Innovations in Digital Signature: Rethinking Digital Signatures

Agenda
- Rethinking the digital signature
  - Benefits
  - Implementation and cost issues
- A new implementation model
  - Network-attached signature appliance
  - Improvements and benefits
- The AR CoSign product
  - Product features and architecture
  - Product walk-through

Perspective for Analysis
- Discussing the benefits of using a digital signature to accomplish an electronic signature purpose
- Take an enterprise perspective
  - Signers are part of the workforce or affiliated individuals
  - The enterprise maintains the signature applications
  - The enterprise is the primary party relying on the signature

Terminology: Electronic Signature is Defined by Law
- Authoritative legal reference: US Public Law 106-229, Electronic Signatures in Global and National Commerce Act (E-SIGN)
- Is technology neutral
  - Legal requirements can be achieved using a number of methods for recording and retaining an electronic signature
- Digital signatures are a safe harbor under E-SIGN

Terminology: Digital Signature is Defined by Technology Standards
- Relies on cryptography
  - In particular, the digital signature is an encrypted hash of the electronic record, produced using the signer's private signature key
- There are a number of normative and consistent standards, including:
  - FIPS 186-2 (government)
  - X9.31 and X9.62 (financial services)
  - ASTM E1762 and E2084 (healthcare)
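As an added illustration of the definition above (this is example code written for this page, not code from the deck or from AR), the following Go program hashes a constructed clinical order with SHA-256, signs the digest with an ECDSA private key, and verifies it with the matching public key. ECDSA is the algorithm standardized in X9.62 and FIPS 186; note that the deck's "encrypted hash" wording describes RSA literally, while ECDSA signs the digest rather than encrypting it. The function names SignRecord, VerifyRecord and Demo are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignRecord hashes the electronic record with SHA-256 and signs the digest with
// the signer's private ECDSA key (the algorithm family of X9.62 / FIPS 186).
// The record itself is not changed; the signature is a separate value kept with it.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyRecord recomputes the digest and checks the signature with the signer's
// public key. Any relying party holding that key can do this without the
// signer's cooperation, which is what "independent verifiability" means.
func VerifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo generates a key pair, signs a constructed clinical order, and reports
// whether the signature verifies on the original record and on a record where
// one field was altered after signing. Expected result: (true, false).
func Demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample record; in practice this would be the order as stored.
	record := []byte("ORDER 4711: amoxicillin 500 mg PO TID x 10 days")
	sig, err := SignRecord(priv, record)
	if err != nil {
		return false, false, err
	}
	// Tamper with the duration after signing; the digest no longer matches.
	altered := bytes.Replace(record, []byte("10 days"), []byte("20 days"), 1)
	return VerifyRecord(&priv.PublicKey, record, sig),
		VerifyRecord(&priv.PublicKey, altered, sig), nil
}

func main() {
	ok, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, altered verifies: %v\n", ok, tampered)
}
```

The second verification fails because the digest of the altered record differs from the one that was signed; this is the "persistence" property the deck lists later: the signature binds the exact bytes that were approved.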
Why Consider Electronic Signature
- Reduce cost
  - Significant paper cost associated with collecting, retaining, transmitting, and recovering signatures
  - New regulations emphasize better documentation and record authentication
- Support re-engineering
  - Paper and handwritten signatures resist successful re-engineering: latency and discontinuity due to the need to bring paper to the signer
  - Enable signature collection and retention within the application process itself
  - Improve signature compliance results
- Ensure compliance
  - CPOE will require signature at order entry
  - DEA signature requirements
  - Electronic medical records

Current E-Sign Practice: A Computer Code (or PIN Number)
- Current practice utilizes a practitioner computer code
  - The signer is requested to enter a pre-assigned code
  - Entry of the computer code is used as indication of the signing intention
  - There is no signature representation maintained within the application
- Validity
  - Accepted as compliant for regulatory signature requirements
  - Approved for most state requirements for medical practice, medical record, and medical order signatures
  - Accepted by JCAHO

Current Practice Leads to a Dead End

Current Practice Leads to a Dead End
- Limited support for liability defense
  - Asserting the signature effectively requires demonstration of the totality of the security of the system creating the signature
- Provides weak non-repudiation
  - Difficult to defend a disputed signature without the signer's corroboration

Current Practice Leads to a Dead End
- Unlikely to meet future regulatory requirements
  - DEA rules: electronic prescription of scheduled drugs (narcotics); DEA requirements will impact implementation for any sort of electronic prescription application
  - Future HIPAA standard: Congressional mandate includes a requirement for signatures which are transportable
  - FDA: very costly approach to FDA 21 CFR Part 11 compliance
- Encourages continued reliance on paper and handwritten signatures
  - Workflow and document management improvements will require a different approach
Why Consider Digital Signatures

Moving Past Misconceptions
- "Digital signature requires a full-blown PKI"
  - Mostly a red herring
  - Not necessary for digital signatures in an enterprise environment where the enterprise is the primary relying party
    - The enterprise can already authenticate signers within its enterprise
    - Signature verification can be established through agreement based on the direct trust model
  - Most third parties act more as an auditor of enterprise procedure than as an independent relying party
    - They will trust the digital signature provided the enterprise meets certain standards

Moving Past Misconceptions
- "Cost of integrating with healthcare legacy apps"
  - Really a function of implementation
  - Historically overstated due to proprietary lock on tools
  - Patent expiration has resulted in a competitive tools market
  - Some vendors now support digital signatures natively
- "Cost of end user support"
  - Inexperience drives end user support
  - New products are making digital signature more transparent

Signature Keys
- Key for every signer
  - Every practitioner and support staff member who signs documents will need a signature key
  - Requires a security mechanism to ensure use of the signature key is restricted to its assigned party
  - Private key uniqueness and exclusive use are required as a matter of compliance with healthcare regulation
- Physical key deployment
  - Typically, signature keys are deployed to the end user workstation or other device (e.g. tablet or PDA)

Signature Keys
- Key protection assigned to the end user
  - Typically, end users are assigned responsibility to protect the token containing the signature key
  - Where keys are installed in software, key protection becomes a matter of workstation security and password management
  - Where keys are installed in hardware, key protection involves the end user maintaining physical possession

Challenges: Signature Key Protection
- Relying exclusively on the end user for signature security is unsound
  - Poor policy to assign technical responsibilities to those least able to implement them
  - Signature keys are always at risk when relying on end user discipline for device and password management
  - Particularly acute when dealing with community physicians
- "Reasonable and appropriate" is measured relative to the competence of the implementers
  - Limited non-repudiation where the security scheme depends upon end user diligence

Challenges: Signer Mobility
- Healthcare practitioners are mobile
  - Mobility requires the signature key be available for use at multiple workstations, devices, and locations
  - Increases the key management issues when signature keys must be deployed to each device from which a practitioner signs records
- Personal hardware tokens may not be the best answer
  - Signatures are needed even when the token has been left behind

Need for a Better Model
- Goal
  - A "sign once" approach for any document using a common signature mechanism
  - A better solution for key protection
    - Relieves individuals from the key protection burden
    - Minimizes key distribution requirements
- A fresh approach
  - Reconsider conventional wisdom regarding signature keys
  - Evaluate solutions in terms of stated, rather than assumed, regulatory, business and technical requirements
A New Model for Digital Signature Implementation: The Network Attached Signature Appliance

Goals
- Ensure all the desirable digital signature properties
- Minimize technical responsibilities assigned to end users
  - Preclude challenge to a signature on the basis that the end user failed to apply sufficient diligence
  - Make the cryptographic operations transparent to the user
- Guarantee signature key availability
  - Protect against key loss
  - Provide support for mobile users

Goals
- Increase key protections
  - Minimize dependency of key security upon end user behavior
  - Allow the enterprise to manage and certify signature key security
- Ease the requirements for application integration
  - Abstract signature functionality for integrators
  - Minimize configuration issues for use with multiple workstation operating systems and end user devices

Network Attached Signature Appliance
- Implement signature keys in a hardware crypto module (the appliance)
  - Only a single key copy is ever necessary
  - Ensures uniqueness of the signature key
- Store the appliance at the enterprise data center
  - Shifts key protection from the end user to the enterprise
  - Permits key protection to be consistent with enterprise policy

Network Attached Signature Appliance
- Access the appliance over the enterprise network
  - Signer authentication sets the user context for appliance use
  - Allows management of signature capability to leverage existing enterprise network security controls
- The signature key is invoked using a standard API
  - Mitigates integration issues
  - Permits the signature to be computed on the appliance rather than at the workstation or user device
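To make the appliance model on the two slides above concrete, here is an added Go sketch (written for this page; it is not AR's CoSign code and implies nothing about its internals). The Appliance type generates each signer's key internally and never exports it; an application authenticates the signer to establish a user context, sends only the SHA-256 digest of the record, and receives a signature computed on the appliance. Verification uses the exported public key alone, and a request with no authenticated session is refused. The password check is a labelled stand-in for the enterprise network authentication the deck refers to, and all names (Appliance, Enroll, Authenticate, Sign, PublicKey, Scenario) and sample data are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Appliance models the network-attached signature appliance: each signer's
// private key is generated inside it and is never exported. Applications send
// a digest over the network and get a signature back; the key stays put.
type Appliance struct {
	keys     map[string]*ecdsa.PrivateKey // signer -> the single key copy
	creds    map[string][32]byte          // signer -> SHA-256(password); stand-in for enterprise authentication
	sessions map[string]string            // session token -> authenticated signer
}

func NewAppliance() *Appliance {
	return &Appliance{
		keys:     map[string]*ecdsa.PrivateKey{},
		creds:    map[string][32]byte{},
		sessions: map[string]string{},
	}
}

// Enroll generates the signer's key pair inside the appliance. Nothing secret is
// returned, so no key ever has to be distributed to a workstation or token.
func (a *Appliance) Enroll(signer, password string) error {
	if _, exists := a.keys[signer]; exists {
		return errors.New("signer already enrolled")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[signer] = priv
	a.creds[signer] = sha256.Sum256([]byte(password))
	return nil
}

// Authenticate sets the user context. In the deck's model this leverages the
// enterprise's existing network authentication; the hashed-password check here
// is only a stand-in. The returned token is opaque to the application.
func (a *Appliance) Authenticate(signer, password string) (string, error) {
	want, ok := a.creds[signer]
	got := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return "", errors.New("authentication failed")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	a.sessions[token] = signer
	return token, nil
}

// Sign computes the signature on the appliance. Only the digest crosses the
// network, and the key is selected by the session's signer, so one
// practitioner's session can never produce another practitioner's signature.
func (a *Appliance) Sign(token string, digest []byte) ([]byte, error) {
	signer, ok := a.sessions[token]
	if !ok {
		return nil, errors.New("no authenticated session")
	}
	return ecdsa.SignASN1(rand.Reader, a.keys[signer], digest)
}

// PublicKey is the only key material the appliance hands out; relying parties
// use it to verify signatures without involving the appliance again.
func (a *Appliance) PublicKey(signer string) (*ecdsa.PublicKey, error) {
	priv, ok := a.keys[signer]
	if !ok {
		return nil, errors.New("unknown signer")
	}
	return &priv.PublicKey, nil
}

// Scenario: enroll a signer, let an application hash a constructed record
// locally and request a signature, verify it independently, then show that a
// request with no session is refused. Returns (verified, unauthenticatedRejected).
func Scenario() (bool, bool, error) {
	app := NewAppliance()
	const pw = "constructed-demo-password"
	if err := app.Enroll("dr.alice", pw); err != nil {
		return false, false, err
	}
	token, err := app.Authenticate("dr.alice", pw)
	if err != nil {
		return false, false, err
	}
	record := []byte("PROGRESS NOTE: patient stable, continue current plan") // constructed
	digest := sha256.Sum256(record) // the application hashes; the appliance signs
	sig, err := app.Sign(token, digest[:])
	if err != nil {
		return false, false, err
	}
	pub, _ := app.PublicKey("dr.alice")
	verified := ecdsa.VerifyASN1(pub, digest[:], sig)
	_, err = app.Sign("not-a-session", digest[:])
	return verified, err != nil, nil
}

func main() {
	v, rejected, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verified: %v, unauthenticated request rejected: %v\n", v, rejected)
}
```

Two design points the sketch makes visible: the application never needs a crypto library for the signature itself (it only hashes and marshals), and the assertion "the signer had exclusive control of the key" reduces to the appliance's key custody plus the strength of the authentication step, which is exactly the set of factors the deck later lists under non-repudiation strength.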
Is the Model Efficacious?
- Some digital signature properties are independent of the implementation choice for key storage and invocation
  - Any digital signature implementation can be expected to provide: uniqueness, transportability, persistence, independent verifiability
- The real question is about non-repudiation
  - Will users enter into non-repudiation agreements?
  - Can exclusive control of signer assertions be upheld?

Signer Acceptance
- Signer attestation agreements
  - Currently practitioners enter into an agreement prior to signature by computer code use
  - Effectively acts as a non-repudiation agreement
  - Legal requirement of electronic signatures for clinical orders in many states
  - Requirement of JCAHO IM standards when using electronic signatures with medical record entries
- The new model provides greater signer protections
  - Use of cryptographic keys versus a PIN
  - Actual signature representation versus reliance on enterprise enforcement of the application's business rules
- Practitioner buy-in to a non-repudiation agreement should be straightforward

Non-Repudiation Strength
- With this model, the strength of non-repudiation is a function of demonstrating the signer's exclusive control over the signature key
- A number of relevant security factors, and who is responsible for each:
  - Appliance security: NIST certification
  - Signer authentication: enterprise security administration
  - Network communications: enterprise security administration
  - End user interface: application design

The Value of Certification
- Under the new model, the appliance is responsible for key protection
- To assert a signature, the enterprise must be able to demonstrate that
  - Keys can't be removed from the appliance
  - Keys can't be tampered with without detection
- Further, the enterprise needs to demonstrate integrity when the appliance is subject to network attack or physical tampering

NIST Certification (FIPS 140)
- Certifies cryptographic modules at increasing levels of assurance
  - Level 1: only the correctness of basic crypto operations
  - Level 2: that there will be evidence of tampering
  - Level 3: that keys cannot be removed from the hardware
  - Level 4: that any unauthorized access, under any environmental condition, can be detected
Application Integration
- The appliance model simplifies integration
  - All digital signature operations are performed on a common network device (the appliance)
  - No need for crypto computation (digital signature) within the application
  - The application still needs to perform certain functions: organize the signature manifest, construct the UI for acquiring signer approval, marshal the signature parameters
- No need to upgrade the workstation or end user device to ensure suitable computing resources
  - Avoids poor performance of resource-limited PDAs when computing digital signatures
- The model leverages enterprise network authentication and privilege management
  - Signature becomes just another user resource

Standard API
- Standard programming interfaces for devices containing cryptographic keys
  - CAPI (Microsoft)
  - PKCS #11 (RSA): platform agnostic
- Both APIs abstract out the implementation details of the key store and cryptographic operations
  - Very general rules for the definition of providers allow a large degree of device independence: hardware or software tokens, local or network access

Standard API
- There are a number of competing CSP vendors
  - Software versions from Netscape, Microsoft, Sun
  - Hardware versions from Rainbow, Chrysalis, and AR
- The programmer uses the CSP by invoking the crypto objects and methods defined in the API
  - Leaving the enterprise to simply acquire the token and configure the end user devices

Cost Effectiveness
- Dramatically reduced end user support costs
  - No reliance on end user diligence for key protection
  - Reduces end user training and responsibilities
- Simplified PKI registration model
  - No need to distribute keys to end users
  - User identification and authentication (I&A) becomes part of network administration
- Digital signature is just another privilege
  - Can be managed in concert with other privileges
  - Keys reside at the enterprise data center
  - Signer authentication leverages existing network authentication