As a military healthcare organization with patients and providers literally around the world, we are faced with some unique problems as a result of the Health Insurance Portability and Accountability Act (HIPAA).
One of HIPAA's major requirements is the implementation of technical safeguards to secure all electronic Protected Health Information (ePHI). And while HIPAA does not mandate encryption specifically, it does dictate that you protect all ePHI.
Any individually identifiable health information that is transmitted by or stored in electronic media is regarded as ePHI. One area of ePHI we needed to protect was its transmission. To achieve this, unique user identification, authentication, integrity and encryption all played their part in helping us to protect our patients' health information and satisfy HIPAA requirements.
To meet these obligations when sending data via email, we decided to use a Public Key Infrastructure and the Common Access Card (CAC) – a hardware token that contains your private key to encrypt the data and digitally sign the message. The CAC is now used as the identification card for both soldiers and Department of the Army civilians.
Additionally, the CAC incorporates biometric identification into the process of setting or resetting users' PINs. The encryption is done using the Triple Data Encryption Standard (3-DES), while the digital signature uses Secure Hash Algorithm (SHA-1). This provides identification and authentication, confidentiality, data integrity, and non-repudiation. To implement this solution, all users were issued a CAC, hardware and software was installed on each computer, and then users attended various training sessions.
Issuing the CAC presented some challenges. We had to schedule this with the military post's ID card section, which issues the card to all active duty soldiers and civilian employees. Because this was a new process, there was only one device for creating the card on this installation, so this became a very time-consuming endeavor.
Installing the hardware was the most challenging task. We were an NT-based network when the serial smartcard readers were ordered. This meant having to visit every machine to install the card readers, drivers, Active Gold software and Root certificates. For each machine, we then had to configure Microsoft Outlook to use a digital signature and encrypt the data. When you set Outlook up for digital signatures and encryption, this becomes the default. We added two icons to each user's Outlook toolbar to turn these features off when not required.
And this brings us to the last issue: user training. Users needed to be trained on what the CAC is, how to use it and, most importantly, when to use it. Since the default is to digitally sign and encrypt every message, users must know which emails require signatures and encryption and how to turn off this feature when not required.
Currently, we have completed issuing the CAC and installing the hardware. Software installation and Outlook configuration is partially finished. We will be able to complete this leg of the deployment by pushing the software to the desktop. And, of course, training is ongoing.
Looking back at the process, we did learn some lessons. First, don't attempt this with an NT network. It prohibits pushing the software to the desktop, so as a result we have since upgraded. Once we upgraded, we found that the serial smartcard readers do not work with plug and play. The plug and play found the reader and installed what it thought was the correct drivers, which in turn killed the printers the first time any user utilized the CAC.
Second, don't use serial smartcard readers; the best solution we found is a keyboard with an integrated smartcard reader. If you don't want to use that, then use a USB smartcard reader. This will enable you to push the software and the Outlook configuration.
Finally, probably the most important lesson is that we should have started training our users before we began the installation process. This would have helped users to a better grasp of what exactly their newly installed smartcard reader was, and would have allowed them some time to get familiar with the idea of using the CAC.
Once this process was understood, teaching them how to send a digitally signed or encrypted email was easy – they just needed to know that the CAC had to be inserted in the reader before they could enter their PIN.
A more difficult task to master for some of our users was how to retrieve other users' public keys. We had to make sure they understood how to go to the PKI directory and search for a user's public key and import it.
Despite some of the problems deploying this solution, it works well for us and allows us to meet just one directive mandated by HIPAA. To determine whether or not this might be the best solution for your organization you should mull over carefully the time, work and budget that might be required.
James Angle is deputy chief of data management at the Moncrief Army Community Hospital, Fort Jackson, SC
