Health Care PKI Project for Internet Security Presentation to the CHIA Technology Symposium September 10, 1998  Ann Geyer Tunitas Group

What is the Goal of a Health Information Network

• Support information exchange that is accurate, authentic, private, and available when and where needed

• Links together a large array of computer and information systems
• Truly a worldwide computer network supporting public access
• Standards that drive interoperability and cost-efficiencies
• Target of massive research and development

• Democratizes the information access environment
• Makes each party responsible for their own domain
• Much simpler on the user
• Commonplace across industries
• Being adopted as the universal network for information exchange
• Concerted effort to develop electronic commerce applications

• The Internet is a public network open to participation by any party
• The security challenges
• With whom am I communicating
• What information should I give to this person or organization
• How do I protect my information from inappropriate disclosure
• How do I know the information I send or receive hasn’t been changed or corrupted

• Can we trust cryptography to protect our information
• Do  we know how to use it and does it meet our needs
• Will our business associates trust it and use it

• Louis J. Freeh    Director, FBI
• Uncrackable encryption is now and will continue to allow [individuals] to communicate about their criminal intentions with impunity and to maintain electronically stored information impervious to lawful search and seizure.
• Gail Weinreb     Director, HCFA
• HCFA Security Officers have determined that acceptable encryption mechanisms are not currently available for the Internet to insure the degree of privacy HCFA, plans, and contractors are required to maintain.

• FedEx
• Charles Swab
• McKesson
• Department of Defense
• Automotive Industry

• HIPAA
• Explicitly identifies the Internet as an option for its EDI mandates
• SSA
• Planning for the submission of medical evidence and consultative examination reports for disability claims
• Vision Services Plan
• 7,000 eye care providers using Internet for claims adjudication and lab orders and payments
• Physicians Online
• 170,000 physicians with Internet access

• Regulatory Environment
• Expected HIPAA privacy regulation will set standards for acceptable security requirements
• Legal Infrastructure
• Digital signature legislation will provide the necessary legal infrastructure
• Technology Solutions
• Electronic commerce initiatives are driving the  development of appropriate technology
• Federal EDI mandates are driving the deployment of solutions

• Education and awareness
• Technology developments and diffusion
• Business issues and application support
• Collaboration; common expectations
• User acceptance and participation

• Authentication
• Non-repudiation
• Authorization
• Encryption
• Integrity

• On the Internet No one knows if you’re a dog !
• Authenications becomes a critical component of Internet security

• Public key encryption
• Two keys:  one private, one public
• Your public key used by others to send you a private message
• Your private key is used by you to read the private message
• You can electronically sign messages
• Electronically signed messages that you receive can not be repudiated by the sender
• Your Private Key equates to your electronic identity

• Digital Certificates
• Certificate Authority
• Directories
• Navigation Assistance
• Education and Training

• Purpose
• Develop industry standards for healthcare certificate services
• Create reference implementations that can be used to coordinate the use of public key encryption across the industry
• Develop user education and training programs
• Promote the uses and benefits of a healthcare PKI
 
• How to participate
• Join a PKI Workgroup for your sector
• Review and comment on the PKI Reports
• Attend the annual  project conference

• Benefits of participating
• Grounding in the business and technical issues associated with implementing  public key technology in the healthcare
• Reference Implementation Reports
• Exposure to commercial PKI products and services
• Education and training material to address user readiness and acceptance factors
• Interaction with peers using the Internet for healthcare business transactions
• Coordinated response to privacy and confidential legislation

• A Healthcare Certificate Authority
• Issues certificates to individuals employed in the healthcare industry
• Certifies the ownership of a public key pair
• Ensures that each individual has a unique certificate name for use in multi-enterprise environments
• Maintains a directory for healthcare attributes that support authorization and access control
• Offers services to facilitate information exchange
• If you trust the CA . .
• then you can trust in the identity of the individual associated with the public key pair

• Multiple parties which have an existing relationship of trust with a specific sector of the industry
• Examples of potential Healthcare Certificate Authorities
• California Medical Assn with physicians
• Catholic Health Assn with its member hospitals
• BCBS Assn with its member plans
• Parties who can readily certify identify without undue effort and expense
• Parties who have a vested interest in protecting the integrity of digital certificates

• Single identification procedure
• Eliminates multiple separate pins and passwords
• Enables secure email and other data exchange
• Exploits the interest of others who will distribute information via the Internet

• Immediate benefits to provider organizations
• CMA has agreed to be active partner
• Providers want to see health plan participation and commitments for specific types of data
• Provider systems with physician organizations are starting to get interested
• Biggest hurdle
• developing an understanding of the concepts
• a strategy for how to introduce electronic communications existing business processes.

• Support move to Internet due to low cost structure and elimination of user hardware/software support
• Some are piloting Internet websites with user passwords and pins, but are wary of support for certificates.  Issuing digital certificates to staff is not economical on single resource basis
• Most will not provide sensitive patient or business information without appropriate Internet security provisions
• Certificates are not well understood
• Will increase their efforts to deploy more web-based resources when they see physician buy-in
• Physician participation and acceptance of certificates will unlock web deployment

• Each party connects, as appropriate, to the Internet
• Each party obtains a healthcare certificate for use as electronic identity & authentication
• Providers are responsible for their staff certificates
• Each information provider accepts the healthcare certificate as proof of identity to make authorization assignments
• Authentication and authorization replace need to issue different passwords and pins
• Secure, low cost communications and information distribution solutions encourage increased web deployment
• Content attracts users; users attract content