This article is reprinted with the permission of the Smart Card Alliance

As more and more protected health care information is stored or transmitted electronically and becomes network accessible, health care organizations have become increasingly concerned with controlling access to that information. HIPAA requires all health care organizations that create or maintain electronic health care information to secure the information from any use or disclosure, intentional or unintentional, that violates the HIPAA Privacy and Security Rules.

The use of electronic medical records offers many benefits to organizations throughout the health care industry, including lowering administrative costs, reducing errors, and improving an organization’s ability to measure and improve the quality of care. As a result, health care organizations are investing heavily in information technology each year. Access to patient data has expanded well beyond users in the organizations that gather the data to begin with.

The way health care is delivered today, through managed care groups, has also accelerated the demand for electronic health care data and changed the way information is accessed and shared. Integrated delivery systems (IDSs) consolidate data from various providers (such as hospitals, clinics, and in many cases, health plans) under one umbrella, providing multiple access points to the same data. Information is then shared among the different organizations that are members of the IDS. Health maintenance organizations (HMOs), which are often part of a larger IDS, rely on analysis of aggregated patient data to determine optimal care practices and measure costs for various treatments and services. Third-party accreditation organizations collect data on treatment and care of patients to develop quality reports for industry use. Pharmaceutical and medical device companies analyze patient data to improve their product offerings and remain competitive. Research laboratories analyze data in a clinical setting to determine the effectiveness of diagnostic tests and treatment methods.

To illustrate how health care data is accessed and used by various individuals and organizations in a managed care setting, consider a very large regional health care organization. Such an organization typically is composed of hospitals, clinics, physicians, caregivers, and a multitude of available health plans.

Over 60% of the data users within such an organization are part of the care delivery system. Those who have access to electronic patient data include physicians, nurses, and administrative personnel. Such a system typically also has HIPAA-defined business associates, such as paramedic services, who need access to patient data to bill their services. The health plan, or insurance, segment of such a system accesses patient data to process payments for care. In most instances, the patient’s medical record itself need not be accessed – just the patient’s ID number and the HIPAA code sets assigned to the treatment that the patient received.

Data transfer and access between organizations for claims purposes are typically accomplished within a closed electronic data interchange (EDI) network. But an EDI network can only be accessed by those within the managed care system and is relatively expensive for small offices or independent health care providers. Managed care systems might therefore employ health care clearinghouses to process data and claims from supported care groups that are not part of the primary care system.

Caregivers are the most demanding data users in a health care organization. They are also the most challenging to support from the perspective of information technology. This challenge will only become stronger as the use of electronic medical records increases and more health care organizations implement computerized physician order entry (CPOE) systems. A physician might require access to 20 or more applications to obtain the data needed to treat a patient or complete an order entry. The physician may be accessing the system locally, from a primary hospital or clinic, or remotely, from an out-of-network hospital or clinic.

In the health care environment, it is especially critical to balance the need to protect patient information with the need to access that information efficiently and ensure quality care.

Smart Card Technology and Health Care

Smart card technology can help organizations meet HIPAA privacy and security requirements, along with additional requirements imposed by the need to protect electronic information. Smart cards can also help health care organizations improve efficiency, lower administrative costs and improve patient access to medical care.

Enforcement of Security Policies. One of the biggest challenges for electronic information access management and control is ensuring that users follow security policies established to protect such information. Health care organizations are populated by users for whom the requirement to remember multiple passwords may be a distraction. As a result, users either circumvent the organization’s security policy or are not able to access critical data.

A smart card can store multiple passwords and access credentials. To access data, users simply insert the card in a card reader at a computer and provide the required verification information. Users take the same action each time, regardless of whether they are accessing a computer, a network, an application, or a Web site. Users also take the same action regardless of the verification method used, be it a password, digital certificate, dynamic password, or biometric. System administrators benefit by being able to enforce stronger security policies and employ a mix of credential types in their environment without forcing a change in the user experience.

To protect access to networked data, HIPAA requires that an electronic session be terminated if it is inactive. Software can easily be programmed to terminate a session after a certain amount of time passes without any activity. A smart card can enforce this requirement automatically, invoking the software when the user removes the card from the reader. If the smart card is also used for facility access, the user is motivated to remove the card when the user moves away from the computer.

Integration with Existing Facility Access Control. A single smart card can include multiple technologies to support requirements for facility access control. If an organization already requires the use of a card for facility access, there is minimal adjustment for the user, who will already be familiar with the credential. An individual’s picture can be printed on a smart card, visually validating the person’s right to access an area or facility. A single card can also support different electronic controls, such as magnetic stripe and barcode applications or proximity or biometric based controls.

Support for Information Availability, Integrity and Confidentiality. A smart card is the ideal technology for enforcing access controls and protecting information while making it simpler for authorized users to gain access and store or retrieve information. The user must “unlock” the smart card once only (with a personal identification number (PIN) or a password). The smart card then, using multiple technologies, enforces all required controls.

• Protection of the patient’s unique identifier. The unique identifier assigned to a user can be securely stored on a smart card. Because the identifier is stored on the smart card and not on a computer, the identifier cannot be stolen or used by someone else without the user’s permission.
• Protection of data. Standards-based encryption protects stored data and data in transit. Smart cards support various encryption technologies, including some of the strongest practical encryption algorithms such as Triple DES (Data Encryption Standard). Many available applications can provide smart card-based encryption and decryption of sensitive information, such as file, folder, and object-level encryption at a computer, email encryption, and VPN support. Encryption keys can be stored safely on a smart card and certificates can be generated on the card as needed, both for access and for encryption or decryption of stored data. The use of encryption keys can be combined with other technologies, such as PKI, to offer a convenient and secure method of managing private data.
• Assurance of data integrity. The use of a smart card combined with encryption and a digital signature is the strongest method currently available to verify that electronically protected information has not been altered or destroyed without authorization. When an encrypted and digitally signed document is opened using a smart card, any alteration of the content is immediately recognizable.

  Many situations in the health care environment require formal authorization. For example, dispensing certain medications often requires a handwritten signature. As health care providers move away from paper processes to electronic ones, there will be a need to replace paper signature-based authorizations with electronic equivalents. Digital signature technology provides an excellent solution. Digital signatures are fast and virtually impossible to forge. Smart cards are an ideal mechanism for transporting and applying the cryptographic keys used to produce and verify digital signatures securely.

• Strong user authentication. Robust security requires user authentication techniques to validate a user’s identity before the user can access protected information. Passwords provide weak authentication since they can be shared with others or stolen. However, smart cards combined with digital signatures or dynamic passwords can provide stronger two-factor authentication. The combination of something the user knows (a password or PIN) and something the user has (the smart card) provides a more reliable level of user authentication than a reusable password.

  Biometric technology offers an alternative for strong user authentication. The combination of a biometric (as a replacement for a password or PIN) and a smart card can provide additional convenience for the user. The user needs only to insert the smart card and present the biometric, thus eliminating the requirement to remember anything. A biometric can also be used in conjunction with a smart card and a PIN or password to provide three-factor authentication (something the user knows, something the user has , and something the user is).

• Secure and Convenient Information Access. Smart cards can meet a variety of needs for secure patient and health care provider information access, from providing emergency medical information to acting as a portable key to the patient’s medical history, automatically providing personal and insurance information.
• Remote Access. Many health care organizations today are employing VPN technologies both for remote access to corporate networks and for shared access to data on protected Web sites (extranets). Multiple independent organizations, including health care providers accessing patient records and insurance companies processing claims, can leverage shared extranets by using VPN access. A smart card protects a user’s VPN credential (regardless of whether the credential is a password or a digital certificate) because the credential is permanently stored on the card. The credential is never exposed by being available in software or on the network.

  Smart cards also increase efficiency for VPN users. Users can access the network securely from anywhere, because their credentials travel with them on the smart card.

Support for Audit Trail Generation and Transaction Accountability. HIPAA includes requirements for implementing mechanisms that record and support examination of activities in information systems that contain or use electronic health care information. The implementation method for auditing activities is to be determined by the health care entity, based on its risk management requirements. In situations where data need to be secure and private, smart cards can allow audit information to be securely logged and reviewed.

Support for Strong Privacy Policies. Smart cards, with on-card intelligence and processing capabilities, are uniquely capable of enabling compliance with strong privacy guidelines and of enforcing the privacy and security policies set by the health care organization. Smart cards can protect personal information that is on the card, provide authenticated information access, and authenticate the legitimacy of other components during a transaction. When used appropriately and correctly, smart cards are the most privacy-protective of any ID card technology and provide unique features that both improve the system’s security and protect the individual cardholder’s privacy.

Securing Patient Information on a Wireless Network. The mobile health care revolution is changing the way providers deliver care and how they access customer records. In order to quickly address patient needs and improve efficiency, health care organizations are using wireless networks in conjunction with laptop computers, handheld devices and PDAs, IP telephones, and tablet PCs. Patient information is streaming across unlicensed wireless radio frequencies. The protection provided by wireless device manufacturers, although enhanced in new wireless standards, is not enough to maintain the privacy of patient health information (or electronic health records).

Smart cards allow health care organizations to control access to wireless networks by providing strong, multi-factor authentication, supporting cryptographic protection for content, facilitating session key management, and allowing access only to authorized individuals. By providing wireless users with a smart card, a PIN and the appropriate credentials to define access, employees, patients and partners can uniquely identify themselves when accessing networks or applications – even when users share a device.

Smart Health Card Examples

Health care organizations around the world are implementing smart health cards for patients and providers, including national health cards in France, Germany and Taiwan and new health card programs in the U.S. The University of Pittsburgh Medical Center and Mississippi Baptist Health Systems programs are profiled below.

University of Pittsburgh Medical Center (UPMC). Faced with dramatic growth, UPMC found it difficult for their technology infrastructure to keep up with their business requirements. Given their size – 20 hospitals and a group of over 5,000 doctors in over 400 offices – processes such as verifying the eligibility of individuals while maintaining the confidentiality of sensitive patient information became increasingly difficult.

An initiative was undertaken to implement a solution that would integrate UPMC’s disparate systems and practices. The mandate for this system would be to:

• Solve the challenges of complying with data privacy and confidentiality legislation (i.e., HIPAA) requiring higher security.
• Enable patients to have access to their information and play a part in updating their data.
• Provide a portable solution capable of immediate access and consistent data flow.

UPMC determined that smart cards were the obvious choice as the centerpiece in this new system. Following a successful two-year pilot project, the UPMC smart card, called the Healthcare Passport, has now been distributed to 2,000 UPMC patients. For the patient, the immediate benefits include speeding the check-in process during office visits.

The cards enable better care through faster retrieval of important medical information, according to Scott Gilstrap, director for technology solutions at UPMC. “The smart card eliminates a lot of paperwork for the patient and makes the visit to the doctor more convenient and less stressful,” Mr. Gilstrap said. “It can be a true lifesaver, especially for the elderly who may not remember all of the medications they are taking. This information is stored, updated accurately and easily available on the card.”

Patients will no longer need to fill out their personal information each time they visit their doctors since the cards will contain pertinent critical information such as medications, allergies and chronic conditions along with demographics and insurance history. By inserting the patient card in a computer in the exam room, the physician can have instant access to accurate and up-to-date information on the patient. Patients can also check their stored information by using a computer kiosk in the physician’s office or they may purchase a card reader to use with a home computer. For the patient, a PIN is required to gain access to their data.

The smart card project is just one component of an ambitious information technology initiative at UPMC. The goal of UPMC’s information technology initiative is to improve the quality of patient care, to reduce errors and duplication of services and to be a more cost-effective system.

Mississippi Baptist Health Systems. Starting with two doctors in 1911, Mississippi Baptist Health Systems (MBHS) now comprises two hospitals (Mississippi Baptist Medical Center and Baptist Restorative Care Hospital), 500 doctors on staff, 110,000 emergency room outpatients a year, and a host of health-related services in the community. In an attempt to stay ahead of the legislated requirements of HIPAA, MBHS has begun work on a smart card-based program to replace their current magnetic stripe identification card system. The added bonus of being able to use multiple applications on a single card was also a factor in deciding to use smart cards.

To the 70,000 current card-carrying members of their system, MBHS hopes to reach new levels of patient convenience, safety and privacy with the smart card program. Their goal is to replace all legacy cards within two years of the institution of the new program. The cards will contain a subset of the patient’s medical record and demographic information. When visiting a doctor’s office, emergency room or clinic, upon presentation of the patient’s card, a form specific to the site visited will print out. The card will maintain a record of clinical history such as blood pressure, pulse, and medications. In the future, the cards will be used to fax medical records from incoming ambulances to the destination emergency rooms.

Summary

As health care organizations invest in new information technology to comply with HIPAA and support initiatives to improve access to and convenience of medical care, smart cards are expected to be a critical system component. Not only do smart cards provide capabilities that help health care organizations meet privacy and security requirements, smart cards can also provide significant clinical and administrative benefits that extend beyond HIPAA and help to improve the quality and convenience of patient care.

---

This article is based on content from the 47-page Smart Card Alliance report, “HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements,” developed by the Smart Card Alliance Secure Personal ID Task Force. Lead contributors to the report included: Alegra Technologies, Atmel Corporation, Datakey, Gemplus, IBM, Infineon Technologies, Lockheed Martin, MartSoft Corporation, Northrop Grumman Information Technology, Privamed, Raak Technologies, Security Sciences International, Smart Commerce, Inc., TecSec, Unisys.

The full report discusses how smart cards can help health care providers and insurance companies meet the requirements of HIPAA Privacy and Security Rules. Designed as an educational overview for decision makers, it summarizes the HIPAA privacy and security requirements, provides an overview on how smart cards work, describes how smart cards can be used to support HIPAA compliance and implement other health care applications, and outlines key implementation success factors. The report also includes profiles of smart health card implementations including the University of Pittsburgh Medical Center, Mississippi Baptist Health Systems, and the French, German and Taiwanese health cards.

---

To purchase a copy of the complete 47-page report, click here.