Health-care organizations, including state agencies, are wrestling with how to meet data security requirements in the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996. Although the deadline for complying is at least two years off, the health-care industry has much work to accomplish by then. HIPAA sets mandatory goals for protecting the integrity, confidentiality and availability of patient data, but it leaves health-care organizations to decide how to meet those goals on their own.
However, doing it on their own could complicate matters. Every time a doctor's office submits a Medicaid claim, a managed-care firm approves a referral or a laboratory sends information to a state health department, if the information moves electronically, two or more organizations must agree on standards for safeguarding the data. "Collaboration is really the only way the HIPAA regulations will be effectively implemented," noted Laura Ripp, program director at HealthKey, a Seattle-based organization working on data security standards and practices for the health-care industry.
With a $2.5 million grant from the Robert Wood Johnson Foundation, HealthKey has spent two years exploring practical, affordable ways to protect medical data transmitted over the Internet. As part of that initiative, five not-for-profit regional organizations composed of private and government entities have developed and tested security technologies and practices. Completed in June, the pilot programs were conducted in Massachusetts, Minnesota, North Carolina, Utah and Washington.
Privacy and Security
A broad-ranging effort to improve health-care administration, HIPAA calls for rules to govern how organizations handle information linked to individual patients. The law has separate provisions for privacy and security. The privacy rules protect the rights of patients to control how their medical information is used, whether it's stored on paper or in electronic format. The security regulations aim to protect electronic data about patients both when it's stored and when it's transmitted across a network.
The U.S. Department of Health and Human Services (HHS) issued the final version of the privacy rules on April 14 of this year. The health-care industry has until April 14, 2003, to comply. At press time, HHS had not yet released a final version of the security rules but was expected to do so by year's end. Health-care organizations will have two years from the issue date to comply with those.
A third set of regulations mandating standards for electronic data transactions was issued last year with a deadline of October 2002. A fourth set, still under development, concerns unique identifiers for health-care providers, health plans, employers and patients.
Although HIPAA adds urgency to the quest for standards, HealthKey was not born solely to deal with HIPAA compliance, said Ripp. Rather, it emerged from a long-standing effort in the health-care industry to cut costs by increasing efficiency. "The real driver for all of this gets back to the same thing the government is trying to do, and that's administrative simplification," Ripp said.
Electronic transactions will make business more efficient, but only if the industry can agree on standards for moving the data.
In Minnesota, one HealthKey project looked at how to make security systems installed in different organizations work together. One of the most promising approaches to security is public key infrastructure (PKI), said Walter Suarez, executive director at the Minnesota Health Data Institute (MHDI), which conducted the project. Each user on a system protected with PKI has two software "keys" for encrypting and decrypting messages - a private key known only to himself or herself, and a public key known also to people who exchange data with the sender. Each user must register with an administrator who certifies the electronic signature of the people using the keys.
"The problem is that each company producing these software packages is using a proprietary system to find those keys," Suarez said. Because there are no national technical standards for security products, two users can exchange secured data only if they're both using PKI software from the same vendor. But, of course, getting a large collection of trading partners to agree on a single security package is no more likely than getting them all to choose the same bookkeeping software.
Another obstacle PKI presents is that each organization must be able to certify the identity of every user at every organization with which it might exchange data, said Denton Peterson, chief information officer of the Minnesota Department of Health. "The cross-certification model does not scale well to cover the large number of organizations that must share information securely," he observed.
The Minnesota HealthKey project set out to look for an alternative. It found the core of one at the U.S. Department of the Treasury, which had contracted with Mitretek Systems in McLean, Va., to develop a "bridge" security system. This acts as a go-between for PKI software from different vendors. "If the message comes in software package A, and it needs to go to someone who has software package B, it will convert the authentication portion into something that is acceptable to software package B," Suarez said.
MHDI worked with Mitretek and VisionShare of St. Paul, Minn., to adapt the Treasury Department's system to the needs of the health-care industry. For example, the system needed to handle much larger transactions than the financial industry requires, such as files containing medical imagery, Suarez said.
To test the system, MHDI transmitted an encrypted message from its data center in St. Paul to the office of the Hennepin County Medical Center in Minneapolis, which uses a different PKI package. "The message was sent less than 10 miles from our office to Hennepin County, but the authentication process was done by the Mitretek office in Virginia," Suarez said. Transmitting the message, getting it certified and confirming the sender's identity to the recipient all took less than a second.
Making a third party responsible for certification means that organizations don't have to administer that information for all their trading partners. "The bridge software checks that they're certified with the certification host. So you don't have to cross-certify," Peterson said.
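The scaling problem Peterson describes and the go-between role Suarez describes can both be seen by modelling certificate validation as path discovery over a graph of "who certified whom". The Python below is an added illustration, not code from the article, HealthKey, MHDI or Mitretek: signatures are abstracted away (a Cert records only issuer and subject, which is all path discovery needs), the CA names are constructed, and the format translation between vendors' packages that the real bridge performed is not modelled. It contrasts full pairwise cross-certification (n(n-1) cross-certificates) with a bridge (2n), and shows that a CA nobody has cross-certified stays untrusted under either topology.

```python
"""Trust-path discovery for pairwise cross-certification vs. a bridge CA.

Added example; not code from HealthKey, MHDI, Mitretek or the article.
Cryptographic signatures are abstracted away: a Cert records only who
issued whom. Organization CA names below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str   # name being certified
    issuer: str    # CA that signed the certificate


class TrustGraph:
    """Directed graph with one edge issuer -> subject per certificate."""

    def __init__(self) -> None:
        self._edges: Dict[str, List[str]] = {}

    def issue(self, issuer: str, subject: str) -> Cert:
        self._edges.setdefault(issuer, [])
        if subject not in self._edges[issuer]:
            self._edges[issuer].append(subject)
        return Cert(subject, issuer)

    def cert_count(self) -> int:
        return sum(len(v) for v in self._edges.values())

    def find_path(self, anchor: str, subject: str, max_hops: int = 6) -> Optional[List[str]]:
        """Breadth-first search from the relying party's trust anchor to the
        subject. Returns the chain of names, or None when the subject is not
        reachable, i.e. its certificate cannot be validated from this anchor."""
        queue = deque([[anchor]])
        seen = {anchor}
        while queue:
            path = queue.popleft()
            if path[-1] == subject:
                return path
            if len(path) > max_hops:
                continue
            for nxt in self._edges.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
        return None


def pairwise_cross_certify(graph: TrustGraph, cas: List[str]) -> int:
    """Every CA issues a cross-certificate to every other CA: n*(n-1) certs."""
    before = graph.cert_count()
    for a, b in permutations(cas, 2):
        graph.issue(a, b)
    return graph.cert_count() - before


def bridge_cross_certify(graph: TrustGraph, cas: List[str], bridge: str = "Bridge-CA") -> int:
    """Each CA cross-certifies only with the bridge, in both directions: 2n certs."""
    before = graph.cert_count()
    for ca in cas:
        graph.issue(ca, bridge)
        graph.issue(bridge, ca)
    return graph.cert_count() - before


# Constructed organization CAs; each certifies one end entity.
ORG_CAS = ["MHDI-CA", "HCMC-CA", "MDH-CA", "DHS-CA"]


def build_network(topology: str) -> TrustGraph:
    """topology: 'none' (isolated islands), 'pairwise' or 'bridge'."""
    g = TrustGraph()
    for ca in ORG_CAS:
        g.issue(ca, ca)              # self-signed root
        g.issue(ca, f"user@{ca}")    # an end entity certified by that CA
    # A CA that nobody cross-certified: its users stay untrusted in every topology.
    g.issue("Outsider-CA", "Outsider-CA")
    g.issue("Outsider-CA", "user@Outsider-CA")
    if topology == "pairwise":
        pairwise_cross_certify(g, ORG_CAS)
    elif topology == "bridge":
        bridge_cross_certify(g, ORG_CAS)
    return g


def validate(graph: TrustGraph, relying_party_ca: str, peer: str) -> Optional[List[str]]:
    """Chain from the relying party's own CA to the peer's name, or None."""
    return graph.find_path(relying_party_ca, peer)


def cross_cert_counts(n: int) -> Dict[str, int]:
    """Cross-certificates needed to connect n CAs under each topology."""
    return {"pairwise": n * (n - 1), "bridge": 2 * n}


if __name__ == "__main__":
    for topo in ("none", "pairwise", "bridge"):
        g = build_network(topo)
        print(topo, validate(g, "MHDI-CA", "user@HCMC-CA"),
              validate(g, "MHDI-CA", "user@Outsider-CA"))
    print(cross_cert_counts(50))
```

Running it shows the relying party at MHDI-CA reaching a Hennepin County user either directly (pairwise) or through Bridge-CA, and never reaching the outsider. The count function makes the administrative point concrete: 50 organizations need 2,450 pairwise cross-certificates but only 100 with a bridge, and adding a 51st organization costs two certificates instead of a hundred.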
MHDI is now working to make the bridge software commercially available to health-care providers, payers and public health agencies in Minnesota, Suarez said. Potential users in the public sector include the Minnesota Department of Human Services, which administers the state's Medicaid program, and the Department of Employee Relations, the state's largest health-care purchaser.
The Department of Health looks forward to using bridge technology in a future electronic system for receiving disease reports from medical labs. "We have discussed the adoption of bridge technology with the [Centers for Disease Control and Prevention] as part of the National Electronic Disease Surveillance System project, and we've included a proposal to test it as part of a grant we submitted to them," Peterson said.
Cutting Security Costs
In Utah, the HealthKey project was led by the Utah Health Information Network (UHIN), another not-for-profit public/private partnership. UHIN operates a value-added network that the health-care community in the state uses for electronic data interchange (EDI). It also works to create standards for data definition and transmission.
"If you want to think of us as a pre-HIPAA HIPAA, that's what we are," said Bart Killian, UHIN's executive director. "We've been doing HIPAA in Utah for about six years."
Since many smaller organizations find traditional electronic data interchange too expensive and difficult to implement, UHIN, like many other e-commerce providers, has been exploring the use of the Internet. But while UHIN's private network offers a secure pipeline for medical data, the organization needs to develop safeguards for data transmitted over the public network.
After examining the advantages and costs of traditional PKI, UHIN determined that its members could not afford to use that method, Killian said. "So we went back and tried to figure out what were the major components, what were the risk factors involved, where did we think the attacks might come. And we tried to create a compromise that would allow us to cover our risk but not become administratively burdened."
Administering a large collection of public and private keys and the certification data to go with them is a formidable burden. While members of UHIN believe strongly in the tenets of HIPAA, and some of Utah's own rules regarding health-care data are actually more stringent than the federal government's, "we also believe it needs to be done in a reasonable manner, at a reasonable cost," Killian said.
The alternative method UHIN developed is a "very limited, very generic form of PKI," Killian said. "We're only using keys for the servers, not for individuals and not for individual machines. So within our network we can deal with less than 20 keys."
Under UHIN's approach, for example, 700 doctors linked to a single server at a hospital would share a single set of keys. "Each one has his own log-on and password behind that set of keys that their server uses to communicate with my server," Killian explained.
Several health-care organizations have been beta testing the new system, and UHIN is preparing to make it commercially available by year's end.
Does this sort of "PKI Lite" offer the same level of security as traditional PKI? "Absolutely not," Killian said. "But it's reasonable, and it's appropriate."