NCPDP Testimony on Electronic Signature
December 8-10, 2004
NCPDP appreciates the opportunity to testify on the topic of electronic signature. During 2000-2001 NCPDP members and staff were very involved in the ANSI HISB “Multi-SDO Digital Signature Project”. This project began with involvement from ASTM, HL7, IETF, NCPDP, and X12N. NCPDP was very active in the paper that was being created and was one of the few submitters of use cases. There were many open issues that did not appear to have proven industry experience to help close the gaps. To our knowledge, the project is not active and the paper was never completed.
NCPDP member companies have participated in the DEA meetings regarding the security being considered for the prescribing of controlled substance prescriptions. Companies have expressed their concerns about the lack of healthcare industry experience and the costs involved in supporting the security being considered.
The NCPDP SCRIPT Standard supports signature fields that consist of three levels of sender and receiver identifiers and passwords. Other NCPDP Standards, some named in HIPAA, also contain sender and receiver identifiers. Although the healthcare information technology industry has discussed further identification methods over the years, further need has not been brought forward to NCPDP for the standards.
To prepare for this testimony, NCPDP convened a joint task group from Work Group 11 Prescriber/Pharmacist Interface and Work Group 12 Education – Legislation and Regulation. The testimony reflects their work.
NCPDP Electronic and Digital Signature Recommendations
For an E-Prescribing Environment
The recommended definition of electronic signature supported by NCPDP is as follows:
- An “electronic signature is an electronic sound, symbol, data string or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record”. NCPDP recommends that NCVHS adopt this definition of electronic signature so as to accept a variety of assurance solutions currently implemented in the industry and accepted by the state pharmacy boards.
- NCPDP believes that current business practices for authenticating prescriptions, which include user registration and verification processes provided by trusted partners, user sign-on authentication processes, secure message transmission, and auditing processes, are fully adequate for assuring the appropriate delivery of the prescriber’s intent to the dispensing pharmacy. NCVHS should recommend a minimum standard for assuring the secure delivery of prescriptions that includes these basic processes for all prescriptions, including controlled substances (CII – CV).
- The utility of digital signatures depends on the development of a trust infrastructure, which reliably associates practitioners with public signature verification keys. To date, efforts to deploy PKI on an industry scale have been unsuccessful. Requiring digital signatures using authentication protocols such as PKI – either for all prescriptions or only for controlled substances – would significantly slow the adoption of electronic prescribing and is unnecessary for securing the electronic prescribing process. Other auditing or monitoring processes that do not include digital signatures could be employed to provide additional protections against fraud and abuse for controlled substances.
- NCPDP recommends that, for purposes of electronic prescriptions, the NCVHS recommend a minimum set of required properties for electronic signatures and situational properties to be accessible for use by business partners.
- NCPDP asks the NCVHS to recognize that there is no current requirement that the practitioner’s electronic signature satisfy strong forms of non-repudiation.
- NCPDP recommends that the NCVHS recognize that, for the purposes of an electronic signature on prescriptions, current assurance requirements can be satisfied by the imposition of a limited set of business rules upon parties utilizing the SCRIPT Standard. The pharmacy needs assurance that the identified practitioner intended to issue the particular prescription communicated in the NCPDP SCRIPT message. The following business rules provide the required assurance:
  - The electronic prescription application’s user interface must present the completed prescription request to the practitioner for verification prior to transmission.
  - The electronic prescription application must protect against impersonation of the practitioner. Impersonation is precluded, in part, by a registration process that verifies the user’s identity and role in a way that reliably associates the user’s application access credentials with a practitioner’s attributes such as name, medical license, DEA, NCPDP Provider Numbers and National Provider Identifier (NPI).
  - Protection against impersonation further requires user authentication procedures to guard against unauthorized access to the user application. Where the user authentication is accomplished across a communication network, use of a secure transmission protocol that protects against masquerading, eavesdropping and replay attacks is needed to prevent opportunities for impersonation.