
Secure Exchange Standards For Health Information

24 June 1999

Standards for Secure Exchange of Health Information

Highly secure information sharing is becoming more available to health service providers.

At the end of July, health providers will be able to choose to move to a more secure method of accessing information from the National Health Index (NHI), via an internet protocol (IP) based service.

Ministry of Health Chief Advisor for Health Information Nick Manson said the New Zealand Health Information Service (NZHIS) had spent 18 months formulating and testing the practicability of a bundle of technology standards to lay the way for secure transmission of health information.

The NZHIS co-ordinates and maintains the National Health Information Systems including the NHI.

The standards have been tested in several pilot projects by a variety of health providers including hospitals, GPs and Plunket, and are now ready for use by health professionals. A technical review by independent specialists found that the proposed and tested standards are consistent with current world best practice.

Access to the service has been driven by a demand from Hospital and Health Services (HHS) for better information sharing between professionals.

"There is considerable demand from the health sector to migrate to these standards," Mr Manson said.

"However, the pilots found that further consideration needs to be given to the development of applications, a means of governance and associated processes to ensure compliance with the standards prior to their adoption by a health organisation.

"For example, the process of identifying senders and recipients of electronic health messages (certification) needs to be tailored to the structures and responsibilities of health organisations."

Mr Manson said the capacity to share information securely and privately was seen as paramount and a prerequisite for the improved coordination of health service delivery.

In order to ensure continued progress, the following documents are being made available:

· a brief background paper (attached)

· a short discussion paper to seek comments from anyone who may be interested in the adoption of these standards; (attached)

· a report by Kaon Technologies Ltd that reviews the proposed standards. (this may be found on the NZHIS website - www.nzhis.govt.nz).

Background Paper: Standards for Secure Exchange of Health Information

The Ministry of Health's New Zealand Health Information Service (NZHIS) has spent the last eighteen months formulating and testing the practicability of a 'bundle' of technology standards (refer to attached document) to lay the way for secure transmission of health information using internet protocols (IP).

The demand for investigating the migration to IP technology was originally driven by the Hospital and Health Services (HHS). Subsequently, several HHS's, Independent Practitioner Associations and other health service providers were involved in pilot projects to look at the issues related to this enhancement of health communications.

The upshot of this process is as follows:

· the proposed and piloted standards are consistent with current world best practice;

· there is considerable demand from the health sector to migrate to these standards;

· a governance body and processes need to be instituted to ensure compliance with the standards prior to their adoption by a health organisation;

· there is scope for health information system developers to provide applications for health messaging;

· the process of identifying senders and recipients of electronic health messages (certification) needs to be tailored to the structures and responsibilities of health organisations;

· the NZHIS will make available both the existing X25 and a secure IP based service for access to the National Health Index (NHI) for interested health service organisations by the end of July 1999.

In order to ensure continued progress, the following documents are being made available:

· a short discussion paper to seek comments from anyone who may be interested in the adoption of these standards; (attached)

· a report by Kaon Technologies Ltd that reviews the proposed standards. (this may be found on the NZHIS website - www.nzhis.govt.nz/projects/kaonrep.html)

Discussion Document

Secure Transmission of Health Messages: Standards for Using Internet Protocols (IP)

Audience: IPAs, HHS's, Privacy Commissioner, Vendors, SSC, Media

The purpose of this document is to inform you of recent discussions between Government Health Agencies and to seek any comments you may have.

In recent meetings between the Ministry of Health, New Zealand Health Information Service, Health Funding Authority and the Accident Compensation & Rehabilitation Corporation the following principles were agreed:

· there is a need for high security in the electronic transmission of health messages relating to individuals (e.g. when patients are referred from one clinician to another; when diagnostic results need to be shared between clinicians to coordinate or consult on the provision of care; when a clinician makes a claim to a funder for a service provided; etc.);

· there will be benefits if this secure transmission is based on 'open' standards (i.e. standards available for anyone to use and incorporate in their systems). Please see attachment for a listing of the proposed standards;

· it is important to accept that there may be cost implications with the implementation of these standards to ensure good security for health messaging;

· that the health sector/industry will need time to migrate to full adoption of these standards (up to 18 months may be reasonable);

· and that the standards referred to only constitute means for the secure electronic transmission of data and will need to be balanced with commensurate development of health service staff and practices to ensure data security and privacy.

These statements have been made on the basis of extensive investigation, the trial of IP standards and technologies within New Zealand (the Health Intranet Pilot: now completed) and with reference to international experience and direction. A technical review of the standards has been completed and is available on the New Zealand Health Information Service website (www.nzhis.govt.nz) for those who are interested.

It may be of interest that the approach and standards described above are consistent with the direction being developed within other government agencies.

We are now seeking your comments or queries on this proposed direction. In particular we are interested in the level of interest and support for your own organisation or in your role as a stakeholder in health information.

Your responses will be used not only to inform information service development within the central agencies, but they will also be fed into the national health information strategy development process which has recently started and which is expected to produce a document for consultation in the last quarter of 1999.

Appropriate Standards

The following is a list of recommended standards for use on the Health Intranet.

It should be noted that the standards shown are not product specific.

Means of Identifying Individuals & Organisations

Digital Certification

X.509v3 digital certificates with a minimum of 128 bit public keys.

Standards for Secure Email

Mail Extension

Secure Multipurpose Internet Mail Extensions (S/MIME) version 2 using X.509v3 digital certificates for email and signed documents issued by the NZHIS authorised Certificate Authority.

Standards for Encoding/Encrypting Data

Encryption

RSA public key algorithm for key lengths of 128 bits or less

SHA-1 digest for hash number generation

Triple DES or 3DES encryption for tunnel encryption

128 bit Secure Socket Layer version 3 with RSA

Standards for Interactive or Real Time Communication

World Wide Web and Hypertext Transmission

HTTP version 1.0

128 bit secure HTTP (HTTPS)

Java 1.1.3 compliant Java Virtual Machine

HTML version 2

Standard Smartcard

Smartcards

RSA PKCS 11

Standards to Protect Local Computers from Undesired Access

Firewall

ICSA Certification

These standards provide a core set of requirements.

© Scoop Media
