Electronic Submission of Medical Documentation (esMD)
CDA Digital Signatures
January 8, 2013
Wet Signatures
  Standards and legal standing:
    - Standards are based on legal precedence
    - Non-repudiation is inherent in a wet signature
  Audit requirement:
    - None
    - Often requires an attestation to determine validity
  Timing of signature:
    - Applied at any time (timing policy cannot be enforced)
  Fraud protection:
    - None; short of a forensic evaluation of the original signed document, it is not possible to determine when signing occurred

Electronic Signatures
  Standards and legal standing:
    - Standards are based on technology and legal precedence
    - "Currently there are no technically mature techniques that provide the security service of non-repudiation in an open network environment, in the absence of trusted third parties, other than digital signature-based techniques." (HHS)
  Audit requirement:
    - Requires an audit of the signing system (e.g. EMR) installation, policies, and audit logs
    - May require an attestation to determine validity
  Timing of signature:
    - Record of time of signing
    - Can be applied at any time; timing is determined by the EHR
  Fraud protection:
    - None/limited; all require a physical audit and attestations

Digital Signatures
  Standards and legal standing:
    - International and US Federal standards
    - Standards are based on cryptography
  Audit requirement:
    - Audit is required as part of identity proofing and certificate issuance
  Timing of signature:
    - Time stamp on the document is evidence of when signing occurred
    - OCSP response is external evidence of timing and certificate validity
    - Signature is applied when the document is complete
  Fraud protection:
    - Absolute, assuming that PKI policies are followed
S&I Framework esMD eMDR Overview
  Actors (diagram): Payer Entity (Payer, Payer Internal System, Contractors / Intermediaries); Provider Entity (Provider (Individual or Organization), Agent); Provider Directories; Registration Authority; Certificate Authority
  Use cases (diagram):
    - esMD UC 1: Provider Registration (includes Digital Signature)
    - esMD UC 2: Secure eMDR Transmission (includes Digital Signature)
    - esMD AoR Level 1: Digital Signature on Bundle
    - esMD AoR Level 2: Digital Signature on Document(s)
  User Story:
    - All actors obtain and maintain a non-repudiation digital identity
    - Provider registers for esMD (see UC1)
    - Payer requests documentation (see UC2)
    - Provider submits a digitally signed document (bundle) to address the payer's request
    - Payer validates the digital credentials, signature artifacts and, where appropriate, delegation of rights
    - If documents are digitally signed, the payer also validates the document digital signature artifacts
General esMD Flow (diagram): Transport Adapter In/Out; Validate Signature and Integrity; Transaction Processing; DMZ for Payload Scan; Application Databases
AoR -- Phased Scope of Work
  Level 1 (current focus): Digital signature on aggregated documents (bundle)
    - Focus is on signing a bundle of documents prior to transmission to satisfy an eMDR
    - Define requirements for esMD UC 1 and UC 2 signature artifacts
    - May assist with EHR Certification criteria in the future
  Level 2 (TBD): Digital signature on an individual document
    - Focus is on signing an individual document prior to sending, or at the point of creation by providers
    - Will inform EHR Certification criteria for signatures on patient documentation
  Level 3 (TBD): Digital signature to allow traceability of individual contributions to a document
    - Focus is on signing documents and individual contributions at the point of creation by providers
    - Will inform EHR Certification criteria for one or multiple signatures on patient documentation
Definitions
  Identity (Proposed): A set of attributes that uniquely describe a person or legal entity within a given context.
  Identity Proofing (Proposed): The process by which a CSP and a Registration Authority (RA) collect and verify information about a person or legal entity for the purpose of issuing credentials to that person or legal entity.
  Digital Signature (NIST): The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity and signatory non-repudiation.
  Data Integrity (NIST): A property whereby data has not been altered in an unauthorized manner since it was created, transmitted or stored. Alteration includes the insertion, deletion and substitution of data.
  Non-repudiation (NIST): A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party. This service prevents an entity from successfully denying involvement in a previous action.
  Delegation of Rights: The ability to delegate rights or authority to another to act in a specific capacity on behalf of the grantor of the right. Must include the digital identity of the grantor, the digital identity of the grantee, the rights granted and the duration of the grant, in a format that is usable in transaction and AoR signature events and is verifiable by a third party for non-repudiation purposes.
esMD Requirements

  Topic                                      UC1: Registration   UC2: eMDR     AoR L1 Bundle
  Identity Proofing                          Required            Required      Required
  Digital Credential Management              Required            Required      Required
  Digital Signatures & Signature Artifacts   Required            Required      Required
  Delegation of Rights*                      Situational         Rarely        Situational

  Characteristics of Solution
  Non-Repudiation                            Required            Required      Required
  Data Integrity                             Required            Required      Required

  * Required if the action of the responsible party is being represented by a third party
Sub-Workgroups
  1. Identity Proofing: Define the required process for identity proofing of healthcare individuals and organizations for esMD
     - Proof of identity requirements
     - Allowed proofing processes
  2. Digital Credentials: Define the required process for issuing and managing digital credentials for esMD
     - Credential life cycle (issuance, maintenance and revocation)
     - Credential uses (Identity, Signing, Proxy, Encryption, Data Integrity)
     - Specific use credentials (e.g. Direct)
  3. Signing and Delegation: Define the process, artifacts and standards for transaction and document bundle digital signatures and delegation of rights for esMD
     - Signature and delegation artifacts
     - Workflow issues
     - Delegation process
  Deliverables from all SWGs include:
     - Statement of problem and assumptions
     - Review of standards
     - Recommended standards
     - Operational/implementation considerations
     - Analysis of gaps in standards and policy
electronic Determination of Coverage (eDoC) Generic Workflow (diagram actors): Patient; Licensed Clinical Medical Professional (LCMP) [e.g. Physical Therapist]; Physician; Specialist / Service Provider; Templates and Rules; Payer
Author of Record Level 1: Digital signature on a bundle of documents
  1) Standards
     a) PKI: X.509v3 signing certificates (FBCA Medium)
     b) IHE DSG (XAdES)
     c) SAML assertion for delegation of rights
  2) Environment
     a) Created as part of sending documents from provider to payer
     b) Validated upon receipt
     c) One signer (the submitter) only, for the full bundle of documents
     d) Delegation of rights as required to support the authorization chain
Author of Record Level 2 Requirements
  1. Digital signature on documents for provenance (clinical and administrative)
     - Meets the requirement for encapsulated non-repudiation
     - Note: an electronic signature requires validation of system configuration and audit log review
  2. Signature should be applied at the time of document creation, modification or review (administrative signatures must be applied prior to claim submission)
  3. Multiple signatures on the same document
  4. Certificate must be validated at the time it is used (OCSP or CRL)
  5. Support for a validated delegation of rights assertion
  6. Signature and delegation of rights must travel with the document
  7. Signature bound to the signed document for the lifetime of the document
  8. Supports transition from unsigned to signed documents over time
  Example: multiple signatures in a PDF document (decoupled from transport)
Provider with Signed Documents (diagram): a document with embedded signature and delegation
  - The document itself is accepted and stored by all receivers, regardless of AoR support
  - The signature and delegation are only accepted by systems with AoR support
  - A system without AoR support may drop only the signature and delegation, or error on the entire transaction
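The receipt-side decisions above (certificate validated at time of use via OCSP or CRL, delegation assertion validated, and the drop-or-error choice for receivers without AoR support) can be made explicit in code. The example below is added here and is not from the esMD deck or the HL7/S&I implementation guides; it models the certificate, CRL and signature artifact with simplified dataclasses instead of real X.509/XAdES parsing, and takes the cryptographic signature check and the delegation check as booleans supplied by upstream steps, since the deck does not prescribe a library for either. All names, dates and serial numbers are constructed.

```python
"""Receipt-side validation policy for a signed CDA (added example, simplified model)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


@dataclass(frozen=True)
class Certificate:
    """Stand-in for the X.509v3 signing certificate fields we need."""
    serial: str
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevocationList:
    """Stand-in for a CRL: when it was issued and which serials it revokes."""
    issued_at: datetime
    revoked: dict  # serial -> datetime at which the certificate was revoked


@dataclass(frozen=True)
class SignatureArtifact:
    """What a receiver extracts from a document's signatureText (assumed shape)."""
    signer_cert: Certificate
    signing_time: datetime
    crypto_valid: bool      # result of verifying the signature bytes (done upstream)
    delegation_valid: bool  # result of validating the delegation-of-rights assertion


class Outcome(Enum):
    ACCEPT = "accept document with signature and delegation"
    STRIP = "accept document, drop signature and delegation"
    REJECT = "error on entire transaction"


def certificate_valid_at(cert, when, crl):
    """Time-of-use check: inside the validity window, revocation data fresh
    enough to cover the signing time, and not revoked at that time."""
    if not (cert.not_before <= when <= cert.not_after):
        return False, "certificate outside its validity window at signing time"
    if crl.issued_at < when:
        # A CRL issued before the signing time says nothing about later revocations.
        return False, "revocation data predates signing time; status unknown"
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= when:
        return False, "certificate revoked before signing time"
    return True, "certificate valid at signing time"


def validate_on_receipt(artifact, crl, aor_supported, reject_when_unsupported=False):
    """Decide what the receiving system does with a signed document."""
    if not aor_supported:
        # Deck: a non-AoR receiver may drop the artifacts or error on the transaction.
        outcome = Outcome.REJECT if reject_when_unsupported else Outcome.STRIP
        return outcome, "receiver has no AoR support"
    if not artifact.crypto_valid:
        return Outcome.REJECT, "signature does not verify over the document digest"
    ok, reason = certificate_valid_at(artifact.signer_cert, artifact.signing_time, crl)
    if not ok:
        return Outcome.REJECT, reason
    if not artifact.delegation_valid:
        return Outcome.REJECT, "delegation of rights assertion failed validation"
    return Outcome.ACCEPT, "signature, certificate and delegation validated"


# Constructed sample data (not real certificates or providers).
UTC = timezone.utc
GOOD_CERT = Certificate("1001", "CN=Example Provider",
                        datetime(2012, 1, 1, tzinfo=UTC), datetime(2014, 1, 1, tzinfo=UTC))
REVOKED_CERT = Certificate("1002", "CN=Former Staff",
                           datetime(2012, 1, 1, tzinfo=UTC), datetime(2014, 1, 1, tzinfo=UTC))
SIGNING_TIME = datetime(2013, 1, 8, 12, 0, tzinfo=UTC)
FRESH_CRL = RevocationList(datetime(2013, 2, 1, tzinfo=UTC),
                           {"1002": datetime(2012, 12, 1, tzinfo=UTC)})
STALE_CRL = RevocationList(datetime(2012, 11, 1, tzinfo=UTC), {})


def sample_artifact(cert, crypto_valid=True, delegation_valid=True):
    return SignatureArtifact(cert, SIGNING_TIME, crypto_valid, delegation_valid)


if __name__ == "__main__":
    for label, art, crl, aor in [
        ("good signer, fresh CRL, AoR receiver", sample_artifact(GOOD_CERT), FRESH_CRL, True),
        ("revoked signer", sample_artifact(REVOKED_CERT), FRESH_CRL, True),
        ("stale CRL", sample_artifact(GOOD_CERT), STALE_CRL, True),
        ("receiver without AoR support", sample_artifact(GOOD_CERT), FRESH_CRL, False),
    ]:
        outcome, reason = validate_on_receipt(art, crl, aor)
        print(f"{label}: {outcome.value} ({reason})")
```

A certificate revoked after the signing time still passes `certificate_valid_at`; whether a receiver should honour that depends on having trustworthy evidence of when signing occurred, which is exactly the role the deck assigns to the document time stamp and the OCSP response.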
Signature on CDA
  Solution: add signatureText to the Participation occurrences for legalAuthenticator and authenticator in the CDA Header to hold the Digital Signature and Delegation of Rights Assertion artifacts, and exclude these Participation occurrences from the calculated digest.
  Diagram: a structured-body CDA document (Header with Authenticators and Digital Signatures; Structured Body of sections, each with Text and Entries) and an unstructured-body CDA document (Header with Authenticators and Digital Signatures; Unstructured Body, e.g. PDF).
Implications of Digital Signatures
  - Once signed, the content may not be altered without voiding the Digital Signatures
  - Digital Signatures will not work on anything whose structure will be altered
  - Individual contributions must be addressed; this can be done through a combination of author participation declaration, signature role, and signature purpose
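The two slides above rest on one mechanism: the digest covers everything in the document except the legalAuthenticator and authenticator participations, so a signer (or a later co-signer) can write signatureText into the header without changing the value already signed, while any change to the body voids every signature. The following example is added here and is not from the esMD deck or the HL7 IG (which defines its own digest method and XAdES artifacts); it assumes a hand-built minimal CDA, SHA-256 as the digest algorithm, Python's standard-library C14N 2.0 canonicalization, and a signatureText child element as the artifact holder. The actual signing of the digest is out of scope, so the artifact values are labelled placeholders.

```python
"""CDA digest that excludes the signature-bearing participations (added example)."""
import copy
import hashlib
import xml.etree.ElementTree as ET

CDA_NS = "urn:hl7-org:v3"
NS = {"hl7": CDA_NS}

# Participations that will carry signatureText; excluded from the digest so
# that writing a signature (or a second signer's signature) into the header
# does not change the value the signature covers.
EXCLUDED_PARTICIPATIONS = ("legalAuthenticator", "authenticator")

# Constructed sample document (not a real clinical record).
SAMPLE_CDA = f"""<ClinicalDocument xmlns="{CDA_NS}">
  <id root="2.16.840.1.113883.19.5" extension="EXAMPLE-DOC-1"/>
  <title>Progress Note</title>
  <legalAuthenticator>
    <time value="20130108120000"/>
    <signatureCode code="S"/>
    <assignedEntity><id extension="DR-EXAMPLE"/></assignedEntity>
  </legalAuthenticator>
  <authenticator>
    <time value="20130108121500"/>
    <signatureCode code="S"/>
    <assignedEntity><id extension="COSIGNER-EXAMPLE"/></assignedEntity>
  </authenticator>
  <component><structuredBody><component><section>
    <title>Assessment</title>
    <text>Patient stable. Continue current medications.</text>
  </section></component></structuredBody></component>
</ClinicalDocument>"""


def strip_signature_participations(root):
    """Deep-copy the tree and remove every excluded participation subtree."""
    excluded_tags = {f"{{{CDA_NS}}}{name}" for name in EXCLUDED_PARTICIPATIONS}
    pruned = copy.deepcopy(root)
    # Materialize the traversal first; removing children while iterating is unsafe.
    for parent in list(pruned.iter()):
        for child in list(parent):
            if child.tag in excluded_tags:
                parent.remove(child)
    return pruned


def cda_digest(xml_text):
    """SHA-256 over the canonical form of the document minus the excluded
    participations (assumed digest method; the IG defines the real one)."""
    pruned = strip_signature_participations(ET.fromstring(xml_text))
    canonical = ET.canonicalize(ET.tostring(pruned, encoding="unicode"),
                                strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def add_signature_text(xml_text, participation, artifact):
    """Store a signature artifact in the signatureText of the first matching
    participation and return the updated document text."""
    root = ET.fromstring(xml_text)
    node = root.find(f"hl7:{participation}", NS)
    if node is None:
        raise ValueError(f"document has no {participation} participation")
    sig = ET.SubElement(node, f"{{{CDA_NS}}}signatureText")
    sig.text = artifact
    return ET.tostring(root, encoding="unicode")


def digest_matches(xml_text, expected_digest):
    """Receipt-side integrity check: recompute the digest and compare."""
    return cda_digest(xml_text) == expected_digest


if __name__ == "__main__":
    reference = cda_digest(SAMPLE_CDA)
    signed = add_signature_text(SAMPLE_CDA, "legalAuthenticator", "SIG-PLACEHOLDER-1")
    cosigned = add_signature_text(signed, "authenticator", "SIG-PLACEHOLDER-2")
    print("digest unchanged after two signers:", digest_matches(cosigned, reference))
    tampered = cosigned.replace("Patient stable", "Patient unstable")
    print("body alteration detected:", not digest_matches(tampered, reference))
```

Because the excluded participations are pruned from a copy before canonicalization, a legal authenticator and a co-signing authenticator can each add their artifact in turn and both signatures remain over the same digest; any edit to the body, or to any header element outside those participations, changes the digest and voids them all, which is the behaviour the "Implications" slide describes.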
CDA Digital Signatures
C-CDA R2/R1.1 Document Templates
  1. Continuity of Care Document
  2. History and Physical
  3. Consult Note
  4. Discharge Summary
  5. Diagnostic Imaging Report
  6. Procedure Note
  7. Operative Note
  8. Progress Note
  9. Unstructured Document
  10. Care Plan (new)
  11. Referral Note (new)
  12. Transfer Summary (new)
  Note: Document Templates 1-8 were updated in R2
  Template counts:
    C-CDA R2: 12 Document Templates, 79 Templates, 108 Entry Templates, 1 PDF Document
    C-CDA R1.1: 9 Document Templates, 60 Templates, 66 Entry Templates, 1 PDF Document
    CDA R2: ~110 Templates, ~200 Entry Templates, 17 PDF Documents
C-CDA R2 Additional Attachment Templates
  1. Complete Encounter
  2. Complete Hospitalization
  3. Complete Operative Note
  4. Complete Procedure Note
  5. Time Boxed
  New: 5 Document Templates, 4 Templates, 4 Modified Templates, 8 Entry Templates
CDA Digital Signatures
Document
  Encounter documentation is collected via EHR forms and templates and stored in the EHR database.
  Diagram: EHR Forms/Templates (History and Physical, Vital Signs, Orders / Treatment, Visit Summary) and the EHR Database (textual reports, demographics) feed a CDA Document consisting of a Header (Authenticators and Digital Signatures) and a Structured Body with sections (History of Present Illness, Vital Signs, Lab Orders/Results, Allergies, Medications), each holding Text and Entries.
Create CDA
  Prior to, or at the time of, signing, create the CDA:
  1) May be structured (e.g. Operative Note) or unstructured
  2) CDA sections and entries are populated, or use the appropriate nullFlavor
  (Diagram: the same EHR forms/templates, EHR database and CDA document layout as on the previous slide.)
Sign CDA
  Diagram: the Signing Module authenticates the signer, computes the digest, and writes the signature into the CDA header (Authenticators and Digital Signatures); it draws on Universal Time and long-term validation inputs. The EHR forms/templates, EHR database and CDA document layout are as on the previous slides.
  Notes:
  1) The signer may authenticate once and then review/sign multiple documents in one session
  2) Authentication is via two acceptable factors -- something you know, something you hold, something you are (e.g. biometric), etc.
Physician Experience
Provider Setup for Digital Signatures
  1) The individual provider supplies IDs and other information as part of credentialing, or to a standalone Registration Authority (RA)
  2) The RA verifies the credentials
  3) The Certificate Authority (CA) receives the provider's information from the RA
  4) The CA issues access information (e.g. a hard token) to the individual provider
  5) The CA issues an encrypted key to the signing application key store
  (Diagram actors: Provider, Registration Authority, Certificate Authority, Provider Signing Application; steps 1-5 are shown as flows between them.)
Signing Process
  1) C-CDA is created for the activity to be signed (by the system or on demand)
  2) Signer views the list of documents (C-CDAs) to be signed
  3) Signer reviews the documents and indicates they are ready for signature and, where appropriate, the role and signature purpose (most likely defaulted based on the signer)
  4) Signer authenticates to the Signing Application
  5) Signer signs the list of all reviewed and accepted documents
  (Diagram: EHR forms/templates and EHR database feed the CDA document (Header, Structured Body, Digital Signatures); steps 1-5 are shown against the Provider Signing Application.)

  Signing worklist shown in the diagram:

  Patient          Visit Date   Document        Role   Purpose               Rev   Ready
  James, Sandy     8/15/2013    Complete CDA    MD     Legal Authenticator   X     X
  Stanford, John   8/14/2013    Procedure CDA   MD     Legal Authenticator
  Stanford, John   8/15/2013    Complete CDA    MD     Co-Signer             X     X
  [Sign selected documents...]
HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1
HL7 Digital Signature IG defines:
  - Use of signatureText to store Digital Signatures
  - Use of Digital Signatures and Delegation of Rights on a CDA
  - Method to calculate the digest
  - Digital Signature artifacts
  - Delegation of Rights artifacts
  - Role and Signature Purpose
  - Validation of signatures
  - Text representation of signatures
S&I Digital Signature IG
S&I Digital Signature IG
  - X.509 v3 signing certificate requirements
    - Identity proofing
    - Certificate issuance and management
    - Certificate content
  - Signing attestation and artifacts
    - Use of Author Participation
    - Use of Participant
    - Use of Digital Signature Role
    - Use of Digital Signature Signature Purpose
    - Specific XAdES-X-L element content
  - Delegation of Rights
    - Appropriate use
    - Validation