Virginia Beach: Pretty good health privacy

By Brian
05:27 PM

When sharing health information, government agencies must abide by rules established under the Health Insurance Portability and Accountability Act (HIPAA), which does not allow such information to be transmitted unprotected via public networks.

That seems like a simple rule, but schemes that provide secure sharing, such as public-key infrastructure and Pretty Good Privacy, are complex to create and maintain, and they require the use of trusted third parties to provide the necessary keys.

If the chain that includes those keys is lost, the whole process must be redone.

Even direct encryption can be complicated. All potential senders and recipients of the information must have special software on their computers.

Furthermore, direct encryption is good for one-to-one communication, but it doesn’t work well in the kinds of highly collaborative environments that exist at government agencies.

Officials in Virginia Beach, Va., faced those issues when they started exploring secure ways to exchange health information with their partners.

Their solution is the appropriately named Secure Messaging Application (SMA), which was developed in summer 2007.

“In the past, we used to share information by fax or through the mail, or people would come to the office and pick it up,” said Mick Vollmer, information technology architect at the Virginia Beach Communications and IT Department.

“When the Internet arrived, we obviously saw it as a cool thing,” he said. “Now if a provider calls for information about a particular customer, we can provide that as a PDF through e-mail.”

Secure, compliant and simple
The challenge is sending files securely in a way that meets HIPAA standards and is intuitive for employees to use, Vollmer said.

SMA’s simplicity lies in its role as a transport mechanism for messages rather than an e-mail system. Messages are hosted on a Virginia Beach government server and therefore never leave the government’s infrastructure unencrypted.

Plus, all activities rely on Internet-standard Secure Sockets Layer security and a virtual private network connection, so everything that happens during an SMA conversation is encrypted.

With SMA, users have control over what happens to the information they receive. They can choose to delete messages immediately after reading them or leave them on the server for the system to delete after a specified time.

That’s a significant advantage over a standard e-mail system, which typically backs up and archives messages automatically. SMA’s approach protects it from malicious attacks and from e-discovery and Freedom of Information Act requests that target e-mail content.

“We wanted to make sure that people understood that this is not a regular e-mail system,” Vollmer said. “The information it carries won’t be kept in perpetuity.”

However, the approach can create some initial problems for users because the system is not intuitive and its functionality is not the same as a regular e-mail system even though it resembles one, he said.

For example, users can’t forward messages via SMA because doing so would pose a risk that the information could fall into the wrong hands, and that’s a chance Virginia Beach officials didn’t want to take, Vollmer said.

Virginia Beach’s path to SMA
Before creating SMA, Virginia Beach officials evaluated commercial systems but quickly realized that they had a lot of drawbacks. Nothing was designed to provide the simple and secure messaging that the city government was seeking.

Also, the commercial solutions were mostly client/server based, with all of the complexities and ongoing maintenance involved in those systems.

Plus, the licensing models were user- or message-based. City officials anticipated eventually registering thousands of users but didn’t know the exact number and therefore had no way to predict future costs.

SMA seems to have provided Virginia Beach with the best of both worlds. It is the simple and secure messaging system officials were looking for, and it was inexpensive compared with the alternatives. Consulting fees plus city employees’ time cost $50,000, while it would have cost $200,000 or more to buy and implement a commercial solution.

As a homegrown product, SMA needed no additional investment by the government. SMA runs on computer systems the city already had in place. It’s based on Microsoft’s .NET Web application development software and uses Microsoft SQL Server for the back-end database.

However, SMA’s ultimate success has not been determined because it will take some time for government employees and outside users to become familiar with it. Vollmer said there were just 40 active accounts as of mid-February, but that might not give an accurate picture because his office doesn’t track how many people have accessed the system in any given time period.

“It’s definitely a culture change,” he said.

Law enforcement potential
SMA’s reputation is already prompting other government agencies to give it a closer look. For example, police department officials think it could help them in several areas, perhaps by providing a way to securely interact with local pawnshop owners and supporting anonymous crime tip lines.

It’s also a possible channel for fraud and abuse alerts and citizen complaints.

Other state and local governments will be able to profit immediately from SMA’s development because Virginia Beach officials are offering it free to anyone who requests it. It comes on a CD with the source code and all necessary documentation. However, the city doesn’t provide technical support or allow SMA to be used for commercial purposes.

“We’ve already had other cities come to get [the CD], and we’ve had expressions of interest from several others,” Vollmer said. “We just ask that if they expand on its use in any way that they share that with others.”