A Presentation To

DEPARTMENT OF HEALTH AND HUMAN SERVICES
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
SUBCOMMITTEE ON HEALTH DATA NEEDS, STANDARDS, AND SECURITY

Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)

A Perspective on Information Security

August 6, 1997

Presented by: Donald L. Bechtel
Advisory Analyst, Strategic and Technical Planning
Healthcare Data Exchange (HDX)
A Subsidiary of Shared Medical Systems, Corp. (SMS)

Introduction.

Mr. Chairman and members of the committee, I am Don Bechtel, an Advisory Analyst responsible for Strategic and Technical Planning at HDX. I am also a co-chair of the ANSI Accredited Standards Committee X12 Eligibility Work Group within the Insurance Subcommittee. On behalf of HDX and SMS (HDX's parent company), I want to thank you for the opportunity to testify before you today on the very important subject of the security and confidentiality of individuals' health related information.

As you may know, SMS and HDX were very early supporters of the legislation Senators Bond of Missouri and Riegle of Michigan, and Representatives Hobson and Sawyer of Ohio first introduced in 1993 as the Health Care Information Modernization and Security Act. This legislation received strong bipartisan and bicameral support throughout the health reform activities of the Congress under both the Bush and Clinton administrations. And we are pleased to see that the legislation enacted as a part of the Health Insurance Portability and Accountability Act of 1996 (Subtitle F - Administrative Simplification) remains true to the original precepts of Senator Bond's pioneering efforts.

A fundamental consideration underlying this legislation is the need for all parties to properly and responsibly handle the individually identifiable information that is under their control. On that, there seems to be no disagreement. However, with conflicting State statutes, inconsistent regulations by Federal and State departments, and unclear jurisdictional interpretations, it has become very difficult for responsible organizations to determine what the proper course of action should be for a given set of circumstances. We see this every day as we work with our customers to support them in their efforts to meet their data security obligations, and we experience it ourselves in our own business. The need for a data security "standard" around which the health industry can rally has never been greater.

Background.

Before I get into my comments, I would like to introduce my company to those of you who may not know us. For more than 28 years, SMS has focused exclusively on serving the information technology needs of participants in the health industry. We have made it our business to develop, deliver, and support the information solutions that help our customers meet their varied and changing business needs.

SMS provides these health information solutions to customers in 20 countries and territories across North America, Europe, and the Asia-Pacific. Our customers include integrated health networks, multi-entity health corporations, community health information networks, hospitals, physician groups, government health facilities, managed care organizations, health benefit plan administrators, and payers. Based on customer need, our solutions can include any combination of clinical, financial, and administrative applications, enabling technologies, and integration and support services.

SMS established HDX in 1991 as a separate subsidiary to provide EDI clearinghouse services to healthcare providers and payers. This was in direct response to our customer requests to help them with issues stemming from many managed care initiatives. Our payer customers include indemnity and managed care health plans, commercial and BlueCross/BlueShield Plans, Medicare, and Medicaid. The transactions that we process today primarily deal with health care related administrative and financial issues, and include eligibility, claims for institutional, professional, and institutional pharmacies, and remittance advice. Our future business plans will take us into other segments of healthcare.

Since its inception, HDX has experienced steady transaction growth each month. Our current eligibility service operates in an online real-time environment and processes millions of transactions per month. HDX's eligibility service is designed to be integrated with a provider's information system so that the eligibility inquiry transactions can be generated as a by-product of other business processes (e.g., admission, registration, or scheduling functions), and the eligibility response transactions can automatically update the patient's account information.

The claim formats that we transmit today are mostly UB92 for institutional claims, NSF for professional and some institutional claims, and for pharmacies we are using the NCPDP format. We currently process millions of claims each month.

Our remittance advice service today is limited to Medicare Part A payments to our institutional providers, although an all payer solution is being readied. Currently, we process hundreds of thousands of remittance transactions per month. When we move to an all payer solution, we expect this number to increase significantly.

HDX is currently in joint development with several payers to implement the ANSI X12 278 transaction for authorizations, referrals, and notifications. Like our eligibility service, this new service will utilize online real-time processing that occurs as a by-product of other existing information system functions (e.g., order entry and admissions for Emergency Room notifications). This service is currently being beta tested.

My testimony today will consider several aspects of data security and confidentiality from a vendor's point of view. There are several perspectives that I will examine: Policies and Procedures, Protecting Data at Rest, Access and Application Controls, Data Transmissions, and Recoverability.

Policies and Procedures.

As vendors to health care organizations, SMS and HDX develop systems, products, and services that our customers use to conduct their business. Consequently, SMS and HDX employees do not routinely come in contact with customer or patient data. Our systems provide some of the tools that are used by our customers to provide secure information processing environments. However, it is our customers' responsibility to establish their own policies and procedures to ensure that a secure information processing environment is being maintained. Only they can determine their legal and contractual data security obligations, and only they can take the necessary policy, procedural, and operational steps necessary to satisfy those obligations.

Because SMS and HDX operate computer systems and communication networks that process and transmit our customers' data, including individually identifiable data, we strive to operate these in a secure fashion. However, we do not collect this data, we are not users of it, we do not have ultimate responsibility for determining which legal and regulatory restrictions apply, and we do not have total control over the systems and processes which would need to comply with any legal or regulatory data security requirements. While we do realize that we have a degree of involvement with these systems and networks, we feel that our responsibility for the information which is stored, processed, or transmitted is one of a custodian. The steps we take as a custodian are described below.

First and foremost, we believe that clear and well documented policies and procedures for data security and confidentiality should be defined and communicated to all employees who work for organizations involved with health information. It is important to raise employee awareness as to the significance of this issue. Having policies that clearly state the potential disciplinary actions that may follow if the policies or procedures are breached, including termination of employment and possible legal actions, will help to establish that significance.

Both SMS and HDX have established and documented corporate policies that describe to our employees their responsibility and the procedures to be followed in order to protect and maintain the confidentiality and integrity of individual identifiable information they might encounter. These policies are included in our employee handbook given to every employee. We periodically update this handbook to reflect changes in policies or procedures that are a result of new requirements or improvements in technologies available to monitor or enforce these policies. Our corporate policies are reviewed with new employees during employee orientation classes conducted by our human resources department.

All employees and contractors of SMS and HDX sign agreements which indicate their awareness and intention to observe our data security policies and procedures.

Protecting Data at Rest.

The facilities of SMS and HDX are secured, with controlled access. Our computer center is in a separate building where access is restricted to only those employees and vendors who have a business purpose for being there. Access is controlled by a security guard who checks in all employees and vendors.

Who is accountable to manage the information security program in your organization?

We have established an Information Security Group whose responsibility it is to monitor our information systems. Audit reports of security alerts are reviewed daily.

How do you determine who can have access to health information? Do you have different classes of access based on the sensitivity of the health information?

Access to customer data files is tightly restricted to only those individuals who need access to this information based on the applications they are authorized to support. Access privileges are granted when needed, based on the policies and procedures in place at the time. All accesses to data are logged. These logs are reviewed daily by the Information Security Group.

Has cost been a factor in limiting your information security program? How would you determine the appropriate cost of security?

The lack of a coherent and consistent set of legal and regulatory data security requirements makes it difficult for any organization to determine and justify how much should be spent on data security. Also, the costs associated with data security can be quite large, with many not necessarily directly attributable to data security. For example, the procedural and operational costs for administering a data security program can become significant, particularly when deploying encryption or token based systems. Further, end user access and ease of use can be made more difficult by a data security program. Establishing the necessary "data security culture" can be a major organizational undertaking, requiring not only dollar and staff investments, but also entailing a significant commitment by management and senior executives. And with each organization having to determine and set its own course independently of key business partners and competitors, many companies find that being ahead on this issue can become an inhibitor to other business activities. In effect, being responsible can exact a cost and operational premium that may not be incurred by other less responsible parties.

Nevertheless, with an issue as important and basic to health care as the confidentiality and security of patient information, SMS and HDX, like most responsible parties, have concluded that some measures must be taken. Rather than try and dictate these to our customers, we have chosen to proactively and collaboratively work with them to determine what support they need, and where they need flexibility. After all, as discussed above, it is ultimately our customers' responsibility to establish and maintain an appropriately secured operation.

Application Access Controls and Technical Practices.

Are unique passwords used?

The internal systems used by SMS and HDX employees all utilize unique passwords. The systems and products that SMS develops also require the use of unique user-ids and passwords, but the implementation of these is up to each customer. Customers also have the option to supplement our data security offering with additional technologies.

The HDX EDI services rely on the user controls of the information system that are the source of the transactions we process. In other words, because we generate transactions as a by-product of existing work flows, we do not add another layer of security as we feel this would be unnecessary and redundant. For example, an eligibility request transaction (X12 270) will be generated by the SMS registration application. When a hospital registrar logs onto the SMS registration application, they must enter their user-id and password to verify they have access authority. Access to the HDX Eligibility Service is granted by the customer to those user-ids that usually have access to the registration or admission applications. The user-id will be logged with each eligibility request to be transmitted to the payer. Similar processes occur with other transactions. Our goal is to simplify procedures and reduce the cost of required processing.
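The logging-and-review control described here (each eligibility request logged with the originating user-id, access granted only to user-ids with registration or admission authority, logs reviewed daily by the Information Security Group), as an added example in Python that is not HDX's or SMS's own code; the log format, user-ids, application names and authorization table are constructed for illustration:

```python
"""Daily review of an eligibility-request audit log (added example).

Models the control described in the testimony: X12 270 eligibility
requests are generated as a by-product of registration, admission or
scheduling work, each request is logged with the user-id that caused
it, and the log is reviewed daily. Every value below is constructed
for this example; it is not an HDX record format.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed authorization table: user-ids the customer's security
# administrator has granted registration/admission access, and hence
# access to the eligibility service.
AUTHORIZED_USERS = {"reg_smith", "adm_jones", "sch_lee"}

# Workflows whose normal operation legitimately generates a 270 request.
SOURCE_APPS = {"registration", "admission", "scheduling"}

# Constructed one-day log: timestamp|user-id|source app|X12 set|account|payer
SAMPLE_LOG = """\
1997-08-05T08:02:11|reg_smith|registration|270|ACCT0001|PAYER01
1997-08-05T08:15:40|adm_jones|admission|270|ACCT0002|PAYER02
1997-08-05T09:01:03|lab_tech7|registration|270|ACCT0003|PAYER01
1997-08-05T09:30:27|sch_lee|scheduling|270|ACCT0004|PAYER03
1997-08-05T23:47:55|reg_smith|reporting|270|ACCT0005|PAYER01
"""


@dataclass(frozen=True)
class Request:
    timestamp: str
    user_id: str
    source_app: str
    txn_set: str
    account: str
    payer: str


def parse_log(text: str) -> list:
    """Parse the pipe-delimited log; a malformed line is itself a finding."""
    requests = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split("|")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        requests.append(Request(*fields))
    return requests


def review(requests, authorized=AUTHORIZED_USERS, source_apps=SOURCE_APPS):
    """Return (reason, Request) pairs the daily reviewer should look at.

    Two checks mirror the control: the user-id must hold a registration/
    admission grant, and the request must have come out of a workflow
    that is supposed to produce eligibility inquiries.
    """
    findings = []
    for req in requests:
        if req.user_id not in authorized:
            findings.append(("user-id has no registration/admission grant", req))
        if req.source_app not in source_apps:
            findings.append(("request not generated by a registration/admission/scheduling workflow", req))
    return findings


def per_user_counts(requests) -> Counter:
    """Request volume per user-id, context for reading the findings."""
    return Counter(r.user_id for r in requests)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for reason, req in review(reqs):
        print(f"{req.timestamp} {req.user_id} via {req.source_app}: {reason}")
    print(dict(per_user_counts(reqs)))
```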

Are tokens, smart cards, or biometrics used for authentication?

SMS and HDX have evaluated token and smart card devices, and in some instances, are using or testing their viability. For example, smart cards have been used by both SMS and HDX as a means of authenticating a user logging onto a system. This technology proved to be very effective, and not too costly. Although this technology is not part of our standard product offering, our customers have the option to implement it themselves, and we are aware of customers who felt it appropriate to do so for such things as local and remote user authentication and for remote physician access.

SMS is also working with speech recognition, a form of user identification and authentication. Although this is currently only being studied for the purpose of capturing information, it does offer the potential to address data security needs.

SMS is also working with several of our customers to explore the potential use of biometrics (such as fingerprint readers) as a means of identification and authentication. By and large, biometrics are proving to be a cost effective and efficient means for identification and authentication. They also offer the potential to identify patients during the admission process. Other areas being researched are signature recognition and retina identification, but this technology is thought to be too expensive to be practical at this time.

Is access control handled through technology or through policy?

Our applications restrict access to features and functions within an application based on user access authority associated with the user-id. It is through policy decisions that are established by our customers that a user's access authority is granted. The authority granting function is performed by the customer's security administrator.

How do you protect remote access points?

Our customers are responsible for protecting access to remote access points within their networks. SMS uses firewalls to protect and track access to customer sites through our proprietary network.

What type of unique identifier do you use to identify patient information?

Our products usually identify a patient by a patient number, normally assigned during patient registration/admission, or by a medical record number which is assigned to a patient the first time they register at the provider's facility. Once a medical record number is assigned, it remains with the patient for the duration of their care at the provider.

HDX transactions use the identifiers required by the payer and the provider. For example, the payer may require that an eligibility inquiry include the patient's last name, first name, date of birth, sex, plan code and member ID to identify the person in their system. The provider may request that the payer return the beneficiary's patient number or medical record number so that the response can be associated to the patient's information in the provider's information system.

Data Transmission.

Is encryption used for internal or external transmissions?

HDX encrypts all real-time transactions that travel inside our network domain; our network domain is defined as being between our service demarcation points which are terminated by an HDX Gateway. Although our network is closed and secure, we do utilize Value Added Networks to provide some of our communication services.

If you use encryption, do you use it for your password, your patient identifier, your clinical information, or the entire patient record message?

Our systems secure all passwords as encrypted data. In many of our systems, patient identifiers, clinical data, and patient records are stored as compressed records, rendering them unreadable without access to the application that services the records.

When data is transmitted from the provider to the HDX EDI Switch or vice versa, all real-time messages are encrypted in our network. Many of the payers we access from our HDX EDI Switch use private point to point lines in lieu of encryption between our switch and their operations. However, our payer customers have the option to use our infrastructure to receive and transmit encrypted messages by using an HDX Network Gateway at their network point of access.

Currently, batch transactions are not transmitted as encrypted data. However, all these transmissions are done point to point over secured network circuits.

When you use encryption, do you use Secure Sockets Layer (SSL), Data Encryption Standard (DES), or another encryption standard? Why did you select this particular encryption standard?

The HDX network encrypts all its real-time transactions using a proprietary encryption algorithm. Because we are not using Internet Protocol, we are not using SSL. We chose a proprietary scheme because it was easy and cost effective to implement. We are evaluating the use of SSL to meet our security encryption requirements as part of an effort to move our internal network to TCP/IP using a private Intranet. However, a network-wide change in protocol of this type will be costly, and will need to be coordinated with our customers. As this conversion will not occur soon, the SSL technology will have time to become more stable.

When we connect our HDX Network Gateway to a customer's network, we can and do use TCP/IP, and SSL could be utilized in those settings, although presently no one has asked that we do this with their network.

SMS is also evaluating SSL as a security solution for its internal TCP/IP networks. Some of our customers can and have implemented this technology within their network environments.

We believe SSL technology will play a role when using the Internet as a communications network for health information among external organizations. SSL appears to provide many of the security features that are needed, namely: confidentiality, integrity, peer entity authentication, as well as key management mechanisms. However, the authentication process may be weak. There is clearly a need for digital certificates, to be able to hold, receive, and recognize different authorities. We're not sure that SSL will provide this.

We are currently interfacing several Intranet networks where access is controlled by a firewall. Firewalls provide access controls which restrict access to only authorized TCP/IP addresses.

SMS is evaluating the use of tunneling with firewalls as a means of creating a virtual private network on the Internet with a 128 bit encryption algorithm that supports Public Key Cryptographic Standards, including a challenge and response mechanism.

Another Internet technology that looks to be promising is Secure HTTP (S-HTTP), also used on the World Wide Web. S-HTTP can secure a request/response pair separately with data origin authentication, integrity, and confidentiality. It also supports non-repudiation of responses. S-HTTP emphasizes record or document level protection rather than session-level protection. This in combination with SSL seems to offer potential, but no performance information is available at this time.

Ideally, we will utilize standards based security solutions.

What are the initial and ongoing costs associated with encryption?

The cost of implementing our proprietary encryption scheme is difficult to quantify as it was combined with another project.

The ongoing cost in terms of performance has been some increase in processing time. Our calculations with standards-based encryption were much more significant, several times slower than our current experience.

The implementation of other schemes will likely be more expensive and more difficult. Areas of particular concern lie in authentication schemes. It would seem that user authentication will be critical, especially when using the Internet. This will most likely require electronic digital signatures using public key technology, which raises concerns about who will be the certification authority and generates questions about key exchanges. The cost of key management also looks to be quite high.

Do you transmit or plan to transmit patient identifiable information over the Internet? How is the information safeguarded?

We have no immediate plans to use the Internet for transmission of patient information. If we move to the TCP/IP communications protocol, we will most likely move first to an Intranet scheme. If we become confident that our use of the Internet can be appropriately secured, we will re-evaluate this decision. However, we do believe that if the Internet is used, all transactions should be encrypted and transaction origins authenticated.

Are different security practices required for a private network?

With a private network, the security threat is greatly reduced. It would be very difficult to invade a private network, unless the hacker was located within the user enterprise or at one of the communications switching centers. Neither of these scenarios appears likely.

Do you use electronic signatures? If yes, explain the applications, the type of technology used, and liability issues, if any.

No, we do not use electronic signatures at this time. However, the issue here is primarily related to their legal standing rather than any technical impediments.

Recoverability.

An important part of any security scheme is recoverability. We have well defined procedures for recovering data in the event of a disaster. These procedures are reviewed and periodically exercised in test situations to ensure they remain valid and operational. We take precautions to keep backups of all data and files that our systems maintain for our customers, such that these recoveries can be performed. We store these files both on-site in our data center for application errors that require recovery and off-site for disaster recovery. We encourage our customers who use our products at their facilities to establish similar procedures. All of our products provide recoverable check points in processing.

Vendors.

What security features are customers asking for?

Generally speaking, our provider customers are not asking for more security. The security that has been provided to them plus what they obtain on their own appears to have satisfied their current business needs. Requirements for more stringent security needs will likely be driven by the standards setting organizations or by regulatory changes. Awareness of security needs in provider settings has been increasing, but the concerns usually arise in the context of system access via the Internet. The use of firewalls seems to have been very effective here.

Payers, on the other hand, have been more interested in what security features we offer. They have not been demanding more, but simply want to know what we have in place. Medicare and Medicaid have the most stringent requirements, but the features we provide appear to have satisfied these government organizations.

Is cost a factor?

Cost is always a concern. It is important to keep the cost of our products and services fair and reasonable, as the cost of purchasing and operating information systems is ultimately recovered from the fees our customers charge their customers.

Another concern related to cost is performance. As vendors, we must maintain optimal system price/performance; degrading performance to satisfy unnecessary or redundant security practices will have a detrimental effect on the system's value to our customers. The performance cost of some security practices will significantly increase system requirements in order to support the expanded calculations needed for encryption and possible data storage needed for logging audit trails. The use of data security standards will allow vendors to develop solutions that meet stated criteria in a cost effective way, without putting unnecessary specificity on what solutions must be incorporated.

Organizations must have adequate procedures and mechanisms in place to ensure that the integrity and confidentiality of data is preserved, and that the information is used as intended by those who have a right to use the information. Satisfying these requirements should be the first priority in determining what security measures are needed. Having a standard that clearly establishes guidelines for these requirements will be of great benefit. However, the cost to implement mandated requirements should be carefully weighed against the benefits that will be achieved.

Can security technology being used in other industries be integrated into your products?

Yes, the technologies that we described above (e.g., retina scans, fingerprint, techniques used by the credit card industry) can be integrated. The limitations are cost of equipment, cost of licensing fees, performance, and practicality.

Mr. Chairman and members of the committee, this concludes my statement. Thank you.