Securing today’s health care applications
Contributed by Mike Rothman ([email protected]), executive vice president of SHYM Technology, a software company that makes secure transactions using PKI less costly, faster to implement, and more manageable. Contributed articles do not necessarily reflect the viewpoint of the ÆGIS e-journal.
The healthcare industry is beginning to rely on the Internet as a fast and effective way to share information. Electronic transactions have the potential to dramatically reduce the growing cost of medical paperwork, estimated to be more than $10 billion annually.
As healthcare industries increasingly turn to electronic communications, it is necessary to utilize information security technologies to ensure that confidential patient data remains confidential. Electronic credentials used to assure identity become a critical part of the process for securing sensitive patient records and proprietary clinical research data. Often, these electronic initiatives create security concerns and headaches for time-pressed IT managers, as they constantly strive to keep passwords synchronized and up-to-date, while simultaneously handling the flurry of requests regarding forgotten passwords and other complaints. As a result, many hospitals, and other businesses looking for the most advanced security technology, are turning to digital certificates.
Digital Certificates Prove Identity
Much like a passport proves identity in the offline world, digital certificates issued via Public Key Infrastructure (PKI) technologies deliver a way to prove identity in the online world. PKI is fast becoming the cornerstone of the information security infrastructure. PKI is the only security technology that ensures people are who they say they are, provides a digital audit trail of activity, and also proves that documents haven’t been tampered with. These are critical functions in all healthcare activities from confidential patient data to clinical trials.
How Does PKI Work?
Here’s a simplified look at state-of-the-art PKI passports, how they can be applied in several healthcare application scenarios to increase security, how they improve productivity, and how they reduce the number of passwords users must remember — and that IT administrators must track and manage.
PKI uses keys, which are extremely long prime numbers, to identify users. Two keys are involved: A private key, to which only the key’s owner has access, and a public key, which is stored in a public directory and can be accessed by anyone. The two keys work together so that a message scrambled with the private key can only be unscrambled with the public key and vice versa. The more digits in these keys, the more secure the process.
Just as identities are proven by handwritten signatures offline, digital signatures are used to prove identity online. But without actually seeing the sender sign the document, how can it be proven that the sender is who he says he is? This is where public key cryptography comes into play. A piece of data is run through a complicated mathematical computation to generate another number, which is called a hash. The original data and the hash are inextricably linked. If any part of either changes, the hash will not match and the message cannot be decoded.
To digitally sign a document, a hash is taken of the document and then signed with a user’s private key. Data scrambled with a private key can only be unscrambled with the corresponding public key. The receiver can verify the validity of the document and the identity of the sender by unscrambling the hash with the shared public key and then checking that against another hash computed from the received data.
If the hashes match, the data was not tampered with, and the sender’s identity can be verified. However, since the receiver did not witness the sending of the message, how can one be sure that the sender’s identity was not forged? This is where the concept of trust enters the system, creating the need for a certificate authority (CA) to verify all online identities.
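The hash-then-sign process described above, as an added example written for this page in Go using only the standard library (it is not the article's or SHYM's own code). The lab result is a constructed sample; the signature scheme chosen here is RSA PKCS#1 v1.5 over SHA-256.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument hashes the document with SHA-256 and signs that hash with the
// sender's private key (RSA PKCS#1 v1.5, a standard RSA signature scheme).
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyDocument recomputes the hash over the bytes actually received and
// checks the signature with the sender's public key; it is true only when
// that hash equals the one the sender signed.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo signs a constructed lab result and reports whether the intact copy
// verifies and whether a copy with one digit altered in transit verifies.
func demo() (intactOK, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	result := []byte("patient 0042: potassium 4.1 mmol/L") // constructed sample
	sig, err := signDocument(priv, result)
	if err != nil {
		return false, false, err
	}
	altered := []byte("patient 0042: potassium 6.1 mmol/L") // one digit changed
	return verifyDocument(&priv.PublicKey, result, sig),
		verifyDocument(&priv.PublicKey, altered, sig), nil
}

func main() {
	fmt.Println(demo()) // true false <nil>
}
```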
The CA is similar to an online passport bureau: A trusted entity that makes the PKI system work. All users on the system have software within a browser that generates both the public and private keys. As part of the certificate issuance process, the public key is sent to the CA, which verifies a user’s identity (using credit reporting information or other offline credentials), and then signs the user’s public key with its own private key, also known as the root key. The combination of the user’s public key and the signature of the CA forms an individual’s digital certificate. The root key is similar to the machine that applies watermarks to the passports. Digital certificates represent online passports, and are validated by the CA’s root key.
Through the use of digital signatures, patients can feel secure when confidential data is placed online. The Internet allows information to be shared instantaneously, allowing doctors to care for patients in a more effective and efficient manner. For example, a patient’s general care physician can easily share the patient’s medical history with a specialist at another location. The general physician would use the specialist’s public key (stored in the specialist’s digital certificate) to scramble the message. When the specialist receives the message, the private key is used to unscramble it.
Since no one else possesses the specialist’s private key, only the owner of this key can unscramble the message.
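The referral scenario above (scramble with the specialist's public key, unscramble with the matching private key), as an added example in Go that is not part of the article or SHYM's products. The referral text is constructed, and the example goes one step further than the text by computing how little RSA can scramble in a single operation, which is why deployed systems use it to protect a symmetric key rather than the record itself.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// maxDirectBytes is how much RSA-OAEP (with SHA-256) can scramble in one
// operation: for a 2048-bit key that is 190 bytes. Real deployments scramble
// a random symmetric key this way and encrypt the record with that key.
func maxDirectBytes(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// sealFor scrambles msg with the recipient's public key (taken from the
// recipient's certificate in the article's scenario).
func sealFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// openWith unscrambles with a private key; any key but the recipient's fails.
func openWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// demo returns the referral the specialist recovers, whether a colleague's
// key can read it, and the per-operation size limit of the specialist's key.
func demo() (recovered string, colleagueCanRead bool, limit int, err error) {
	specialist, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical recipient
	colleague, _ := rsa.GenerateKey(rand.Reader, 2048)  // some other key holder
	referral := []byte("patient 0042: see attached history, query cardiology") // constructed
	ct, err := sealFor(&specialist.PublicKey, referral)
	if err != nil {
		return "", false, 0, err
	}
	pt, err := openWith(specialist, ct)
	if err != nil {
		return "", false, 0, err
	}
	_, wrongKey := openWith(colleague, ct)
	return string(pt), wrongKey == nil, maxDirectBytes(&specialist.PublicKey), nil
}

func main() {
	fmt.Println(demo()) // patient 0042: ... false 190 <nil>
}
```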
The process is similar in complex transactions. Let’s say a doctor at a medical facility wants to look at the latest test results for a patient who is hospitalized. The doctor simply logs on to the hospital’s extranet, after completing the process of obtaining credentials from a trusted CA. The doctor then uses the assigned private key, which can be stored on a machine, smart card or another device, to send a digital signature to the extranet server. The server receives both the doctor’s and the CA’s digital certificates to validate the signature. This transaction requires only a few seconds and, because all information needed is electronically stored in the server, is actually simpler than a traditional ID/Password login. A user only needs to ensure that his or her private key is activated, and this is accomplished by entering a password, or inserting a smart card into a reader. And, unlike a simple ID/Password login, PKI authentication cannot be sniffed, spoofed, or compromised in any way. Digital certificates also provide a legitimate audit trail of the process.
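The two CA steps described above, the passport bureau signing a user's public key with its root key and the extranet server validating a presented certificate against that root, as an added example in Go using only the standard library (not the article's or SHYM's code). "Hospital Root CA" and "Dr. Lee" are constructed names; the second half of the demo shows why the CA signature, not the name on the certificate, is what the server trusts.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certify signs a subject's name and public key with signerKey, yielding the
// subject's certificate. parent == nil means self-signed: the root CA itself.
func certify(subject string, pub *rsa.PublicKey, parent *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root, allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy is the extranet server's check: does the presented certificate chain to the trusted root?
func trustedBy(root, presented *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// demo: the hospital CA certifies Dr. Lee's key. A certificate for the very
// same key and name that Dr. Lee signed herself is not accepted by the server.
func demo() (caIssuedOK, selfIssuedOK bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the CA's root key
	drKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the doctor's key pair
	root, _ := certify("Hospital Root CA", &caKey.PublicKey, nil, caKey)
	caIssued, _ := certify("Dr. Lee", &drKey.PublicKey, root, caKey)
	selfIssued, _ := certify("Dr. Lee", &drKey.PublicKey, nil, drKey)
	return trustedBy(root, caIssued), trustedBy(root, selfIssued)
}
```

Calling demo() yields true for the CA-issued certificate and false for the self-issued one.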
Benefits of Digital Signatures
Every facet of the health care industry has traditionally relied on volumes of paper to track down patient history, treatments, and insurance claims. In the electronic world, it is critical that health care organizations be able to track who is changing documents, when they changed them, and why they were changed. In fact, the FDA has mandated that electronic signatures be added to documents filed electronically, to provide some measure of accountability to the transactions.
Digital certificates allow the creation of a digital audit trail that highlights what documents have been accessed, who accessed them, and for what purpose and for how long they were accessed. The near-certainty of litigation for claims or malpractice makes it all the more important that changes to the electronic documents are tracked and validated.
We can take the example of a standard operating procedure (SOP) which has been filed with the FDA. Many pharmaceutical companies house the SOPs in a document store, such as Documentum. The specificity of drug manufacturing (as well as what is at stake) requires a change to be filed anytime the process is altered. Attaching a digital signature to the change request allows the FDA to validate that an authorized entity requested the change, and provides an audit trail in the event of dispute.
Digital certificates also help provide reduced sign-on functionality to electronic transactions and systems. With traditional client/server or Internet-based systems, users typically log into each system they use individually. Not only does this require enormous time and energy, the user must remember a significant number of passwords. To cope with lots of passwords, users often choose a single password for all applications, and change them infrequently. IT managers must not only track an ever-changing pool of employees and passwords, but also deal with the flurry of help desk calls revolving around forgotten, expired, or altered passwords. This creates a potential liability when dealing with patient records, since it is imperative that these documents be viewed only by appropriate parties.
Digital certificates and the policies underneath determine the access levels and authorization of the user, providing a single authentication mechanism for all PKI-ready applications and systems. For example, a PKI-ready application could challenge the user to present his/her electronic credential, in the form of a digital signature, to access the system. Users would not have to keep logging in as they access various parts of medical documents, as the other applications would directly ask the system for the needed electronic credentials in lieu of an ID/Password login.
Administration will continue to be a huge issue as more applications and critical patient data are exposed to external constituencies in the form of doctors, specialists, and insurers. The ability to utilize one credential to gain secure access to many systems will have a drastic impact on system administration costs, especially given the fact that upwards of 60% of an organization’s security budget is spent on administrative tasks like resetting passwords. Reduced administrative costs would allow for money to be spent on other critical medical functions.
Securing the Healthcare Industry
While PKI is slowly gaining popularity, it is important that the thousands of applications used throughout healthcare today become PKI-ready. Applications must be designed to ask users to sign data, and know how to validate that data using the certificates. Tremendous progress has been made recently to extend PKI to the application level, but there is still a long way to go. E-mail, a key business application, provides rudimentary support for digital certificates, yet it’s still very complicated to use. Third party software providers allow enterprise applications such as Documentum and Lotus Notes to support PKI. As PKI becomes a widely-used technology, it will be possible to bring the healthcare industry to the Internet in a secure manner, resulting in more effective and efficient patient care.