Kepa Zubeldia, M.D.
ENVOY-NEIC / AFEHCT

Clearinghouses and the Security Provisions of the Administrative Simplification Act

National Committee on Vital and Health Statistics (NCVHS)
Subcommittee on Health Data Needs, Standards and Security
August 5, 1997

Introduction

I want to thank the Subcommittee for extending the invitation to testify today representing the Clearinghouses members of AFEHCT. It is a privilege and a special opportunity, not only for AFEHCT, my employer, ENVOY-NEIC, but also for myself.

I am coming today representing the Association For Electronic Health Care Transactions (AFEHCT). I have the pleasure of serving on the board of directors of AFEHCT. My position with ENVOY-NEIC is Vice President of Technology, in charge of the Internet activities, and voting representative to the ASC X12. I co-chair the Interactive Health Care Claim work group in X12, and I am a member of the IEEE.

In preparing today's presentation, I have had meetings with a number of other clearinghouses, large and small, as well as practice management vendor members of AFEHCT, and the views I bring represent a summary of those meetings. It is important to note that although they compete with each other in the market, AFEHCT members share common views regarding the need, benefits, expectations, and potential pitfalls of Administrative Simplification.

Who is AFEHCT

The Association for Electronic Health Care Transactions (AFEHCT) is a voluntary trade association comprised of:

A summary list of AFEHCT members is attached.

AFEHCT formed a security work group in 1996 to explore the issues specific to this area and addressed in the Health Insurance Portability and Accountability Act of 1996. We've enjoyed working with the members of HHS and HCFA who have attended our meetings and have developed a mutually productive relationship. We expect and hope to continue this relationship in the future.

After a number of meetings, the AFEHCT security work group has identified a number of concerns we hope that HCFA and HHS will take into consideration as they formulate policy for the security of individually identifiable health care information.

Market Environment

There is a wide variety of participants in the administration of health care, as depicted in this diagram.

Within these participants there are a number of bidirectional data relationships, backed by contractual trading partner relationships, performing a number of functions. The following example represents the health care claim processing functionality.

As you can see in these diagrams, there are complex relationships. Market pressures and business opportunities have caused the creation of a network of clearinghouses, interconnected in a multitude of ways, offering a balanced and competitive market solution.

Clearinghouses perform not only a reformatting function, which is well known, but also aggregation, verification, and distribution of transactions, as shown below:

It is by performing these functions that a clearinghouse helps achieve true administrative simplification. With the clearinghouse as a trading partner taking responsibility for the data, the health care data can be arranged in such a way as to simplify the processing and the administration by both payers and providers.

One unusual characteristic of the health care processing system is the relative age of most systems. A substantial portion of the data processing infrastructure was deployed in the 80s, with the typical systems using terminals in a shared environment. We have found that less than 25% have Microsoft Windows capable systems, and most of those are used for word processing or auxiliary functions rather than for practice management. Pharmacies show even lower penetration of graphical user interfaces, with a substantial percentage of users still relying on point of sale terminals similar to credit card terminals.

Health care connectivity to the Internet is among the lowest in all industries. Recent studies show that less than 5% of the health care practices are connected to the Internet. This is probably the result of the combination of old equipment not supporting TCP/IP and the fear of security intrusions when connecting to the Internet.

Security and Privacy issues

Privacy, Security.

Privacy and Security are two very different concepts. Too often these terms are used interchangeably when, in fact, security is the means or methods employed to assure privacy. The task before the Secretary is to adopt security regulations at a time when the definition of privacy is still being developed or considered.

In our own discussions in the Security work group we have many times drifted from one topic to the other. We have seen other health care security groups wrestle with the same problems. It is difficult to address security without somehow also addressing privacy in health care.

Access control

Related to the issue of securing health care information is the issue of controlling the access to that information. The ultimate security is achieved when all access is denied. This, however, is not the goal of the security policies. Rather, the policies are to control the appropriate access to the information, with reasonable protection given the risks involved. Both the policies and the access control mechanisms must be in place to adequately protect the health care information.

Privacy breaches

In our research of security issues in health care, we have found a lack of evidence of improper access by breaking through existing technical security barriers, specifically by wire-tapping telecommunication lines or similar intrusive attacks. The reported cases involve confidentiality breaches by individuals who have legitimate access to the information, or the careless lack of security measures to protect the information.

Even basic security measures, such as a paper shredder, or a lockable filing cabinet for medical records, or security and confidentiality policies for employees, are lacking in most medical and dental practices.

For example, a case that was widely publicized involved access to the Social Security Administration database by SSA employees for personal gain. Another case was reported by the news media about medical records being disposed of in the trash can without shredding, and subsequently blown away by the wind.

It is far more difficult to control the access by authorized individuals who abuse their security privileges than to control the access by outsiders through security measures. Given the need to know of authorized individuals, technical security barriers that control the intent of the access are impossible to implement. This is an area where the security policies are more important than the technology.

While privacy and confidentiality breaches are periodically in the news, actual security breaches are practically unknown. The use of the Internet to connect health care computer systems, however, has the potential for dramatically changing this.

Currently over 99% of the health care administrative transactions take place over private networks such as:

Only an insignificant fraction of the healthcare data is being transmitted over the Internet in the several pilot projects currently in progress. All of this Internet data is being encrypted, most of it at the application level.

The cost of breaking through the existing security layers in the transport of healthcare data is many orders of magnitude higher than the cost of breaking through conventional security measures protecting other healthcare data.

Clearinghouses as a party

Clearinghouses in the future

There seems to be an assumption that clearinghouses will disappear once standard transactions are in place. That belief is not supported by the facts and is not widely held by industry experts.

The clearinghouse functionality is clearly defined within the healthcare industry. It provides much more than simple connectivity. Additional features include network management, payer interface relationships, translation services, vendor certification, etc. Even if all providers began using the adopted standard transaction formats immediately, there would still be a strong, long-term market demand for clearinghouses, if for no other reason than to reduce the number of "provider-payer" relationships or connections that any one provider or payer would be required to manage.

Administrative simplification

A provider might reasonably be expected to have direct relationships with the 15, 20 or even 30 payers most common in their geographic area. But it would be unreasonable to expect that same provider to establish a new, direct connection to a payer in another part of the country when they happen, however infrequently, to encounter a patient with that coverage. The same would be true for the insurance plan or payer who currently manages connections to thousands of providers and does not wish that number to increase by thousands.

Without clearinghouses, providers would be required to establish trading partner agreements and electronic connections with some portion of the 1700 payers, 5,000 hospitals, and 50,000 pharmacies in the United States — the total could be more than 52 million trading partner relationships! (And this number doesn't even include the thousands of third-party administrators and direct employer payers of self-insured benefit plans.) The theoretical number reaches into the billions. The estimate of 52 million trading partner relationships assumes that participants do electronic commerce only with those trading partners with which they do a substantial amount of business.

In contrast, clearinghouses reduce these relationships to under 200,000, one for each participant dealing with the clearinghouse of choice.

Clearinghouses and HIPAA

For health care transactions, a critical business process issue is to support, not inhibit, the ability of clearinghouses to create efficiencies in the marketplace -- a role already recognized in HIPAA.

The clearinghouses fulfill a need that is (a) in the public interest, (b) driven by the market needs of the health care community, and (c) already self-regulated. This is a proven business model that has already accomplished great efficiencies for both providers and payers.

The clearinghouses provide functions that are crucial for supporting electronic transmission of health care information: reformatting transactions into standard data formats, error checking, editing, aggregating, distributing and routing transactions, and producing management and analysis reports. To perform these functions, the clearinghouses "open the transaction envelope" for routing and switching purposes yet ensure security and integrity of the data through administrative procedures, technical tools, and contractual agreements — all of which could be certified by the industry-established accreditation authority, the Electronic Healthcare Network Accreditation Commission (EHNAC).

Some of these transactions could, perhaps, be supported without clearinghouses, but only with significant decreases in efficiency and increases in cost to both providers and payers. Coordination of benefits, for example, would become extremely costly to administer, if it could be done at all, without clearinghouses. Several of the transactions that are named in the HIPAA legislation, in reality, require a clearinghouse if they are to be done in a real-time mode, particularly the eligibility, referral and claim status transactions.

Clearinghouses and security

Clearinghouses, in fact, due to their centralized data management, provide a security environment that is much easier to manage than the millions of direct point to point connections that would be required in the absence of clearinghouses.

In a health care environment with over 50 million trading partner relationships, the management of the access control, authentication, data integrity, and other security parameters would become a daunting task. The simple reduction of the number of trading partner relationships makes the management task feasible.

The existence of clearinghouses as aggregation points, although viewed by some privacy experts as a threat, provides an effective security mechanism through which the privacy assurances can be enhanced. It is the implementation of the security policies in a manageable environment that assures the protection of individual privacy.

Clearinghouses as trusted parties

To support efficient and secure transfer of health care transactions, a "chain of trust" is established as transactions flow from provider to payer.

In many cases, multiple clearinghouses are involved as transactions flow from provider to payer. This process has developed and been driven by the needs of the market, in which it is more effective — both administratively and technically — for a clearinghouse to forward certain claims to another clearinghouse rather than creating yet another independent connection with yet another payer. Not only is this process efficient, it enables effective communication, transmission, and interoperability across disparate provider and payer systems.

The "chain of trust" is established by the trading partner contracts between providers and clearinghouses, and between clearinghouses themselves. This is "trust" in the data contents and the identity of the parties. Each clearinghouse certifies, secures, and is responsible for its link in the chain.

Terminology

Security experts use the terms "trusted third party" and "chain of trust" with meanings that are totally different from the meaning of those terms in our context. This difference in terminology has confused many experts.

In our context, a chain of trust is established by business relationships in which each trading partner trusts the data it receives from the previous trading partner to be correct. This trust is based on a business contract, regardless of the data being encrypted, signed, or in any specific format, and without using digital certificates. It is purely a trust in the business relationship.

The clearinghouse, as a trusted party, takes part in the business transaction, and is entrusted with the data with the confidence that it will perform the function as contracted. It is not a "third" party, but is actually a party to the transaction itself. This bears no resemblance to the concept of a certification authority as a "trusted third party," but the lexical similarity is often a cause of confusion.

The term "chain of trust" as applied by security experts to the verification and validation of digital certificates, and the trustworthiness of those certificates, is totally different from the clearinghouse chain of trusted relationships. The digital certificate chain of trust can be automatically validated with a computer program. The clearinghouse trusted relationship cannot be automatically validated, but requires understanding of the legal relationships embedded in contracts.

The role of the clearinghouse as a party to the transaction is crucial in achieving the administrative simplification, while at the same time providing the security and control necessary to preserve the confidentiality of the data thus entrusted.

Security and Risk

Risk assessment

An in-depth analysis of health care security cannot be complete without assessing the different risks involved. Different security measures are appropriate for each level of risk. The risk of compromising the confidentiality of the information varies with the type, amount, and context of the information. For instance, releasing the date of birth of the patient, while irrelevant in a city like Washington DC, could be relevant and enough to identify an individual in a small rural area.

Even though it is possible to restrict computer access to all terminals, by using a biometric fingerprint device, it may not be necessary to do so in the operating room, since access to the environment is itself very controlled. In fact, a fingerprint device would not work in the operating room, where everyone must wear gloves. The risk must be assessed and could easily change with the changing environment.

Risk assessment must take a global view, and not just concentrate on specific technological solutions. For instance, it is of little use to have a lock that only opens with the correct retinal scan in a medical records room that can be easily accessed through the ceiling plenum with a simple ladder.

As an example from another industry, there is risk involved in flying airplanes. We know that many military pilots have been saved through the use of ejection seats and parachutes. Nonetheless, the commercial airline industry has not installed ejection seats for its passengers, nor does it hand parachutes to the passengers upon boarding. Other risk mitigating factors, such as seat belts, oxygen masks, and floating seat cushions, are commonly used. There is a balance between acceptable and unacceptable risk, as well as between the asset to protect (human life) and the cost to protect it. Similar examples are found throughout our daily life, such as driving a car or walking across an open field during a storm.

We believe that the analysis of the risks involved is an integral part of any security proposal in health care. The indiscriminate application of security measures, either too lax or too stringent, will have a detrimental effect on privacy, efficiency, confidence in the system, and eventually, quality of care.

Technology and Policy

Security technology advances have accelerated in the last few years. The Internet, in particular, has increased the need to secure systems against intrusion. There have been many horror stories reported, including web sites that were supposedly secure, such as the CIA, that have nonetheless fallen victim to attacks from crackers.

Ultimate security cannot be achieved if accessing the data is necessary. However, the security barriers can be built in such a way that breaking through the security is economically infeasible.

Since it is still theoretically possible to break through any level of security, it is necessary to accompany the security barriers with a security policy that will adequately cover the case of a security breach. As Senator Bennett explained, the policy will assure that whoever breaches the security barrier "will be very sorry that they even tried."

It is the combination of technology and policy that becomes effective. Technology erects the barriers necessary to support the security policy. Attempting to control the security by one without the other will most certainly fail.

As a practical example, given the policy of maintaining the confidentiality of personally identifiable information, a technology solution can be instituted to process personally identifiable information (Patient ID, DOB, Address, etc.) through a "one way" function that will make it impossible to derive the personal information, while providing a persistent way to identify the individuals in a manner appropriate for longitudinal studies.
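The following is an added example, not part of the testimony, of the "one way" function just described: identifying fields are mapped to a persistent study token with a keyed hash (HMAC-SHA256) under a secret key held by the study. The sample records, the field names and the key handling are constructed for the illustration; the unkeyed variant is included only to show why a bare hash of low-entropy fields such as a date of birth does not meet the "impossible to derive" requirement.

```python
"""Keyed one-way pseudonymization of patient identifiers (added example)."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample records: the first two rows are the same patient with
# formatting differences; the third is a different patient sharing the DOB.
SAMPLE_RECORDS = [
    {"patient_id": "A-1001", "dob": "1957-03-14", "last_name": "Smith", "claim": "C1"},
    {"patient_id": "a-1001 ", "dob": "1957-03-14", "last_name": "SMITH", "claim": "C2"},
    {"patient_id": "B-2002", "dob": "1957-03-14", "last_name": "Jones", "claim": "C3"},
]


def new_study_key():
    """A fresh 256-bit secret per study; different studies get different
    tokens for the same person, so their data sets cannot be linked."""
    return secrets.token_bytes(32)


def normalize(record):
    """Canonicalize the identifying fields so trivial formatting differences
    do not split one individual into several pseudonyms."""
    fields = (record["patient_id"], record["dob"], record["last_name"])
    return "|".join(f.strip().upper() for f in fields)


def pseudonym(record, key):
    """Keyed one-way mapping to a persistent token. HMAC is used instead of a
    bare hash because the inputs have little entropy; without the key the
    token reveals nothing about the person, yet the same person always maps
    to the same token, which is what longitudinal studies need."""
    return hmac.new(key, normalize(record).encode(), hashlib.sha256).hexdigest()


def deidentify(records, key):
    """Replace the identifying fields with the pseudonym; keep study data."""
    return [{"subject": pseudonym(r, key), "claim": r["claim"]} for r in records]


def count_subjects(rows):
    return len({row["subject"] for row in rows})


def unkeyed_token(dob):
    """What NOT to do: an unkeyed hash of a single low-entropy field."""
    return hashlib.sha256(dob.encode()).hexdigest()


def recover_dob_from_unkeyed(token, first_year=1900, last_year=2000):
    """Shows the weakness: every date in a century is only ~36,500 candidates,
    so the 'one way' unkeyed token is reversed by simple enumeration."""
    day, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while day <= end:
        if unkeyed_token(day.isoformat()) == token:
            return day.isoformat()
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    key = new_study_key()
    rows = deidentify(SAMPLE_RECORDS, key)
    print(rows)
    print("distinct subjects:", count_subjects(rows))
    print("unkeyed DOB recovered:", recover_dob_from_unkeyed(unkeyed_token("1957-03-14")))
```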

The technology solutions necessary to maintain confidentiality in an open network such as the Internet are different and not appropriate to other networks such as packet switching, leased lines, or point to point RJE stations. The security policies, however, should be applicable regardless of the technology in use.

The Administrative Simplification Provisions read in part:

The Secretary shall adopt security standards that:

  1. take into account (i) the technical capabilities of record systems used to maintain health information; (ii) the cost of security measures; (iii) the need for training persons who have access to health information; (iv) the value of audit trails in computerized record systems; and (v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and
  2. ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.

Our understanding of the mandate has led AFEHCT to analyze security standards that could be adopted by the Secretary in compliance with these requirements.

Adopting Security Standards

Inventory of healthcare security standards

In the last few months, the Security work group of AFEHCT, in conjunction with HCFA and the DHHS, has been compiling a directory of security standards that could be applied to health care.

We are including in this directory existing security standards, or current work in progress from: Federal Information Processing Standards (FIPS), American Society for Testing and Materials (ASTM), Accredited Standards Committee (ASC) X12, Health Level 7 (HL7), Public Key Cryptography Standards (PKCS), Electronic Health Care Network Accreditation Commission (EHNAC), Food and Drug Administration (FDA), Office of Management and Budget (OMB), Health Care Financing Administration (HCFA), Veterans Administration (VA), European Standards Committee (CEN), Internet RFCs, and others.

Our preliminary finding is that there is not one single standard or even a family of standards that could be adopted by the Secretary. The best candidate, and deserving serious consideration, is the CEN European preStandard for "Security categorisation and protection for health care information systems." This document, still in draft form, is largely technology independent and includes policy and risk analysis considerations. Being a CEN document, it could, if adopted by the Secretary, facilitate the international exchange of health care information with Europe. It is interesting to note here that the European health care systems are precluded from exchanging health care information with their USA counterparts due to the lack of adequate health care security in the USA.

Most of the health care security documents reviewed lack a general focus, and concentrate instead on specific technologies to solve specific problems. Typically the problem they are trying to solve is the transmission of data over an open network such as the Internet, or user authentication in an open environment. Even though these are two security problems to be addressed in the future, they are neither the most important security problems to be addressed nor can they be addressed by a purely technological solution.

Specifically, the ASTM proposals are not technology neutral. They focus on specific security technologies that are proprietary and encumbered by patents. The licensing of these patents from RSA Data Security would add a substantial cost to the administration of healthcare, with little or no benefit to the public. We believe that when standards, by their nature, must be technology driven, the technology should be neutral, and provide public domain alternatives when possible. The cost and risk analysis must be part of the standards setting process.

Applicability of standards

A single set of security standards cannot be applied to all of health care without a complete risk analysis. Otherwise we will end up with security measures too lax in some areas and too restrictive in other areas. This could bring the entire administration of health care to a collapse.

AFEHCT is specifically concerned about the general requirement for encryption and electronic signatures in all electronic transactions, as proposed by others. Some have proposed that all transactions flowing between the Provider and the Payer, or between two Payers, or other trading partners, must be digitally signed and encrypted end to end.

Using end to end encryption will make the data invisible to the clearinghouses. Using end to end digital signatures will prevent the clearinghouses from aggregating and distributing the healthcare data. Either of these end to end measures will effectively wipe out the ability of clearinghouses to perform their administrative simplification function that is so vital in health care.

We are in favor, however, of the discriminate use of encryption and digital signatures when appropriate. These technologies, when supporting specific security policies, will cause the development of a new area of electronic commerce.

For example, the use of the Internet as we currently know it requires the use of strong encryption between the trading partners, as well as positive identification and authentication. The specific technology to achieve these goals on the Internet has been rapidly evolving in the last few years, and even though it is still in flux, it is usable for certain environments. Thus the work done by the ASTM, when viewed in this light, is of great value.

One point worth mentioning is that the specific transactions defined in the HIPAA are implementable using X12 standards and NCPDP standards. The ASC X12.58 standard defines the security structures to be used with X12 formats. In fact it defines the technical requirements to provide assurances at either the transaction set level or the functional group level, or both. It allows sending secure and non-secure transactions inside the same envelope. There is little justification for looking elsewhere when protecting X12 transactions.

Other standards, such as those issued by HL7, ASTM, NCPDP, etc. do not provide syntactical security structures as part of the standard, and must therefore look outside for the security they need.

Recommendations

Security Policies vs. Technology

The Standards adopted by the Secretary should be in the form of security policies instead of specific security technologies.

In some cases the specific policies will restrict the choice of technologies. However, both the development of new technologies at an accelerated pace, as well as the existence of a substantial health care administration legacy base, should be enough reasons to not regulate today the technologies to be used.

The benefit of Policy vs. Technology will be an enduring standard.

Encryption and Digital Signatures

The use of encryption and digital signatures should not be implemented end to end, but between adjacent trading partners.

These technologies should only be used when required to support a security policy, or when their use does not interfere with other business processes. Mandating their universal utilization will not bring administrative simplification, and could cause a collapse of the system. Assessing the security risks, costs, and benefits must be part of the process.
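The following is an added example, not from the testimony, modelling the argument made above under "Applicability of standards" and in this recommendation: an integrity check applied end to end from provider to payer breaks as soon as the clearinghouse reformats and aggregates the claims, whereas a check applied between adjacent trading partners (provider to clearinghouse, clearinghouse to payer) survives the clearinghouse functions and still detects tampering on each link. Shared-key HMACs stand in for the per-agreement signatures, and the claim layouts, keys and payer name are constructed for the illustration.

```python
"""End-to-end versus link-by-link integrity across a clearinghouse (added example)."""
import hashlib
import hmac
import json

# Constructed shared secrets, one per trading partner agreement (one per link),
# plus a hypothetical provider-to-payer key for the end-to-end variant.
KEY_PROVIDER_CH = b"provider<->clearinghouse agreement key (constructed)"
KEY_CH_PAYER = b"clearinghouse<->payer agreement key (constructed)"
KEY_PROVIDER_PAYER = b"provider<->payer end-to-end key (constructed)"

# Constructed claims in the provider's own (non-standard) layout.
PROVIDER_CLAIMS = [
    {"pt": "A-1001", "svc": "99213", "amt": "85.00", "payer": "PAYER-X"},
    {"pt": "B-2002", "svc": "99214", "amt": "120.00", "payer": "PAYER-X"},
]


def canonical(obj):
    """Deterministic byte encoding so both ends compute the tag over identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tag(key, obj):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def verify(key, obj, t):
    return hmac.compare_digest(tag(key, obj), t)


def reformat(claim):
    """Clearinghouse translation into the payer's standard layout."""
    return {"patient": claim["pt"], "procedure": claim["svc"], "charge": claim["amt"]}


def aggregate(claims):
    """Clearinghouse aggregation of claims for one payer into a single batch."""
    return {"payer": claims[0]["payer"], "claims": [reformat(c) for c in claims]}


def end_to_end_flow():
    """Provider tags each claim for the payer; the clearinghouse reformats and
    aggregates; the payer can no longer verify a single tag. Returns False."""
    tagged = [(c, tag(KEY_PROVIDER_PAYER, c)) for c in PROVIDER_CLAIMS]
    batch = aggregate([c for c, _ in tagged])
    checks = [verify(KEY_PROVIDER_PAYER, rc, t)
              for rc, (_, t) in zip(batch["claims"], tagged)]
    return all(checks)


def hop_by_hop_flow():
    """Each link is secured by its own agreement: the clearinghouse verifies
    what it received, does its work, and vouches for the batch to the payer."""
    tagged = [(c, tag(KEY_PROVIDER_CH, c)) for c in PROVIDER_CLAIMS]
    accepted = [c for c, t in tagged if verify(KEY_PROVIDER_CH, c, t)]
    if len(accepted) != len(tagged):
        return False  # clearinghouse rejects anything it cannot verify
    batch = aggregate(accepted)
    batch_tag = tag(KEY_CH_PAYER, batch)
    return verify(KEY_CH_PAYER, batch, batch_tag)  # payer's check


def link_detects_tampering():
    """A claim altered in transit on the provider-to-clearinghouse link fails
    verification at the clearinghouse, so the bad data never reaches the payer."""
    claim = dict(PROVIDER_CLAIMS[0])
    t = tag(KEY_PROVIDER_CH, claim)
    claim["amt"] = "850.00"  # constructed alteration of the charge
    return not verify(KEY_PROVIDER_CH, claim, t)


if __name__ == "__main__":
    print("end-to-end tag survives clearinghouse:", end_to_end_flow())
    print("link-by-link batch verified by payer:", hop_by_hop_flow())
    print("link tampering detected:", link_detects_tampering())
```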

Thank you for the opportunity to present this testimony to you.


Other materials provided with this testimony:

AFEHCT Membership

AFEHCT letter to Secretary Shalala