Sponsoring Forum: Messaging

Sponsors: Booz Allen Hamilton, Sendmail, Tunitas Group, Tumbleweed Communications, Syntegra
Secure Messaging in the Healthcare Community

Objective of Meeting

The meeting set out to explore the specific requirements of the healthcare community for secure messaging, the extent to which existing products meet those requirements, and the value of The Open Group S/MIME Gateway Certification program.

Summary

Mike Lambert, Director of The Open Group Messaging Forum, briefly introduced the session and outlined its structure.

The morning started with two presentations giving the user view of the challenge that needs to be addressed:

  • Ben Littauer, in a presentation with the title An Illuminated Look at e-Mail Security for Healthcare, represented the experience and requirements of the Massachusetts Health Data Consortium (MHDC). He summarized the principal requirement for communication between healthcare organizations as email confidentiality combined with ease of management. The presentation reported on a pilot Secure Messaging Gateway, which has led to a multi-vendor interoperability certification project.
  • Howard Conrad of Booz Allen Hamilton represented the requirements of the US Food and Drug Administration (FDA). He addressed the FDA's need to move from a traditional paper-driven process to an electronic one in order to improve responsiveness. Several major projects have been implemented despite the lack of a clearly defined Public Key Infrastructure or any agency decision on digital signature technology, including secure messaging systems that provide secure links to drug sponsors through encryption at the domain gateway.

Blake Ramsdell of Sendmail Inc., who is also the Technical Editor of the IETF S/MIME specification set, presented the Role of Standards in Addressing the User Challenge, discussing how the S/MIME specifications are being used as the basis for a solution to the requirements of MHDC, and in particular how the joint project between The Open Group and MHDC is adding value to the underlying specification through the "nailing down" of options in the specification and the addition of a testing regime.

Bill Pankey of the Tunitas Group facilitated a panel of solution providers who addressed the topic of how products are addressing the user challenge. Firstly, he invited the vendors present to give a short presentation and then led a discussion based on the specific needs of the Healthcare Community in California.

The following presentations were made:

  • Jon Callas of PGP Corporation presented PGP Universal, a server product that operates at the network level. It is standards-neutral, supporting SMTP, POP, and IMAP. It is transparent to desktop users and email systems and supports both server and client-managed keys. The use of short-life certificates eliminates the need for CRLs.
  • Sean Steele of Tovaris, in a presentation entitled An Introduction to Seamless Secure Messaging, described the Tovaris SecureMail Gateway product. 60-70% of Tovaris' business is currently driven by the healthcare market. The product supports both user-level and domain-level S/MIME and is already interoperable with Tumbleweed "out of the box"; Tovaris plans conformance with the SMG specification by Q3/2004.
  • Brian Shell of Tumbleweed Communications presented the use of Tumbleweed Secure Redirect to Protect Email in Healthcare. In addition to describing the capabilities of the product, Brian identified a number of interoperability challenges.
    • Is HIPAA compliance a real priority?
    • There are ~400 million S/MIME capable email clients. This has not resulted in broad deployment of secure email
    • Managing IDs for individuals at a business partner is difficult.
    • Knowing what method of key exchange a trading partner can support is often difficult.
  • Eric Jacksch of ZixCorp, in a presentation entitled Secure eMessaging for Health Care, analyzed various approaches to secure email, all supported by ZixCorp technology, and indicated how each relates to specific requirements:
    • Security to the desktop
    • Perimeter gateway solution, including TLS
    • Secure Web portal, the only really acceptable solution for B2C relationships

    Eric stressed ZixCorp's commitment to mature standards that meet customer requirements.

  • Robin Ehrlich of Syntegra presented the Syntegra Messaging Platform. Syntegra Sentinel provides a full email product including Spam/Virus checking in addition to secure email. The product supports client-to-client encryption and PGP, but the current focus is gateway-based because this does not require special client software and because it allows for Spam/Virus protection, and requires much less maintenance than client-to-client. Syntegra has been involved in the MHDC/SMG work from first pilot interoperability trials.

Significant points arising during the subsequent discussions:

  • (Jon Callas) IPSEC/TLS between routers is a possible solution that does not require any specific email system changes. However, this does not work where mail is being relayed.
  • (Jon Callas) Gateway to gateway is already pretty well protected (by TLS) so why the focus on this? Because this is the part of the link that is referenced by HIPAA.
  • (Bill Pankey) Historically there has not been a tremendous demand for secure email. HIPAA is now the big stick.
  • (Jon Callas) HIPAA requires "best effort" only. There is a trade-off between the cost of secure email and reverting to paper/fax.
  • (Kathryn Lawder - Sharp Healthcare) There is a lack of understanding of secure email in the healthcare community. HIPAA is forcing the change, but without the necessary knowledge in place.
  • (Eric Jacksch) Standards are too complicated to implement. They have defined the underlying technology, but not manageability.
  • Healthcare organizations are focusing on outbound messaging rather than inbound.
  • This is largely a business process problem rather than a technology problem. Policies are needed to prevent mail going out unencrypted by accident.
  • There is a need to be able to flag messages as containing PHI to allow policies to be enforced. There is an opportunity to develop a data classification scheme.
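The two gateway-side checks implied by the discussion above, as an added example that is not code from the meeting report or from any vendor named on this page: an outbound policy that acts on a PHI classification flag (deliver, have the gateway apply domain-level S/MIME, or hold for review), and an inbound check of the Received: chain that shows why hop-by-hop TLS does not cover a relayed message. The classification header name, the "[PHI]" subject tag, the partner-domain table and the sample messages are all assumptions constructed here, not taken from the page.

```python
"""Gateway checks for PHI-flagged mail and for hop-by-hop TLS coverage.

Added example, not from the meeting report or any vendor product.
Assumed (not from the page): the classification header name, the
"[PHI]" subject tag, the partner-domain table and the sample messages.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

CLASSIFICATION_HEADER = "X-Data-Classification"   # assumed header name
PHI_VALUE = "PHI"
# Assumed: domains whose gateways accept domain-level S/MIME from ours.
PARTNER_DOMAINS = {"partner-hospital.example", "labs.example"}
# "with" protocol tokens (RFC 3848) that mean the hop negotiated TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def parse(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=policy.default)


def is_smime_enveloped(msg: EmailMessage) -> bool:
    """True if the body is already CMS EnvelopedData (S/MIME encrypted)."""
    if msg.get_content_type() not in ("application/pkcs7-mime",
                                      "application/x-pkcs7-mime"):
        return False
    # smime-type=signed-data is signed only, not confidential.
    return str(msg.get_param("smime-type") or "").lower() == "enveloped-data"


def is_phi_flagged(msg: EmailMessage) -> bool:
    if msg.get(CLASSIFICATION_HEADER, "").strip().upper() == PHI_VALUE:
        return True
    return "[phi]" in (msg.get("Subject") or "").lower()


def recipient_domains(msg: EmailMessage) -> set:
    domains = set()
    for field in ("To", "Cc", "Bcc"):
        for header in msg.get_all(field, []):
            for addr in header.addresses:
                domains.add(addr.domain.lower())
    return domains


def outbound_action(raw: str) -> str:
    """Return 'deliver', 'encrypt' (gateway applies domain S/MIME) or 'hold'."""
    msg = parse(raw)
    if not is_phi_flagged(msg):
        return "deliver"
    if is_smime_enveloped(msg):
        return "deliver"   # client already applied end-to-end protection
    domains = recipient_domains(msg)
    if domains and domains <= PARTNER_DOMAINS:
        return "encrypt"
    return "hold"          # no S/MIME path to every recipient: quarantine


def cleartext_hops(raw: str) -> list:
    """Received: hops (oldest first) that did not negotiate TLS.

    Transport TLS protects one hop at a time; a relay that accepted the
    message over plain ESMTP saw it in the clear whatever the other hops did.
    """
    msg = parse(raw)
    exposed = []
    for received in reversed(msg.get_all("Received", [])):
        m = WITH_RE.search(str(received))
        proto = m.group(1).upper() if m else "UNKNOWN"
        if proto not in TLS_PROTOCOLS:
            exposed.append(str(received).split(";")[0].strip())  # drop the date
    return exposed


# Constructed sample messages.
PHI_TO_PARTNER = """\
From: dr.smith@clinic.example
To: Records <records@partner-hospital.example>
Subject: [PHI] Referral for patient 1042
X-Data-Classification: PHI
Content-Type: text/plain

Referral attached.
"""

PHI_ALREADY_ENCRYPTED = """\
From: dr.smith@clinic.example
To: nurse@outside.example
X-Data-Classification: PHI
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxAA==
"""

PHI_TO_UNKNOWN = """\
From: dr.smith@clinic.example
To: nurse@outside.example
Subject: [PHI] Lab results

Results below.
"""

RELAYED = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.20]) by mx.partner-hospital.example with ESMTP id b2; Mon, 23 Feb 2004 10:01:00 +0000
Received: from mta1.clinic.example (mta1.clinic.example [192.0.2.10]) by relay.isp.example with ESMTPS id a1; Mon, 23 Feb 2004 10:00:00 +0000
From: dr.smith@clinic.example
To: records@partner-hospital.example
Subject: Routing check

Body.
"""
```

In the RELAYED sample the first hop (clinic to ISP relay) used ESMTPS but the relay forwarded over plain ESMTP, so `cleartext_hops` reports that hop; this is the case Jon Callas raised, where transport encryption between the end gateways is not enough once a relay sits in the path. The outbound policy "holds" rather than silently delivering when no S/MIME path exists, which is the accidental-cleartext case the discussion wanted policies to prevent.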

Finally, Mike Lambert presented an overview of the proposed SMG Certification program being developed by The Open Group and MHDC. Certification provides buyers with a guarantee that products conform to specifications. The SMG Certification Program involves:

  • The definition of a profile of S/MIME that ties down some of the options in the underlying standard
  • A simple interoperability testing protocol
  • The use of a registered trademark in association with products that conform to the agreed profile

Outputs

This report, together with the associated presentation materials, represents the major output from the meeting.

Next Steps

SMG Certification

The joint MHDC/Open Group Certification Program will continue, with the target of finalizing the specification before the end of Q1/2004 and the availability of products that conform to the standard sometime in Q2.

Secure Messaging

The Open Group Messaging Forum will continue to work on all aspects of Secure Messaging including:

  • Supporting the deployment of the US DoD External Certificate Authority program for encryption and authentication of email
  • Guidance and education on all aspects of Secure Messaging

Links

PatientSite: http://patientsite.bidmc.harvard.edu

Massachusetts Health Data Consortium: http://www.mahealthdata.org 

US Food and Drug Administration: http://www.fda.gov/ 


© The Open Group 1995-2012  Updated on Monday, 23 February 2004