Raymond G. Kammer
National Institute of Standards and Technology
U.S. Department of Commerce
Subcommittee on Technology
Committee on Science
U.S. House of Representatives
March 30, 2000
Madam Chairwoman and members of the subcommittee, I would like to thank you for this opportunity to testify today on "The Changing Face of Healthcare in the Electronic Age". The National Institute of Standards and Technology (NIST), an agency of the U.S. Commerce Department's Technology Administration, plays an important role in the development of standards, tools, and technologies for the healthcare information infrastructure. Given the Subcommittee's topics of interest for today's hearing, my testimony will focus on three topics: (1) the barriers to integrating information technology into the healthcare industry; (2) the role of the Federal government in developing standards and related security measures that will assist the healthcare industry in implementing quality information technology strategies; and (3) the development of new information technologies that will reduce healthcare costs, improve quality, and increase global market share of new and improved products and services.
I want to note at the outset that the U.S. Department of Health and Human Services plays a major leadership role in this area. As many of you are aware, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides a national framework for bringing the benefits of IT to healthcare in the U.S. Enacted with the support of the health care industry and with bipartisan support in Congress, HIPAA directs the Secretary of Health and Human Services (HHS) to adopt national standards to support electronic interchange and administrative simplification in health care, along with national standards to protect the confidentiality and security of health information.
The industry estimates that the implementation of these standards could save as much as $9 billion annually in administrative costs. HHS has already issued notices of proposed rulemaking that outlined proposed national standards for a variety of electronic administrative transactions in health care such as claims processing, as well as proposed national standards for the industry that deal with the protection of health information privacy and security. Final standards are expected later this year. NIST has worked with HHS on the proposed security standard, with a primary focus on electronic signatures, and we will continue to work with HHS on this issue. In addition, HHS agencies such as the National Library of Medicine and the Agency for Healthcare Research and Quality have long-established programs that support research in information technology and its applications to health and medical care.
As we move into the 21st century, we continue to see explosive growth in information technology (IT) worldwide with unprecedented advances in the processing power, transmission speed, and bandwidth of our information systems and networks. Global communications and electronic commerce are fueling the U.S. economy and fundamentally changing the ways government and industry do business. The healthcare industry, like other major sectors of the U.S. economy, will also be experiencing unprecedented change as it begins to take greater advantage of these new technologies to increase productivity and improve the quality of service. The new technologies will dramatically alter our healthcare system as it exists today.
Medical spending in the U.S. exceeded $1.1 trillion in 1998, and conservative estimates figure 20% of today's healthcare costs are related to the processing of information. Effective, secure, and reliable information technology systems will deliver substantial cost savings while also strengthening this important sector of the economy. Within the next few years, we will likely see a significant increase in the transition from the traditional paper-based healthcare system to a system that relies more and more on electronic-based medical records for managing patient information. Electronic-based medical information, both clinical and billing, will be used by both healthcare providers and patients. The Internet and associated web-based technologies give healthcare providers and patients an effective vehicle for communicating and sharing critical information. Information sharing and a reduction in paperwork through a fundamental reengineering of the healthcare system have the potential to help contain costs and provide timely, accurate, and secure access to medical information. Since Americans are looking for quality, cost-effectiveness, and personal satisfaction from their healthcare providers, and with a new healthcare delivery structure emerging to enable this, the work NIST is performing through our Information Technology Laboratory and the Advanced Technology Program uniquely positions us to assist in this transition.
While the new technologies provide great opportunities for creating a better healthcare system, several barriers exist to the effective integration of the technologies into the industry as a whole. One obvious barrier is concern about the security and privacy of the medical information being processed, stored and transmitted within healthcare computer systems and networks. At the top of the list in this area is our ability to preserve the sanctity of the patient's medical record. We must, in the new electronic world, be able to ensure that a patient's confidential medical information remains private and secure. We must also be able to protect sensitive medical information needed by healthcare providers to conduct their daily business---such activities as the transmission of physicians' prescriptions to pharmacies, the processing of patients' insurance information, and the storage of important medical statistics and case histories. All of these activities, conducted on computer systems and over networks, call for protections similar to or even greater than those provided in the paper-based world.
To that end, healthcare professionals face a difficult challenge---that is, finding the right IT products that can offer cost-effective and appropriate protection for healthcare systems and networks. In today's information technology marketplace, there is a plethora of commercial products with different capabilities and limitations. Consumers are generally left with a confusing set of choices as they attempt to answer the following question: How do I choose the right products for my IT system to ensure I get the features I need with the appropriate level of security and trust? Trust is a measure of the confidence or assurance consumers have that particular products they select will perform reliably and to specifications even in the face of intentional or direct attacks. Building more secure healthcare systems starts with the use of fundamentally sound components---that is, the individual IT products.
NIST is taking a proactive role in working with the healthcare community to help overcome some of the barriers previously mentioned. I would like to discuss several NIST programs and initiatives in the area of IT security standards, IT product testing and validation, and cryptography/public key infrastructure that we believe can have a positive impact on the overall security of healthcare IT systems.
One of the most important initiatives championed by NIST during the last six years is the development of the Common Criteria for Information Technology Security Evaluation, the first truly international standard for IT security. The Common Criteria, or ISO/IEC Standard 15408 as it is now known, offers consumers and IT providers a uniquely flexible and extensible approach for defining security requirements in commercial IT products and systems. In addition to security specification, the Common Criteria provides a rigorous and comprehensive approach for testing IT products and systems using a common testing methodology. Thus, the Common Criteria provides an internationally recognized basis for specifying and testing the security features in a wide range of technologies including operating systems, database management systems, firewalls, smart cards, telecommunications switches, network devices, middleware, and applications---technologies that are important to building more secure healthcare IT systems.
In addition to having a common language to specify IT security requirements in commercial products, it is also important to have effective ways to measure what IT providers have produced. In 1997, NIST and the National Security Agency (NSA), in fulfilling their respective computer security responsibilities, established the National Information Assurance Partnership (NIAP). The partnership combines the extensive IT security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate measures for testing those products and systems. The long-term goal of NIAP is to help increase the level of trust all consumers, including healthcare consumers, have in their information systems through the use of cost-effective security testing and validation programs. In meeting this goal, NIAP seeks to:
- promote the development and use of evaluated IT products and systems;
- champion the development and use of national and international standards for IT security;
- foster research and development in IT security requirement definitions, test methods, tools, techniques, and assurance metrics;
- support a framework for international recognition and acceptance of IT security testing results; and
- facilitate the development and growth of a commercial security testing industry within the U.S.
To help patients, physicians, and other healthcare professionals ensure the confidentiality of medical information and also guarantee the identity of those they communicate with in an electronic environment, new security mechanisms must be employed. The handwritten signature and locked file cabinet are no longer sufficient in a world with electronically maintained healthcare forms and patient records.
Cryptographic techniques supported by a public key infrastructure, or PKI, offer some of the most promising solutions. Public key cryptographic techniques for digital signatures can provide assurance that electronic information, such as an e-mail message, has not been modified. When used with a PKI, digital signatures can be used to verify the signer of the electronic message as well. When combined with techniques for key management and encryption, healthcare professionals can establish secure communications between senders and recipients. This helps ensure the confidentiality of patient information as it is transmitted across the Internet. NIST is a leader in the development of a Federal Public Key Infrastructure and is working with industry to develop PKI technology. We have also led research and development efforts to support the creation of large and complex PKIs, worked with industry to develop government and Internet standards for PKI, and participated in ongoing PKI interoperability testing efforts.
In addition to its efforts in the PKI area, NIST continues its leadership role in the specification of cryptographic techniques needed by Federal agencies and industry. The Secretary of Commerce has approved a Federal Digital Signature Standard and a Secure Hash Standard, which support digital signatures. We have also begun the process of standardizing key management techniques to support the establishment of secure communications. We are also working with industry to develop a new encryption standard, known as the Advanced Encryption Standard (AES). Our goal is that the AES can be used to protect sensitive information, such as healthcare provider and patient information, for the next thirty or more years.
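The two preceding paragraphs describe three mechanisms: a digital signature that detects modification of a message, a PKI binding that lets the recipient confirm who signed it, and key management plus encryption that keep the message confidential in transit. The following Go program is an added illustration of that exchange; it is not part of the testimony and not NIST code. It uses ECDSA over P-256 with SHA-256 and AES-256-GCM from Go's standard library as modern stand-ins for the Digital Signature Standard, Secure Hash Standard and AES families named above. The sample record, the sender identity label, the in-memory directory used in place of certificates, and the pre-shared session key are all constructed assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleMessage is a constructed record of the kind a provider might send
// electronically; it is not real patient data.
const SampleMessage = "Rx for patient 0001: amoxicillin 500 mg, three times daily, 10 days"

// SenderID is a hypothetical identity label. In a real PKI it would be the
// subject of a certificate issued by a certification authority.
const SenderID = "dr.example@clinic.example"

// Result records what the recipient was able to establish about the message.
type Result struct {
	Verified         bool   // signature matches the key the directory binds to SenderID
	TamperDetected   bool   // a modified copy of the record fails verification
	ImpostorRejected bool   // a signature made with another key fails verification
	Recovered        string // plaintext recovered after decryption
}

// SignMessage hashes the record with SHA-256 and signs the digest with the
// sender's ECDSA private key, producing an ASN.1 DER signature.
func SignMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyMessage recomputes the digest and checks the signature against the
// claimed signer's public key.
func VerifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the plaintext with AES-GCM; the random nonce is prefixed to
// the ciphertext so the recipient can recover it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; GCM also rejects ciphertext altered in transit.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// Exchange runs one sender-to-recipient round trip. The map stands in for the
// PKI (it binds SenderID to a public key the recipient already trusts), and
// the shared AES key stands in for the key-management step.
func Exchange(msg string) (Result, error) {
	var r Result
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	directory := map[string]*ecdsa.PublicKey{SenderID: &sender.PublicKey}

	// Sender side: sign the record, then encrypt it for transmission.
	sig, err := SignMessage(sender, []byte(msg))
	if err != nil {
		return r, err
	}
	sessionKey := make([]byte, 32) // AES-256 key, assumed to be pre-shared
	if _, err := rand.Read(sessionKey); err != nil {
		return r, err
	}
	ciphertext, err := Encrypt(sessionKey, []byte(msg))
	if err != nil {
		return r, err
	}

	// Recipient side: decrypt, look up the claimed signer, verify.
	plaintext, err := Decrypt(sessionKey, ciphertext)
	if err != nil {
		return r, err
	}
	pub := directory[SenderID]
	r.Recovered = string(plaintext)
	r.Verified = VerifyMessage(pub, plaintext, sig)

	// Integrity check: flip one bit of the record and verify again.
	tampered := append([]byte(nil), plaintext...)
	tampered[len(tampered)-1] ^= 0x01
	r.TamperDetected = !VerifyMessage(pub, tampered, sig)

	// Identity check: a signature from a key not bound to SenderID is rejected.
	impostorSig, err := SignMessage(impostor, plaintext)
	if err != nil {
		return r, err
	}
	r.ImpostorRejected = !VerifyMessage(pub, plaintext, impostorSig)
	return r, nil
}

func main() {
	r, err := Exchange(SampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The in-memory `directory` is the only part a real deployment replaces with PKI proper: there, the recipient would validate a certificate chain to a trusted authority and check revocation status before accepting the public key as belonging to `SenderID`.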
I would now like to address some specific healthcare IT security initiatives. Both NIST and NIAP currently have complementary projects to work with the healthcare industry to find more effective ways to define security requirements for healthcare IT systems and to help healthcare consumers gain confidence that IT providers have produced the IT products and security features they need.
The first initiative supported by NIAP was the establishment of an industry-led healthcare security forum to bring healthcare consumers and providers together. In general, the participants discussed security requirements for healthcare IT systems, and the potential for developing specific sets of security requirements, or protection profiles, using the international standard Common Criteria. On November 18, 1998, an initial public meeting was held at NIST to seek the healthcare industry's interest in establishing such a healthcare security forum. The purpose of the meeting was to inform and educate the healthcare community about NIAP and the Common Criteria and to seek industry's interest in developing specific protection profiles for healthcare enterprises. The initial feedback from the forum attendees was very positive. Privacy and the protection of medical information were major industry concerns, as well as how organizations could show compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and emerging Department of Health and Human Services (HHS) requirements.
In listening to the concerns of the healthcare industry, it appeared that the Common Criteria paradigm for specifying IT security requirements and the NIAP IT security testing program offered a promising approach for supporting organizations' efforts to meet healthcare laws and policies. It also appeared that the Common Criteria paradigm might provide a common structure to express healthcare consumer and healthcare provider security requirements and a method for comparing security-enhanced IT products produced by vendors.
In a related effort and based on the feedback from the healthcare security forum, NIST's ITL began an intramural research project in October 1998 with our Advanced Technology Program (ATP) to develop a methodology and healthcare security architecture for guiding construction of a family of Common Criteria-based protection profiles, or sets of security requirements, for healthcare IT systems. NIST wanted to demonstrate how healthcare providers could help address compliance with the security requirements articulated in top-level healthcare policies or laws---that is, do the security features in particular IT products used in healthcare IT systems support the protection requirements?
Most of the Common Criteria efforts today focus on the development of generic security specifications, or protection profiles, for a particular product or product family, for example, operating systems, database management systems, firewalls, or smartcards. There has been little effort to date in developing protection profiles for an IT system supporting a specific community of interest, such as healthcare or banking. These systems-level profiles must support all functions in a particular business process area (for example, patient billing, collection of clinical trials data, and insurance billing), and are, therefore, more difficult to construct than the generalized, product-based profiles. The results of the NIST ATP research project are expected to provide a framework for defining healthcare security domains where specific protection profiles are needed, and to give guidance on how technology-specific or product-level profiles, such as firewalls or database systems, can be incorporated to support the business's security objectives.
Another interesting aspect of the ATP project was the development of specific Common Criteria security requirements for processing Health Care Financing Administration (HCFA) data. In November 1998, HCFA published an Internet Security Policy (HISP) to provide guidelines on the appropriate use of the Internet to transmit Privacy Act-protected and other sensitive information. To incorporate the best industry practices for implementing the provisions of this policy and express them in a standardized language, a Common Criteria-based set of security requirements was developed. This set of requirements, or "functional package" as it is called, represents an aggregate of the security functional requirements expressed in Common Criteria language that captures the provisions of the HCFA Internet Security Policy. This functional package can, in turn, be used by healthcare consumers and providers in creating protection profiles that specify IT security requirements for HCFA-compliant products and systems. It also provides the necessary latitude for different IT providers developing systems to transmit/receive sensitive HCFA data to implement the policy requirements through a variety of technical solutions.
Our Advanced Technology Program has played an important role in the emergence of healthcare IT technologies. The ATP has co-funded a suite of 32 projects with an estimated funding of approximately $140 million in ATP funding matched by nearly $140 million in industry funding. These projects were designed to develop critical information infrastructure technologies to enable enhanced, more fully integrated medical information systems across the healthcare industry, increasing accessibility and uniformity while greatly reducing costs and errors in handling medical information. The projects developed technologies for the development of an infrastructure for a private-sector-driven, nationwide information system, including:
- tools for enterprise integration, domain identification, and business process modeling;
- technologies to make such a system efficient and user friendly, including computerized knowledge-based systems, digital libraries, and natural language processing; and
- applications that directly meet healthcare users' needs, such as clinical decision support systems and consumer health information and education systems.
As these projects mature, we are beginning to see progress towards the building of an information infrastructure for healthcare. Specifically, trends include: movement from proprietary to open systems; acceleration of the development and acceptance of standards; and building critical mass through cross-disciplinary teaming. Also, the economic benefits associated with many of these projects are beginning to accrue. These benefits include reduced healthcare costs, improved quality of healthcare, and an increase in global market share of new and improved products and services. I would like to highlight a few of these projects.
One of the ATP awardees, Belmont Research, Inc., developed technology to help researchers transfer, query, and mine complex health care data from a multitude of scattered clinical and administrative databases, without requiring changes to the existing databases. A new software product which incorporates some of the technology, TableTrans™, allows data managers and analysts to carry out database transformations and queries that are too complex for traditional tools, using a visual, step-by-step user interface. In addition to being useful in drug development, this software also had a further benefit in that it helped users identify Y2K data problems and convert data into a Y2K-compliant format.
Another successful project is a joint venture we co-funded with 10 participants led by the Advanced Technology Institute, formerly the South Carolina Research Authority. The focus of the project was to develop tools for healthcare information technology that would enable community care. For example, this project has greatly benefited healthcare delivery in rural areas. As a way of illustration, consider Charleston Area Medical Center, a major healthcare provider in Southern West Virginia, which used results of this project to establish a teleradiology network to provide rural facilities access to a board-certified radiologist 24 hours a day, seven days a week. This allows patients to stay close to their homes during treatment and greatly reduces the number of transfers and repeat exams required. Two years ago, during off-hours it took approximately 10 hours to receive a radiology report, frequently requiring the use of couriers to hand deliver films. What a dramatic improvement now, when a radiologist's interpretation is returned within 15 minutes of an exam! Plans are underway to expand the use of this technology to cardiology services and oncology services also. Another illustration of a tool developed under this joint venture to assist in healthcare delivery is that of remotely controlled, digital telepathology. This permits biopsy specimens taken at rural healthcare facilities to be examined remotely by a pathologist at a central site many miles away, within the clinically acceptable time frame of less than 15 minutes. This capability addresses the need of local healthcare facilities that cannot afford full-time pathology services. Thanks to this technology, surgical procedures can be scheduled according to patient need and not according to pathologist availability.
The face of healthcare is indeed changing as we embrace this new information age. Another way it is changing through information technologies, which you may not have considered, is in advances in virtual reality for surgical training. In the past, simulation technology has not offered sufficient realism to mimic medical procedures, which typically have been learned through practice on cadavers, animals, and sometimes crude models. With co-funding from the Advanced Technology Program, a small company in Gaithersburg, Maryland, HT Medical Systems, Inc., has been able to advance medical simulation technology to a high level of realism at reasonable cost. They have developed the capabilities to model complex natural phenomena such as the cutting and bleeding of human tissues and the technologies for simulating minimally invasive surgery, including robotic tactile-feedback devices that replicate the "feel" of endoscopic and endovascular procedures. Several products have been commercialized based on the ATP-funded research. One of these, for example, combines visual and tactile elements to teach nurses the cognitive and motor skills needed to insert a needle properly into a vein, the most common medical procedure. To date, about 170 of these systems are installed in six countries. Research shows that this system costs less than plastic arm models and encourages more practice.
In summary, the barriers to effectively integrating IT into the healthcare industry do not seem to be insurmountable. We are making substantial progress in solving the difficult and challenging problems associated with the security of healthcare IT systems. NIST is actively engaging industry and employing its best technical resources to address the healthcare security and technology issues I have discussed in my testimony today. We believe that NIAP, use of the new international IT security standard (Common Criteria), the emerging IT security testing program, and new technologies can provide significant help to healthcare consumers and providers in transitioning to this increasingly paperless environment. Making more informed product choices should result in more secure systems and help healthcare consumers and providers meet applicable security requirements. Thank you and at this time I would be happy to answer any questions the subcommittee might have.