Prescription for PKI Success

Medepass beats HIPAA deadline by outsourcing.

If you build it, so the saying goes, they will come. But what if you lack the in-house expertise to build it in the first place? This was the dilemma facing Catherine Roth, CEO of Medepass Inc., a San Francisco company that was formed by the California Medical Association two years ago to verify the online identities of health care professionals and to serve as a certificate authority. Earlier this year, with the HIPAA (Health Insurance Portability and Accountability Act) deadline quickly approaching, Roth needed to find a way to deploy PKI (public-key infrastructure)—a technology organizations have struggled with for years—and she needed to do it within mere months.

In the end, Roth chose to outsource the generation of digital certificates to security vendor Certicom Corp., in Hayward, Calif. The move not only allowed Medepass to beat the HIPAA deadline of October 2002 but also saved the company time and millions of dollars in infrastructure deployment costs, Roth said.

"The PKI world believes in databases secured like bunkers, and, frankly, those are expensive to build and to maintain," Roth said. "Who needs that? Theres no reason for us to try to reinvent the wheel or try to do it ourselves when experts are available."

As more organizations move to embrace public-key cryptography to securely transmit documents to partners, suppliers and customers, experts say they will be faced with the multimillion-dollar question: Should PKI be done in-house or outsourced?

The benefits of outsourcing, experts say, are obvious. The complexity of establishing trust models for authentication, the difficulty in integrating with internal applications and the intricacy of managing digital certificates make outsourcing PKI attractive to organizations that lack the in-house expertise and the time to do it themselves. And as with many other managed infrastructure services, outsourcing also enables companies to save time, money and headaches associated with implementing and operating the infrastructure themselves.

"Theres more inclination toward outsourcing in part because the early adopters wanted to own PKI," said Vic Wheaton, an analyst at Gartner Inc., in San Jose, Calif. "Now, people are realizing PKI is hard. And even financial services organizations with the hubris and the pride-of-ownership issues have been leaning more toward the outsourcing model."

Just how tenuous has the deployment of PKI been? Gartner estimates that 80 percent of PKI projects are still in pilot mode. And International Data Corp. estimates that by 2004, two-thirds of PKI vendor revenue will stem from managed services rather than software.

The dilemma that Medepass faced is one many health care organizations share. HIPAA, which was passed in 1996, gives health care providers and insurers one year from Oct. 16 to put tighter locks on patient information. Part of the act requires the use of PKI to encrypt messages sent among physicians as well as provide proof of their licenses.

Much of the cost associated with PKI comes from having to build a highly secure data center from which to generate digital certificates. After all, if a certificate authority were to be compromised, unauthorized users could gain access to confidential patient information.

"Outsourcing PKI has a lot to do with skill sets," Gartners Wheaton said. "Building a secure data center, ensuring the security, managing it and even running the help desk associated with the generation of certificates are complex and time-consuming tasks."

Medepass decided that it was not cost-effective to build a secure data center internally because of costs associated with training, the purchasing of hardware and the time it would take to ensure the security of the data center. The company, instead, chose to outsource that function by subscribing to Certicoms MobileTrust services. MobileTrust provides certificate generation from within a secure bunker maintained and managed by the security vendor. Medepass also licensed Certicoms TrustPoint PKI Portal software, which serves as a registration authority, and operates it in-house.

Physicians must be referred by their colleagues before qualifying for a Medepass certificate. Once referred, a physician then must pass a strenuous online authentication process in which he or she answers a series of questions. Medepass checks the answers against Oracle Corp. 8i databases that hold medical licensing, education and work history information.

If a physician passes the authentication process, a request is generated and sent to the TrustPoint PKI Portal application running on servers located at Medepass. The portal approves the request and forwards it to the certificate authority in Certicoms secure data center. Certicom issues the certificate to Medepass, which stores information about the certificate in a Lightweight Directory Access Protocol directory before sending the certificate to the physician.

The certificates can be stored either on the physicians desktop or on hardware such as a Universal Serial Bus token. All transactions run over TCP/IP, and every message sent between the PKI portal run by Medepass and the certificate authority at Certicom is digitally signed and encrypted.

Already, a number of health care organizations across the nation have signed on to accept Medepass digital certificates. Using those certificates, physicians will be able to request patient documents and confidential information from insurers online. Last month, Medepass began issuing digital certificates to 4,000 physicians in California at a cost of $25 to $50 a certificate per year. While Certicom declined to reveal how much its Medepass contract is worth, Medepass executives said that, depending on volume, customers are charged anywhere from $2 to $25 per certificate for the MobileTrust services.

Partnering with Certicom also enables Medepass to roll out additional services that require PKI, such as wireless digital certificates. With the popularity of handheld devices among physicians, Medepass will also use Certicoms MobileTrust services to issue digital certificates for handheld devices and laptops beginning in the middle of next year.

"Were firm believers in PKI, and the health care industry needs to stop wondering if its the right technology and start figuring out how we can get it to work to the benefit of the patients," Roth said.