The power of PKI: PKI can be used to solve business problems, save provider organizations time and money, and streamline patient care - Biometrics/Authentication
Adding technology for the sake of appearing technology savvy won't cut costs, increase efficiency or improve patient care. Yet, healthcare executives look to technology to do just that.
Across the board, providers and payors alike have adopted labor-saving technology to stay competitive in the marketplace. Technologies being used include information systems for processing patient care information, the Web to share healthcare information, mobile computing devices to record and share information, smart cards for access, and telehealth.
Traditionally, identification, authentication, authorization and integrity services have been provided on an application-by-application basis. But managing healthcare as a business makes application-by-application implementation impractical and cost prohibitive. A comprehensive system for the distributed networks needed in healthcare should provide integrated, extensible and flexible services based on public interfaces.
One way is provided by an infrastructure and its components, shared among applications and users. The use of a Public Key Infrastructure (PKI) provides a common infrastructure that allows access to integrated delivery systems across an organization or across organizations. PKI can enable:
* use of smart cards or other secure methods to access patient information in hospitals, doctors' offices and payors' organizations;
* use of digital signatures in place of written signatures in submittals to federal agencies.
PKI can provide authentication of users to information systems and integrity of data for treatment, and can assist in scrambling information for confidentiality.
The purpose of a PKI is to establish trust among users. These can be individuals such as patients, physicians or Medicare reviewers, or organizations such as the radiology department, a payor or the new CMS. The theory behind PKI was developed in the 1970s, although its use only became practical within the last decade and cost-effective with the availability of commercial products and solutions.
Theoretically, the problems of authentication and large-network privacy protection were addressed in 1976, when a mathematical system was developed to convert plain information into unintelligible information and back again. Until then, and for two decades afterward, systems relied on a single key that was kept secret. The new system employed two keys: one kept secret and the other made public, as in a phone directory. This is Public Key Cryptography.
Digital certificates were developed to be keepers of the public key, as well as other information related to the owner of the certificate. This information might include what systems a user can access, a biometric, the benefit plan a patient is covered by or the health plans in which a doctor participates.
Public Key Cryptography spawned other innovations such as the digital signature. Like a handwritten signature, it provides proof that the originator of a message is who that person claims to be (authentication). A digital signature is a summary (hash) of the message, transformed with the signer's private key. The hash is unique to every message, just as a fingerprint is unique to every person. Techniques are available to show that the message was sent by that person (non-repudiation) and to prove that it has not been altered (integrity).
A Public Key Infrastructure is the whole ball of wax including cryptographic keys and a certificate management system. The PKI enables secure transactions and private exchange of information, and provides privacy, integrity, authentication and non-repudiation for applications and electronic commerce transactions. The way for organizations to exchange this trust provided by PKI is through the use of Certificate Authorities (CA). Like a state Department of Motor Vehicles that issues drivers' licenses, the CA issues the digital certificate.
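The mechanics described above, as an added example that is not part of the original article: a certificate authority issues itself a root certificate, issues a certificate to a user (here a hypothetical "Dr. Example"), the user signs a message by hashing it and applying the private key, and a relying party verifies both that the certificate chains to the trusted CA and that the signature matches the message. The example uses Go's standard library (crypto/x509, crypto/ecdsa). Placing owner attributes such as health plans in the certificate's OrganizationalUnit field is an assumption made for illustration, not a healthcare standard; the names, serial numbers and prescription text are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issued pairs a certificate with the private key it certifies.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// makeCert generates a P-256 key pair and has parent sign a certificate for it.
// When parent is nil the certificate is self-signed, i.e. it is a root CA
// (the "Department of Motor Vehicles" of the article's analogy).
// attrs models owner attributes the article says a certificate may carry
// (e.g. health plans a doctor participates in); storing them in the
// OrganizationalUnit field is an assumption for illustration only.
func makeCert(parent *Issued, serial int64, name string, attrs []string, isCA bool) (*Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name, OrganizationalUnit: attrs},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issued{Cert: cert, Key: key}, nil
}

// signMessage hashes the message and signs the hash with the private key.
func signMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyMessage checks (1) that the signer's certificate chains to the trusted
// CA and (2) that the signature matches the message under the certificate's
// public key. A tampered message or an untrusted issuer both return an error.
func verifyMessage(caCert, signer *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match message")
	}
	return nil
}

func main() {
	ca, err := makeCert(nil, 1, "Example Health CA", nil, true)
	if err != nil {
		panic(err)
	}
	doctor, err := makeCert(ca, 2, "Dr. Example", []string{"PlanA", "PlanB"}, false)
	if err != nil {
		panic(err)
	}
	// Constructed sample message; in practice this would be a structured order.
	rx := []byte("constructed sample: patient 0001, amoxicillin 500mg x10")
	sig, _ := signMessage(doctor.Key, rx)
	fmt.Println("original verifies:", verifyMessage(ca.Cert, doctor.Cert, rx, sig))
	tampered := []byte("constructed sample: patient 0001, amoxicillin 500mg x20")
	fmt.Println("tampered verifies:", verifyMessage(ca.Cert, doctor.Cert, tampered, sig))
	fmt.Println("plans in certificate:", doctor.Cert.Subject.OrganizationalUnit)
}
```

The relying party never needs the doctor's private key; it needs only the CA's certificate, which is the shared trust anchor the article describes. The same verifyMessage call rejects a certificate issued by a different CA, which is how two organizations that do not share a CA would fail to establish trust until they cross-certify or agree on a common root.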
PKI's Business Potential
What business problems does PKI solve? Baltimore Technologies recently announced it is providing digital certificates for Australia's Health Insurance Commission eSignature Authority. The PKI is enabling secure communication and connection among doctors, pharmacists, hospitals, labs and health plans. According to Minister of Health and Aged Dr. Michael Wooldridge, "It will improve continuity of care through timely and secure transfer of patient information, for example between a hospital and a patient's local GP."
Kaiser Permanente is using PKI to support an organization-wide clinical information system with electronic health records. Kaiser uses the certificate to maintain professional credential information for access and privileges related to sensitive health information. In addition, it is exploring the use of PKI for secure e-mail between various entities, and perhaps for single sign-on across applications.
Most current PKI implementations support authentication of users to a single application or to Web-enabled accesses to sensitive healthcare information, but that only scratches the surface. PKI enables digital trust among healthcare organizations. One aspect of trust means knowing with confidence the identity, rights and privileges of those with whom we are communicating and transacting.
For example, take a nurse practitioner working in Washington, DC for an organization with locations in Virginia, Maryland and DC. Licensing requirements and the resultant abilities are different in the three jurisdictions.
In Virginia, a nurse practitioner cannot prescribe controlled substances, but in Maryland, a nurse practitioner can prescribe limited controlled substances. If the nurse practitioner is licensed in and works at locations in different jurisdictions, this can become a nightmare. However, if treatment is recorded in an electronic health record, information about licensing and location-based restrictions can be maintained in a PKI and its related structures. This puts the information in a standards-based, common point of access that does not require another application or another place of information storage.
Another example focuses on prescriptions. If each patient is issued a certificate by an insurance company, stored in a hard or soft token, the certificate must contain information about the policy or benefits plan in place. The doctor's certificate must identify those policies, health plans and insurance agreements that he participates in. The issue is not who generated these certificates or where they are stored, but that the ability exists to retrieve the certificates and compare them for compatibility in terms of what is allowed and what is restricted.
If a physician prescribes a certain heart medication and a certain antibiotic, it is more cost effective to determine allergies, incompatibilities and medical plan payment at the time of treatment--not at the time of claim submission. This same concept can be used in determining eligibility, obtaining pre-certification and making referrals. Imagine the time and cost savings if these functions were managed electronically. PKI can enable these with a standards-based solution and common storage and retrieval of information, instead of proprietary solutions that cannot share information across applications or organizations.
Another example is in the design stage at the U.S. Department of Justice's Drug Enforcement Administration (DEA) with the ability to electronically generate controlled substance prescriptions. The DEA and Veterans Administration (VA) are working together to evaluate the effectiveness of technical controls, like PKI, to improve security of electronic prescription orders.
At present, physicians and pharmacists in many states already use Electronic Data Interchange technology to transmit prescriptions for non-controlled substances. However, current DEA regulations do not permit use of this technology for controlled substances. DEA is developing the design for a pilot PKI-based electronic prescription system for controlled substances that will be tested in a controlled, VA hospital environment. After evaluating the results, the DEA can develop and release revised regulations to allow for the electronic transmission of prescriptions for controlled substances.
The power in PKI is its ability to provide healthcare a common infrastructure with common and public information across a single healthcare organization or across multiple organizations. The power lies in allowing connectivity and sharing of access, authorization, authentication, integrity, encryption and non-repudiation information across the spectrum of healthcare organizations--providers, payors, employers and patients.