[This Transcript is Unedited]
Hubert Humphrey Building
200 Independence Avenue, SW
Washington, D.C.
Discussion - Subcommittee
DR. COHN: Would everybody be seated, please? Good morning. I want to call the meeting to order. I'm Simon Cohn. I'm Chair of the Subcommittee on Standards and Security for the National Committee on Vital and Health Statistics. I want to welcome the subcommittee members and the members of the National Committee and HHS staff and others that are here in person.
I also want to welcome those listening in on the Internet. I want to remind everyone here -- I'll be reminding you all from time to time throughout the day -- as we make comments and ask questions, we need to make sure we speak clearly and into the microphone, so people on the Internet can hear.
Now, the focus of the hearing over the next two days is HIPAA administrative simplification and electronic signature. The role of the NCVHS and HIPAA in electronic signature is twofold. One is that in complying with HIPAA administrative simplification, the Secretary is to rely on the recommendations of the NCVHS. Obviously, that is primarily what we are talking about today in relationship to the electronic signature. The NCVHS though has also been asked to track implementation for both HHS and Congress, and identify implementation issues and barriers, and recommend ways to mitigate those issues.
The overall purpose of the administrative simplification of HIPAA is to improve the efficiency and effectiveness of the health care system by establishing standards and requirements for the electronic transmission of certain health information.
Section 273 Subsection E of this particular subtitle is entitled electronic signature. I had to look in there to figure out what subtitle this was. It calls for the Secretary of HHS in conjunction with the Secretary of Commerce to adopt standards specifying procedures for the electronic transmission and authentication of signatures required in future HIPAA transactions.
As most of you are all well aware, there are currently no plans to specify electronic signature standards in any of the immediately upcoming final rules. Thus, the subcommittee and the NCVHS felt it was timely to hold hearings to visit the issues and opportunities of electronic and digital signatures for health care.
As we start these hearings, I first of all want to thank both Kepa Zubeldia and Stan Akmunson for their leadership and work in terms of putting this together. I appreciate your work on this. We obviously thank those of you who have come to participate. This testimony will obviously help the NCVHS develop recommendations to the Secretary.
With this rather long introduction, let me start with introductions around the table and then around the room. Karen, would you like to start?
MS. TRUDEL: Karen Trudel from the Health Care Financing Administration, staff to the subcommittee.
DR. ZUBELDIA: Kepa Zubeldia with Claredi, a member of the subcommittee.
DR. GELLMAN: I'm Bob Gellman. I'm a privacy and information policy consultant from Washington and a member of the committee.
MS. BEBEE: Suzie Bebee. I'm with the National Center for Health Statistics and staff to the subcommittee.
MS. BALL: Judy Ball. I'm with the Substance Abuse and Mental Health Services Administration and staff to the subcommittee.
MR. BEATSON: This is Rod Beatson from Cybersign. Sorry I missed the loop here. I thought it was maybe somebody over there.
MR. BARNETT: Dave Barnett. I'm a security architect with Kaiser Permanente.
DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Research and Quality, government liaison to the National Committee, staff to the subcommittee.
DR. BRAITHWAITE: Bill Braithwaite from HHS and staff to the subcommittee.
DR. FRAWLEY: Kathleen Frawley, St. Mary's Hospital, Passaic, New Jersey, member of the subcommittee.
DR. BLAIR: Jeff Blair, Vice President of the Medical Records Institute, Vice Chair of the Subcommittee on Standards and Security.
DR. ADLER: Jackie Adler, National Center for Health Statistics.
DR. COHN: Could we have others in the audience give us your name as well as affiliation?
MR. MANSON: Wayne Manson with the Electronic Privacy and Information Center.
MR. WRIGHT: Ben Wright. I'm an attorney from Dallas and author of a book called Electronic Commerce.
MS. WILLIAMSON: Michelle Williamson, National Center for Health Statistics.
MR. GREEN: John Green, National Association of Health Underwriters.
MR. CRUMPLER: I'm Stuart Crumpler with the Food and Drug Administration.
MS. JACKSON: Debbie Jackson, National Center for Health Statistics, NCVHS staff.
MR. LYNCH: John Lynch, Time Trust.
MS. McABEE: Rhonda McAbee, Care First, Blue Cross Blue Shield, information security.
MR. POHASICOP: Mark Pohasicop, Care First, Blue Cross Blue Shield.
MS. WHEELER: Gladys Wheeler, Health Care Financing Administration.
MS. EMERSON: Mary Emerson, Health Care Financing Administration.
MR. RUDDY: Dan Ruddy of the American Health Information Management Association.
MS. NEUMAN: Sherry Neuman, Iscribe.
DR. LU: Simon Lu with the National Library of Medicine.
MR. LAURE: I'm Mike Laure from Silanis Technology.
MS. MEDASSEN: Sue Medassen from HCFA.
DR. COHN: Let me just talk for a minute about how we are setting up the panels for today and tomorrow, as well as comment that for those of you who are around Washington, you know there is a thick fog out there this morning, so I suspect that some of our panelists may be struggling to come in through the fog.
DR. FITZMAURICE: What's new?
DR. COHN: What's new, eh? Actually, I haven't seen fog in Washington before. Usually it is a San Francisco phenomenon.
DR. FITZMAURICE: I think those that were flying in this morning may be affected -- their landings may be affected by the fog.
DR. COHN: Yes, exactly, which is something you're pretty used to in California. I haven't seen it before in Washington.
Having said that, we are going to be having two panels this morning, the first on the overall issue of electronic signature versus digital signature and what are the differences and what we need in health care. After a morning break at around 10:45, we will spend the rest of the morning on the second panel on the business case for electronic or digital signature.
This afternoon after our lunch break, we will be having a panel that talks more about government work around electronic and digital signatures, what sort of efforts have been going on, what sort of standards activities, what sort of pilots.
After that panel, we will be spending about an hour, hour and a half, talking about what we have learned. The point of these hearings today and tomorrow are to try to develop recommendations for the Secretary in this area.
Tomorrow morning, we will hear about reports on existing projects, then once again have a chance to talk further, and hopefully be adjourned by early afternoon.
Questions or comments before we start the panel?
With that, Dave Barnett, would you like to start?
MR. BARNETT: Sure, Simon. My name is Dave Barnett. I'm a security architect with Kaiser Permanente.
A little bit of a clarification. We have had several series of questions come across, and I'm not sure which format we want to use here. Should we stick with the agenda as published? I have answered more than that, but we can stick with that in order to keep in a timely fashion here. Okay.
The first question I'm going to answer is, what is the difference between electronic signatures and digital signatures. This is a very problematic question, because there are hundreds of definitions for both of these, so I'm going to use my personal composite, and things that I believe are generally acceptable, especially in the information security industry.
I define the electronic signature as any method that logically or physically associates electronic representation of the identity of a person with the content of an electronic document or record. This also implies acknowledged authorship or agreement.
One of the things that is important that I believe the American Bar Association has pointed out is, there has to be a conscious effort to sign a document. Many e-mail programs automatically sign documents, and this takes away from the intention. I think an automatic signature is not very meaningful. So part of this is the intentional acknowledgement that yes, this is my signature, yes, I am signing this document, and I agree with it or acknowledge it as an author.
In this context, tying my name at the bottom of an e-mail message or an electronic document is a signature. I think this is a problem in itself, because it is very easy to change that signature. Anyone can type any signature that they want at the bottom of a document. They can alter the document, they can forge a signature, erase it.
Generally with electronic records, it is very difficult to protect the content, and electronic signatures as I have just defined them have very low assurance; anyone can change them. So it is useful as identification, but it is not useful if you are concerned about the content or the authorship.
So I am defining digital signatures as a very special kind of electronic signature. They overcome this vulnerability and they tend to have the same force and effect as a manual or written signature. So I define a digital signature as a high assurance electronic signature.
Common usage. The phrase digital signature is usually reserved for these high assurance electronic signatures. A low assurance electronic signature, which is the normal one, is usually called an electronic signature. So this is logically complex, in that a digital signature is a type of electronic signature, but in common usage they are mutually exclusive. I just want to clarify that, because I'm sure I am going to use this in this context throughout my testimony here.
Some of the characteristics of a digital signature is, they provide reliable assurance that the message or content of the document has not been altered. They also provide signer authentication, which is a verified identity, non-repudiation, which is strong evidence of the validity of the signature and of the data.
Digital signatures have two essential technical characteristics. One is, they cannot be forged or altered without detection and two, if the content of the signed document changes or is altered in any way, the signature is invalidated.
In addition to these technical characteristics, we have two procedural characteristics. The first one is, the owner has sole control over his signature. The use of the digital signature requires an action by the owner, and the affixing of the signature is a deliberate act which serves to approve and consummate the transaction. These are procedural, not technical.
In the American Bar Association's digital signature guidelines, they also point out there is a ceremonial aspect to a signature. The act of the signing of a document calls for the signer's attention to the legal significance of the act. So whereas it may be acceptable in an ordinary electronic signature for a mouse click to affirm or affix the signature, I don't think it is acceptable for a digital signature. I think we need something a little more affirmative, do you agree, or are you aware of. At least two mouse clicks is the minimum, some way to affirm that you really, really mean this, that it is not an accident.
In defining digital signatures, a lot of times you will see the use of the term public key cryptography included in the definition. I really prefer a different approach to this. I think first, we shouldn't mix the requirements and the solutions. I think we need to decouple how we define a digital signature in terms of its requirements with ways in which we can implement it.
Secondly, a problem with adding a qualifier or public key cryptography, I think most people tend to assume that this implies a particular technology, in particular, PKI. I think this is very misleading. The digital signatures in themselves I believe are technologically neutral. The first instance of such a thing was published by Witt Diffy and Marty Hellman in 1976. It is basically a mathematics problem that is easy to set up and very hard to solve. These are usually called one-way functions.
Note here, the caution to this thing is not to get too technical, so if I do, someone raise your hand. I am a techie, so this is my stuff.
Since 1976, there have been three widely accepted families or approaches of these one-way problems that seem to work pretty well for digital signatures. This is definitely technical. There is a discrete logarithm problem, there is the integer factorization problem, and the elliptic curve problem.
A lot of these have been formalized as algorithms, but I'd like to point out, algorithms are formula-less, they are not technology specific. Part of the reasons for specifying an algorithm is, there are some security concerns that are very important with digital signatures, as well as encryption. That is why I think it is necessary to get to a certain level of specificity, so we know that these things work and they are generally acceptable as a good solution. This does not imply that it is technologically specific.
For example, in FPS 186-2, it points out that a digital signature algorithm may be implemented in software, firmware, hardware or any combination thereof. IEEE Standard 1363.2000, which is on public key cryptography, was developed to provide a reference for specifications for a variety of techniques which applications may select.
These are all very general frameworks. They are fairly neutral from a technological point of view. The importance of specifying them is, these are acceptable approaches in information security. We can rely on them. We don't want to have any old approach come in and say, we think this is secure. It would be much to the benefit of someone wanting to forge a signature to encourage the use of a weak scheme or schema for digital signatures.
It is extremely important that we be able to trust the scheme. That is why I think publishing the algorithms and specifying which methods are acceptable would be an important part of the definition.
I think we can do this without getting specific as to what kind of technology is needed to implement these. We are basically talking mathematics here, formulas, procedures. These can be implemented on any platform in a variety of ways, any language. It doesn't involve any particular vendor.
I want to stop before we get to a technical specification, which implies a protocol, like an Internet RFC or something, because that does tend to get technically specific. But we can stop before that and specify, here is the approach that is acceptable to us.
These algorithms for digital signatures can be implemented in code or in a product according to various technical protocols, specifications. They can be accompanied by a supporting infrastructure such as PGP or PKI. Then it makes more sense to say, this is a technology solution.
So I want to stop before we get to that point and list algorithms that are acceptable for use in a security setting that will allow us to do digital signatures. I think that is an appropriate place to stop. This will decouple the definition of digital signature from the algorithms, and then in turn we can decouple the algorithms from any specific technology.
In summary, electronic signatures are any means of affixing an identity by intention to an electronic document. Digital signatures are a special case of electronic signature. They are intended to have the force and effect of a written signature. A digital signature is a high assurance electronic signature that provides strong evidence for non-repudiation, verifiable authentication of the signer and prof of the content integrity of the document.
The only mature approaches today that are available for many of these requirements are based on one-way mathematical techniques which are often called public key cryptography. The algorithms themselves are technologically neutral.
Are there any questions on that part?
PARTICIPANT: David, you mentioned IPS. You mentioned IEEE, but I didn't know what IPS was.
MR. BARNETT: I'm sorry, FIPS, federal information processing standard.
PARTICIPANT: Say again?
MR. BARNETT: Federal information processing standard, from NIST. So it is NIST FIPS publication 186-2, is the digital signature standard from NIST.
DR. COHN: I just want to clarify for the panelists, normally what we do is, we let you testify, all of you, and then we will hopefully have a chance to have some questions and answers as we go along here.
MR. BARNETT: Okay. The next question is, what kinds of signatures should be used in health care and why.
I think there is a meaning for both electronic signatures in the low assurance sense as well as digital signatures of the high assurance sense in health care. For example, if I send an e-mail to my manager asking for the day off, he might respond, okay. I don't need a digital signature for that, unless I really don't trust my manager.
There are a lot of instances where a normal identification is perfectly acceptable. In some cases, for example, a fax is fine, and in other cases you want a written contract that is witnessed. There are many levels of assurance that are needed in any kind of business, and health care is no exception.
One of the advantages of electronic signatures or digital signatures is, they are very easy to implement, and they require little computational or organizational overhead. They are easy to do. Essentially, I can type my name, or you can put in some type of identifier in the e-mail. It is very easy to implement.
One of the problems with digital signatures is, because they require complex mathematics, they tend to have high overhead computationally, plus they tend to need a supporting infrastructure. We don't want to use them for just any old thing. Pick your cases where it is important to use a high assurance signature versus a low assurance. I think there is room for both in the industry.
So whether an electronic signature or a digital signature is used really depends on organizational needs, regulatory needs, that weighs the cost of implementing this against the needed function, and the need for reliance and trust. If we have a requirement to trust that a document has not been altered, and that the signer is who he or she claims to be, then a digital signature I think is appropriate.
This is often the case in a lot of health care things. Orders, requests for records; there are many instances where a digital signature is really the most appropriate method, but not all instances.
The way I look at it, wherever a written signature has traditionally been required by law, a digital signature would be appropriate. Or wherever it is necessary to demonstrate that an electronic record has not been altered since it was written, again, a digital signature is the best way to do this. Wherever it is necessary to demonstrate that a messenger document is authentic and was signed by whoever claims to sign it, the digital signature is an appropriate solution.
If we require digital signatures for all business functions, we have an unnecessary burden. In many cases, an audit trail, an electronic identifier or low assurance electronic signatures are appropriate ways to deal with this. But whenever it is critical to trust in the authentication of the signature and the content of the document, then a digital signature is what is required.
The next question is, what guidelines or standards for electronic or digital signatures are you using. The products that we employ follow the NIST FIPS publication 186-2, which is the digital signature standard, and FIPS 180-1, which is a hashing algorithm used in conjunction used in conjunction with a digital signature. Most of the products also follow FIPS 140-1 validation.
We use the American Bar Association digital signature guidelines, quite extensively. They have a nice explanation of the ramifications of digital signatures, and some good definitions as to what these mean, and the conditions that ought to be looked at.
For electronic signatures, I don't really see that there are any widely used standards. There are for digital signatures; electronic signatures tend to follow more along the generally accepted practices of an audit record -- that is, who did what, when, where, that sort of thing.
Other standards that we use. IEEE standard specifications for public key cryptography, which is IEEE 1363-2000, is a standard we use. One of the things that I like about that one is that it goes to great lengths to be technologically neutral. It separates out some of the definitions. A definition for a digital signature schema, for example, which is a method for authentication, then it will follow along with, in public key cryptography, this means. So they have done the decoupling that I favor. They have the definition, and then they list an approach and say, in this approach this is how we deal with that. IEEE 1363 went to a lot of trouble to keep this technically neutral; it was developed as a framework.
I think this is a very good approach. It doesn't limit us to any particular technology, which as we know changes quickly. But the basic procedures for secure digital signatures, authentication, non-repudiation, I think have to be examined carefully and specified.
Next question. Are there any ANSE standards for these signatures. There are several. Most of them come from the financial industry. For example, we have ANSE X9.31, which is a digital signature using reversible public key cryptography for the financial services industry, ANSE X9.30.1-1997, which is another public key cryptography for digital signatures, and ANSE X9.62-198.
The difference between all three of these, they come from the three types of families or three approaches. The RSA algorithm, the one that is referenced in X9.31. This usually is considered the de facto standard for digital and encryption signatures. It is very popular. That is based on the integer factorization problem.
The DSA, digital signature algorithm used in X9.30 was created as a royalty-free alternative to RSA, although with the expiration of the RSA patent last month, this is less of an issue. But DSA was designed as a signature-only algorithm and not for encryption. It is part of the discrete logarithm family. It is a little bit slower than the RSA, but it is an alternative to the RSA algorithm, and it can be implemented on comparable hardware, software. Otherwise, it is fairly equivalent.
One of the newcomers is the ANSE 9.62, which is based on the elliptic curve problem. One of the reasons the elliptic curve is very popular, it uses a smaller key. This makes it very compatible for mobile devices - PDAs, wireless devices, Palm Pilots, that sort of thing. It is a newcomer and it is becoming very popular. So those are three choices we have based on current ANSE X9 standards for the financial industry.
The next question, do these signatures comply with the requirements for the HIPAA security NPRM. Digital signatures as I have defined them, with a non-repudiation authentication, is a special case of electronic signature, do comply with the electronic signatures as described in the HIPAA NPRM. They satisfy the legal and time tested characteristics of a written signature.
This is how I used a digital signature. They are the version of electronic signature that do meet these criteria. They have the force and effect of a manual and written signature.
The last question, how does the e-sign act work with signatures. We haven't felt much of an impact yet, but we certainly expect to. The e-sign act prepares the way for full utilization of electronic patient records. This is very much aligned with what Kaiser Permanente used as a key strategy for providing high quality and affordable health care.
One of the concerns we have with the e-sign act is attempting to show favor or bias to any particular technology, it appears to forbid identifying specific standard approaches that meet these requirements. This is specifically digital signatures. I believe if we don't specify these approaches, we tend to weaken security. This is a critical issue for us.
Kaiser Permanente has been actively involved in committing to promoting standards in the industry that permit secure electronic interoperability between health care organizations and their business partners. We feel that the interoperability and security are vital to controlling costs and providing quality care in the e-commerce world. The digital signatures are an important part of this activity.
We are not alone in this belief. We are currently working with the California Medical Association to identify and resolve interoperability and security issues in these areas. The California Medical Association is very explicit that digital signatures are required, and anything else would be unacceptable. We need the non-repudiation and the authentication and the integrity services provided by digital signatures in order to trust the e-commerce activities or the e-health or e-care, whatever e-word you particularly favor is appropriate here.
Even though the e-sign act encourages electronic commerce, which is a really good thing -- it is great that it clears the way to allow us to use the electronic versions of signatures. But we are concerned because it is not adequately rigorous enough in defining and specifying high insurance signatures. That is why we feel digital signatures are a more appropriate solution than a normal electronic identifier, and we would like to see some specification about digital signatures and their use in regards to electronic health.
I believe that is the last question on the agenda.
DR. COHN: Thank you very much for your testimony. Ron Beatson.
MR. BEATSON: I am going to do this by presentation, if I can bring this up on the screen. If not, I will not.
I joined Cybersign in the last couple of months. Prior to that I have been involved in the electronic signature industry, and I will say electronic signature as opposed to digital signature industry, for the last 20 years, first in the U.K. and then since 1986, over in the U.S.
The basis of that is that I have been involved in various startups, developing electronic signatures, signature companies which have then gone on to develop the technology in different application areas.
So that is basically my background, and I will now explain what I mean by the traditional electronic signature, which in fact prior to the e-signup came into being has been used in many different applications, and I will explain the major one of those later on.
But essentially, the traditional electronic signature has three separate functions. It captures the signature as it is submitted by sampling the X-Y positions rapidly over time, and so you will therefore have a set of data which is a set of X-Y and sometimes pressure coordinates associated with that signature.
You can in certain applications compare that set of data against a reference template, which could be held on a smart card, hopefully on a client or a local server or even on a remote host.
Thirdly, having captured and possibly verified that signature, one can attach it to a document and bind that signature to the document by calculating an algorithmic based code, which takes into account all the data on the document and attaches that code to the document itself. So that, if in the future that document is changed, then the change will be known by anybody looking at it later, because the codes will not check out.
If I then look at the digital signature and I am going to concentrate a little on the public key infrastructure digital signature as opposed to any of the other algorithms that are used, essentially that public key infrastructure relies on a public key and a private key associated with each installation or each individual or each organization, depending at what level the digital signature is going to be used.
So if somebody is on an Internet, sitting at their work station, and wants to issue a document, the data associated with that document will be encrypted first of all with the sender's private key, and then by the recipient public key, which is known to everybody. A digital certificate will then be generated associated with that process, and issued by some trusted third party.
The data, because it has been encrypted, can then be communicated securely over whatever media it needs to be communicated to get to the recipient. Then when it gets to the recipient, the recipient says, this is encrypted data. It should have been encrypted by my public key and by the sender's private key.
So first of all, I will decrypt it by my own private key, and then by the sender's public key. If that is a sensible decryption, that implies that the document originated from some source -- and this is important -- some source that holds that sender's private key. It need not have been the sender. These private keys are this big. That will become important later.
We basically say that an electronic signature can identify you, the person, and you provide irrefutable accountability for documents that you sign using the process. The PKI takes over from there and provides the security going forward. It identifies the device that you sent it from, it secures the communication, it helps provide the digital certificate, but it does not identify you, the individual.
So then we have the electronic signature e-sign bill which came into being, and that as Dave mentioned broadens the scope of what the electronic signature is. It declares the validity of electronic signatures into state and international commerce. It embraces all technologies. What it does is, it prevents anybody denying that the legal effect of certain electronic documents and transactions signed by an electronic signature.
It also clarifies broad circumstances in which the electronic record satisfies any statute or regulation that mandates a record in writing. It also requires inquiries into domestic and foreign impediments to commerce in electronic signature products and services. So what we have now is a broader definition of what an electronic signatures is, which indeed does incorporate the digital signature, depending on how it is implemented.
So we now have to my mind an increased risk associated with the use of electronic signatures in commerce. We can base it on a password PIN, we can base it on any biometric method which is good, because that actually ties the transaction to the individual. You can submit any sign which indicates your intent to sign that document, and hence, a password protected digital signature would meet that criteria.
However, if we then go forward and say, supposing this document is created down the road and we want to actually see who signed it, it is important for us to be able to go back to that document and say, person A signed this or person B signed this. Therefore, it is very important to show who made that sign. Hence, I believe for that purpose, we revert to the use of the traditional electronic signature.
I believe that technologies for health care transactions need personal identity verification at the network access control level. We need personal accountability and document authentication at the point at which those documents are signed, and we need secure communication thereafter. Those three areas I think will insure the security of that information, as well as generating in my opinion some very significant economic benefits.
We can use the electronic signature in the context of an Internet to attach electronic signatures of the traditional type to documents. We can then use the digital signature infrastructure or the -- most often based on public key encryption to certify that that document originated from a specific source. We have a trust associated with that transaction, which will be accepted, I believe, worldwide.
If we go back to an electronic signature, basically we would use -- I don't know how many of you have purchased products at something like Circuit City, where you may use your credit card to sign on a device like this. That essentially is capturing an electronic signature and associating it with the credit card transaction.
There are today probably about two and a half billion electronic signatures captured each year to deal with that sort of transaction. I believe similarly, we can move that technology into health care to secure those documents.
Let me just talk very briefly about what the application for credit card signatures does. It captures the electronic signature at the point of sale in this sort of device. It encrypts and binds that post transaction to the signature, communicates it to a host, and it is stored electronically in encrypted form until it is archived off at some stage. But if there is what they call a request for copy in that industry, or a query against the transaction, that transaction is retrieved and printed out with the signature in place, and is used as evidence to associate the transaction with a particular individual. Then if there is still a problem after that, that document becomes part of the evidence of the dispute going forward.
One of the benefits apart from the security of this is that there are very significant point of sale savings to the large retailers who have installed this equipment, something of the order of $500 per terminal they install per year, based on costs associated with admin and what they call chargebacks. So basically, their investment is recovered in six months. I believe with the use of the traditional electronic signature in the health care industry, that very similar savings can accrue.
Just to point you to a book by Bill Gates, who has done some research in Microsoft. He reckoned that the paper cost of orders which they do were $145, and when they moved to an electronic order system, the costs grew to five dollars. So that gives you some sort of power of the economics of that transaction.
I wanted to talk a little bit about standards at this time. The standards for the electronic signature format as Dave said are not really -- there is not really a standard for that. but there is an emerging standard called the bio api standard, which is available at a website which is www.bioapi.org. That deals with how you interface biometric devices to your system. Indeed, the electronic signature if it is verified would be such a device.
That has NIST backing. It is government supported. It is intended to cover all platforms, and will be an ANSE standard at some stage.
Apart from that, different companies in the electronic signature field provide what they call plug-ins for the most widely used software, such as Adobe Acrobat and such as Microsoft Word.
For the electronic signature of the traditional type to be used, you need a device -- and this device is smaller and less expensive by the day. Now we have the pervasiveness of the Palm Pilot to consider, which will -- I think at last count there were about seven million of these devices out in the U.S., and they are going now to something like 700,000 a month. These devices would be perfect to actually capture the electronic signature on and attach it to documents with the help of the software which would be available from the various supplies in this area.
I was going to give you a small demonstration; I'm not sure we have time for that.
DR. COHN: No.
MR. BEATSON: With Adobe, we would create a document, capture the electronic, verify that electronic biometrically if it was necessary, attach the signature to the document and bind the signature with the document.
Adobe has software associated with it that cooperates with the plug-in, which would be part of their system, and that would enable the document to be stored and then we can -- prior to that actually, we can invoke the digital signature arena and transmit that document securely with a certificate to the intended party.
That concludes my testimony this morning, and I thank you.
DR. COHN: Thank you very much. Ann Gugel.
MS. GUGEL: Ann Gugel. I am with Baltimore Technologies. I am a market development manager for health care businesses in the U.S.
Baltimore is a leading provider of e-security solutions globally, and with a strong emphasis on public key infrastructure, technologies and services. I'm going to quickly go through the questions so we all have enough time here.
The first question is, what is the difference between electronic signatures and digital signatures. I have to say that I agree with Dave Barnett's definition. He did a great job in describing differences.
I just want to point out that he mentioned that electronic signatures were use for identification. I tend to disagree with that. I'd like to say that digital signatures are very useful for identification, because when digital signatures are used in a public key infrastructure, there is a lot of checks and balances and measures of trust in there that are not inherent in an electronic signature system that doesn't employ PKI. So those checks and balances include certificate authority and registration authority. That registration authority would provide the strong identification needed and a third party of trust that is standing behind that identification. Those are the benefits that a public key infrastructure brings to use of electronic signatures in digital certificates that is not available in other types of technologies. I know we want to stay technology neutral, but I did want to bring up that one point.
Digital signatures can be useful for both identity or encryption. You can separate your certificate and have two certificates, one for identification and one for encryption. We recommend for security reasons you want to have encryption in your system, but there are providers out there using digital certificates solely for identification.
The next question is, what kinds of signatures should be used in health care and why. This is really up to the type of data that needs to be protected and the level that the organization wants to protect that data. Of course, I believe that digital signatures are required for strong identification and strong authentication of the person with the trusted third party standing behind that. However, those electronic signatures such as a digitized handwritten signature also prove useful in health care, because a lot of documents, people want to see a signature for approval on it, and a system of approving documents and adding counter signatures. So there are multiple technologies that might need to be added together to provide the best solution for the electronic signature in health care.
The third question is, what guidelines or standards for electronic or digital signatures are you using. I see this question very similar to a further question that talks about standards.
The standards that Baltimore has developed include the ISO standard for digital certificates. X509 is the standard for the digital certificate in a public key infrastructure.
Also, we adhere to the IEEE standards that Dave mentioned, 1363-2000. As far as encryption goes, our systems provide DAS or triple DAS as well as RSA algorithm and elliptic curve technology or the newest algorithm approved by NIST, the advanced encryption standard.
Users can choose to use whatever algorithm they would like, so it is not mandated. We provide the capabilities, users decide how they want to use our technology. We also adhere to standards that aren't really open, but they are default industry standards because some of the major vendors like Cisco have developed these standards, and they are widely used with Cisco products, such as the SCEP certificate enrollment protocol.
There is another standard for certificate management protocol that is not really -- that is widely implemented as well throughout the PKI vendors.
The fourth question, what is the value or major benefits of using these guidelines or standards. Those benefits are that you have -- with the use of standards based products, you have a greater degree of interoperability among the vendors, and scalability can be enhanced. It also provides users strong flexibility, that they are not tied in to one specific vendor or one specific product when most of the leaders in the industry are adhering to those open standards.
The fifth one is, what are the limitations or the weaknesses of the guidelines or standards. We all know that it is how it is implemented. A poor implementation can happen with anything you buy. This is not plug and play technology. You don't just buy something from Baltimore or any of the other major vendors of the PKI, plug it in and expect to have a PKI system that is up and running, and all your policies magically appear just the way you wanted them in the system. Public key infrastructure is a combination of software, hardware, people, policies and the implementation architecture, and it does highly rely on the rest of the security of the system, including network security, audits, risk assessments to make sure that other holes are plugged in the system as well.
Are there ANSE standards for these signatures. Dave addressed that pretty adequately, so I'm going to move on to number seven.
Do these signatures conform to the ASTM standards for health care. Yes. I also have a copy of the E31 standards for the electronic signatures before me for referral, if anybody wants to take a look at those.
Do the signatures conform to the NIST 186.2. Yes. We give the option of using DAS or triple DAS.
Are there other widely used standards for this type of signature. Yes, there are. I addressed that a little bit in a previous answer, but it is PKCS standards and the PK standards are widely used by other PKI vendors for digital signatures in a PKI.
Do these signatures comply with the requirements of the HIPAA security NPRM. Yes, they do, but I do want to emphasize that no single vendor provides all the capabilities required in the security electronic signature NPRM. We may provide technology solutions, but we may not provide the training and awareness needed for that specific organization. I don't know of any vendor that provides all the risk assessment services, robust auditing of all the systems in combination with robust auditing. Auditing is one of the requirements right now. That includes auditing of everything, not just the process of requesting digital certificates or how those certificates are used for access control.
Auditing logs include all the logs from NT Solaris HP systems and consolidating that, so that requires a number of different vendors or professional service providers. That is why it is important that the major vendors have partner programs. We have extensive partner programs with probably hundreds of partners that we have done some interoperability testing with.
How does the e-sign act impact your work with electronic signatures. The e-sign act as described by the two gentlemen before me, it brings a level of legal validity to the transactions. There are a few cases specified in the e-signature act where e-signatures cannot be used, leaving all other cases available and open for the use of electronic signatures and having them hold in a court of law.
Unfortunately, the e-signature in the global and national commerce act is very broad in its definition of what an electronic signature is. I see a lot of weakness here, and a lot of room for lawsuits. It is going to be difficult for individuals to stand in front of a jury or a judge and try to defend the technologies they used. I don't see any technologies stronger than a PKI system for great scalability, global interoperability among multiple vendors and outside of a private network, that can provide all of the checkmarks needed that I would like to stand up in the court of law.
As I mentioned before, partners are very important in this. I would say that time stamping might be a very important feature to have when you are trying to defend a legal signature. In addition to that, in a PKI, you may be interested in having an OCSP server, which is an online certificate status protocol, where you can have instant validation and checking of the validity of a certificate.
So those are two pieces that off the shelf PKI might not provide, but there is a third piece, a hardware signing module. That is where the FIPS standards come in. There are FIPS standards for hardware security signing modules from level one through level four, four being the most stringent. So to have the highest assurance possible, you want to have all those extra pieces in a public key infrastructure, including a hardware signing module, OCSP server and some time stamping in there.
I'm going to skip down to 13. Is it possible to apply multiple signatures to the same document, and is it also possible to apply counter signatures. Yes, it is, but that requires maybe an additional piece. We have a product called Forms Secure. Our Forms Secure product allows you to put multiple signatures and counter signatures in there.
There are other vendors that focus specifically on this type of capability, and they would be partnered with digital certificate companies. That provides a real nice system of having counter signatures and multiple signatures for tracking through a system, along with the strength of a trusted third party and digital certificate.
The next question is, what kind of software is available to support this technology. Our system runs on NTs, NT 4 or 2000, HPS and Celeste systems, most of the larger implementations of operating systems.
Can signatures be used to apply to whole documents parts of documents, binary files and EDI files? Yes, and I specifically wanted to address the EDI files. A lot of the EDI vendors are now leaning toward XMLs as the EDI of choice. There is an electronic signature for XML signing, so it is possible to sign parts of an XML form.
How large is the install base for this type of signatures. We have two very large customers. We are a global company, so a lot of our implementations are in Europe, Asia and the U.S. We have large implementations in Australia, the Australia Health Insurance Commission as well as the Australian Tax Office are two of our larger customers.
One of the largest ones is in the financial industry, ABN Ambro is another one of our large customers. Baltimore is being used as the route certificate authority technology for the Identrus program.
This leads me into the next question. Do you think that there are digital signature solutions in other industries that can be used for health care. There are two that come to mind readily. The first is the Identrus model being used in the financial community, and the second is the federal CA technology that is being used in the government. I see that Rich Lido is on the schedule later today, so I assume he is going to talk further about bridge certificate authority, the concept and how they are using that, and the benefits of not having one route set, but having a bridge concept.
Does the verification of signatures require access to a central server such as OCSP. The answer is no, it does not, but that does bring additional assurance, if an organization would like to implement OCSP.
That is all I have. I tried to be brief.
DR. COHN: Thank you very much. Michael Laure.
MR. LAURE: Thank you very much. I think copies of the presentation or information regarding the answers to these questions are being passed out right now.
Before I jump into the questions, I just want to explain a little bit about who I am and who Silanis is. Silanis Technology is working on developing electronic signature technology as well as the market expertise for almost a decade now, so we have done the enormous amount of work of actually putting electronic signature applications into a whole variety of different industries and costumers, some of which I have listed here, that include not only government, but pharmaceutical, health insurance, financial and so on.
Just to mention myself, I am one of the co-founders of the company. I have watched the market evolve since about 1991, and it has been pretty interesting from the point of view of electronic signing as opposed to the digital signature aspect, which I will talk about in a moment.
Just to put a context around it, the products that we produce are based on a product called Approve-it. It is essentially an electronic approval management application that is based on secure electronic signatures and approval process automation. It uses electronic signatures however that are perhaps a bit of a hybrid of what you see. What they do is combine the digitized handwritten signatures with digital signature technology, and allows us to scale into all of the various technologies and standards, provide the security to these processes.
In our case, most of our customers use what we call captured signatures, which is an encrypted file containing not only imaging information about themselves, but also all the security technology to insure the authentication as part of that. And of course, we have had to provide the ability to use those signatures in a whole variety of signing processes, as well as different document formats.
So the questions. When I looked at these, the answers I have come up with here are from the point of view of our company and our customers, as opposed to the general marketplace.
The first question that I wanted to address, which I think has been interesting so far, and I think I wanted to add the comment that if you took all of the products and peoples' concepts in this room and put them together, you probably would have a pretty good product at the end of it.
The biggest problem that we are dealing with as a company who is actually out there selling this specific type of capability is the massive confusion between the terms between electronic signatures and digital signatures. So I would say the confusion right now is, most people perceive electronic signatures as the digitized handwritten signatures, for the most part. Occasionally they may perceive it as having biometrics built into it as well, but that is pretty much they way they see it, with no security. So that obviously is a problem.
The second type of signature we're talking about here, digital signatures, sometimes is perceived as, this is how I sign on to the computer or signing with a PKI, or maybe a few people really understand that there is cryptographic technology that we are talking about.
The reality of the difference between electronic and digital signatures is that electronic signatures is a computer based method by which we can express the same legal meaning as a paper signature. The interesting thing about this from a market point of view, because to a great extent what we are dealing with here is semantics, more than anything else, is that there is well over 100 pieces of state legislation, there is all kinds of pieces of federal legislation, and the vast majority of these pieces of legislation talk about electronic signatures. Within them, they may talk about digital signatures as the method by which we will do that, and in fact, the NPRM that we are discussing here today, this is exactly the approach that has been taken.
So from our point of view, electronic signatures represents the method by which we do the equivalent in the computer world of what we do with a pen. What that really means, one of the best places that we have found to find a definition of that is the Uniform Commercial Code, because this is what governs virtually all commercial and financial transactions at a fairly high level.
The Code defines a signature simply as a mark or symbol or signer's intention to authenticate the writing. So the intention to be captured and to authenticate the writing is key to it. That was actually how our company got started. Someone said, can they get a signature into this autocab drawing, and once it is in there, can we make sure that if it ever changes, that it invalidates the signature. We came up with a way to do it.
So that is pretty much what signatures is. If you look at the e-sign law, what they have come up with on a technology neutral basis is stating that electronic is bound to and will process attach to and logically associated with the contract or the record. And most importantly, executed or adopted by a person with the intent to sign the record. So we are just stating what UCC is saying, except now you can do it in the electronic world.
So in reality, I have an acceptable electronic signature that goes beyond the perception of a simple digitized handwritten signature. We have to have a process that captures the intent and then secures that result, that signature, so that it is bound to the signature record, using some type of security technology. By default today, the baseline for that is digital signature technology.
The reality with regards to the digital signature is the only place where you have clear and proper definitions of this is if you look in a cryptographer's book like Bruce Schnei, for example, who will tell you what an additional signature is. It is a cryptographic process that doesn't insure the integrity and the origin of data. I thought Dave Barnett did a good job of explaining that this is what it is. It is a technology, it is a horizontal kind of a thing.
By itself, it doesn't represent intent. It doesn't capture peoples' intent as part of that process. So to come out with something at the end, you have to put these two technologies together. I think the only thing I would say is, the way I would put those two together is that electronic signatures are in fact a subset of digital signature technology to some extent. If we look at digital signature technology, it is used for all kinds of things like VPNs, website access, secure e-mail, and of course electronic signing, which is an application of that type of technology.
In order to use it, it comes back to what we said before; it has to be incorporated into a computer based process that specifically captures the person's intent with regard to that data or to the document. You have to reproduce what you are doing on paper in the electronic world and make it at least as secure as pen and paper. Preferably, we would like to make it more secure, and that is certainly possible.
So that is our point of view on electronic and digital signatures. In the end, it is what we end up having to explain to a lot of our customers. If they go out with the idea, let's go out and buy digital signatures, and they call up say a company that has a toolkit like RSA for doing that, they probably wouldn't be too happy about having to write a whole pile of code in order to have an application. They want to have something that is an application that defines for them the signing process, so they don't have to worry about if they are doing it right or not.
To move on to the second question, what kind of signatures should be used in health care and why. Electronic signatures are inherently the equivalent of legally binding signatures. When you look at definitions coming back to all the legislation and various regulations, and the reality of what they are, this is what we use to sign. We have to get that intent, and we have to secure the intent as part of that signing process.
I use the word legally binding signatures here. Sometimes people tend to think of legal as only applying to contracts or something from this nature, and nothing could be further from the truth. Any piece of paper with a signature could end up in a court of law for whatever reason. It could be a timesheet, it could be a purchase requisition, it could be anything, and that signature has at that point a legal effect on it.
So in health care, in essence, you need electronic signatures. However, the electronic signatures will need to incorporate digital signature technology as the baseline of its security that allows us to insure that the signatures that are being applied to the document, not only have we captured the intent, but that we can also verify that that really is that person who signed it, and that the integrity of the document or data has not been modified since the signature has been applied to it.
So that means that on top of having digital signature technology to go with it, we also then have to start thinking about identifying the security pieces which Anne Gugel talked about before, and I think that her point was very well taken. If you are going to have this type of technology, you also now have to start incorporating the registration process into it.
What is the best way to do it? Well, digital certificates are a very good way to do it. There are other ways to do this as well, though. We found that there are different ways that you can take PKI technology, digital signature technology, digital certificates, and there are different ways you can put them together that don't necessarily result in a certificate authority.
CAs are good. It means that I am putting a certificate into every person's hand out there, and in many cases it becomes extremely cumbersome. There are other ways to do this, however. So by putting a specific technology or more specifically a specific kind of a product or implementation of technology into the regulation, puts an unnecessary burden on the regulation at that point. It means that you may be limited to one way to do it, which may prove to be very difficult. If companies come up with new and better ways to put those building blocks together, you're going to be locked out because the regulation has already been made.
So coming back to this, the digital signature technology has to be reinforced with digital signatures, which means that you are going to have to have a PKI system. It also means that you may in certain situations, depending on what you are dealing with, if a doctor is going around in a hospital, we want to be sure that they are meeting the right people, we want to give them something that they can identify themselves.
At that point, you have a choice of three things. You have passwords which can be used on lock certificates, which can be done in a very secure way, except for the fact that people tend to forget these passwords. Secondly, you can use smart cards, which are fairly easy and have become fairly common. I think the U.S. Department of Defense is going to have a really interesting experience with that over the next few months. Then finally, you can use biometrics as well, which adds a fairly high level of user authenticity to the process, but it still boils down to, can we get the technology to work flawlessly in this kind of environment.
A doctor or nurse or any other kind of a health care provider is not going to want to be struggling with technology all it is meant to do is simply sign something. At the end of the day, signing from most peoples' point of view has to be extremely simple and it has to work all the time.
So electronic signatures in health care, the next question that came up, was that they should provide manifestation of the signer's intent. In this case, we feel that a digitized handwritten signature is highly desirable in the documents that are being used in health care.
Part of the reason for this is, a lot of the documents are not being used inside of a closed system. They have to move around. They have to go between health providers, between hospitals and insurance companies, or they have to be documents that interface with the public. And throw into that that a lot of the people today who are working with this do not necessarily feel comfortable with a signature-less process. That means no handwritten signatures. So to some extent, it helps the transition process.
To another extent from the legally binding point of view, when I sign a piece of paper -- and the best example of this is a contract -- when I sign a contract, the validity of the contract, whether it will be enforced or not will depend on whether or not each of the parties understood what they were signing off in the first place. If it is not clear to them that they were even signing a document, and in the electronic world, with certificates being added to things like e-mail, this can become extremely confusing, to say the least, then it is possible that the person will not realize that they were signing the document, and the document will not be legally binding, or can be shown to not be legally binding as a result of that.
So the handwritten signature adds a great deal of value, because anybody who signs with a handwritten signature immediately understands what it is that they are doing at that point. So it is quite obvious to them. However, the process is there to automate and to some extent hide from the user what is going on in the background, which is security. That allows us to insure that the signatures are in fact valid in the highest sense possible.
The next question was with regards to what guidelines or standards for electronic or digital signatures is Silanis using. Well, to start with, before getting into actual guidelines, the thing that drives us the most tends to be what our customers are doing. A lot of the markets that we deal in are regulated or managed in some fashion or other. So we are talking about pharmaceutical, government, financial, telecommunications. In each case, if we are not dealing with a specific regulation such as the FDA CFR 21 Pub 11 or the DoD PKI standard or CHPIA, we are dealing with the insurance companies' requirements for how they need to have contracts signed, or the financial industry for how they need to have enrollment done, or any other company's requirements on how signing should take place. Signing in the end for them is dependent on what their business processes are. So we always have to make sure that we are meeting those specific requirements and guidelines that are coming from the markets and that customers are dealing with.
In addition to that, one of the guidelines that we use and we refer to frequently is the American Bar Association's digital signature guidelines, which was also mentioned by Dave Barnett before. Specifically, it gives a good definition of what signing is, but more importantly, it gives a fairly good definition of what the characteristics of an electronic signature should be.
We find this in some state legislation as well. One of the state regs that we use quite a bit is the New York State electronic signature and records act regulations, which are similar to the ABA's. They define the characteristics as requiring user authentication, requiring document integrity, but also capturing the intent of the person who is signing this.
The New York State reg actually goes a little bit further in defining user authentication as being something that is unique to the person who is signing, being under their sole control when they are using it, and then finally as being verifiable as belonging to them.
From a technology point of view, we use a lot of different technology, but the key standards that we follow on this side are the U.S. federal information processing standards, specifically FIPS 186-2, which defines the use of digital signature technology in the federal government.
In their case, they allow for the use of two specific algorithms. One is the digital signature algorithm as well as recently, they have added the use of the RSA algorithm, which is now what we use. We used to use the DSA, but we preferred to move over to the RSA, since it has such a wide amount of usage in the marketplace.
The other standard that is also part of this and is fairly important is FIPS 180-1, which deals with message integrity. That in itself is an essential part of the other standard and of digital signature technology.
So those two standards together basically define the basic technology that is required to implement everything else that rides on top of that, all of the building blocks that are put together.
In addition to that, we also follow one other standard, which is the X.509 version three standard for digital certificates. That is an important standard from the point of view of how am I going to identify who this digital signature that was put onto this document, where did it come from. The main way to do that of course is through digital certificates, and X.509 is a well established standard from that point of view.
Looking at electronic signature relative to these standards, I know this is a problem that you are wrestling with, our point of view on this is that there are a few basic standards define the core technology. Everything goes through these digital signature algorithms or through the authentication algorithms, and of course, the digital certificate is the other key piece that fits into this.
There are also symmetric encryptions such as DAS which we also use, which is also a federal government standard as well. Beyond that, everything else is taking these building blocks and putting them together so that they work together. But as long as I know that these standards are being used in the signing processes, I will always be able to go back to my signed documents and be able to verify the integrity and where those messages come from, and be able to access the information from it.
Being able to then use it for interoperability is also possible, and that obviously is going to potentially require standards at a higher level. But initially, you have to start building it at a lower level before you jump up to those higher levels, and allow the technology to evolve correctly.
What is the value or major benefits of using these guidelines and standards? The main value, the major benefit of this is that it provides not only us, but also our customers in the marketplace with clear business, legal and technical requirements as to what an electronic signature should do. Part of the guidelines and standards often tend to be focused specifically on technology, but we also have to be aware of what business requirements are, especially when you are talking about things like the insurance industry or financial industry, is going to be key, and of course the whole health care industry, the ability to be able to exchange data is absolutely key.
There was some discussion from Anne before about the use of XML. XML is going to be a core piece of being able to move data around within the health care industry. A digital signature standard on how I incorporate the use of digital signature technology based on the standards that we already talked about into that has already been defined to a certain extent by the W3CI. So that gives us an idea of how we can use that standard towards that end.
Also, just as a point for our customers in the marketplace, it is that it allows them to make informed choices about what those requirements are. So most of these standards are fairly clear in terms of what is required to be able to use them. However, the question comes right after, what are the limitations or weaknesses of these guidelines and standards. Well, there is a number of issues in them. The one that we run into often, because we do deal with the government, is that they are not always followed as they should be, and sometimes they are applied where there is no real need for them.
I would say quite often there are a lot of people who are not necessarily aware of what the standards are in the first place. So you really have a lot of inconsistency as you move about that, and it gets more complicated, once you go into industry, because within industry we have different groups who are all trying to regulate what they are supposed to do. In some cases it is dead clear. If I'm working for a pharmaceutical company, I am going to conform mostly to the FDA's regulations. If I am working in the insurance industry, it is getting kind of confusing. I've got state level regulations, I've got federal level regulations, and it is not always obvious as to which one is going to come into play.
From the point of view of electronic signatures, it gets even more difficult, because now I have to decide whether the state where I am working has a regulation that is supposed to apply to me, and there are other regulations that provide what the e-sign law says.
DR. COHN: If you could begin to wrap up, please.
MR. LAURE: Okay. The other points that I would like to point out is that sometimes the regulations tend to focus too much on the technology and tend to overlook the process issue, such as the requirements for registration and identification process, which I think Anne covered quite well before.
Industry and government standards, fairly quick comments about this. Are there ANSE standards? For the types of signatures that we do, there is nothing specific about it, but then again, we are basing our security on digital signatures and certificates. So all of the standards that were discussed prior to this apply in that case.
Do the signatures conform to the ASTN health care authentication standards. I have to say that our company was not familiar with these until we looked at this thing. We pulled out the standard and looked at it, and was able to find that we do seem to meet pretty much its requirements.
Do the signatures conform to NIST 186-2. Yes, we do. We use the RSA algorithm for that. We also conform to FIPS 180 as well.
In industry and government standards, are there other widely used standards for these type of signatures. With regards to digitized handwritten signatures, obviously there isn't, although the display of them is quite simple, and there is standardization for that. But again, the security comes back to the digital signature side of it.
Finally, do the signatures comply with requirements of HIPAA security NPRM. In our case, looking at the different components regarding the electronic signature security standard, there is a standard defined, there is required implementation features, and there is optional implementation features. We meet all of the requirements of all of those features within the standard.
As far as the legislation goes, how does e-sign impact our work with signatures? It really has no impact, since we already surpass the requirements of that legislation, since our product is made specifically for signing in the first place.
However, it will certainly force companies to move ahead and establish specific applications as the market leaders, so I think there is an impact it will have there.
The UCITA impact, again, it doesn't have an impact, because UCITA is consistent with e-sign, in the sense that it meets the requirements of e-sign to accept what it does in e-sign.
As far as the technology goes, there are three questions. Is it possible to apply multiple signatures to the same document? In our case, yes. Is it possible to countersign? Yes. Can signatures be applied to whole documents or partial documents, binary files, EDF files? Yes, these are all standard features built into our product, which was designed specifically for signing in the first place.
What kind of software is available to support this technology. Signing is an act that is taught in readable format, so the signature is in fact effective. Our products therefore have to interoperate with the electronic document and forms format. They are required to use these signatures in the first place, so as a result we support Microsoft Windows desktop applications as well as browsers. We support having the applications running up on an NT server as well as ASP applications, and we also support UNIX and Mac based web browser applications.
Does the verification of signatures require access to a central server such as OCSP and so on. No. The validity of the documents can be verified on a stand-alone basis. The verification of the certificate that is associated with it if you are using one and it is tied into one of these databases, can be verified as required or when the document is being verified. In essence, this actually mimics the entire paper process. When I get a signed document, I'm going to verify the signature at the moment that I need to do it.
How large is the installed base for this type of signature. I would say that overall, if you are talking about captured signatures, we are talking probably a half a million signatures. I can tell you that our base of signatures has tripled in this past year alone, so it is pretty significant.
The other industries that I feel really could have an impact here we that are very familiar with is the FDA regulated industries, where they have a fairly specific rule for these electronic signatures. There is a lot of work and a fair amount of implementations that have been done with those type of electronic signatures in that industry.
Finally, in conclusion, I would say that electronic signatures and digital signatures are both necessary, as they each provide the necessary parts of the solution. On the one hand, the electronic signature is automating the process for the capture of the signature's intent, and maintaining the authentication of the signed document as it goes through the approval process, whereas the digital signatures and associated technologies such as PKI will secure the integrity of the data as well as the authentication of the person involved in the signing.
In the end, a good electronic signature product has to be easy to use, has to be secure, and has to work anywhere. It will have to meet our customers' and our users' expectations, so that it will be accepted, and so it will be effective in the end.
That concludes my presentation.
DR. COHN: Thank you. Peter Waegeman, welcome.
MR. WAEGEMAN: Thank you very much. I would like to apologize for having been late. I haven't heard the first presentations, so I may say things again. Please accept my apologies. Also, I feel bad that I just have heard about the confusion about electronic signatures and digital signatures. I feel personally responsible; in ASTM about six years ago we created the distinction. We came up with the electronic signature.
Let me explain. In 1994, ASTM formed the subcommittee on electronic signatures, at that time on authentication of health care information. It was a very well attended group that we had at some point, 28 organizations represented in that organization. We had the joint commission, DoD, AHMA, American Bar Association, AAMT, ADA, the FDA, and the board of ASTM at the time. The various medical specialties, as well as the Justice Department. All of them were there.
Now, as we met for one year on a regular basis, almost every four or six weeks, we went into the various uses of digital signatures. As we went through it, we got to a point where particularly for medical specialties, a digital signature is a transition sometimes too cumbersome, and can be too expensive.
Out of it, we came up with the term of electronic signature. An electronic signature is something where you don't need all of the burden of a security infrastructure, including registration authority, certificates and so on.
The ADA particularly was very vocal in saying this, that a single dentist should not have to buy certificates at this point, but should be able to have out of their own organizational authority some kind of identification. So what we really have created is first of all is the standard which by the way has now been for five years a national U.S. standard. ASTM is one level up from the normal standards of the organizations we are dealing with, the ASC X12, which is an ANSE accredited organization. ASTM is the founder of ANSE, and therefore is a much higher level of an ANSE standard than any of the standards we normally deal with.
So as we move into a standard, we have pointed out after long discussions what are the specialties for health care, why do we need for health care specific standards, something which has been coming up in the meantime in many other countries. In my second talk, I will be talking about at least eight countries I am quite involved in, where in the last couple of years have bypassed what we are doing in the U.S. and are far ahead in the implementation of signatures and PKI. But all those have accepted what we just have heard from Michael, for instance, standards which apply to digital signatures.
In health care, you cannot function with general standards for that. Let me give you a few examples. If we just go into the major elements, if you look at a signature it has five elements. The first one is to identify a person in a way that cannot be faked or cannot be seen in different ways. This goes into PKI.
What we have to understand here is that health care has very different requirements than, for instance, banking or electronic commerce or any other field, where you just need to identify, is this person authorized. We need to know more in the future as we share information on a national and international basis, whether that one person who wants to access information or is writing information, is not only M.D., as he would be in electronic commerce, but is this person licensed in that state, what is the specialty, is he an attending physician to a patient.
We not only need to know, is this an M.D., but is it for instance a psychiatrist, or is it a pediatric psychiatrist. So we need to have identification attributes which are part of the standard 1762.
The second one is that we have in health care requirements for more signatures than one. It doesn't occur in banking or in any other area. The worst case we have identified, and I can't recall the details, are 17 co-signatures, someone is testing, doing research, and someone else is doing something else and so on.
We need to have a signature system which is specific to those requirements. The third part is that we need more than in banking or in e-commerce a specific document structure. A document structure means that we cannot see an amendment of a medical record which is only part of a note. The signature must require that this amendment comes up when the main document is seen at the same time. Again, this does not occur in electronic commerce or any other field.
If you look at the five elements which make up a signature, the first one is for identification. We have in health care way different means of identification. We have said in the interim period, we are willing to allow an electronic signature which has less identification requirements of PKI, which requires a registration authority, certification authority, and so on and so on.
The second part is for signing itself. The signature has to be done in a conscientious responsibility taking effort. It cannot be done as some commercial systems are doing, by default. You have a legal responsibility for it.
For the signature itself, there are many standards out there. I think you have heard of some of them. Most of them apply to the general e-commerce field and so on.
The third one is for the sealing process, encryption and sealing. Once a signature is attached, that document should not be changed in any way, and if it is just a transmission from one company to another one, and a couple of bytes are changed, the signature must be removed. It doesn't happen with many commercial companies at this point.
The last one is binding. A signature has to be affixed to a document in a way that no person, willfully or otherwise, can remove it. There are many ways where in some of the commercial systems right now you can find ways to detach a signature in one way or another.
The last one is what I talked about, the document structure, where one has to be clear about amendments and has to be clear about what is going on there.
So what we have to realize is that the electronic signature is allowed according to the ASTM standard, if there is an authority within an organization, for instance just one doctor. The moment the one doctor is in bilateral communication just with an insurance company, just with one hospital, that could be accepted. The moment this individual deals with a pharmacy in the wide range of the health care field, it will not be accepted. Then we need to get into what is called the PKI.
Now, let me talk a few minutes about PKI. I think they have probably explained it well, but just so we have a common understanding.
PKI is an infrastructure. It is not attached to a signature. It is a very shining concept similar to electronic patient record systems. No one has implemented a full electronic health record system, no one has implemented a full health care PKI at this point.
I spent last week a couple of days with the ministry of health in Singapore, which is probably one of the most advanced ones, and they are almost there. But there are so many elements of the infrastructure. So it would have been better to talk about this as a pure infrastructure than PKI. This is where we have to move to, this is what is really needed.
So to come back to the questions. I think I explained the difference between the electronic signature and the digital signature. The digital signature is part of the infrastructure of PKI. It is what we all need, but it is very difficult to get. It is somewhat complex to manage, it is cumbersome to manage with certificates and so on. Therefore, people are kind of holding back.
In my next talk in the next panel, I will be describing what the impact of that is. I personally see that a switch to PKI is the same situation we had 250 years ago, to go into a general banking system and printed notes. At that point, people just had individual coins, they couldn't see why you are going into this cumbersome system, where you have to go to the bank and where you have ways where you can go anywhere in the world with your printed bank notes and do that.
It is similar in scope. It is not easy, it is complex, it is difficult. However, the longer we wait, the longer we will just have wasted health care costs. I will be showing in the next presentation that the savings are between $50 and $80 million, and it is much bigger in savings than what the paper transactions are trying to do at this point.
So if you look at that, you can see the differences. Electronic signatures can be a transition part. However, I should say that many of the countries I am talking with who are currently implementing PKI systems, Canada, Australia and so on, are saying why did you ever come up with an electronic signature, it makes it so much more confusing. I feel that the ministry of health should just say it should be digital signature and PKI, period. So I have to admit that I bear some guilt here.
What kind of signature should be used in health care? If I would have to decide today, I would say if we could, probably we would move more towards a digital signature and PKI than allowing an electronic signature. However, taking in the fact that we have many signature systems being installed and many being marketed, and very few of them complying with the requirements we have in health care. It may be worthwhile that we see these as a stepping stone to get into PKI and digital signatures.
ANSE ASTN standards are nationally and internationally recognized standards in this field. This applies to 1762 as a general guide as well as a specification for digital signatures.
At the same time, we should recognize that ISO TC215 is moving strongly into an international standard for signatures. It is based largely on ASTM standards and people like Dave Barnett are very much involved in that. People from major countries of the world from Japan, from Australia, Europe and so on are following the lead of the U.S. standards for what has been done in ATSM and is being done right now.
So in regard to standards, we have a good number of standards. Remember, those are for health care. I will show in the next presentation that we need to override the state laws. We need to look at some of those issues, because we have to focus on what are the health care requirements.
When we look at the e-sign act, I will pass out later on a document from the standard magazine which says clearly, e-sign act makes electronic or digital signatures legal. It does not validate them. So what we have to realize is that we can now have electronic signatures, but it does not mean that they apply in health care or documents signed under these general guidelines, would pass as a health care legal document and legally signed.
I think we have been late, and I will keep it short at this point.
DR. COHN: We may have a chance later on to also make comments. We are a couple of minutes late here, but I think we should provide questions and an opportunity to ask questions of the panel before we take a break. Questions?
DR. ZUBELDIA: I want to thank the panel for the wonderful job they have done. I was going to come out of this with a common understanding of electronic and digital signatures, and it is better than that; I have five common understandings now.
The general theme that I am hearing is that there are several parts to a signature. There is the ceremonial part of the individual voluntarily signing, and that can be expressed by a biometric, because you cannot delegate, or it is difficult to delegate that.
Then there is the signature card concept, of a third party -- the registration as to who the signature belongs to, and the certificate authority PKI concept. Then there is the document management part that Peter explained so well, where if a document is signed, it is signed forever, you can't remove the signature. If the document changes the signature it is invalidated.
Is there any these technologies or methods that incorporate the three aspects? Maybe Silanis is the one that comes closest. One thing I noticed in Michael's presentation, you were saying that his meets the larger requirements of HIPAA. Peter Waegeman was saying no, no, no, no, no. Is there a conference of all this that leads into something that could be adopted as a standard?
MR. LAURE: I don't know that there is a standard that just exists and meets all the requirements of HIPAA. In order to meet many of those requirements that are in there, you have to write an application that can manipulate the security technology to perform a number of those things. Some of the basic requirements -- or the very basic requirements are met by a digital signature to some extent, but a digital signature does not guarantee that the person who applied the digital signature is in fact who they say they are. That is probably one of the noticeable aspects in the HIPAA rule that you might expect to see. At least you see it in the state legislation. It talks about digital signatures, but it doesn't talk about things like certificate authorities or registration authorities or how we are going to handle that aspect of it.
There certainly are products and methods to do that out there. But some of the optional requirements of it actually should be mandatory requirements. For example, putting mandatory signatures onto a document doesn't seem like an optional thing for most documents. I think you have to have -- there are a lot of documents that absolutely have to have multiple signatures.
The concept of counter signatures, where I have to know the order the signatures are applied, is mandatory in many business processes. So the problem that we found in implementing our product was that we can take whatever technology, whatever the standards are, and apply it to a specific document structure, and we can make it so that the signature becomes a permanent part of it, but we also have to make sure that it is capable of performing the business processes that are involved with that document.
So if that document is a five-part form, and it requires four signatures and it has to allow for sections to be filled in between the signatures, then the application has to be able to manipulate the technology to do that.
In the end, that is pretty much what we do. We are an application that makes use of that technology and the standards that are out there. The results of an electronic signature that ends up going into the document is based on standards, to the extent that I can verify the signature because it uses RSA for their digital signature and it uses SHA 1 for the hashing of the data, so I can verify the integrity of the document as well. If it has got a certificate on it, I can go and check it against the database.
But the way I put those together to put it into the document, there is no standard for that. It is hard to build a specific standard, because you are trying to build it to apply to all these different business documents or processes that are happening out there. That is pretty much what we run into in dealing with our customers. There are thousands of different types of documents that have to be signed in all kinds of different ways, depending on the industry that you are dealing in, and it becomes virtually impossible to separate the business process from the technology required for the electronic signature itself.
So I don't know if necessarily what we were saying is different. One of the salespeople who works for me had a good expression, which was, basically it sounds like we are all in violent agreement here, and we are just coming at it from different directions as to how that actually happens.
So I don't know if that answers it from our point of view.
MR. BARNETT: I think the thing that comes closest to this is PKI, as far as a standard, as well as ETS work on PKIX, which are closely related. They don't specify the technologies to the extent necessary to guarantee interoperability. So what we end up doing is a lot of common understandings. There are standards that are being worked on with an ASTM E-31, ISO TC-215. We are trying to get to some common understanding of how to do this.
Kaiser has invested heavily in PKI, because we think this is the most cost effective approach, but there really is a lack of standards in the area that take care of everything, meet all the requirements.
One of the problems with this is, we get down to technology specific implementations. Biometrics for example are something that we are looking at, and we are very interested in it. That is only one method of authentication, something you have, such as a token, something you are, biometrics, and sometimes people have the category of something you do, such as handwriting analysis. These are all authentication approaches, and we need at least one for authentication and probably two, for strong authentication.
When you get to how you do that, we are getting into technologies, and that is an area I think we have to tread very carefully in. So PKI comes very close to being a comprehensive standard, even though X509 is a framework in the recommendation, it is not really a standard. It is pretty close to what we think is what the answer is going to be. But we are still dependent on common understandings with our peers and business partners and within our community of interest. So it is a problematic area.
MR. BEATSON: I wanted to address the front end of this process, which is essentially, you begin with a document, and you want to get a signature on that document. You then want to secure that document and you then want to transmit it to somebody securely.
The actual document management associated with getting the signature on there is available in numerous -- well, I won't say numerous, but certainly well used software packages, such as those offered by Adobe Acrobat and indeed, Microsoft Word. Now, most businesses, I am absolutely sure, use these software vehicles for their document generation and management.
So what the electronic signature industry is doing is making available to these well-used packages the capability of adding an electronic signature verified biometrically if you so desire, to that document. Thereafter, the digital signature part and the PKI part and the encryption part can be handed over to the digital signature people, who offer systems for that. So I'd say it is two parts.
MS. GUGEL: I have one comment on this. I want to provide a little background. The health care industry itself has a lot of custom legacy applications that are not enabled to accept digital certificates for authentication. That is one issue.
There are a lot of vendors out there creating new type of applications such as electronic patient record applications, that need to be PKI enabled, especially if we are going to mandate the use of digital signatures for the health care industry. So that requires the use of either a toolkit or some customized integration.
Some of that customized integration has been done by companies such as Silanis or Cybersign, because these companies have recognized the need for adding multiple signatures and counter signatures and document control with signature control throughout the whole process.
I consider those applications that are PKI enabled. There is a host of other applications out there in the industry that need to be PKI enabled or able to accept and recognize an X509 version three certificate for authentication.
So if we are going to mandate digital signatures, then there is a lot of work to be done in the industry for enabling the applications. But there are a lot of tools out there for them at their disposal. Baltimore RSA and some of the other vendors offer tools for developers to PKI enable their applications. There are some other niche companies out there that are going ahead and enabling the major applications like the ERP systems, and then you can buy these snap-in products, so that you have PKI enabled applications.
The main applications today that are readily enabled are pretty much the mail systems using S MIME web access control, web based access control to accept digital certificates. Most of the VPNs are out there, so you have extra-net solutions. Some of these industry specific applications, like a lot of the ERP systems, that have not been PKI enabled yet, they are looking at this technology and what HIPAA is going to say about it before they move forward.
I do want to make one comment about what Peter addressed. You said that there are not a lot of large-scale implementations of PKI in health care. One of those reasons is, there wasn't a driving force like HIPAA yet and a lot of them are waiting.
Some of our customers include the Australian Health Insurance Commission. It is a relatively new customer, maybe since June, so they are not in widespread use yet, but they are gearing up for very large implementation, since it is a national health care system, much larger than any one health insurance company in the U.S. So that will probably be our largest health care implementation of digital certificates.
As far as installed base, we have the two cases I mentioned earlier, ABN Ambro and the Australian Tax Office, have each over a million issued certificates, so we have some large scale proven PKI systems outside of the health care industry.
DR. BLAIR: First of all, in the tradition of the NCVHS, any time there is a testifier or a standard or a vendor where we have direct association for public disclosure, we wind up by indicating that. My good friend and my employer, Peter Waegeman, is one of the testifiers, so I wanted to indicate that.
Then I have a question for -- I think it is Ron. Ron, I think that you indicated that when you use PKI technology, it identifies the source, but not the individual. That left me a little bit confused, because I thought with the certificate process that it did identify the individual, maybe not directly, but at least -- I can't even say it is indirectly.
Anyway, could you please clarify for me what you meant when you said that?
MR. BEATSON: Yes, in fact, I did say that. Let me put this in the context of a particular situation that might occur. If you are sitting in a work station on an Internet and you generate a document and that document is then -- goes through the digital signature process and it goes to the other end, the only thing that that person at the other end knows is that the private key associated with that transaction was submitted at the source end.
Now, that private key typically is not entered by the individual at the work station. That private key typically resides somewhere on a work station or a server. So if you are sitting on an Internet, actual work station, conducting transactions, and walk away and leave your P.C. on, and somebody else could -- not at all likely, but could come and conduct a transaction at that work station. It would not be clear whether that transaction would have been conducted by you, the normal user at that work station, or not. That is the point I was getting to.
DR. BLAIR: If that is the case, then that is new information to me. Could I get comments from the other panel members, acknowledging whether that exposure is in fact correct?
DR. COHN: Maybe I'll just start out, since I practice clinical medicine. Ron, what you are saying is probably not an uncommon practice. I think if everyone tries to have computers turn off when somebody leaves the use of that computer, there is nothing that turns off every time you don't use a keystroke in two seconds or whatever. So obviously there is that exposure.
MR. BARNETT: As Rod points out, there is exposure within a digital signature structure or PKI. That is why it is important to identify and specify the procedures involved for your identification and authentication.
For example, I have a class one verisign certificate that I paid I think $9.95 for, and I just gave them my e-mail address and they sent me one back. How well does this identify who I am? Well, I paid for it, and it's a good credit card, anyway. On the other hand, I can download a certification authority toolkit from a particular large vendor of PKI products, and create my own certificate. So I can make up and put in just about anything I want.
The technology allows me to do this sort of thing. Where it is important to identify the procedures -- this is maintaining the ownership of the signature and those kinds of procedures, I think that is the area we need some regulations and some standards in. How do you identify a doctor? One of my standing jokes is, on the Internet, nobody knows you're a doc.
But the no authentication problem is very difficult, and we need to come up with some way in the regulation of the standards of trusting who is that person who owns that certificate, and how do you know they are controlling it properly, and how do you know they are not leaving the work station logged on all day so that anyone can use it. Those are some of the issues where it would be appropriate for us to identify the standards and the regulations.
DR. GELLMAN: I want to ask about this from a somewhat different angle. Let us assume somewhere down the road that we have some sort of full-scale PKI system with certificate authorities and registration authorities, whatever. I am looking at this from the angle of privacy consequences of all of this.
The first thing that makes me a little nervous is that the digital signature may in some way become effectively a universal identifier; you need to have this to do anything. The second thing I'm worried about is that the verification process, which a couple of people talked about, at least mentioned, creates an incredible surveillance system. As I go somewhere, I show my identification, which gets verified, and now whoever is doing the verification has basically an audit trail of my life. They know where I was, they know what I was doing and they know when I did it.
Does anyone want to comment on that? Has there been any thought given to some of the consequences of all of this information that may accumulate?
MR. WAEGEMAN: Yes, you're right, we are moving toward patient identification. However, from my point of view, and I consider myself as a patient advocate in the field of signatures, as you probably know, Bob, I have been very outspoken in that field, this is one way which seems to be a solution. It seems to be very acceptable that we have not -- all the arguments we have had in the past for universal patient identification systems, all of the negatives are falling by the wayside, and we have a positive way of identifying.
However, it would be wrong from my point of view to focus on that right now, because that is not a political issue, and it is the second step. The first step is to create a PKI for caregivers. This by itself provides much higher security from the point of confidentiality.
I agree with you, electronic health record systems today are not safe and not secure, and confidentiality is in a sad state. PKI will really make a difference. So the only way at this point where we can say we clearly can identify who is accessing information, who is originating information, who is taking responsibility for information.
DR. GELLMAN: But I am getting at what we are doing potentially. Don't leap to conclusions that this means that I don't think we should do it; I just want to have these issues discussed. We are creating potentially a new database that essentially surveils people as they move through the health care system or as this broadens in the economy, we have an entirely new entity here that has a tremendous amount of personal information on people, and it is something that never existed before.
There may be benefits to all this in terms of protecting the confidentiality of records. I am skeptical about that, but it is a possibility. I want to focus on this new thing that is getting created.
MR. BARNETT: One comment I would make about that is, I am hearing those same concerns. One approach which is somewhat similar to what is being done today is having more than one certificate.
For example, the certificate that identifies a person as a physician should probably not be the same one used to purchase things over the Internet. A list of people with M.D. after their name might be a very sellable item to certain junk mail lists.
I think we really need to separate out our identities, depending on our roles, to some extent. Surveillance within the medical community, it is a bad word, audit trails, are probably appropriate, especially with medical records. It might be a very good identities of you as a consumer versus you as a physician, and not have one certificate that is your universal identifier. That is one approach.
DR. COHN: How many certificates do you think the average individual would have to carry?
MR. BARNETT: I'm thinking at least a dozen. I'm trying to get the number as small as possible, because the other approach is, you have too many, and it is just as bad. So somewhere there is a happy medium between the maximum and minimum number of certificates necessary to do business over the Internet and electronically.
MR. WAEGEMAN: I currently have six different health cards. That means I am in six different databases for my personal identification. It may be with PKI that there are four or five. It will not be that there is probably one national or international authority. These authorities can be handled in a much better way than any open system of patient identification as we have been talking about.
But one point I wanted to make as we probably will come to that, I had not talked about my function as the chair of ANSE HISB, American National Standards Institute, Health Care informatics standards. We have identified that there are between 12 and 18 different approaches right now in the United States of creating PKIs. We have representatives here from three companies, I see another four or five, out of 15 or 18.
I just want to set the record straight that we may not even have the most active one in health care. We do not have a full representation here.
We are trying to coordinate, we are working on a voluntary basis of the major companies out there and also organizations such as Kaiser and Chime, and I am inviting of course anyone else to participate. But we are trying to come up with the issues and moderate and come to a mediated approach of one acceptable health care approach in that field.
We have to understand that yes, there are still some holes in PKI. It is a very complex issue. However, the longer we wait, the more it will hurt. I will be talking in the next panel what Canada and Australia and all those countries are doing.
DR. FRAWLEY: I just wanted to make a comment, because I think it is important just to reinforce what we heard this morning.
The first thing in terms of disclosure, I have to disclose that I was a member of the original E 31.20 subcommittee that developed the standard on E 1762.
DR. COHN: You have to give the name as well.
DR. FRAWLEY: Electronic Health Care Information. But I do want to follow up on a comment that Anne made, and I think it is important that we recognize this morning. Most of our clinical information systems in this country as Anne pointed out are legacy systems. Most of them would not support a digital signature application.
Probably more troubling to me right now is the fact that many of the products that are coming on to the market again would only support an electronic signature, and would not support a digital signature.
I just happened to look at a new product from my hospital two days ago, and we talked about HIPAA, we talked about electronic authentication, and basically this product would only support an electronic signature.
So I just want to bring that up, that unfortunately right now, most of the users in our health care delivery system in this country that are using some type of electronic signature would not meet any digital signature requirement under HIPAA.
The second thing I want to raise is many of the vendors that bring the products to the marketplace are really only bringing products that would provide for an electronic signature. I don't know how you would be able to transition from these products.
MS. GUGEL: That is why I brought it up. A couple of things. First, they are waiting to see what HIPAA does require, and they know they have two years, two or three, two at least.
There are a lot of toolkits out there, and Baltimore is one of the vendors that provides these toolkits. The toolkits -- since the RSA algorithm patent just expired, and toolkits are now, as of September 11 or 21, whatever the day of the expiration was, they are now more readily available worldwide at a much lower cost, and easy to purchase by vendors other than RSA and Baltimore.
Before the RSA algorithm expired, products were much higher cost. Now we have a huge amount of interest from vendors in all different industries who want to PKI enable their operations. They know they would like to, but before it might have been cost prohibitive. So now it is very low cost and very easy for them to purchase these toolkits, and we are getting a lot of interest in the health care industry as well. They want to enable their applications, so they will move in that direction if the requirements do require digital signatures.
MR. LAURE: If I may add a comment to that, most of the competitors that we deal with are electronic signature vendors. I would have to say that any of the ones that we compete against all incorporate digital signature technology into their products. Anybody who doesn't, we don't end up competing against them, because our customers would not buy such a product in the first place; it would be insufficient from the security point of view.
So I just wanted to add that as a comment.
DR. COHN: Kepa would like to finish with one final question, and then I think we will try to give everybody a break. We are very far behind time, but I think we're okay.
DR. ZUBELDIA: Thank you. Peter, with HISB trying to coordinate an international standard, all these PKI efforts to come out with one solution that we can adopt, I would like to ask the whole panel if they think -- what would be a time frame for coming up with a solution that we can adopt in this country, as a HIPAA standard for digital signatures, not just PKI, but looking at both PKI and electronic signatures. Is there such a thing as a solution that could be adopted? And what is the time frame we are looking at?
MS. GUGEL: I'd like to at least start on that. I believe that the solution is not just one technology, but a combination of technologies. Since three of us represent different vendors, of course we would like to sit here and say we can do that for you. But that is why I mentioned early in my testimony that the partner programs that we have are so important, because I really think that both technologies are important in signing documents and tracking the signature through the system.
PKI provides the trust for identification authentication of an individual through the digital certificate. But even my own company makes another product that tracks multiple signatures on forms, called Form Secure. So it is not one product, but it is a combination of more than one product.
MR. LAURE: I'd like to add to that. I agree with Anne, and I would add to that, if I look at the experience that we are actually involved in right now ourselves in the Department of Defense, where they have defined their own standard for PKI, and have implemented it -- I'm not sure that everybody is necessarily happy with it, but it has been done. It actually is quite usable and works with our product at this point.
The approach there is that we have implemented a PKI. What PKI gives you is managed certificates. In other words, everybody gets certificates that are controlled properly, so you all have your identifiers. Now what you need is PK enabled applications which allow you to use those certificates to sign whatever it is that you need to sign.
In the end, it boils down to adding support to all of these different applications to be able to use that kind of an identifier. So I think the key standard that really is the issue in the end is having -- if you are going to go with something like certificates or PKI, then you've got to define that and roll that out to people so that they have their digital I.D.s, and at the same time, you've got to encourage vendors to implement the applications to put the signing capability into it, and put it in a method that represents an acceptable way of signing.
What that boils down to is, go back to what a signature is. It captures a person's intent to authenticate the writing. That's it.
DR. ZUBELDIA: Time frame? Two years? Five years?
MR. LAURE: You could start that this year, if you wanted to. The applications are there, and PKI applications are definitely there as well. Baltimore I'm sure would be more than happy to come in and implement a pilot in a hospital or whatever to put PKI into place. But to say that it is going to roll out across the entire country, I don't know, probably 10 years. I think I have heard that it takes 10 years for a new certificate to apply itself across in a widespread kind of way. So if that is the case, then I think you could see the same thing from the point of view of health care. And of course, there is the fact that you are dealing with thousands of different corporations here in essence, as the marketplace goes.
MR. WAEGEMAN: I agree, the technology is there. We could do it today. Secondly, there are installations today happening in Chime in Connecticut. You will hear this afternoon. If you look internationally, the province of Quebec has it fully implemented, Finland has it fully implemented. In Australia, people have implemented it in and in three Asian countries.
One could say it is not quite ready, but let me compare to when HIPAA came out and we were struggling, what should be the messaging standard. There were holes. We needed implementation. In the same way we could say today, let's adopt PKI, and yes, in six months or in nine months, in the same way as what happened with HIPAA, we could have all the holes filled, because these are policies, these are issues of how to implement them.
The technology is out there, but it is a very complex infrastructure, where we really need some leadership in what can be done. But it is being done in other countries, because people realize the earlier we are doing it, the more we can save to the country and the more we can make systems confidential and secure.
MR. BARNETT: One of the issues here is to what level of detail are we going to specify. First of all, I think it is extremely important to start blocking out what we need to define, because that helps us converge. If we just let everything go until we have all decided what the answer is, it is going to be too late, and we will have hundreds and maybe thousands of different kinds of implementations.
The first level of digital signatures, I think that is where it is today. IEEE Standard 1363 and FIPS 186 are well defined. They list algorithms that are technologically neutral. The next level down perhaps might be PKI. That is also pretty well defined and fairly mature. It is a well known technology. There is a framework. I think we could go with that if we say for infrastructure.
The third level down, health care PKI, is still up in the air to an extent. Kaiser is implementing a PKI, Chime implemented a PKI, several standards committee which I am a part of are working on what are the details, what needs to be in a health care PKI certificate, for example.
Those are some issues we are still working on, but we are trying to converge very quickly, because we all have a business need to get it down as soon as possible so we don't have to redo the technology.
MR. BEATSON: I'm just going to look at the front end of this again, and say that the actual identification of the individual, there is an emerging standard through the bio api consortium, which again is being supported by NIST and is government supported. I suspect that any biometrics which are used in this process or in the other process going forward will eventually adhere to that standard.
DR. COHN: Jeff, do you have a comment or a question? Because if you have a question, we are going to need to adjourn this panel.
DR. BLAIR: Okay.
DR. COHN: I really want to thank the panelists. It has been a great panel. We are going to adjourn for 15 minutes.
(Brief recess.)
DR. COHN: I'd like to welcome our second panel to talk about the business case for the electronic or digital signature. Jean Naricisi, would you like to lead off?
MS. NARICISI: My name is Jean Naricisi. I am the Director of the Office of Electronic Medical Systems for the American Medical Association. It is my pleasure to appear today on behalf of the AMA before your subcommittee, and I'd like to thank you for this opportunity to testify.
The growth of online health care services could be dramatic in the next few years, as physicians, hospitals, pharmacists, insurance companies and others move to streamline their actions with each other and with consumers. Effective and affordable user authentication will be a key enabler of this business growth, providing the foundation for high level privacy and confidentiality that are essential in the health care industry.
The authentication in the electronic signature process must be simple, quick and reliable, and be flexible enough to authenticate users across a complex network of health care websites. However, the use of computers as well as the use of the Internet by physicians has not yet caught up with that of the other industries.
Physicians are reluctant to jump online, and rightly so. Despite the wonders of the Web, its wide accessibility has posed security challenges, especially when it comes to private medical records.
As background information, I'd like to share with you the following findings of the AMA study. In 1997, the AMA conducted a large scale benchmark survey of physicians in the U.S. to determine the penetration of web usage in the physician population. This study sought to identify physicians' patterns and habits in Worldwide Web usage. In 1999, the AMA conducted a framework survey of physicians to determine changes in web usage.
For the purpose of both studies, a web user is defined as someone who uses the web him or herself or for personal or professional purposes.
Since the benchmark study in '97, the proportion of all physicians who have access to a computer remain virtually unchanged, at 43 percent versus 41 percent in '99. This means that 59 percent of all physicians reported they do not use a computer. Of those that do use a computer, the proportion with access to the web however nearly doubled from 20 percent in '97 to 37 percent in '99. Of the web users, 27 percent of physicians indicate that they had a website in '99, which is up from 17 percent in '97.
The '99 study indicated that the majority of the physician web users consider the web most useful as a communication tool. Other uses include accessing medical information, news and information resource, as well as a drug information resource.
As for security, the '99 study indicated that 67 percent of physicians believed it was risky to give their credit card numbers out over the web for purchases, and 83 percent indicated they have concerns about data security and confidentiality of medical records on the web.
I'd like to provide the following information in response to your questions. What sort of health applications to electronic signatures enable? The AMA is working with the Intel Corporation to deploy a new form of electronic identification called the ANE Internet I.D. It will protect physician and patient privacy and confidentiality when using the Internet to send and receive medical information.
Intel introduced Intel Authentication Services, AIS, which develops and operates authentication services for associations, organizations and any health sites that want to offer branded e-health digital certificates to their users. The AMA entered an I.D. to uniquely identify physicians over the Internet, providing a reliable authentication technique with passwords for secure Internet transactions. The AMA I.D. functions online the same way drier's license, passports or other trusted documents.
(Recording interrupted.)
-- the validity as traditional paper signatures, and explicitly forbids the denial of an electronic agreement simply because it is not in writing. The law also forbids in the state statute a regulation that limits, modifies or supersedes e-signing in a manner that would discriminate for or against a particular technology.
However, e-sign does not supersede the state laws in the area of the retention of medical records. The retention of medical records in some states may become an obstacle for physicians when using electronic signatures, because some states require that medical records be stored for a very long time, for instance, after death or even until a child turns 18. This would require paper or microfilm storage.
In addition, the e-sign law has very low security standards, and as a result, it appears that electronic signatures could be repudiated easily.
How does the computer information transactions act impact? This law that is intended to govern all contracts involving computer software and information that can be obtained electronically. It also stretches easily to cover computers, printers and other computer peripherals. This proposed law grants no intellectual property rights to software and information publishers beyond those of the United States copyright and patent laws. It would make it almost impossible to hold vendors of defective products accountable for defects and misrepresentations. This could put more liability on physicians, which could create even another obstacle to the use of electronic signatures.
Are health care requirements for signatures different than for other industries? Medical information is private, confidential and it is not replaceable. It is not the same as credit card information. Protecting confidentiality and privacy is imperative to insuring the strength of the consumer trust in a changing technological health care environment. Electric communications are drastically changing how patient information is stored and transmitted. But what hasn't changed is the physician's responsibility to maintain the confidentiality of patient records, and electronic patient records are no different from paper medical records, in that they contain privileged information that may not be divulged without permission from the patient.
The AMA Internet I.D. comes at a time when there is a growing awareness of the threat to breaches of medical privacy, confidentiality and security of the medical record in the digital age. In addition, levels of security, reliability and quality of service are necessary for health status to use the Internet need to go way beyond those needed for typical e-commerce.
Do you think there are digital solutions in other industries that can be used for health care. Authentication technologies are evolving rapidly to meet new business requirements. Like other online businesses, health care service providers will need to adapt their content and security procedures to address the requirements of new access devices such as PDAs, cell phones and other Intel devices. In addition, many PCs and other digital equipment will soon come equipped with fingerprint scanners, eye scanners and other biometric authentication systems. The AMA Internet I.D. and other Intel IAS infrastructure are designed to be extensible, so they can smoothly accommodate these in the future.
AMA and Intel are currently working to integrate a few new features in Internet I.D, which includes delegation. This service enables professionals to delegate staff members to act in their behalf in authenticated online transactions. In addition, they are working on enhanced fraud detection. Fraud management enhancements are likely to include automated monitoring of activity logs with flagging of potentially fraudulent activities.
As online health care evolves, AMA and Intel are committed to providing a high level of authentication integrity that will be combined with procedures and tools to make it easy for businesses to deploy and administer their authentication services, as well as make it increasingly simple for end users to obtain secure access to the information and services they need.
Thank you.
DR. COHN: Thank you very much. Sherry Neuman.
MS. NEUMAN: Good morning. I'm Sherry Neuman. I am going to be speaking to you from the perspective of a health care provider. My entire career has been spent in hospital-based practice with specialties in drug use evaluation and investigational studies.
Recently, I joined a small startup company in Silicon Valley that has produced the hand-held technology on Palm Pilots or pocket PC devices for physicians to write prescriptions, and then electronically transmit those prescriptions to pharmacies. In addition, we are responsible for providing the physician with enough information to prevent harm to the patient. For instance, if the newly prescribed drug has a potential for a drug interaction or a duplication of therapy or a drug disease contraindication, we want to be able to provide that information at the point of care, so that that can be averted before it happens.
What that means is a lot of personally identifiable information has to be provided amongst providers of health care. So the security and protection of that patient information is very, very important. The transmission of that information from provider to provider to provider is also very important, and we have to make sure that the person who is receiving the information that we are providing is the person who is authorized to get that information, and also, that person who is sending the information back through our serv