The Digital Signature Company
 
 
    Authenticated Document / Data Exchange (Dr. Mohammed Shaikh, California)
INTRODUCTION
Exchange of documents and data in commercial organizations is normally accomplished using traditional workflow methodologies. The successful implementation of workflow in these organizations is encouraging agencies that previously did not view these methodologies favorably, because the data and documents they exchange are considered confidential, restricted, and for use only by authorized users. The workflow in these organizations requires that each user be authenticated before accessing the document/data, and that signatures be obtained at each step because of the legal requirements associated with these processes. In addition, retaining the confidentiality of the document/data based on user authentication is of utmost concern. Recent advances in digital signature technology, and its use in replacing the traditional signature, have opened the possibility of creating a successful document/data exchange workflow for authenticated documents and data. Further, this approach could be extended to authenticate each user and their role to meet confidentiality and security requirements. Some of the processes that can be identified for authenticated document/data exchange are:
  • Document/data exchange associated with healthcare document requiring HIPAA compliance.
  • Judicial transactions like TRO’s (Temporary Restraining Order) etc.
  • Financial Disclosure Documents
  • Documents associated with Federal or State approval i.e. FDA, FAA etc.
  • Documents associated with sensitive national security matters used by Local, State, Federal and International government agencies.

In this paper we provide a brief introduction to digital certificate technology and its evolution, and then outline why forms-based workflow is critical to automating the workflows involved in most of the situations listed above. Next we consider the evolution of electronic filing and the workflow associated with electronic document/data exchange. Finally, we outline the new frontier that is taking shape, where identity management using digital certificates can be used to authenticate users and their roles, creating a paperless workflow that maintains the privacy and legal requirements essential to these processes.

EVOLUTION OF ELECTRONIC SIGNATURE AND DIGITAL AUTHENTICATION:

Some of the key events associated with adoption of Digital Certificate based electronic signature are listed below:
  • National Institute of Standards and Technology (NIST) established a federal digital signature standard (DSS) during the period 1991-94.
  • Many U.S. States established legal frameworks for digital signatures, most of them based on Utah's legislation (1995). See Biddle (1996) for a commentary on matters of concern about the Utah model, including privacy aspect.
  • On Oct. 1, 2000, the U.S. Electronic Signatures in Global and National Commerce Act went into effect. The so-called e-signature law allows for electronic signatures to be as legally binding as handwritten signatures.

In the next paragraphs we outline the significance of the legal precedent associated with signatures and the evolution of digitally authenticated documents.

SIGNATURES AND THE LAW

According to the ABA, “a signature is not part of the substance of a transaction, but rather of its representation or form”. A signature serves the following general purposes:

  • Evidence: Signatures authenticate a writing by identifying the signer with the signed document. A signature is a distinctive mark used by the signer that makes the writing attributable to the signer.
  • Approval: In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention that it has legal effect. A signature on a written document can impart a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document.

The formal requirements for legal transactions, including the need for signatures, vary in different legal systems, and with the passage of time. Sometimes it is necessary to use a Notary to authenticate the signer's signature on a paper.

To summarize the basic purposes of signatures outlined above, a signature must have the following attributes according to the ABA:

  • Signer Authentication: A signature should indicate the signer of the document, message or record, and should be difficult for another person to produce without authorization.
  • Document Authentication: A signature should identify what is signed, making it impracticable to falsify or alter either the signed matter or the signature without detection.

Digital signature technology generally surpasses paper technology in all these attributes. To understand why, one must first understand how digital signature technology works.

HOW DIGITAL SIGNATURE TECHNOLOGY WORKS

Use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature:
  • Digital signature creation uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key.
  • Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.
  • To sign a document or any other item of information, the signer first delimits precisely the borders of what is to be signed. The delimited information to be signed is termed the "message" in these Guidelines. Then a hash function in the signer's software computes a hash result unique (for all practical purposes) to the message. The signer's software then transforms the hash result into a digital signature using the signer's private key. The resulting digital signature is thus unique to both the message and the private key.

PUBLIC KEY CERTIFICATES

To verify a digital signature, the verifier must have access to the signer's public key and have assurance that it corresponds to the signer's private key. However, a public and private key pair has no intrinsic association with any person; it is simply a pair of numbers. Some convincing strategy is necessary to reliably associate a particular person or entity to the key pair.

In a transaction involving only two parties, each party can simply communicate (by a relatively secure "out-of-band" channel such as a courier or a secure voice telephone) the public key of the key pair each party will use. Such an identification strategy is no small task, especially when the parties are geographically distant from each other, normally communicate over a convenient but insecure channel such as the Internet, are not natural persons but rather corporations or similar artificial entities, and act through agents whose authority must be ascertained. As electronic commerce increasingly moves from a bilateral setting to the many-on-many architecture of the World Wide Web on the Internet, where significant transactions will occur among strangers who have no prior contractual relationship and will never deal with each other again, the problem of authentication/nonrepudiation becomes not merely one of efficiency, but also of reliability. An open system of communication such as the Internet needs a system of identity authentication to handle this scenario.

CHALLENGES AND OPPORTUNITIES

The prospect of fully implementing digital signatures in general commerce presents both benefits and costs. The costs consist mainly of:

  • Institutional overhead: The cost of establishing and utilizing certification authorities, repositories, and other important services, as well as assuring quality in the performance of their functions.
  • Subscriber and Relying Party Costs: A digital signer will require software, and will probably have to pay a certification authority some price to issue a certificate.
  • Hardware to secure the subscriber's private key: There may be a cost to the signer associated with securing the digital certificate.
  • Digital certificate verification cost: Persons relying on digital signatures will incur expenses for verification software and perhaps for access to certificates and certificate revocation lists (CRL) in a repository.
On the plus side, the principal advantage to be gained is more reliable authentication of messages. Digital signatures, if properly implemented and utilized, offer promising solutions to the problems of:
  • Identity theft: The possibility of identity theft is eliminated except in case of loss of digital certificate;
  • Imposters, by minimizing the risk of dealing with imposters or persons who attempt to escape responsibility by claiming to have been impersonated;
  • Message integrity, by minimizing the risk of undetected message tampering and forgery, and of false claims that a message was altered after it was sent;
  • Formal legal requirements, by strengthening the view that legal requirements of form, such as writing, signature, and an original document, are satisfied, since digital signatures are functionally on a par with, or superior to paper forms; and
  • Open systems, by retaining a high degree of information security, even for information sent over open, insecure, but inexpensive and widely used channels.

The most widely used standard for digital certificates is X.509.

FORMS RUN ORGANIZATIONS & ELECTRONIC FORMS MAKE IT SIMPLE AND PAPERLESS

From courts to healthcare, from manufacturing to financial institutions, everyone uses forms. But the sheer mass of paper generated by excess printing and the lack of error protection inherent in a paper-based form workflow make it costly and impractical.

Electronic forms such as XForms and InfoPath were created to solve these problems and eliminate the cost and inefficiencies associated with paper forms.
Using paper forms invites disorder, filing mistakes, damage, loss, waste, and other complications. To solve these problems, organizations could format their documents into HTML for publication on the web, but this is a costly and time-consuming process. What's more, the user remains unable to submit documents directly to the recipient from the computer screen, but instead can only print them out to mail or fax, resorting again to paper and all of its attendant costs. Most organizations use forms to collect data from customers, employees, vendors, and contractors. Forms contain information that needs to be processed, secured, and acted upon for a variety of purposes. To be effective, forms-based processes should be flexible enough to meet an organization's needs. They should be efficient in getting input and approval from everyone involved, and equipped to allow collaboration among several people or departments. Approval and validation of forms by multiple authorities is an important part of the workflow used by a number of organizations. The data exchange needed between forms and line-of-business applications has resulted in the development of XML schemas that have become standards for different industries. In the following paragraphs we outline a few of these standards:

LEGAL XML STANDARD DEVELOPMENT:
THE GLOBAL JUSTICE XML DATA MODEL (GLOBAL JXDM):

The Global Justice XML Data Model (Global JXDM) is intended to be a data reference model for the exchange of information within the justice and public safety communities. The Global JXDM is a product of the Global Justice Information Sharing Initiative's (Global) Infrastructure and Standards Working Group (ISWG). It was developed by the Global ISWG's XML Structure Task Force (XSTF).

XML STANDARD FOR PROCESS DEFINITION LANGUAGE (XPDL) VERSION 1.0.
The Workflow Management Coalition (WfMC) has announced the release of its Workflow Standard XML Process Definition Language - XPDL 1.0. "Together with other WfMC standards, XPDL provides a framework for implementing business process management and workflow engines, and for designing, analyzing, and exchanging business processes. XPDL is the culmination of a fifteen-month effort by multiple vendors and users to provide a standard that satisfies the needs of diverse organizations. One of the key elements of the XPDL is its extensibility to handle information used by a variety of different tools. Based upon a limited number of entities that describe a workflow process definition ('Minimum Meta Model'), XPDL thus supports a number of differing approaches. The specification is intended for use by software vendors, system integrators, consultants and any other individual or organization concerned with the design, implementation, and analysis of business process management systems as well as with interoperability among workflow systems."

HEALTHCARE XML STANDARD DEVELOPMENT:
Hospitals, doctors, and other healthcare centers around the world require the ability to send and receive healthcare data, including patient information and various lab reports. As a result, vast amounts of healthcare information are exchanged on a daily basis. However, medical data can be extremely complicated due to the abundance of clinical terminology, as well as the structural complexity in the formation of the presented information. Thus, this information must be presented in a standardized format in order to ensure that the data is universally understood and organized. In order to achieve this, all healthcare information must be sent in a specialized healthcare language. The language that has been developed to overcome these obstacles is HL7. The HL7 protocol was developed by the Health Level 7 Organization, which consists of grammar and vocabulary that is standardized so that clinical data can be shared amongst all healthcare systems, and easily understood by all. By using the HL7 messaging protocol as a standard, all systems following the HL7 specifications are able to communicate easily with one another, without the need for information conversion.

October 4, 2000—Health Level Seven, Inc. (HL7) successfully balloted what it believes to be the first XML-based standard for healthcare—the Clinical Document Architecture (CDA). The CDA, which was until recently known as the Patient Record Architecture (PRA), provides an exchange model for clinical documents (such as discharge summaries and progress notes)—and brings the healthcare industry closer to the realization of an electronic medical record. The CDA Standard is expected to be published as an ANSI approved standard by the end of the year.

Clinical Document Architecture, Release One (CDA R1), became an American National Standards Institute (ANSI)–approved HL7 Standard in November 2000, representing the first specification derived from the Health Level 7 (HL7) Reference Information Model (RIM). CDA, Release Two (CDA R2), became an ANSI-approved HL7 Standard in May 2005 and is the subject of this article, where the focus is primarily on how the standard has evolved since CDA R1, particularly in the area of semantic representation of clinical events. CDA is a document markup standard that specifies the structure and semantics of a clinical document (such as a discharge summary or progress note) for the purpose of exchange. A CDA document is a defined and complete information object that can include text, images, sounds, and other multimedia content. It can be transferred within a message and can exist independently, outside the transferring message. CDA documents are encoded in Extensible Markup Language (XML), and they derive their machine-processable meaning from the RIM, coupled with terminology. The CDA R2 model is richly expressive, enabling the formal representation of clinical statements (such as observations, medication administrations, and adverse events) such that they can be interpreted and acted upon by a computer. On the other hand, CDA R2 offers a low bar for adoption, providing a mechanism for simply wrapping a non-XML document with the CDA header or for creating a document with a structured header and sections containing only narrative content. The intent is to facilitate widespread adoption, while providing a mechanism for incremental semantic interoperability.

HL7 V3, like V2.x, is a standard for exchanging messages among information systems that implement healthcare applications. However, V3 strives to improve the V2 process and its outcomes. The original process for defining HL7 messages was established in 1987 and has served us well. The development principles behind HL7 V3 lead to a more robust and fully specified standard.

New capabilities offered in Version 3 include:

  • Top-down message development emphasizing reuse across multiple contexts and semantic interoperability.
  • Representation of complex relationships.
  • Formalisms for vocabulary support.
  • Support for large-scale integration.
  • Solving re-use and interoperability across multiple domain contexts.
  • A uniform set of models.
  • Expanded scope to include community medicine, epidemiology, veterinary medicine, clinical genomics, security, etc.
BUSINESS XML STANDARD DEVELOPMENT:
Introduction: The Electronic Business (eBusiness) Extensible Markup Language (XML) [ebXML] set of specifications enables electronic trading relationships between business partners and integrates new technologies:

  • Communicate data in common terms (Core Components Technical Specification [CCTS]v2.0.1)
  • Register and provide eBusiness artifacts and services (ebXML Registry Services [ebRS v3.0] and Registry Information Model [ebRIM v3.0])
  • Configure technical contract between business partners (Collaboration Protocol Profile and Agreements [CPP/CPA v2.0])
  • Provide secure and reliable transport (ebXML Messaging Services [ebMS])
  • Enable business processes (ebXML Business Process Specification Schema, [ebBP v2.0.3]).

E-FILING ELECTRONIC DOCUMENT AND DATA EXCHANGE USING XML:
Multiple government agencies are implementing electronic filing and electronic recordation of documents as a means of document/data exchange between courts, attorneys and other departments, e.g. the Child Support department, the County Recorder's office etc. E-filing allows an organization to create a workflow across multiple departments over a WAN. We outline two case studies to demonstrate how electronic filing creates authenticated document/data exchange using a look-alike image of the signatures of the filers and the court clerk. Later we outline case studies where true digital authentication is used to create a document/data exchange between various county departments for TROs (Temporary Restraining Orders) and other document types.

E-FILING CASE STUDIES:
E-filing is the complete automation of the workflow needed between various agencies, e.g. Sheriff, D.A., DCSS, Probation agencies, Juvenile agencies etc., as well as users, e.g. attorneys, Pro Se Litigants, Process Servers etc. This automation uses a multitude of technologies and standards that allow these diverse entities to exchange documents and data electronically. The complexities in this automation arise out of security concerns, data compatibility issues and legal concerns. These case studies outline the base modules needed to accomplish this automation, and also describe the need for standards and what is needed to make acceptance of these standards easy for future implementations of the E-filing process. The process can be divided into the following modules:

  • Document assembly and workflow automation at the filing entity to generate the document and data envelope needed by receiving agency.
  • Document/data transformation to receiving agency in a standard format.
  • Acceptance/rejection module.
  • Electronic return receipt generation module.
  • Transfer module for transferring data to Line of business application
  • Transfer module for transferring document to document repository.
RIVERSIDE COUNTY CHILD SUPPORT E-FILING SYSTEM:
WORKFLOW INVOLVING AUTHENTICATED DOCUMENT/DATA EXCHANGE:

A number of organizations, as outlined below, are forced to rely on paper documents to create processes that will withstand the challenges created by our legal system and conform to its rules, such as the recording process involved in the transfer of real estate, court filings used to obtain judgments via court proceedings, and the recordation of wills and testaments. Generally, the authorities responsible for legal validation of these processes have regarded electronic documents as unreliable, with the result that paper documents are the only legally acceptable documents. Other instances needing paper documents with a wet signature involve legal, healthcare and other types of transactions that require authenticating the parties involved and providing confidentiality and privacy for information that by law cannot be released to unauthorized individuals. These types of transactions must be accomplished by secure transfer of documents between parties, and require that unauthorized personnel cannot access the document during the exchange between parties that are generally at different locations. Some of the agencies that are involved in these kinds of transactions are:
  • Judicial agencies such as Courts, Sheriff, District Attorneys etc.
  • Healthcare agencies like Hospitals, Clinics, Laboratories, Pharmacies, Insurance agencies.
  • Parties involved in criminal proceedings involving minors or child support matters.
  • Financial transactions e.g. sensitive financial information needed by SEC
  • Drug and medical appliance certification and approval applications involving FDA.
  • Educational organizations.
  • National security agencies that deal with sensitive data related to national security and government affairs.
Some of these agencies have rules that have been established over decades and cannot be modified without an exhaustive analysis of the implications of the changes. Some of these processes cannot be modified without changes in laws.
All the considerations outlined above make acceptance of digitally authenticated documents by these authorities difficult.
At the same time, reliance on authenticated identities is becoming an increasingly crucial requirement for the introduction of Internet-based solutions. Technology companies are forced to address multiple localized identity solutions, adding cost and time to software development and requiring custom consulting services, multiple training approaches, and complex, expensive product implementations. One glaring example of these problems is State-based Medicaid administration, a morass of local regulations and rules that render truly standardized products unworkable. A standardized solution will eliminate interoperability costs and barriers to rapid customer adoption and implementation of products that require identity management. The more quickly these solutions can be implemented, the faster these organizations will realize cost and efficiency returns. Failure to solve the identity problem globally will leave only one option: in-house administration of proprietary identities, an approach with significant inherent problems.

Today these organizations face unnecessary cost and complexity. Defining, administering, and maintaining an identity scheme (even ID number + password) is expensive and yields no competitive advantage. Every entity-specific identification process imposes costs and generates customer service issues. In spite of all the difficulties associated with creating an authenticated document workflow, a number of agencies have created pilots or working prototypes to demonstrate the viability of digital authentication and workflow. The case studies outlined below highlight the next frontier that is evolving in creating authenticated document workflow.

SEALED AND CERTIFIED DOCUMENT WORKFLOW IN COURTS:
Anyone who’s been through the court system, whether for domestic violence, elderly abuse or a child-support issue, knows how burdensome it can be. There are arraignments, bail hearings, trial and court dates, and mounds of paperwork. The amount of work that goes into every aspect of anyone’s legal travails is overwhelming, and it’s the organizations behind the courts that, in some ways, truly feel the weight of the work. Victims are overwhelmed by the number of pages of forms, many involving repetitive questions. Victims’ advocates spend two to three hours filling out forms, and victims often have to wait hours for an available advocate. It takes another four to six hours from the time a judge signs the Order of Protection until the sheriff receives the service paperwork. Up to five agencies are involved in each procedure, all of which are in different locations. Manual paper delivery therefore uses up valuable time and sometimes forces the victim to live with abuse rather than approach the court authorities.

DIGITAL AUTHENTICATION BASED PROCESS TO OBTAIN TRO (TEMPORARY RESTRAINING ORDER).
When a Judge receives a document digitally signed by an Attorney, the Judge's software verifies the signature in steps. It first uses the CA’s (the certificate authority's) public key to check the signature on the Attorney’s certificate; a successful check proves that the CA created the certificate. The Judge's software can then check that the Attorney is in good standing with the certificate authority and that none of the certificate information concerning the Attorney’s identity has been altered. (Although these steps may sound complicated, they are all handled behind the scenes by the Judge's user-friendly software.) The Judge then signs his order digitally, and a copy is electronically delivered to the sheriff and the court clerk in minutes. The sheriff can digitally authenticate the judge’s certificate and can make it available for viewing to other parties, i.e. a sheriff in another county, if they provide proper credentials. The digitally authenticated document provides:

  • Proof of Identity.
  • Prevention from unauthorized use.
  • Intuitive UI for end users (encryption, decryption, and digital signatures).
  • In the event that information is intercepted, encryption ensures privacy by preventing third parties from reading or using the information.
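
The signing and verification steps from HOW DIGITAL SIGNATURE TECHNOLOGY WORKS and the Judge/Attorney check described above can be traced in code. This is an added example, not part of the original paper: it assumes textbook RSA over SHA-256 with fixed, insecure demo primes and a JSON record standing in for an X.509 certificate, and every name in it is hypothetical. Real systems use a vetted cryptographic library with a padded signature scheme.

```python
import hashlib
import json

E = 65537  # common RSA public exponent

# Constructed demo primes (well-known Mersenne primes) so the run is reproducible.
# They are trivially guessable: never build real keys this way.
M127, M521, M607, M1279 = 2**127 - 1, 2**521 - 1, 2**607 - 1, 2**1279 - 1


def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}


def hash_result(message: bytes) -> int:
    """The 'hash result' of the delimited message, as an integer (SHA-256)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private) -> int:
    """Signer: transform the hash result into a signature with the private key."""
    return pow(hash_result(message), private["d"], private["n"])


def verify(message: bytes, signature: int, public) -> bool:
    """Receiver: recompute the hash and compare it using the public key."""
    return pow(signature, public["e"], public["n"]) == hash_result(message)


def encode(body) -> bytes:
    """Canonical bytes of a certificate body, so CA and verifier hash the same data."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(subject, subject_public, serial, ca_private):
    """CA: bind a name to a public key by signing the pair."""
    body = {"subject": subject, "serial": serial, "public_key": subject_public}
    return {"body": body, "ca_signature": sign(encode(body), ca_private)}


def check_signed_document(document, signature, cert, ca_public, revoked_serials):
    """Verifier: run the checks in the order the text describes."""
    # 1. The CA's public key checks the signature on the signer's certificate.
    if not verify(encode(cert["body"]), cert["ca_signature"], ca_public):
        return "certificate not issued by trusted CA"
    # 2. The signer must still be in good standing (not on the revocation list).
    if cert["body"]["serial"] in revoked_serials:
        return "certificate revoked"
    # 3. Only now is the certified public key trusted to check the document.
    if not verify(document, signature, cert["body"]["public_key"]):
        return "document signature invalid"
    return "valid"


def demo():
    """Run the checks on one genuine case and three failure cases."""
    ca_public, ca_private = make_keypair(M521, M607)
    attorney_public, attorney_private = make_keypair(M127, M1279)
    cert = issue_certificate("Attorney A. Example", attorney_public, 1001, ca_private)
    petition = b"Petition for temporary restraining order (constructed sample)"
    signature = sign(petition, attorney_private)

    # A certificate whose key was swapped after issuance keeps the old CA signature.
    swapped = {"body": dict(cert["body"], public_key=ca_public),
               "ca_signature": cert["ca_signature"]}
    return {
        "genuine": check_signed_document(petition, signature, cert, ca_public, set()),
        "altered_document": check_signed_document(
            petition + b" (edited)", signature, cert, ca_public, set()),
        "altered_certificate": check_signed_document(
            petition, signature, swapped, ca_public, set()),
        "revoked": check_signed_document(petition, signature, cert, ca_public, {1001}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of the checks matters: the document signature is only meaningful once the certificate that supplies the public key has itself been validated and found not revoked.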
[Figures: How it Works; e-signature; Digital Signature Certificate; Benefits of Digital authentication process]

BATCH RECORDS (EBR) AUTOMATION
Pharmaceutical companies have traditionally used paper (hard copy) to maintain production batch records (PBR), also called master production batch records (MPBR), for FDA-compliance purposes. With the advent of 21 CFR Part 11 in 1997, the FDA began to accept electronic batch records. Since then, more and more manufacturers have recognized the advantages of automating the process of controlling EBR.

Under CGMP regulations found in 21 CFR Parts 210-211, the EBR must demonstrate the accomplishment of every significant step in the production, packing, and holding of each batch of a drug product. CGMP requires extensive EBR documentation, including batch dates, identity of major equipment/lines used, components/materials used and their weights, in-process and laboratory control results, complete labeling control records, sampling, and identification of personnel supervising or checking each step. The paper tracking associated with the process can be onerous. A digitally authenticated workflow could provide better control, security, and auditability, and make the entire process simple and efficient for pharmaceutical companies and the FDA.

ADVANCED HEALTHCARE DIRECTIVE WORKFLOW:
Technological advances in medicine have made it possible to prolong life in patients with no hope of recovery. The physician is faced with deciding whether measures used to keep patients alive are extraordinary in individual situations. Advance Medical Directives are documents intended to provide guidance to medical professionals and your loved ones if you are incapacitated and cannot make your own medical decisions.
Advance directives can be defined as the right of incompetent patients to refuse unnecessarily burdensome treatment, but at the same time they emphasize the necessity for written evidence documenting the patient's wishes. This empowers an agent, who has power of attorney, to make end-of-life decisions and give instructions about your health care wishes if you are in a “chronic vegetative state”. Most of us procrastinate in creating an AHCD due to difficulty in obtaining proper advice, help and documents. Even in those cases where a person has signed an AHCD, it may be difficult for him to have his wishes enacted because the signed documents are unavailable when they are needed.

Governor Schwarzenegger signed AB 2805 on Sept. 28, 2006, a measure authored by Assemblyman Sam Blakeslee.

AB 2805 permits AHCDs to be digitally signed and notarized using the California digital signature standards, which were established in law in 1995. The measure protects the current requirements for AHCDs to be signed and either notarized or witnessed by two people, but also allows patients and notaries to use digital signatures and requires the use of a digital certificate for that signature.

“An advanced health care directive could have been instrumental in alleviating confusion around a case such as that of Terri Schiavo,” said Blakeslee. “However, making end-of-life or life-sustaining treatment decisions is just the first step. AHCD's only work if people proactively record these decisions with their medical provider.”

ADVANCED HEALTH CARE DIRECTIVE (AHCD), A CMA INITIATIVE:
CMA (California Medical Association), Mede pass and Image-X have teamed to create www.healthcarewishes.com to allow a person to digitally sign an Advanced Healthcare Directive and also provide digital notarization. Further, a physician with valid authentication can retrieve the AHCD on the web to comply with the patient’s wishes, in compliance with AB 2805.

The electronically stored Advance Healthcare Directive is available to health care providers at any time via secure Internet or facsimile.

From the case studies outlined above, one can conclude that this is just the start of the digital authentication process replacing the onerous paper-based process. As more and more agencies understand the advantages of digital authentication and approve these processes by passing the necessary rules, we hope to see better security and privacy as well as more efficient processes and conformance with the law.

[Figures: How it works; Digital Signature; Electronic flow of the AHCD; Intuitive Interface; Digital signatures; AHCD with Date, Time stamp and Digital signature]

BIBLIOGRAPHY:

  • Digital Signature Guidelines, published by American Bar Association Section of Science and Technology, Information Security Committee, Product code 5450012
  • SearchSecurity.com Definitions (Powered by WhatIs.com) July 2006
  • Legal XML Proposed Standard: XML Standards Development Project, XML Court Document 1.1 Draft Standard, E-filing report, published by Glasser Legalworks, Little Falls N.J.
  • Global Justice XML Data Model, U.S. Department of Justice, office of justice programs, http://it.ojp.gov/jxdm/3.0.3/index