24 June 1999
Standards for Secure Exchange of Health Information
Highly secure information sharing is becoming more available to health service providers.
At the end of July, health providers will be able to choose to move to a more secure method of accessing information
from the National Health Index (NHI), via an internet protocol (IP) based service.
Ministry of Health Chief Advisor for Health Information Nick Manson said the New Zealand Health Information Service
(NZHIS) had spent 18 months formulating and testing the practicability of a bundle of technology standards to lay the
way for secure transmission of health information.
The NZHIS co-ordinates and maintains the National Health Information Systems including the NHI.
The standards have been tested in several pilot projects by a variety of health providers including hospitals, GPs and
Plunket, and is now ready for use by health professionals. A technical review by independent specialists found that the
proposed and tested standards are consistent with current world best practice.
Access to the service has been driven by a demand from Hospital and Health Services (HHS) for better information sharing
between professionals.
"There is considerable demand from the health sector to migrate to these standards," Mr Manson said.
"However, the pilots found that further consideration needs to be given to the development of applications, a means of
governance and associated processes to ensure compliance with the standards prior to their adoption by a health
organisation.
"For example, the process of identifying senders and recipients of electronic health messages (certification) needs to
be tailored to the structures and responsibilities of health organisations."
Mr Manson said the capacity to share information securely and privately was seen as paramount and a prerequisite for the
improved coordination of health service delivery.
In order to ensure continued progress, the following documents are being made available:
a brief background paper (attached)
a short discussion paper to seek comments from anyone who may be interested in the adoption of these standards;
(attached)
a report by Kaon Technologies Ltd that reviews the proposed standards. (this may be found on the NZHIS website -
www.nzhis.govt.nz).
Background Paper: Standards for Secure Exchange of Health Information
The Ministry of Health's New Zealand Health Information Service (NZHIS) has spent the last eighteen months formulating
and testing the practicability of a 'bundle' of technology standards (refer to attached document) to lay the way for
secure transmission of health information using internet protocols (IP).
The demand for investigating the migration to IP technology was originally driven by the Hospital and Health Services
(HHS). Subsequently, several HHS's, Independent Practitioner Associations and other health service providers were
involved in pilot projects to look at the issues related to this enhancement of health communications.
The upshot of this process is as follows:
· the proposed and piloted standards are consistent with current world best practice;
· there is considerable demand from the health sector to migrate to these standards;
· a governance body and processes need to be instituted to ensure compliance with the standards prior to their adoption
by a health organisation;
· there is scope for health information system developers to provide applications for health messaging;
· the process of identifying senders and recipients of electronic health messages (certification) needs to be tailored
to the structures and responsibilities of health organisations;
· the NZHIS will make available both the existing X25 and a secure IP based service for access to the National Health
Index (NHI) for interested health service organisations by the end of July 1999.
In order to ensure continued progress, the following documents are being made available:
· a short discussion paper to seek comments from anyone who may be interested in the adoption of these standards;
(attached)
· a report by Kaon Technologies Ltd that reviews the proposed standards.
(this may be found on the NZHIS website - www.nzhis.govt.nz/projects/kaonrep.html) Discussion Document
Secure Transmission of Health Messages: Standards for Using Internet Protocols (IP)
Audience : IPAs, HHS's Privacy Commissioner, Vendors, SSC, Media
The purpose of this document is to inform you of recent discussions between Government Health Agencies and to seek any
comments you may have.
In recent meetings between the Ministry of Health, New Zealand Health Information Service, Health Funding Authority and
the Accident Compensation & Rehabilitation Corporation the following principles were agreed:
there is a need for high security in the electronic transmission of health messages relating to individuals (eg. when
patients are referred from one clinician to another; when diagnostic results need to be shared between clinicians to
coordinate or consult on the provision of care; when a clinician makes a claim to a funder for a service provided;
etc.);
there will be benefits if this secure transmission is based on 'open' standards (i.e. standards available for anyone to
use and incorporate in their systems.) Please see attachment for a listing of the proposed standards;
it is important to accept that there may be cost implications with the implementation of these standards to ensure good
security for health messaging;
that the health sector/industry will need time to migrate to full adoption of these standards (up to 18 months may be
reasonable);
and that the standards referred to only constitute means for the secure electronic transmission of data and will need to
be balanced with commensurate development of health service staff and practices to ensure data security and privacy.
These statements have been made on the basis of extensive investigation, the trial of IP standards and technologies
within New Zealand (the Health Intranet Pilot: now completed) and with reference to international experience and
direction. A technical review of the standards has been completed and is available on the New Zealand Health Information
Service website (www.nzhis.govt.nz) for those who are interested.
It may be of interest that the approach and standards described above are consistent with the direction being developed
within other government agencies.
We are now seeking your comments or queries on this proposed direction. In particular we are interested in the level of
interest and support for your own organisation or in your role as a stakeholder in health information.
Your responses will be used not only to inform information service development within the central agencies, but they
will also be fed into the national health information strategy development process which has recently started and which
is expected to produce a document for consultation in the last quarter of 1999.
Appropriate Standards
The following is a list of recommended standards for use on the Health Intranet.
It should be noted that the standards shown are not product specific.
Means of Identifying Individuals & Organisations
Digital Certification
X.509v3 digital certificates with a minimum of 128 bit public keys.
Standards for Secure Email
Mail Extension
Secure Multipurpose Internet Mail Extensions (S/MIME) version 2 using X.509v3
digital certificates for email and signed documents issued by the NZHIS
authorised Certificate Authority.
Standards for Encoding/Encrypting Data
Encryption
RSA public key algorithm for key lengths of 128 bits or less
SHA-1 digest for hash number generation
Triple Des or 3 Des encryption for tunnel encryption
128 bit Secure Socket Layer version 3 with RSA
Standards for Interactive or Real Time Communication
World Wide Web and Hypertext Transmission
HTTP version 1.0
128 bit secure HTTP (HTTPS)
Java 1.1.3 compliant Java Virtual Machine
HTML version 2
Standard Smartcard
Smartcards
RSA PKCS 11
Standards to Protect Local Computers from Undesired Access
Firewall
ICSA Certification
These standards provide a core set of requirements.