Health agency ready for digital IDs

HHS to verify electronic documents' authenticity

Department of Health and Human Services officials will be able to approve all official correspondence and regulations with digital signatures by this fall, a National Institutes of Health official said.

Digital signatures, which are electronic tamperproof seals guaranteeing that a file has not been modified, are one benefit of a new electronic records management system that NIH will start using this summer. After NIH officials test the System for Enterprise Records and Correspondence Handling (SERCH), HHS officials intend to deploy it departmentwide on a voluntary basis, said Star Kline, NIH's information systems manager.

SERCH supports HHS Secretary Michael Leavitt's goal to move the government into the Digital Age. When he was governor, Utah became the first state to pass legislation recognizing digital signatures as a legal means to authenticate electronic communications. HHS would be one of the first civilian departments in the federal government to use digital signatures on all official letters.

The Defense Department has already issued more than 5 million smart cards with digital signature capabilities.

Experts predict that most federal civilian agencies will use digitally stamped, encrypted autographs in the next two years. Advances in workflow management systems such as SERCH and homeland security policies will make digital signatures ubiquitous in government. Agencies will profit from cost-savings, time efficiency and greater accountability.

Additionally, digital signatures help federal officials adhere to government rules to reduce paperwork by eliminating printing, scanning and copying fees. Because the signatures travel through cyberspace, multiple parties can instantly approve documents from any location without waiting for them to arrive in the mail. A digital signature's cryptography ensures that the message remains unaltered, preventing forgeries and increasing integrity.

Kline said SERCH's digital signature is a numeric code accompanied by a representation of the individual's autograph.

Digital signatures should not be confused with electronic signatures. The latter are digital illustrations of handwriting, not something cryptographically stamped. Some government officials use e-signatures for bulk endorsements.

Kline said the main reasons for transitioning to digital signatures are saving time and legal requirements. "You can ensure who exactly signed the document and exactly when," she said.

NIH and HHS attorneys have reviewed SERCH's digital signature process to ensure that signed documents are trustworthy enough to hold up as evidence in court. For example, tobacco litigation has a need for secure signatures.

Several HHS agencies have already opted in, including the Health Resources and Services Administration, the Agency for Healthcare Research and Quality, the Centers for Medicare and Medicaid Services, the Indian Health Service, and the Substance Abuse and Mental Health Services Administration.

NIH and HHS officials signed a five-year contract for SERCH at an initial cost of $2.45 million. The cost for other HHS agencies to opt in will be lower because the software license is already paid for.

SERCH is based on several products, including Adobe software for digital signatures. Kline said she chose Adobe because the company's free Reader eliminates the cost of installing viewer software on each computer.

Experts say HHS' PIN-accessible digital signatures are not as fortified as federal identification technology that will be available in the next few years, but they have advantages.

Under new governmentwide smart card specifications, known as Federal Information Processing Standard (FIPS) 201, the majority of federal employees will have a smart card token capable of inserting a digital signature with minimal extra cost.

William Burr, manager of NIST's Security Technology Group, said any form of digital signature is more credible than a computerized autograph or a handmade scribble.

"Digital signatures are the strongest form of electronic signatures," he said. "They are cryptographic ... so technical attacks against them are very difficult. ... It's a self-authenticating record."

Burr added that PIN-accessible signatures, while less airtight, allow employees to authenticate documents from home or on the go, without smart card readers.

Ben Jun, vice president of Cryptography Research, a data security firm, said HHS is particularly well-positioned to test digital signatures.

"They've had a 10-year head start on thinking about how to move their paper processes into the electronic world" because of Health Insurance Portability and Accountability Act transaction regulations, he said.

Jun predicts that most federal agencies will adopt digital signatures in stages. First, public outreach organizations, such as the Government Printing Office and the Internal Revenue Service, might broadcast digital signatures on documents they release daily. Then agencies will sign off on financial transactions digitally. Finally, government officials will approve digital signatures for use in e-mail messages.

The inner workings of SERCH

The System for Enterprise Records and Correspondence Handling (SERCH) will play a major role in enabling Department of Health and Human Services officials to use digital signatures to verify the validity of electronic documents.

The signature process does not use smart cards now, but it will. Currently, when a document is ready for a signature, it is sent to the employee via secure SERCH workflow software. The process does not rely on insecure e-mail.

The employee then drags an icon of his or her signature to the signature line. Once that image is in place, the employee saves the file and types in a user name and password to obtain a public-key infrastructure digital certificate.

The request and authorization travel back and forth securely via the Internet, similar to the way credit card approval works for online purchases. Once the person's identity is confirmed, the computer marks the document with the digital signature.

— Aliya Sternstein


  • IT Modernization
    shutterstock image By enzozo; photo ID: 319763930

    OMB provides key guidance for TMF proposals amid surge in submissions

    Deputy Federal CIO Maria Roat details what makes for a winning Technology Modernization Fund proposal as agencies continue to submit major IT projects for potential funding.

  • gears and money (zaozaa19/

    Worries from a Democrat about the Biden administration and federal procurement

    Steve Kelman is concerned that the push for more spending with small disadvantaged businesses will detract from the goal of getting the best deal for agencies and taxpayers.

Stay Connected