Direct Data Entry (DDE) Security Upgrade Requirement

As most of you know, CMS allows providers direct access to the Common Working File (CWF) through DDE.  This technology has existed for many years and has evolved from remote terminals, modems and phone lines to terminal emulator software running on personal computers connected to the CWF through secure networks.

As this technology evolved, some providers and vendors implemented more modern solutions for their DDE connections, others stuck with existing systems.  Regardless of the technology, the functionality of DDE remained the same.  Once you get connected, everyone sees the same screens and has the same capabilities.  How you got connected made no difference, until now.

Over the last twenty years, the federal government became concerned with the wide variety of security standards among their different agencies.  They began developing standards that would apply across all government agencies regarding the hardware and software components used to secure data as it was exchanged over government networks.  The National Institute of Standards and Technology (NIST) developed the Federal Information Processing Standards (FIPS) which are government computer security standards for the encryption of data. These standards defined four levels of security that could be assigned to different agencies and transactions based on the type of information exchanged and it’s security requirements.  As time went by, these standards were enforced at each agency and deadlines were imposed on parties involved in these transactions.

DDE, as an exchange of patient data over a variety of networks, has finally fallen under the scope of this process.  Health and Human Services (HHS) has mandated that all “data in motion” or data that travels over secure or wireless networks, comply with FIPS 140-2 cryptographic standard.  The deadline is 9/30/13, two weeks from today.

Access to DDE is provided through a closed network called “CMSNet” that connects and protects several CMS computer systems, including the computers accessing the CWF.  The group that maintains this network has been working with vendors that access this network over the last few months to make sure that they comply with these new standards.  These vendors are listed on this site:

http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/HETSHelp/HowtoGetConnectedHETS270271.html

They have provided access to a new test environment that is FIPS 140-2 compliant.  They contacted all of these vendors that are currently connected through CMSNet (such as MEDTranDirect) to make sure that they can demonstrate their ability to connect over the FIPS 140-2 compliant network.  MEDTranDirect passed these tests and our customers have already been converted to the new standard.

However, this is not necessarily true for all vendors of DDE connectivity or all of their provider customers.  Over the last six weeks or so, we have been contacted by many customers of a “major” competitor.  These customers have been told by that vendor that they are approaching this deadline and that they need to “upgrade” their DDE solution to be FIPS 140-2 compliant.  Their strategy has been to portray their existing connectivity as non-compliant, which is true, but that instead of taking the responsibility of upgrading the solution to become compliant, they are insisting that their customers purchase a new, and more expensive solution to replace it.  They have taken the position that this is a marketing opportunity rather than a support issue.

At MEDTranDirect, when our products stop working, for whatever reason, new specs, new network standards, programming errors, it is our responsibility to fix the problem and get them running again ASAP.  If future changes require changes in our systems or technology, our job is to make sure that we prepare our customers before these changes are implemented.  We will never take the position of allowing these systems to fail in order to generate new sales.  This particular situation was presented in plenty of time for any capable vendor to have anticipated what needed to be done and prepared for the upgrade.

If you find yourself in a situation where your DDE will not be working on 10/1/13, we can assist you whether or not you are a current MEDTranDirect customer.  You can visit our web site and try out our web-based DDE solution through our PayerLink product for up to 30 days at no charge and no commitment.  You can use this time to examine your options for DDE connectivity and if you choose, you can continue to use PayerLink after your trial period has expired.

http://www.medtrandirect.com/PayerLink/payerLink.aspx

I won’t normally directly promote our products through these articles to this degree in the future, but we only have a couple weeks left before some of you will either have to live without DDE or pay the price for additional features and components that you may not need.  I hope that we can help many of you get the additional time you need to make an informed decision.

By Kalon Mitchell – President, MEDTranDirect

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s