< Return To Hearing
David C. Miller
December 4, 2007
Chairman Leahy, Ranking Member Specter, and distinguished Members of the Judiciary Committee, I want to thank you for the opportunity to discuss electronic prescribing of controlled substances. Given the fact that all types of communication in our country are shifting away from face-to-face in favor of electronic media, it is vital that we consider the advantages of electronic commerce in all areas of the economy. This holds particularly true in the healthcare industry where controlling costs, protecting privacy and sharing information effectively will have an impact on every United States citizen.
In the years that I have been working as a security expert at EDS, IBM, General Motors, and now with Compuware Covisint, I have become very familiar with the challenges related to securing transactions on the public internet, considered by some to be an inherently insecure network. Covisint was created to leverage the internet in a secure way, such that automotive companies could take advantage of the technology without being exposed to this risk. As a result, Covisint's solution evolved as a unique information sharing hub providing a service for communities of interest to collaborate and securely exchange information.
The concerns of the automotive industry parallel those of the DEA in e-prescribing controlled substances, albeit for different reasons. In building a secure information sharing hub, the Covisint solution had to manage these electronic communications; it was our responsibility to create a system that could support the secure communication issues of a diverse community while keeping cost and implementation time to a minimum.
As Covisint expanded its business landscape and grew into other industries (healthcare, law enforcement, financial services), we saw the same sort of challenges. Healthcare systems need to interact with each other, sending highly personal data back and forth, while maintaining compliance to HIPAA regulations. In law enforcement, Covisint helped create an information-sharing pilot for the Department of Justice to use in sharing sensitive terrorist-related information between law enforcement agencies. In each case, the challenge was to balance security with implementation cost and complexity. In a nutshell, a security solution that cannot be implemented or is only partially implemented may be worse than no security at all. What we have done for these institutions is to find that balance.
Electronic Communications Offer Security Advantages
In days past, we always went to the same doctor and always visited the same pharmacy. Doctors had relationships with pharmacists such that a voice and signature were readily recognized. Even doctor's prescribing habits were recognizable by pharmacists. Pharmacists often picked up the phone to verify or inquire about the validity of a prescription. The days of tight relationships between doctors and pharmacists are quickly disappearing. And the weakening of these relationships weakens the ability of pharmacists to validate signatures, recognize prescription patterns and otherwise ensure security associated with the paper process.
So what is the solution? Electronic transactions, whether on the internet or over a private network, offer us the best alternative today. With a set of electronic transactions, the prescribing activity of physicians can be tracked and monitored. Electronic transactions minimize human error and detect irregularities in activity. Electronic transactions are easy to store and allow extensive search capabilities. Processes in the electronic system can be highly controlled via predefined workflow. Electronic systems offer a variety of methods for authenticating the user and ensuring the user's authority to perform the transaction.
In terms of checks and balances, electronic transactions:
- can be supplemented with physical signatures, which can be faxed and appended to the transaction.
- can incorporate alerts and triggers in the workflow, for example alerting doctors of certain physician activities, such as prescribing a controlled substance. This is known as a closed loop transaction.
- can monitor pharmacies and warehouses to ensure their accuracy and honesty in filling and shipping prescriptions.
As demonstrated by these examples, it is important to remember that information security looks at both "bad guys" who are intruding on the system and "good guys" who have legitimate access but may abuse their access.
1. An audit trail
With an electronic log of what is sent, when it is sent and who received it, you can provide true audit capability. This is important when you need to understand the patters of prescribing for physicians.
2. Real-time tracking
Electronic methodologies happen in real time. With paper-based systems it can take weeks for a trend or abuse to surface. In the electronic world, these activities are visible as they happen.
In the electronic world, there is always an audit trail; a physician or pharmacist cannot hide their activities. This generic visibility creates transparency. Transparency is also a deterrent, as users are aware that they are constantly being monitored. The paper world offers opportunities for people to mask their activities.
4. Event alerts
As a result of the electronic nature of e-prescribing, monitoring for abusive behavior takes place real-time and provides alerts that can be acted on prior to dispensing the medication. With paper transactions, people need to be involved, and they become the bottleneck.
5. Trend and historical pattern analysis
Often the only way to see abuse is to discern patterns in historical data. This historical data could be millions of records over many months. In the paper world, managing this amount of data is difficult at best, impossible at worst. With electronic transactions you can do trend analysis in seconds instead of months.
Complexity of Securing Electronic Transactions
When considering the approach to secure these electronic transactions, the temptation is to implement the most sophisticated and secure technologies that are available to the industry. This can often be the death of an implementation. I have seen many cases of the security of the implementation being so complex that the users of the system have either found ways around the system, thus defeating the security implementation, or have made up excuses as to why "it won't work," and thus abandoning the system altogether.
In information security today, Public Key Infrastructure, or PKI, is that "sophisticated and secure technology." Although PKI- based authentication methods provide some superior functionality, the current state of the technology brings with it major implementation and usage challenges:
- The heart of the system relies on a very long numeric key. This key would be impossible for a user to memorize, so it is stored on a device called a container. This container can be a PC, or a card that understands PKI (e.g. a smart card). The key requirement is that the container if physically available to the prescribing physician. Thus, if the physician forgot his card or his PC is broken, no authentication can occur and no prescribing can occur. The physician is unable to perform a key task until the container is recovered. In addition, many PCs cannot handle the PKI container requirements and would need to be upgraded.
- Because the container or device holds the key, it too must be secured. In most cases, this requires some sort of pass phrase or password to use the key which unlocks the container. So in the end, a password is the true security method. Anyone who shares that password and allows others access to the container can circumvent the security.
- Access to the container is paramount. If you are out of the office without your PC, then you would not be able to access the system. At face value this may seem like a good thing, but experience tells us that in today's world you cannot guarantee where a person is located when working. Many times physicians need to access their e-prescribing system while on call after hours, but without their work computer present at home, or wherever they may be, they cannot utilize the system. Or imagine if after Hurricane Katrina no physicians in New Orleans could provide healthcare because their computers were all underwater.
So if solutions such as PKI won't work, what alternatives do we have? I believe that by combining technology, process and oversight a solution can be provided that allows for appropriate levels of security for controlled substances while providing all of the advantages of e-prescription. This technique will allow for the authentication, integrity and non-repudiation, which we all want.
The components of this solution include:
- A robust authentication capability
a. Users write down good passwords (difficult to guess)
In my experience there are additional technologies that can mitigate this. Multi-factor technologies allow an added degree of protection while still allowing for reasonable implementations.
Another type of authentication is knowledge based. In this model the user is asked a set of random questions that only he would know. This along with the password provides a two-factor system. This is exactly what is being used in many web banking systems in direct response to guidance from the FDIC.
- A group of trusted identity providers
- Third party "trusted broker"
- A consistent policy
- An oversight organization
Ultimately, the success of any system is all about adoption. Getting the constituents to adopt a new methodology will require selection of a cost-effective, simple and secure solution. I believe that there are simple-to-use authentication technologies, which--when partnered with policy and oversight--can achieve adoption within the whole healthcare community. This approach can also overcome the security concerns associated with enabling the e-prescribing of controlled substances. I have seen this approach work successfully in many industries over the past seven years and believe it has real merit and deserves further consideration.