Digital certificates, encryption, public and private keys…these are the names of the game and all the rage amongst security buffs and privacy analysts today. With HIPAA deadlines racing towards us, it comes as no surprise that we're a bit like a deer in the headlights of a Mack truck. On March 10, 2001, NCRIC Group will be holding the Technology Exposition 2001, which is the first conference dedicated solely to the information needs of physicians and practice administrators to support patient care.

According to NICRIC's website, "The Conference will help attendees evaluate computer-based patient record (CPR) systems and decide which system best suits their practice's needs. Caroline Samuels, M.D., a Medical Informaticist and the keynote speaker, will guide attendees through the maze of current CPR product offerings." In discussions with my fellow members at the Medical Society of Washington, D.C.'s High Tech Task Force, security and privacy have frequently been mentioned when discussion about CPR comes up. Undoubtedly, the aforementioned security buzzwords will receive plenty of airtime. But what do they mean? Here's a quick reference guide pulled from one of my favorite sites, www.whatis.com:

"A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. A certification authority such as Verisign issues digital certificates, although there are two healthcare-oriented certificates issued by the AMA/Intel consortium and the California Medical Association's MEDePass. Digital certificates contain your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encryption messages and digital signature), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Digital certificates can be kept in registries so that authentication users can look up other users' public keys."

"Encryption is the conversion of data into a form, called a ciphertext, which cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood." Simply put, encryption is the translation of data into a secret code. If you have no need to send secure messages or make certain that no one is forging your name when sending emails, then you don't need encryption. But if you're working in healthcare and you want to send another physician your thoughts on a specific patient, then encryption is probably a good idea.

In Martin Sargent's article on email encryption at www.zdnet.com, he states that the most popular email security technology is called public-key encryption. In this system, two mutually dependent algorithms, known as the public and private key, are used. As a result of online databases, your public key is available to anybody, but you keep your private key strictly to yourself. When you want to send a secure message to another physician, you use your copy of your colleague's public key to encrypt the message. When your colleague receives the scrambled message, she uses her private key to decipher it. Without the private key, the code can't be cracked. The public and private keys are really two halves of a whole, and that whole is referred to as a Digital ID.

Many companies have launched products and services aimed at the healthcare arena. One such site, www.salu.net, offers an array of services for specialists and appears to be establishing itself as a strong competitor to WebMD, minus the medical content.. One of their services, Medical Messenging, provides medical offices with secure email for communication amongst themselves and their patients. Although not a direct competitor to Salu.net, Hush Communications (www.hush.com) specializes in web-based encrypted email solutions and may be of more interest to hospitals and other large patient care centers.

Basically, there are two types of access to email. One is through an email program such as Netscape Messenger, Eudora Pro or Microsoft Outlook. Another mechanism for accessing email is a web browser that accesses a website that has web-based email, such as Hotmail.com, Bigfoot.com or Yahoo.com. Unlike these three, however, Hush.com offers web-based email with 1024-bit encryption, which is considered unbreakable with current technology.

According to a press release On January 8th, 2001, Hush was awarded a United States Patent for its Public Key Cryptosystem with Roaming User Capability (http://www.delphion.com). By holding the patent, Hush is able to exclusively offer the most sophisticated and easy to use encryption solution on the market. Specifically, it allows Hush to administer and manage the encrypted version of its customers' private keys, but without the capability to access or decrypt those keys.

This announcement comes just after Hush announced the launch of HushMail Private Label, which enables customers to easily outsource email infrastructure and operations, generate additional site traffic and revenue, and ensures indiscriminate hackers cannot access end user accounts.

HushMail Private Label is designed to help healthcare professionals and insurance firms provide electronic security to their networks and communications as they prepare for new government legislation that will require them to provide electronic security to their networks and communications. This legislation requires that security be in place no later than October 2002 in order to comply with HIPAA. In accordance with the HIPAA, this service offers digital signatures as a standard feature of its products.

Using digital signatures, e-mail generators can electronically sign their message so the recipient can authenticate it as being sent by the person it purports to come from. The digital signature also makes the message tamper proof to prevent it from being altered in transit.

"HushMail Private Label is an invaluable solution for the privacy-conscious medical community," said Jon Matonis, CEO of Hush Communications. "More importantly, the core technology behind the product can be integrated into almost any application. As many hospitals have developed highly customized networks, this technology can be accessed without disturbing those networks."

Although neither Salu.net, Hush Communications or WebMD are currently listed as vendors at NCRIC's Technology Exposition 2001, each of these firms offer a secure email product that has an inherently strong value proposition and is of great importance to the physician communication paradigm. It is unreasonable to believe that physicians won't use insecure email to discuss their patients and with secure email solutions such as those offered by Salu.net, Hush Communications and WebMD, physicians shouldn't have to.