatures E2084-00). I am here today to tell you about the latter. It was first developed as a provisional standard (a standard with full standard status, just not the complete consensus process). At the end of two years, the standard was elevated to a full standard with the full ASTM consensus process.
ASTM Digital Signature
1. Why is your SDO interested in electronic signatures at this time and what business processes will be enabled or improved by electronic signatures in the future?
ASTM early on saw requirements in the healthcare industry for a method to provide authentication of healthcare information as well as a method for data integrity and later nonrepudiation of actions. Based on the criteria defined in E1762 Guide for Electronic Authentication of Healthcare Information, digital signatures were found to be the only technology that currently meets those requirements. The Technical Security Framework and the Standard Guide for the Use of Digital Signatures in Healthcare were developed.
2. What electronic signature standards are practically being used today, to what extent are they being implemented, and for what purpose, in connection with the standards developed by your SDO?
ASTM E2084 Standard Specification for Authentication of Healthcare Information Using Digital Signatures is based on security industry standards developed by ANSI and ISO. Following is a list of the standards referenced by E2084:
ASTM E1762 Guide for Electronic Authentication of Healthcare Information
ANSI X9.30 Part 2: Public Key Cryptography Using Irreversible Algorithms: Secure Hash Algorithm (SHA-2)
ANSI X9.31 Reversible Digital Signatures Algorithms
ANSI X9.61 Elliptic Curve Digital Signature Algorithm
ISO 9594-8 1993: The Directory: Authentication Framework
ISO 9796 1991: Digital Signature Scheme Giving Message Recovery
RFC 2630 Cryptographic Message Syntax
3. What are the problems or limitations of your current electronic signature methods?
None as far as we have seen. Key lengths may need to be increased due to advances in technology and processing speed. But several implementations meeting the requirements of the ANSI and ISO standards have been available and installed for several years. Their implementations should be verified against the ASTM standard. But the subcommittee sees no problems, because of the diligence with which the subcommittee followed existing standards.
4. To what extent do you believe that a HIPAA standard for electronic signatures will benefit the healthcare industry? Do you believe a HIPAA standard for signatures is possible? How would you go about adopting such a standard?
ASTM Committee E31 on Health Informatics feels that we have developed a standard for digital signatures that can be used by HIPAA implementers to meet the requirements identified in the Security NPRM. Some of those requirements were taken from the E1762 criteria for electronic signatures. Only digital signatures meet all the requirements identified in E1762 and the Security NPRM.
5. What will be the impact of adopting a standard under HIPAA that is different from the electronic signature methods you are using today? What will be the advantages and disadvantages? Will your SDO support such a standard?
It could have significant impact on the information security industry and its consumers and customers.
6. How could your SDO work with other SDOs and with NIST in coming up with such a consensus electronic signature standard?
ASTM would be happy to work with other SDOs and NIST to develop additional standards or implementation guides for digital signatures. In addition to the technical standards developed by ASTM E31.20 Data and System Security for Health Information, we have a sister subcommittee, E31.17 Privacy, Confidentiality, and Access, that focuses on the policy and implementation issues related to security. We could attend joint development meetings, work on joint projects, and review standards before publication to determine that they meet the relevant ASTM standards. To reach consensus, ASTM may need to revise existing standards, and is willing to do so. Our goal is to develop usable standards that meet the ongoing requirements of the healthcare industry.
7. What do you estimate will be the time frame for development of a consensus electronic signature standard that could be adopted under HIPAA?
If we had to start from scratch, it could take 18 or so months. But using ASTM E2084 Standard Specification for Authentication of Healthcare Information Using Digital Signatures cuts a significant slice from that time.
8. What should be the role of the HISB and of NIST in developing such a consensus standard?
ANSI HISB could provide the coordination of the SDOs in the development of the implementation guides that were identified at the January 8 meeting in Orlando, FL. NIST is no longer in the standards development process for information security. The Computer Security Research Center now participates actively in ANSI X9, IEEE, and IETF in the development of standards. Even with the new Advanced Encryption Standard, the final document will probably be handled under the ANSI standards process.
9. What role would you like the NCVHS to play in this area?
NCVHS could provide encouragement and guidelines so that the SDOs can meet the needs of the healthcare industry.
I want to thank you for the opportunity to speak in front of you today.
I have attached a copy of the presentation detailing ongoing ASTM work that is relevant to security, digital signatures, and privacy that was made to the joint SDO meeting in Orlando, FL on January 8 of this year.