The healthcare industry increasingly relies on accreditation associations and their initiatives to help streamline and accelerate how trusted solutions for cyber-transactions and electronic data exchange systems are created, selected and deployed in a variety of applications as well as IoT use cases for medical device security. By relying on these accreditation associations, healthcare organizations can acquire and implement solutions that have been proven to comply with HIPAA Privacy and Security requirements, cybersecurity best practices, and relevant federal and state rules and regulations.
Through their independent third-party review process, accreditation associations are also raising industry standards for quality, privacy, security and confidentiality while defining deployment best practices for an industry that is among the most vulnerable to cybersecurity threats. At the heart of these solutions are digital certificates that provide much greater information security than password-based solutions.
Role of digital certificates in accreditation programs
Today’s digital certificates electronically store a validated identity and provide digital credentials for secure access to websites, networks, systems or applications. They enable strong, two-factor authentication that is critical for regulatory compliance and protection against cyberattacks. They also provide a method for creating digital signatures that are integral to processes and practices in the pharmaceutical and healthcare industry, such as digitally signing ePrescriptions for controlled substances in compliance with DEA EPCS rules aimed at combating America’s opioid crisis and other prescription drug abuse.
Numerous accreditation associations have embraced digital certificates as a central element for giving healthcare organizations greater confidence that the solutions they deploy will be acceptable across industry and regulatory bodies. These associations include:
• Electronic Healthcare Network Accreditation Commission (EHNAC) Direct Trusted Agent Programs (DTAAP-CA and DTAAP-RA, which have evolved for 2020 into accreditation offerings by DirectTrust): This organization’s goal is to ensure interoperability among Health Information Service Providers (HISPs), Trust Agents and other Direct Project participants, reduce risk to Protected Health Information (PHI) and secure communications for scalable and standards-based direct exchange, that is, the process of sending authenticated, encrypted health information directly to known, trusted recipients over the Internet.
• SAFE-BioPharma Association accreditation program and its digital identity and signature standard: The standard was created by the biopharmaceutical industry and its regulators to provide global high-assurance identity trust for cyber-transactions throughout the pharmaceutical and healthcare community.
• Trusted Network Accreditation Program (TNAP) collaborative: TNAP was developed to align directly with the Trusted Exchange Framework and Common Agreement (TEFCA) required by the 21st Century Cures Act. The goal of TNAP is to promote interoperability by assuring the security and privacy of trusted networks and the use of enabling technologies in the healthcare ecosystem, and to provide third-party review with accreditation for Trusted Exchange participants.
The industry’s solution and technology providers are rallying around these healthcare initiatives. As an example, HID Global has completed full re-accreditation for the company’s IdenTrust digital certificates to the specifications and protocols established for certificate authorities (CAs) and registration authorities (RAs) through the DTAAP program that is now administered through DirectTrust. These same digital certificates have been certified compliant with SAFE-BioPharma Association’s digital identity and signature standards. And six healthcare industry organizations, including HID, are working together as beta candidates for the draft accreditation program being developed by the TNAP collaborative.
IoT use cases
There are also IoT use cases to be considered. Healthcare organizations need to be assured that their ecosystems of connected IoT devices are trusted and secured. This requires authentication and data encryption for these medical devices among other capabilities. Depending on the system, digital certificates can be used in these “Internet of Medical Things” applications to:
• Ensure integrity of communications and data streams between connected medical devices and protect the confidentiality of those data streams and the data that is stored in the devices. Digital certificates are used to sign transactions and encrypt data to prevent interception and modification of information.
• Authenticate these connected medical devices and servers in the field by providing trusted device mutual authentication. Digital certificates provide the mechanisms for controlling access to devices and preventing the injection of fraudulent data or communications.
• Control access to connected medical devices to ensure that all software updates to them are secure.
• Ensure the security and integrity of connected medical device software through code signing.
• Provide remote services around key management or rotation, software and application deployment and management of device data and information.
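The following script is an added example and is not code from the article or from HID Global, IdenTrust or any other organization named here. It uses the standard openssl command line to build a small device PKI and show, in runnable form, the first three items in the list above: a device certificate chained to a private CA (the check each side performs during mutual authentication), rejection of a certificate that carries the right device name but is not chained to that CA, and code signing of a firmware image whose verification fails both when the image is modified and when the signer is outside the trust chain. The CA name, device name, file names and firmware bytes are constructed placeholders, and the assumption that the healthcare organization trusts a single private CA is the example's own, not the article's.

```shell
#!/bin/sh
# Added example (not from the article or any vendor named in it): a small device PKI
# built with the openssl CLI. Shows a device certificate chained to a private CA,
# rejection of an unchained certificate, and firmware code signing/verification.
# All names (CA name, device name, file names, firmware bytes) are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# 1. Private CA that the healthcare organization trusts (assumption of this example).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Medical Device CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# issue_cert BASENAME COMMON_NAME: create BASENAME.key and BASENAME.crt signed by the CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$1.crt" >/dev/null 2>&1
}
issue_cert device "pump-0001.example"          # identity installed in the device before shipment
issue_cert signer "Example Firmware Signing"   # vendor's code-signing identity

# 2. A self-signed certificate with the same device name but no link to the CA:
#    what a counterfeit or spoofed device would present.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=pump-0001.example" -keyout rogue.key -out rogue.crt >/dev/null 2>&1

# verify_device_cert CERT: succeed only if CERT chains to ca.crt.
# This is the path validation each peer performs during mutual TLS authentication.
verify_device_cert() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# sign_firmware IMAGE KEY SIGFILE: detached SHA-256/RSA signature over IMAGE
sign_firmware() {
  openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# verify_firmware IMAGE SIGFILE SIGNER_CERT: accept only if the signer certificate
# chains to the CA AND the signature matches the image bytes exactly.
verify_firmware() {
  openssl verify -CAfile ca.crt "$3" >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -pubkey -noout > "$3.pub" 2>/dev/null || return 1
  openssl dgst -sha256 -verify "$3.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# 3. Constructed firmware image, signed by the trusted signer and by the rogue key.
printf 'EXAMPLE-FIRMWARE-v1.2.3\n' > firmware.bin
sign_firmware firmware.bin signer.key firmware.sig
sign_firmware firmware.bin rogue.key rogue.sig
cp firmware.bin tampered.bin && printf 'X' >> tampered.bin

# Demonstration output when run stand-alone
verify_device_cert device.crt && echo "device.crt: chains to CA, accepted"
verify_device_cert rogue.crt  || echo "rogue.crt: not chained to CA, rejected"
verify_firmware firmware.bin firmware.sig signer.crt && echo "firmware.bin: valid signature from trusted signer"
verify_firmware firmware.bin rogue.sig rogue.crt     || echo "firmware.bin: signer not trusted, rejected"
verify_firmware tampered.bin firmware.sig signer.crt || echo "tampered.bin: signature mismatch, rejected"
```

The two verification functions deliberately check the trust chain before the signature: a signature that verifies under a key nobody vouches for proves nothing, which is why the rogue signer is rejected even though its signature over the image is mathematically valid. In a real deployment the CA key would live in an HSM rather than a temporary directory, and the device would pin the CA certificate in firmware.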
Digital certificates can be installed in a connected medical device at the manufacturer’s facility before shipment, or a human sponsor can install them in equipment on-site or in the field. There are two deployment models: 1) individuals associated with a healthcare organization who manage devices go directly to the certificate provider’s website to apply for device certificates, and the supplier does the rest, or 2) healthcare organizations can opt for customized solutions through which they determine how little or how much of the certificate lifecycle they want to manage, using a software-as-a-service delivery platform and other tools.
Digital certificates will be increasingly important for ensuring that healthcare solutions meet HIPAA and other federal and state requirements. Numerous industry associations are developing the standards and best practices that will enable healthcare organizations to purchase accredited solutions that they can be confident will comply with these requirements. Digital certificates are playing a central role in delivering this confidence, in both traditional healthcare applications and IoT use cases for connected medical devices.
Vishvas Patel is the vice president and chief architect with HID Global, Identity and Access Management.