HCFA may allow cyber-communication

New guidelines for security and appropriate use

The Health Care Financing Administration (HCFA) in Baltimore may be reversing its policy precluding the transmission of HCFA data over the Internet.

In a meeting last month, HCFA showed representatives of the Joint Healthcare Information Technology Alliance (JHITA) the draft of a policy that will allow the transmission of data — provided that proper steps are taken to maintain an acceptable level of security for the information involved, JHITA reports.

Previously, HCFA had prohibited the use of the Internet for the transmission of its Privacy Act-protected and other sensitive information because of security risks as well as the need to research security requirements. The Privacy Act of 1974 mandates that federal information systems must protect the confidentiality of individually identifiable data.

The Internet is an inexpensive way to transmit data, though, and the demand for its use has resulted in HCFA reconsidering its policy.

The draft policy is intended to establish the basic security requirements for transmission of HCFA data. The draft also addresses the means of documenting that those requirements are met through a self-certifying process. Alliance members who attended the meeting were pleased with the draft, says Chuck Meyer, informatics standards liaison for HBO & Co. in Atlanta. "The policy is straightforward. It makes use of existing technologies, and it should not be overwhelming for users in that it accepts readily available commercial solutions."

HCFA hoped to have Gary G. Christoph, PhD, HCFA CIO and director of the Office of Information Services, approve the draft, complete final staffing and release the new policy within a few weeks, JHITA says.

This policy covers "all systems or processes that use the Internet, or interface with the Internet, to transmit HCFA Privacy Act-protected and/or other sensitive HCFA information." Non-Internet Medicare/Medicaid data communication processes, such as the use of private or value-added networks, are not changed or affected by the Internet policy.

The draft permits the use of the Internet for transmission of HCFA Privacy Act-protected and/or other sensitive HCFA information, as long as "an acceptable method of encryption is utilized to provide for confidentiality and integrity of this data and that authentication or identification procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive such information."

As of September 1998, a level of encryption protection equivalent to that provided by an algorithm such as Triple 56-bit DES for symmetric encryption, 1024-bit algorithms for asymmetric systems, and 160 bits for the emerging Elliptical Curve systems is recognized by HCFA as minimally acceptable, the draft explains.

The acceptable encryption approaches listed in the draft include the following:

Hardware encryption

While likely to be reserved for the largest traffic volumes to a very limited number of Internet sites, such symmetric password "private" key devices are acceptable.

Software-based encryption

o Secure Sockets Layer (SSL) implementations, sometimes referred to as Transport Layer Security (TLS) — at a minimum SSL level of Version 3.0, standard commercial implementations of PKI, or some variation thereof, implemented in the Secure Sockets Layer.

o S-MIME — Standard commercial implementations of encryption in the e-mail layer.

o In-stream — Encryption implementations in the transport layer, such as pre-agreed passwords.

o Offline — Encryption/decryption of files at the user sites before entering the data communications process. These encrypted files would then be attached to or enveloped within an unencrypted header and/or transmission.

The draft also details acceptable authentication and identification approaches. The acceptable approaches for authentication include:

o Formal Certificate Authority-based use of digital certificates.

o Locally managed digital certificates, providing all parties to the communication are covered by the certificates.

o Self-authentication, as in internal control of symmetric "private" keys.

o Tokens or smart cards — In-band tokens involve overall network control of the token database for all parties.

The acceptable approaches for identification include:

o Telephonic identification of users and/or password exchange.

o Exchange of passwords and identities by U.S. certified mail.

o Exchange of passwords and identities by bonded messenger.

o Direct personal contact exchange of passwords and identities between users.

o Tokens or smart cards. Out-of-band tokens involve local control of the token databases with the local authenticated server vouching for specific local users.

Once the final policy is released, any organization wanting to use the Internet for transmittal of HCFA Privacy Act-protected and/or other sensitive HCFA information must notify HCFA of this intent, the draft says. The draft includes an e-mail address that should be used for that acknowledgement.

(Editor’s note: For more information on the HCFA Policy on the Use of the Internet for HCFA Data, visit JHITA’s Web site at http://www.jhita.org.)