Health agency ready for digital IDs

HHS to verify electronic documents' authenticity.

Department of Health and Human Services officials will be able to approve all official correspondence and regulations with digital signatures by this fall, a National Institutes of Health official said.

Digital signatures, which are electronic tamper-evident seals that show whether a file has been modified since it was signed, are one benefit of a new electronic records management system that NIH will start using this summer. After NIH officials test the System for Enterprise Records and Correspondence Handling (SERCH), HHS officials intend to deploy it departmentwide on a voluntary basis, said Star Kline, NIH's information systems manager.

SERCH supports HHS Secretary Michael Leavitt's goal to move the government into the Digital Age. When he was governor, Utah became the first state to pass legislation recognizing digital signatures as a legal means to authenticate electronic communications. HHS would be one of the first civilian departments in the federal government to use digital signatures on all official letters.

The Defense Department has already issued more than 5 million smart cards with digital signature capabilities.

Experts predict that most federal civilian agencies will use digitally stamped, encrypted autographs in the next two years. Advances in workflow management systems such as SERCH and homeland security policies will make digital signatures ubiquitous in government. Agencies will profit from cost-savings, time efficiency and greater accountability.

Additionally, digital signatures help federal officials adhere to government rules to reduce paperwork by eliminating printing, scanning and copying fees. Because the signatures travel through cyberspace, multiple parties can instantly approve documents from any location without waiting for them to arrive in the mail. A digital signature's cryptography makes any alteration of the signed message detectable, preventing forgeries and increasing integrity.

Kline said SERCH's digital signature is a numeric code accompanied by a representation of the individual's autograph.

Digital signatures should not be confused with electronic signatures. The latter are digital illustrations of handwriting, not something cryptographically stamped. Some government officials use e-signatures for bulk endorsements.

Kline said the main reasons for transitioning to digital signatures are saving time and meeting legal requirements. "You can ensure who exactly signed the document and exactly when," she said.

NIH and HHS attorneys have reviewed SERCH's digital signature process to ensure that signed documents are trustworthy enough to hold up as evidence in court. For example, tobacco litigation has a need for secure signatures.

Several HHS agencies have already opted in, including the Health Resources and Services Administration, the Agency for Healthcare Research and Quality, the Centers for Medicare and Medicaid Services, the Indian Health Service, and the Substance Abuse and Mental Health Services Administration.

NIH and HHS officials signed a five-year contract for SERCH at an initial cost of $2.45 million. The cost for other HHS agencies to opt in will be lower because the software license is already paid for.

SERCH is based on several products, including Adobe software for digital signatures. Kline said she chose Adobe because the company's free Reader eliminates the cost of installing viewer software on each computer.

Experts say HHS' PIN-accessible digital signatures are not as fortified as federal identification technology that will be available in the next few years, but they have advantages.

Under new governmentwide smart card specifications, known as Federal Information Processing Standard (FIPS) 201, the majority of federal employees will have a smart card token capable of inserting a digital signature with minimal extra cost.

William Burr, manager of NIST's Security Technology Group, said any form of digital signature is more credible than a computerized autograph or a handmade scribble.

"Digital signatures are the strongest form of electronic signatures," he said. "They are cryptographic ... so technical attacks against them are very difficult. ... It's a self-authenticating record."

Burr added that PIN-accessible signatures, while less airtight, allow employees to authenticate documents from home or on the go, without smart card readers.

Ben Jun, vice president of Cryptography Research, a data security firm, said HHS is particularly well-positioned to test digital signatures.

"They've had a 10-year head start on thinking about how to move their paper processes into the electronic world" because of Health Insurance Portability and Accountability Act transaction regulations, he said.

Jun predicts that most federal agencies will adopt digital signatures in stages. First, public outreach organizations, such as the Government Printing Office and the Internal Revenue Service, might broadcast digital signatures on documents they release daily. Then agencies will sign off on financial transactions digitally. Finally, government officials will approve digital signatures for use in e-mail messages.

The inner workings of SERCH

The System for Enterprise Records and Correspondence Handling (SERCH) will play a major role in enabling Department of Health and Human Services officials to use digital signatures to verify the validity of electronic documents.

The signature process does not use smart cards now, but it will. Currently, when a document is ready for a signature, it is sent to the employee via secure SERCH workflow software. The process does not rely on insecure e-mail.

The employee then drags an icon of his or her signature to the signature line. Once that image is in place, the employee saves the file and types in a user name and password to obtain a public-key infrastructure digital certificate.

The request and authorization travel back and forth securely via the Internet, similar to the way credit card approval works for online purchases. Once the person's identity is confirmed, the computer marks the document with the digital signature.

— Aliya Sternstein
