HIPAA, managed care aid smart card entrée into U.S. healthcare market

August 23, 2000


U.S. firms go head-to-head with established European vendors

Smart cards, like voice recognition and wireless networking, belong to that “some day” group of products that have obvious application in healthcare but have yet to achieve widespread adoption—at least in the U.S. Despite successful healthcare smart card implementation in Germany and France and multiple pilot programs by the Department of Veterans Affairs (VA), the General Services Administration (GSA), and the armed services, the U.S. has been slow to embrace this technology, largely because the healthcare delivery infrastructure in the United States is so fragmented.

However, with high-profile security initiatives such as HIPAA and growing awareness of the need to protect Internet-based data transactions (HNN 6/14/00, 7/12/00), smart cards may have finally found a way into the U.S. market. In the last year, prominent vendors such as Microsoft have joined smart card veterans Siemens, Gemplus, and Sun Microsystems in developing card-based products for healthcare.

Analysts say there is plenty of room for these players and more, in large part because the U.S. market is virtually untapped, especially in vertical markets such as healthcare. At present, smart cards have their largest penetration in both Europe and the U.S. in the cellular phone market, because digital phones using the GSM (Global System for Mobile Communications) protocol require a smart card, called a SIM (Subscriber Identity Module), to function. Other vertical markets like the financial industry are also driving the technology. For example, American Express is actively marketing the Blue card, a smart card with a reader that is aimed squarely at enabling secure e-commerce.

In addition, the technology is more complex than it might appear at first glance, thus requiring a multitude of component suppliers. Implementing smart cards requires not only the physical card and embedded integrated circuit chip, but also applications, an operating system, and card readers.

Memory cards, the least expensive type, store data but do not run applications. Only cards with an embedded integrated circuit chip are able to run applications. According to Leo Legaspi, director of Business Development-Americas for the French firm Gemplus, a typical smart card offers about 32 KB of storage. The firm has demonstrated a card with 1 to 2 MB of capacity that will be commercially available in a couple of years, according to Legaspi. He also notes that smart card technology today is far in advance of its actual usage.

“A smart card is a full computer without the input device or display,” he said. “It has its own operating system, memory including RAM and ROM, everything that would qualify it as a computer.”

Gemplus is one of several European firms that dominate the smart card industry. Europe’s adoption of healthcare smart cards was driven by the nationalized healthcare systems and a top-down Eurocard initiative implemented by the European Union in 1993. Ultimately, EU member nations plan to have a common infrastructure in place to exchange healthcare data on user smart cards. James Forcier, an economist and managing director of San Francisco-based Bay Analytics, compares smart cards to wireless, in that the U.S. lags behind its European counterparts in implementing the standards and infrastructure needed to support the technologies.

“In Europe, the health insurance card serves as an ID and gives access to the hospital,” said Rik Primo, director of IS/PACS at Siemens Medical Systems. “It generally contains only administrative data; there is too much resistance to storing medical data. Approving medical data like allergies and blood type on the smart card requires positive patient involvement due to the problems with patient privacy.”

Germany chose to implement smart cards to carry healthcare administrative information soon after the Eurocard framework was begun; by 1995 more than 78 million cards were in use. The system was implemented in only 20 months, due in part to the card’s limited functionality; the German cards are memory cards that do not run applications. However, even this basic approach—the simple storing of administrative data and providing physicians and dentists with readers and PCs—resulted in a 35% decrease in the administrative cost of health insurance, according to Gemplus, which supplied over 15 million cards and more than 50,000 readers to the German healthcare market.

France has taken a more ambitious first step by equipping patients with smart cards that have processing capability. The Sésam Vitale 1 card replaces paper-based claims processing; the Vitale 2 card will also securely store medical data in addition to administrative claims data. Because of the more complex goals of the French project, implementation is lagging behind Germany’s. Some 42 million Vitale 1 cards were distributed in 1998 and 1999, and 60 million Vitale 2 cards are expected to be distributed in the next few years.

Tax Dollars at Work

The U.S. is not a complete neophyte. Federal and state government agencies have been experimenting with smart card applications for security, identification, and data storage purposes in many areas, including healthcare, for several years. The VA has been at the vanguard of these efforts, participating in various smart card projects, including the Global Information Society G-7 and G-8 Healthcare Data Card Projects, since the early ’90s. The VA has also been running a pilot for secure Web-based access to medical data since 1998 and is investigating smart cards as part of that project, according to Dan Maloney, director of emerging technologies for the VA.

“We envision it as a card that works with the network,” Maloney said. “We’re trying to move the process forward, but there’s no budget currently.”

More recently, the GSA has awarded a five-year, $1.5 billion contract to multiple vendors to develop smart card technology for the federal government. This project includes a healthcare data storage component being developed by Litton-PRC/Centurion using Windows for Smart Cards. Security and identification applications will probably incorporate biometric authentication being developed by Viisage and IriScan.

The VA’s focus is on a card that can store data and perform public key infrastructure (PKI) calculations. The VA hopes to incorporate as much of the GSA smart card work and the Department of Defense smart card project using PKI authentication as it can, according to Maloney. The VA also plans to have a two-card update model, with both the patient’s card and doctor’s card required to modify data on the card or on the VA network. Depending upon the success of the GSA’s biometric pilot, the VA may incorporate that additional layer of security as well.

As part of the G-7 Healthcare Data Card Project, the Western Governors’ Association has spearheaded a three-city Health Passport Project to develop and test smart card systems in North Dakota, Wyoming, and Nevada. This project, which is being run in conjunction with Siemens and other smart card vendors, is intended to enable near-real-time, secure access to health data, reduce administrative costs, and increase efficiencies. It will also provide access to Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) benefits in some locations and enable provider access to user data across state lines. Phase I is scheduled to be completed in December 2001. In Phase II, WGA and its vendors will work with the Navy, GSA, and other partners to Web-enable its smart card systems and to test the cards’ capability to access multiple disparate systems.

Despite the military’s investment in smart cards, however, commercial development and adoption of this technology within the U.S. remains sluggish. But this could be changing, thanks in large part to HIPAA, managed care, and the increasing consolidation and regionalization of the U.S. healthcare system.

According to Primo, U.S. hospital IT departments are expressing more interest in smart card technology, especially for security and HIPAA-compliance related applications. Siemens is considering integrating smart cards into its PACS products to provide secure access to systems using PKI. In addition to storing the private key on the card, Siemens may incorporate a biometric security layer as well.

“A number of issues still stand in the way of smart cards in the U.S.,” Primo said. “But there are a lot of good things about smart cards; you don’t have to input information over and over again, and the cards can be used as data carriers or login and access devices for hospital staff. Applications are limited only by the creativity of the users.”

Forcier sees opportunity for healthcare smart card vendors not only in applications relating to secure access, but also in applications that will cut costs and improve operational efficiency. While achieving HIPAA compliance is mandatory, clients will more likely go for the most cost-effective solution that conforms to the rules’ requirements and their own workflow processes.

“Smart cards are one tool among many that could address some concerns,” he said. “If the real question is how are we going to make data available at different points in the healthcare system while protecting privacy and keeping costs down, with a system that’s intelligent and user friendly, the industry will look at alternatives and settle on some combination. Smart cards are being looked at in particular with Web-based communications systems.”

Market Barriers Remain

The potential for smart cards has attracted some of the biggest names in the computer industry. In fact, the well-documented Sun-Microsoft competition for the desktop/Webtop (HNN 7/26/00) is also at play in the smart card field.

Sun introduced its Java Card platform in 1996. The software overlays proprietary operating systems and provides a common Java-based environment that enables the cards to have any operating system and still run Java-based smart card applications. As it did with Java, Sun has opened the Java Card platform to developers and so has no firm count of how many of the 2.5 million Java developers are working on healthcare applications for smart cards. Sun claims to have shipped more than 20 million Java Cards in 1999 and is planning to integrate Java Card technology with the other Java platforms as its next enhancement, according to Jennifer Yonemitsu, product manager.

“Not all smart cards support multiapplication technology—Java cards are among the few that do,” Yonemitsu said. “We started with a bare-bones configuration—secure authentication and e-commerce—but we’ll be able to add more services as users demand. With Java Card, we can protect each application from other applications on the same card, while allowing the apps to share data.”

Microsoft, a latecomer to the smart card market, announced its initiative in September 1999. But the company may benefit from its delayed entry as smart card vendors work toward interoperability and the implementation of HIPAA draws near. HIPAA requirements are part of the company’s healthcare smart card strategy, according to Paul Smolke, healthcare industry manager for Microsoft’s Business Solutions Group. The potential security features of smart cards—digital certificates, digital signatures, and a private key—complement the PKI support built into Windows 2000.

“Essentially what smart cards provide for us is a way to extend the security of Windows 2000,” Smolke said. “What we want to do in healthcare is extend smart cards and make the technology available to consumers as well as people in the business enterprise.”

Microsoft is working with several smaller firms to develop healthcare-specific applications for smart cards using Microsoft technology, including Lifestream, a company that has gotten FDA approval for its home cholesterol monitor that uses smart cards to store data and transmit it over the Internet (HNN 5/3/00). Microsoft is also working with Humana and Healtheon/WebMD to create smart card applications that enable Humana subscribers to store medical data on the card and use the card to securely access their personal health records via the Web.

“The long-term goal of a smart card is to replace all the cards in a wallet, providing encryption to protect the data,” Smolke said. “We’re still fairly early in the process of getting adoption and developing applications. We’re also talking to physicians to show them the benefits of being able to get information and update it.”

Future In a Flash

Despite all this effort, however, U.S. smart card developers still face some formidable challenges. Because the smart card industry has been around since the ’80s, many vendors have developed proprietary operating systems running proprietary applications. For example, Gemplus has its own proprietary operating system but also works with Microsoft on the Windows for Smart Cards platform and with Sun on the Java Card platform.

“I think the challenge for Sun/Java and Microsoft/Windows in smart cards is that they’re coming in relatively late to an industry that’s been going for some time,” Forcier said. “Vendors like Gemplus and Schlumberger have already developed a major presence.”

In addition, competition of another sort is already brewing. Several firms are developing flash memory cards, a smaller but higher capacity portable data storage unit. Flash memory cards, unlike smart cards, are more like a disk drive than an operating system, according to Ed Cuellar, manager of the OEM marketing group for Sunnyvale, CA-based SanDisk. Cuellar sees the benefit for healthcare in the flash memory cards’ higher storage capacity—up to 1 gigabyte of storage in some cases—which will allow the medical data on the card to include higher capacity files like JPEG thumbnails of x-rays. The flash memory cards can be read through a PC card adapter for laptops and USB readers for desktops.

The Army is already beta-testing flash memory cards developed by SanDisk and Informatech, a subsidiary of Kaneb Services, as personal data carriers for field personnel. The Personal Tag (P-tag) can hold 8 to 32 MB of data, rather than 32 KB like a smart card, and is the size of a large postage stamp. The healthcare P-tags will cost less than $100, a hefty price tag when compared with smart cards that cost generally less than $10, and will be available sometime in the last half of 2001. According to Cuellar, the Army has already received several thousand units and will be conducting field trials through the rest of the year.

“Now that we have the trials in place, we’re trying to take the same product to the general healthcare market,” Cuellar said. “We’re actively looking for value-added resellers in the healthcare arena.”

According to Cuellar, P-tags will be attractive to the broader medical community because of their ability to circumvent HIPAA requirements. If patients are carrying their own medical records, then the providers are no longer responsible for the record and the patient has control over where the information is sent.

However, Gemplus’ Legaspi believes that it is the smart card’s processing capability that will give it an edge over flash memory cards. Due to the high interest in implementing PKI and digital signatures to meet HIPAA requirements, smart cards will be able to run the applications necessary to comply with the final rules.