Smart Card Talk : May 2011 : Feature of the Month

Getting to Meaningful Use and Beyond: How Smart Card Technology Can Support Meaningful Use of Electronic Health Records

One of the primary reasons smart card technology is positioned to become such an integral piece of the new healthcare technology landscape is because of its ability to assist in meeting meaningful use requirements: providing the technological capability needed for providing secure storage and access to electronic health records (EHRs), enhancing and improving EHR functionality and workflows, and ensuring security protocols meet and/or exceed the requirements of certification. This month’s article reviews how smart card technology can fulfill the security requirements of meaningful use and also address specific functional gaps in the offerings of existing EHR products on the market.

Meaningful Use and Security Requirements

The basic security components that a Certified EHR technology must provide to meet meaningful use requirements include the following [1]:

  1. Provide access control measures
  2. Provide emergency access measures
  3. Provide an automatic log-off feature
  4. Provide an audit log
  5. Ensure integrity of data
  6. Provide for authentication of users and access
  7. Provide general encryption standards
  8. Provide encryption for all data transmitted through health information exchange channels

Smart card-based systems can help healthcare institutions and providers meet meaningful use security requirements.

Each criterion is presented in the table below, along with examples of how a smart card-based system can support a healthcare provider or facility in achieving meaningful use.

EHR Certification Criteria and How a Smart Card-Based System Meets the Requirement

Certification Criterion How a Smart Card-Based System Meets the Requirement
1. Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information Patient and provider smart cards can be used to provide strong two- or three-factor user authentication (a combination of physical smart card, secret PIN and/or biometric identification) for access to electronic health information.
2. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency Authorized users (first responders [2], emergency room personnel, and other healthcare data users ) can use offline portable readers to access information stored on a patient smart card. Authorized users can also use healthcare provider smart cards to authenticate themselves and confirm their right to access information.
3. Terminate an electronic session after a predetermined time of inactivity Electronic sessions could be implemented to only be active when the provider’s smart card is present.
4. Encrypt and decrypt electronic health information according to user-defined preferences (e.g., backups, removable media, at log-on/off) A best practice for healthcare systems, whether non-protected health information (NPHI) (i.e., data that has been stripped of identifiers or that is common to a large demographic group, such as zip code) or protected health information (PHI), is for all data to be encrypted and be capable of being decrypted via standard protocols. Encryption should also be required for all ancillary devices, such as smart card readers, removable media, mobile devices, and kiosks. The smart card provides the secure mobile platform for data and can both store encrypted data and encrypt/decrypt data when it’s being transmitted. Smart card-based systems can support a wide variety of encryption/decryption protocols.
5. Encrypt and decrypt electronic health information when exchanged All exchanges of non-protected as well as PHI data can be encrypted during transport or exchange in the method described above. Network layer security and encryption can be configured end-to-end, route-to-route, or edge-to-edge.
6. Record actions (e.g., deletion) related to electronic health information (i.e., audit log), provide alerts based on user-defined events, and electronically display and print all or a specified set of recorded information upon request or at a set period of time For portable mobile data that is stored on a smart card, smart card-based systems can provide audit logging capabilities.
7. Verify that electronic health information has not been altered in transit and detect the alteration and deletion of electronic health information and audit logs Smart card-based systems can support digital signatures and other cryptographic techniques that can enforce non-repudiation and provide high data integrity.
8. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information Patient and provider smart cards can be used to provide strong two- or three-factor user authentication to electronic health information (using a combination of physical smart card, secret PIN and/or biometric identification), and be used by the smart card-based system to determine authorization to access information.
9. Verify that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information Patient and provider smart cards can be used to provide strong two- or three-factor user authentication to electronic health information (using a combination of physical smart card, secret PIN and/or biometric identification), and be used by the smart card-based system to determine authorization to access information.
10. Record disclosures made for treatment, payment, and healthcare operations (optional) Discharge information can be stored securely on the smart card or the smart card can be used to securely access discharge information on a healthcare portal.

Smart Card Solutions and Data Security, Identity Management and Data Exchange

Smart card technology can help meet many meaningful use requirements. However, smart card technology also provides unique capabilities that address specific functional gaps in the offerings of existing EHR products on the market.

Current systems have functional gaps addressing data security, identity management, and data exchange across networks. This section describes how smart card technology can be used to support healthcare providers and organizations to address these areas and satisfy the HITECH Act’s meaningful use requirements.

Data Theft

It is no secret that data theft is the fastest growing Internet crime. And within the identify theft realm, healthcare data theft is rising faster than any other sector, a 112% increase from 2008 to 2009. [3] According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion–or approximately $20,000 per victim. [4] In addition, the latest Ponemon Institute study finds that “data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected.” [5]

With the country’s push toward electronic medical records, healthcare is quickly becoming a major target of cybercrime and the industry is seeing a tremendous increase in data breaches.

The specific area of data security and/or the relevant criteria from the HITECH Act are described as “Meaningful Use Stage 1 Objectives,” including “protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”

The way to stop medical identity theft is to improve patient and healthcare provider identity verification and provide enhanced data protection. Strong identity proofing at the time of enrollment, along with ongoing user authentication and data encryption are methods that can achieve these goals. To address medical identity theft, solutions need to provide higher levels of assurance than today’s processes, whether the interactions are in person or remote. Solutions that incorporate smart card technology can be used to address the security and privacy challenges facing the healthcare industry.

Strong user authentication is a critical step in addressing medical identity theft. All personal health record (PHR) providers, health record banks, health insurance and hospital Web portals should provide two-factor authentication mechanisms to their end users to help secure access to personal health information. In two-factor authentication schemes, individuals typically use a card, token or mobile device to access their health information or prove identity when obtaining healthcare services. The safest and most secure two-factor methods are based on smart card technology, where a tamper-resistant chip with security software is embedded into the card, token or mobile device (like a mobile phone). A smart card allows patients to unambiguously identify themselves to their healthcare provider when accessing patient records or requesting healthcare services.

Data encryption also plays an important role in the protection of protected health information (PHI) and is now mandated as part of the breach notification laws. Encrypting PHI protects against access by intruders; smart cards provide a robust set of encryption-enabling capabilities including key generation, secure key storage, hashing and digital signing.

Smart cards also add strong authentication capabilities that ensure only authorized users are able to access PHI. These capabilities can be used by a healthcare system to protect privacy in a number of ways. A doctor can use a smart card to digitally sign orders or prescriptions, protecting the information from subsequently being tampered with and providing assurance that the doctor was the originator of the information. The fact that the signing key originated from a smart card adds credibility and a greater legal stature to the record. The smart card provides two major benefits: one, it securely holds and protects the keys; and two, it is portable, so it stays with the doctor and not in the computer where someone else might be able to fraudulently use it.

Smart cards can also put patients in control of their private information. Patients can use their smart card to securely store personal health information, authorize provider access to that information, and secure transmission of data to healthcare systems.

Issuing secure patient and provider identity credentials based on smart card technology will help to reduce medical identity theft, and will also bring numerous efficiencies to existing healthcare administration systems. Authentication solutions based on smart card technology will provide an ideal foundation for improving the security and privacy of health information systems and electronic health records.

Identity Management

In December 2008, the HHS ONC issued a Nationwide Privacy and Security Framework that established a set of principles to govern health information exchange (HIE). [6] The ONC established two Health IT Policy Committee workgroups to specifically address privacy and security in EHRs: the National Health Information Network (NHIN) and the Privacy and Security Tiger Team. In a NHIN workgroup presentation in early 2010, they suggested five essential elements that would overarch this trust framework in enabling a national health information exchange: (1) agreed-upon business policy and legal requirements, (2) transparent oversight, (3) accountability and enforcement, (4) identity and authentication, and (5) minimum technical requirements. [7]

While each of these elements is important to create this trust, none of them individually is sufficient to create the total required framework. A strong combination of all listed elements is intended to provide a foundation for this framework, creating security and confidence for providers, payers, and patients and the freedom to move information within public and private exchanges.

Identity management is the foundation of the entire future of healthcare data management. With respect to the identity management infrastructure, healthcare today is where the financial industry was forty years ago (think back to the days of passbook savings accounts), with mostly antiquated, paper-based systems that afforded little security or identity protections and that were expensive and labor-intensive to operate and maintain. In the current Internet-era, information on millions of citizens can be stored on a memory chip that is smaller than a postage stamp, and that data can be moved globally in seconds. Paper-based systems do not stand a chance at effectively protecting data, sharing data, or conducting commerce in today’s world. To be effective, the American healthcare industry must adopt Internet-era technologies to protect its patients, providers, and payors. Smart card technology has already been globally proven to be effective at protecting identity, privacy, and commerce in today’s Internet-era world, and is well-suited to the challenges of the American healthcare system.

Two important issues to address in healthcare identity management are: initially establishing the correct patient identity; and then providing ongoing patient and provider authentication when accessing electronic health records.

Patient Identity. It has been reported that over 195,000 deaths in the United States occur annually because of medical errors. [8] Of those, almost 60 percent were attributable to a failure to correctly identify the patient. [9]

Accurately identifying patients and linking them with their medical records are significant challenges today for hospitals, healthcare providers and payors, with the government representing one of the largest stakeholders in this industry. Improper patient identification can occur for many reasons including common names, misspellings, phonetic spellings, numeric transpositions, fraud, as well as patient language barriers which can lead to errors in a patient identity. These identity errors result in undesirable financial and clinical issues for the hospital, provider, and patients.

In December 2010, the ONC Privacy and Security Tiger Team held a hearing on patient matching, also known as patient identity management. Part of the work of the Privacy and Security Tiger Team is to provide policy recommendations on privacy and security issues associated with linking or matching patients to their information within healthcare entities in order to support information exchange across healthcare entities.

According to the published presentation [10], information exchange between different healthcare entities depends on an ability to match patient identities without benefit of common identifiers. The presentation highlights the following:

  • Correctly linking patients to their health data is a vital step in quality healthcare;
  • Accuracy, integrity and quality of the patient data are also critically important; and
  • Internal data issues must be resolved before tackling the larger issues involved in exchange.

The presentation concludes by stating the role of the ONC in privacy and security in patient identity is to:

  • Broaden the discussion to cover data quality
  • Define and understand the ecosystem and patient linkage opportunities
  • Shift emphasis to data quality
  • Support conversation about development of standards for minimum data set
  • Promote transparency and consumer education/communication (addressing) a process for sharing how patient matching is conducted, accuracy of the matching, and challenges in health information exchange

Identity Authentication. Multi-factor authentication is critical in verifying patients and providers when accessing electronic health records. The United States Office of Management and Budget (OMB) has defined four specific levels of identity authentication “assurance” for establishing: “1) the degree of confidence in the vetting process used to establish the identity of the individual to whom a credential is issued (covered in Section 3.1.2.1 above) and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.” [11] The National Institute of Standards and Technology (NIST) developed electronic authentication guidelines for implementing the OMB-defined levels of assurance. [12] While these guidelines are currently in use within U.S. government agencies, [13] they are best practice models for use in defining authentication policies and practices for other programs. According to the October 15, 2010, ONC Privacy and Security Tiger Team meeting presentation, [14] the Tiger Team is considering tailoring this NIST/OMB e-authentication framework for use in healthcare information exchange. Within the currently-defined OMB and NIST guidelines:

  • Password tokens can satisfy the assurance requirements for Levels 1 and 2.
  • Soft cryptographic tokens may be used at authentication assurance Levels 1 through 3, but must be combined with a password or biometric to achieve Level 3.
  • One-time password devices are considered to satisfy the assurance requirements for Levels 1 through 3, and must be used with a password or biometric to achieve Level 3.
  • Hard tokens (such as smart cards) that are activated by a password or biometric can satisfy assurance requirements for Levels 1 through 4.

Deven McGraw, co-chair of the Privacy and Security Tiger workgroup, said at the group’s November 12, 2010, meeting, “We have a lever in certification to make sure the systems have the capability to be authenticated and digitally credentialed.” Later in the meeting, workgroup member Dixie Baker affirmed that: “eventually we’re going to have to put in place a standard and security and certification criteria for two factor authentication of EHRs.” [15]

Electronic prescribing regulations already mandate a minimum of Level 3 authentication standards. [16] One could extrapolate from this that access to sensitive PHI data (for example, related to conditions or treatments such as psychiatric, cancer or HIV, or health records of celebrity or publicly recognizable patients) could warrant Level 4.

As an increasing amount of information is stored online and wider access to it is achieved, strong authentication and auditability of access rights to confidential medical information will be critical for the healthcare identity management infrastructure.

Smart Cards and Identity Management. A smart card can be used to securely hold patient identity information, and to provide two-factor or three-factor authentication. Smart card technology enables distributed and federated applications in lieu of a central database of all patient identity and other personal information. The use of smart cards and federated data with standards-based protocols would allow medical practitioners to have access to data across multiple data stores with an assurance that: a) the patient identity is authenticated; b) the records retrieved match the patient; and c) only those that have need of the data have access to it. In the case of data access, proper security controls must also be implemented around the applications, databases, and environments that house electronic medical data. Smart cards can be effective in supporting healthcare applications with or without a unique patient identifier. Smart cards can serve as a secure way to aggregate multiple identifiers across many different systems or organizations, linking them all on the smart card.

Data Exchange

The idea of data exchange is at the very core of the federally funded NHIN. The NHIN is essentially a network of networks established to allow unrestricted flow of medical information by and among certified (authenticated) healthcare providers. Elemental to safe data exchange is data privacy. According to the Health Information and Management System Society (HIMSS) web site:

“Information and data exchange is a critical to the delivery of quality patient care services and effectiveness of healthcare organizations. The benefits of appropriate sharing of health information among patients, physicians, and other authorized participants in the healthcare delivery value chain, are nearly universally understood and desired. A RHIO, or regional health information organization, is a group of organizations with a business stake in improving the quality, safety and efficiency of healthcare delivery that comes together to exchange information for these purposes. The terms RHIO and Health Information Exchange, or “HIE, are often used interchangeably.”

In April 2010, the NHIN Direct workgroup was established, with the directive to “create the set of standards and services that with a policy framework enable simple, directed, routed, scalable transport over the Internet to be used for secure and meaningful exchange between known participants in support of meaningful use.” [17]

In a White House report published on December 8, 2010 by the President’s Council of Advisors on Science and Technology (PCAST), ONC and CMS were directed to develop the technical definitions and descriptions for the standard language and include them in requirements for meaningful use of electronic health records in 2013 and 2015. [18] The administration is absolutely committed to achieving interoperability, and it’s “not a minor issue” for them, Blumenthal said at a standards committee meeting on December 17, 2010. “We are going to move forward with a great deal of aggressiveness on health information exchange and interoperability, and even faster than we had expected based on the council’s report,” Blumenthal said. [19]

However, he added, it will be up to the committee to pick a path that is “technically as refined and as open to innovation, but as reliable, as we can make it.” John Halamka, co-chair of the Health IT Standards Committee noted that all data exchanges “would have to incorporate patient privacy protections.”

Thus, data exchange is predicated on the ability to secure data and to provide authenticated access to the data by authorized parties. Information must not only be protected during transit, but also while “at rest” on systems. Encryption and multi-factor authentication are critical to the data exchange processes, which, as described in Section 3.1.1, smart cards can support .

Data encryption and identity authentication can be managed in both small and larger ecosystems. The Federal government and other industries are using a public key infrastructure (PKI) to issue the digital certificates that are used for encryption and identity authentication, with the Federal Bridge Certification Authority enabling interoperable use across organizations. It is expected that a PKI-based infrastructure will be used in NHIN initiatives.

Another difficult challenge with health information exchange is management of the patient consent process, which allows medical information to be exchanged among providers with the permission of the patient. A smart card could be used by the patient to provide consent and give the patient control over what information is exchanged.

Summary

The Smart Card Alliance believes that smart card technology and smart card-based systems meet a number of criteria for meaningful use:

  • Smart cards augment the security of EMRs/EHRs by providing strong authentication which corresponds to at least Level 3 Assurance of the OMB’s 04-04 Memorandum.
  • Smart cards can carry PKI certificates which provide the highest level of trust identity management for data interchange across networks.
  • Federal standards are in place for identity verification and data access and security which use smart cards (the FIPS 201 Personal Identity Verification (PIV) standard for Federal employee and contractor identification cards).
  • Smart card software is commercially available that can improve the quality, safety and efficiency of healthcare delivery while improving care coordination and data access.
  • Smart card technology can help institutions manage a qualified EHR by integrating information from other external sources.
  • Smart card technology honors the goals of certification criteria by: promoting interoperability, promoting technical innovation which embrace adopted standards, keeping implementation costs low, considering best practices, and providing a modular solution.

As the industry moves forward in the pursuit of meaningful use in EHR implementation, standard best practices will include sharing data from various media across multiple networks. For information to be useful, it must be accurate, secure, and related to a single individual. Access to sensitive medical information must only be granted to known (authenticated) individuals or institutions that can supply valid identity credentials and that are authorized to access the information. Information must be able to be updated and must be synchronized across all networks in real-time. Individuals or entities that access, document and modify medical information (e.g., by adding to a medical record) must provide credentials to demonstrate that the resulting data can be trusted and is accurate. Finally, confidence in the technology, by the healthcare industry, providers and facilities, and consumers, is a requirement for success. Smart card technology can be used to address all of these requirements, with a long history of global success that can help build confidence in the new healthcare systems.

Smart card technology can augment existing EMR/EHR systems to provide the critical functionality necessary to achieve meaningful use, as well as to address important security and privacy gaps that could compromise the future use and utility of emerging regional and national health information networks.

References and Notes

[1] Federal Register 45 CFR Part 170 Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule Final Rule Text:* 170.302(o-w).

[2] The Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), and Federal Emergency Management Agency (FEMA) have worked together to develop specifications for the First Responder Authentication Credential (FRAC)–a secure, interoperable, smart card-based identity credential designed for the emergency management community nationwide. The FRAC is now being issued in many states to first responders. Additional information is available at /resources/lib/ERO_Credentials.pdf.

[3] EMR Data Theft Booming, InformationWeek, March 26, 2010

[4] Survey conducted by the Ponemon Institute, February 2010.

[5] New Ponemon Institute Study Finds Data Breaches Cost Hospitals $6 Billion; Patient Privacy in Jeopardy, FierceHealthcare, November 9, 2010

[6] Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, Office of the National Coordinator for Health Information Technology, December 15, 2008

[7] Comments made by David Lansky, Chair, HIT Policy Committee, ONC, Department of Health & Human Services, April 21, 2010 presentation on “HIE Trust Framework”

[8] In-Hospital Deaths from Medical Errors at 195,000 per Year, Healthgrades, July 2004

[9] Robin Hess, “Identity Crisis,” For the Record, January 17, 2005

[10] Privacy and Security Tiger Team Meeting, December 10, 2010

[11] OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 16, 2003

[12] Electronic Authentication Guideline, NIST Special Publication 800-63, April 2006

[13] CMS System Security and e-Authentication Levels by Information Type, CMS, April 20, 2010. CMS has defined eleven information types processed on or by CMS information systems. For each information type, CMS used FIPS 199 to determine its associated security category by evaluating the potential impact value (i.e., high, moderate, or low) for each of the three FISMA/FIPS 199 security objectives (i.e., confidentiality, integrity and availability). For each information type, CMS also used OMB M-04-04 to determine its e-Authentication assurance level (i.e., Levels 1−4) by evaluating the degree of authentication confidence required to protect the information.

[14] ONC Privacy and Security Tiger Team Meeting, Discussion Materials, October, 15, 2010

[15] HHS Privacy and Security Tiger Team Meeting Transcript, November 12, 2010

[16] Code of Federal Regulations, 21* 1311.105

[17] Direct Project HITSC Presentation, October, 2010

[18] Report to the President: Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward, President’s Council of Advisors on Science and Technology, December 2010

[19] Blumenthal to set aggressive pace for health data exchange,” Government Health IT, December 20, 2010

About this Article

This article is an extract from the Healthcare Council white paper, Getting to Meaningful Use and Beyond: How Smart Card Technology Can Support Meaningful Use of Electronic Health Records. The white paper outlines the ways in which smart card-based systems can better position healthcare organizations and providers for meaningful use of electronic health records, while addressing many of the security and privacy challenges that come with electronic health records and health data exchange.

Council members involved in the development of this white paper included: CSC; Gemalto; Giesecke & Devrient; IBM; IDmachines; LifeMed ID, Inc.; MasterCard Worldwide; Mount Sinai Medical Center; Northrop Grumman Corporation; Oberthur Technologies; OTI America; SCM Microsystems; XTec, Inc.

About the Healthcare Council

The Healthcare Council is one of several Smart Card Alliance Technology and Industry Councils, a new type of focused group within the overall structure of the Alliance. These councils have been created to foster increased industry collaboration within a particular industry or market segment and produce tangible results, speeding smart card adoption and industry growth.

The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on the how smart cards can be used and to work on issues inhibiting the industry.

The Secure Technology Alliance is Hiring

X