PRESS RELEASE

Contact: Karen Van Hentenryck
(734) 677-7777
For Immediate Release
HEALTH LEVEL SEVEN RATIFIES RECOMMENDATION FOR SENDING SECURE MESSAGES USING INTERNET MAIL
Health Level Seven announced today that it has ratified a recommendation for sending secure HL7 version 2.x messages using public Internet e-mail. The recommendation, titled Secure HL7 Transactions Using Internet Mail, was ratified by an HL7 membership ballot that concluded in mid-April. All comments received in response to that ballot were discussed and resolved at the HL7 Spring Working Group Meeting, which convened April 26-30, 1999 in Toronto, Canada.
The recommendation responds to the recognized risks that accompany the increasing demand to use the public Internet for HL7 communications. While the Internet offers a cost-effective channel for HL7 messaging, it bears considerable security risks, including threatened privacy of health care data by interception of messages en route from senders to receivers, threatened correctness and reliability of data due to fraudulent messages, and threatened reliability and accountability of data due to repudiation. The HL7 recommendation advocates cryptographic methods combined with the widely deployed MIME standard to avert these risks. This approach is useful not only for asynchronous e-mail-based messaging but also for synchronous communication using the Hypertext Transfer Protocol (HTTP).
The recommendation outlines a process whereby an HL7 message is built using standard HL7 encoding rules, incorporated into proper e-mail lines of text by base64 transfer encoding, and then encapsulated in a MIME-EDI entity. The MIME-EDI entity, now carrying the HL7 message, is then wrapped into MIME Security Multi-parts (RFC 1847), which specifies a common generalized security socket into which special security modules can be plugged.
Secure HL7 Transactions Using Internet Mail includes a thorough discussion of cryptographic technologies and how they are applied to achieve authenticity, confidentiality and non-repudiation. The recommendation can be implemented using either of the competing cryptographic protocol suites, PGP or S/MIME. It also addresses implementation issues and provides a detailed example of an HL7 lab order sent and received via Internet mail. Since the HL7 recommendation was developed in cooperation with the Internet Engineering Task Force (IETF) working group on EDI-Internet-integration, implementations are already available from large and small EDI vendors.
"This recommendation is the first of HL7’s answers to the pending HIPAA regulations," says Gunther Schadow, M.D., co-chair of the Secure Transactions SIG and principal author of the recommendation. "It allows HL7 implementations to be sufficiently secured from the messaging perspective. However, security is more than just secure messages, and HL7 will continue to address security issues in various committees; indeed, security aspects will be woven into the basic methodology of the upcoming HL7 version 3."
Health Level Seven approved the formation of the Secure Transaction Special Interest Group (SIG) in 1996. The primary goal of the SIG is to address the practical implementation of secure, authenticated HL7 transactions between systems in health care environments. The SIG is committed to leveraging existing standards and to coordinating with other Standards Developing Organizations to avoid duplication.
Founded in 1987, Health Level Seven is a not-for-profit ANSI Accredited Standards Developing Organization that develops standards for electronic data exchange in health care with an emphasis on clinical and administrative data. HL7’s membership represents more than 1,400 vendors, consultants and providers in the healthcare field. For more information visit HL7’s web site at http://www.hl7.org or contact Karen Van Hentenryck at (734) 677-7777.
###