Post Hearing Questions
Submission by NIST
Question 1: As part of the Administration's FY2001 budget request, $50 million has been requested for NIST to establish a new research and development grant program through the Institute for Information Infrastructure Protection. Do you see any critical research needs in the area of healthcare privacy and security that the new grant program might address?
Response: NIST conducts research in many areas of information technology security that can be applied in a wide variety of industry sectors. The work done at the Institute for Information Infrastructure Protection will expand IT security research efforts in several areas, some of which could be used to support healthcare security infrastructures and related information. NIST has been working with the Office of Science and Technology Policy to support a PCAST (President's Committee of Advisors on Science and Technology) study on the Institute, and we are refining our proposed model to respond to concerns that have been raised by the PCAST panel.
Some of the areas of research being considered are new architectures and methodologies for next-generation Internet and e-commerce applications, in such areas as security of telecommunications "convergence" (e.g., voice, data and video), intrusion detection, end-to-end techniques between different security domains, PKI, etc. These areas of research would also support the needs of the healthcare industry.
Question 2: One of the long-term goals of the National Information Assurance Partnership (NIAP), according to your testimony, is to facilitate the development and growth of a commercial security testing industry within the United States. Are there any commercial entities in existence today that provide adequate testing programs for healthcare IT?
Response: NIST is not aware of any current commercial entities that provide testing programs specifically for healthcare IT. Currently, the National Security Agency is operating the Trust Technology Assessment Program (TTAP) for conducting selected trusted product evaluations. These product evaluations are conducted by TTAP-authorized commercial evaluation facilities. The TTAP is an interim program established to provide a smooth transition to the emerging National Information Assurance Partnership Common Criteria Evaluation and Validation Program (jointly run by NIST and NSA). The NIAP testing program, which is expected to become fully operational within the next couple of months, will utilize commercial Common Criteria Testing Laboratories (CCTLs) accredited through the NIST National Voluntary Laboratory Accreditation Program (NVLAP). These CCTLs will be capable of testing a wide variety of security-enhanced IT products. It is expected that many of these validated commercial products will be employed in healthcare IT systems.
Question 3: Why is the healthcare industry so far behind other industries, such as banking and securities, in implementing security and standardization technologies?
Response: The banking and securities industries have a long history of dealing with security issues and with the information technologies needed to support their industry, and thus are more focused than the healthcare industry. As such, the banking industry seems to be better organized and automated. The healthcare industry is a very large, complex and diverse industry that requires healthcare information to be exchanged among a variety of different types of industry segments, which often use varied types of information and data storage formats. Further, there has been considerable debate on the privacy rules that should be employed for protecting patients' healthcare information. Resolution of the privacy rules is needed, in part, to help define the type of security mechanisms and information technologies needed to support those rules. Much work and many standards are needed to support the varied healthcare industry segments, and in many areas the industry has been slow to reach consensus on where standards are needed. All of these uncertainties tend to leave the healthcare industry as a whole behind in automating IT systems and in implementing security and standardization technologies.
Question 4: What is your view of the proposed Health Insurance Portability and Accountability Act (HIPAA) rules as they relate to the privacy and security of electronic healthcare records and transactions?
Response: Privacy – The HIPAA Privacy Notice of Proposed Rule Making (NPRM) is completely separate from the Security NPRM. The Privacy NPRM is essentially a legal and policy issue, not a technological issue. NIST was not involved in the development of this NPRM, and it is NIST's policy and practice not to comment on security issues unrelated to technology issues. It was recognized that the Security NPRM has a relationship to the privacy rules: security mechanisms are needed to help ensure that privacy rules can actually be enforced. The NPRM developed by the Security committee does not attempt to specify all the individual physical, technical, and administrative security measures that must be taken to protect healthcare information in all its forms and environments; that would clearly be an impossible task. Rather, the Security NPRM details general security requirements (i.e., security objectives to be met) for several broad situations in which healthcare information may be handled. These requirements must be supplemented with specific decisions on the part of providers, clearinghouses, or other entities that handle healthcare information. It is expected that each of these 'subcommunities' of the healthcare industry would develop more detailed security standards.
It should be noted that NIST was represented on the Security NPRM technical committee, and we believe that the approach taken by that committee was sound.
Question 5: What role does electronic authentication play in eHealth? There have been claims that most healthcare data and transactions will not need to be electronically authenticated; in your experience is this generally the case?
Response: First, it must be noted that HHS has not yet issued the portion of the NPRM intended to address 'electronic signatures', which is the area to which the issue of 'electronic authentication' relates. At least part of the reason for not issuing rules in this area is the fact that other parts of the Executive Branch (e.g., the Federal PKI initiative), the Congress, and the IT and electronic commerce industries are actively involved in developing the technical standards needed. The committee also felt that any 'electronic signature' standards adopted for healthcare must be based on and compatible with existing and emerging standards, particularly those adopted by the voluntary industry consensus standards bodies. That being said, the question remains of whether or not to electronically authenticate healthcare transactions. Additionally, there is still considerable difference of opinion within various legal and policy-making communities as to the type of 'electronic authentication' needed for various situations. There are a wide variety of technical approaches, ranging from sending a facsimile signature to using biometrics or a cryptography-based 'digital' signature.
Here again, NIST does not make or comment on the legal and policy issues surrounding such matters. However, we observe that it is important that many healthcare decisions which will be made and documented electronically, such as a doctor prescribing medicine, be traceable to an individual. In such cases, the benefits of electronic authentication are obvious.
Although the Electronic Signature NPRM has not been finalized, note that the HIPAA Security NPRM committee (which was originally tasked to address the electronic signature issue) agreed that digital signatures should, in general, be the only acceptable method of electronic authentication in those situations where electronic authentication was deemed necessary. It should also be noted that HHS/HCFA decided early in the HIPAA rulemaking process that none of the several standard healthcare transactions to which HIPAA applied actually required authentication.
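The property the committee relied on, that a digital signature binds a documented decision to one individual and fails if the record is altered afterwards, is easy to see in working code. The following Go program is an added illustration written for this page; it is not NIST's, HHS's or the committee's code, and the prescription record layout, field names and key handling are constructed assumptions. It signs a hypothetical prescription with the prescriber's Ed25519 private key and then shows that verification fails both for a record altered after signing and for a signature produced with a different key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Prescription is a constructed, minimal record of a healthcare decision
// that must be traceable to the individual who made it (hypothetical fields).
type Prescription struct {
	PatientID  string
	Drug       string
	Dose       string
	Prescriber string // identity of the doctor, bound to the signing key
}

// canonical renders the record as a fixed byte string so that signer and
// verifier sign and check exactly the same bytes (field order matters).
func canonical(p Prescription) []byte {
	return []byte(fmt.Sprintf("patient=%s|drug=%s|dose=%s|prescriber=%s",
		p.PatientID, p.Drug, p.Dose, p.Prescriber))
}

// SignPrescription produces a digital signature over the canonical record
// using the prescriber's private key.
func SignPrescription(priv ed25519.PrivateKey, p Prescription) []byte {
	return ed25519.Sign(priv, canonical(p))
}

// VerifyPrescription checks that sig was made over exactly this record by
// the holder of the private key matching pub. Any change to the record
// (for example a dose altered after signing) makes verification fail.
func VerifyPrescription(pub ed25519.PublicKey, p Prescription, sig []byte) bool {
	return ed25519.Verify(pub, canonical(p), sig)
}

func main() {
	// The prescriber's key pair; in practice the public key would be bound
	// to the doctor's identity by a certificate issued under a PKI.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rx := Prescription{PatientID: "P-0001", Drug: "amoxicillin", Dose: "500 mg", Prescriber: "dr-example"}
	sig := SignPrescription(priv, rx)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("original record verifies:", VerifyPrescription(pub, rx, sig))

	// Record modified after signing: the signature no longer matches.
	tampered := rx
	tampered.Dose = "5000 mg"
	fmt.Println("tampered record verifies:", VerifyPrescription(pub, tampered, sig))

	// Signature from someone else's key: not attributable to this prescriber.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignPrescription(otherPriv, rx)
	fmt.Println("signature from a different key verifies:", VerifyPrescription(pub, rx, forged))
}
```

Run with `go run`. The canonical encoding step is the part practitioners most often get wrong: if the signer and the verifier serialize the record differently (field order, whitespace, character encoding), a legitimate signature will not verify, which is why standardized formats for signed healthcare records matter as much as the signature algorithm itself.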
Question 6: NIST established an industry-led healthcare security forum to bring healthcare consumers and providers together to discuss security requirements for healthcare information technology systems. What have you learned from these forums, and how is this information incorporated into the HIPAA rules?
Response: We have learned from the forum meetings that vendors, hospitals, clinics, accrediting organizations and others are working to understand how to develop strategies to implement emerging HIPAA policies pertaining to security, and are uncertain of the acceptable methods to assure compliance with security policies. Part of the forum's mission is to educate the healthcare community on the ISO 15408 Common Criteria standard and provide an example of how it can be used to support healthcare. The Common Criteria standard not only provides a catalog of security functional and assurance requirements from which IT security needs can be defined, but also provides a standardized structure for expressing those requirements.
There seems to be general agreement among the forum attendees that the Common Criteria standard is capable of meeting many of their needs for deriving technology requirements from high-level policies and for providing a means of measuring compliance. At the last forum meeting the attendees were very interested in making sure that the ISO 15408 Common Criteria standard is included as one of the standards in the HIPAA rules.
Information on the activities of the forum can be found at http://www.healthcaresecurity.org/
Question 7: From NIST's perspective, do the security and privacy rules developed under HIPAA provide as much guidance as standards developed by private voluntary standards organizations?
Response: The HIPAA security rules generally attempt to provide higher-level guidance without dictating the use of particular technologies or detailed technical specifications. Standards developed by private voluntary standards organizations, on the other hand, tend to define requirements more specific to a particular technology solution. The guidance expressed in the HIPAA rules provides general security requirements (i.e., security objectives to be met) for several broad situations in which healthcare information may be handled. This has the advantage of leaving latitude for rational and adaptive decision making on the part of industry in developing more specific standards appropriate to specific environments.