File Transfer Business Drivers

As a participant in this nation’s healthcare system, CMS needs the capability to securely and reliably exchange data files with its business partners, government agencies, and other stakeholders. Files may be transferred electronically, or in some instances, using physical media such as encrypted digital tapes and disks.

File-oriented processing often requires a sequence of file transfers followed by application processing. For example, a file received from a partner is processed by an application and the results are sent to another partner for subsequent processing.

The CMS EFT system is the primary mechanism for coordinating the workflow of file transfer and subsequent application execution from various CMS business partners. Applications may also implement or use other file transfer solutions, such as the file transfer capabilities of the CMS ePortal.

CMS Enterprise File Transfer is a critical enabler of major programs like Medicare and Medicaid. These exchange data with a wide variety of business partner organizations, large and small. New legislative or regulatory changes may drive transfers with new partners and changes in data transfer volume.

Goals

The business goals of an effective, secure file transfer infrastructure include:

  • Exchanging files with CMS partners

  • Adapting to changes such as new partners, new applications, and new CMS services

  • Securing all data transfers in accordance with the current CMS ARS on an ongoing basis

Facilitate Exchanging Files

The primary business goal of an EFT system is to facilitate the secure exchange of data between CMS and its partners as well as between partners (as a pass-through) consistent with current CMS ARS requirements.

The CMS EFT team is responsible for all input and outbound file transfers that involve the CMS EFT infrastructure.

Adapt to Change

The CMS EFT infrastructure enhances productivity by isolating customers from changes in physical transfer locations. The Sweeps system used by CMS EFT is a store-and forward-transfer rather than a simple point-to-point transfer. This allows customers to be unaffected by changes to the other side of the transfer. This can be either a new server location, such as migrating from the mainframe to the cloud, or a new transfer product such as moving from Connect:Direct to SFTP. The sender and receiver may also each use different transfer product.

Objectives and Processing Environment Requirements

CMS data centers manage file exchange in accordance with prescribed management, security, and operational objectives. This CMS Processing Environment handles more than 1,200 customers and sites and an estimated three million transfers per month. In such an environment, robust automation is essential.

Managing Audit Trails

Maintaining an audit trail of file transfers is an essential capability of an EFT system. Audit trails are used in diagnosis as well as security. Both the HIPAA and HITECH acts require traceability of Protected Health Information for Covered Entities and Business Associates (CMS is a hybrid entity). Audit logs, including audit trails of all EFT administrator activity, must adhere to the current CMS ARS requirements, undergo regular review, ensure non-repudiation, and be appropriately retained.

From a security and privacy perspective, the audit trail is useful in determining when and what happened in a sequence of events, the party’s identities, and which data are involved. By examining audit logs, it is possible to determine when files were transferred, which trigger scripts were executed, and whether such activities were successful. When working with CMS partners, it is useful to know when events occurred to help diagnose problems at either end of a transaction.

Coordinate Application Execution

Coordinating application execution is a critical function of any EFT infrastructure. An EFT workflow management system performs this function by detecting successful in-bound file transfers and coordinating with the batch scheduler to execute corresponding applications. The mapping of data file to trigger script is recorded in the EFT routing tables.

Managing EFT Processing Issues

Detecting, reporting, and managing EFT processing errors to resolution is another critical capability. An EFT infrastructure can report the status of file transfers and detection of errors that occur during file transfer. An EFT infrastructure does not, however, detect or manage application processing errors; error reporting of application processing errors is an application responsibility.

Report on the EFT Process

It is important that the EFT system produce reports about the file transfer and application triggering process (when controlled by the EFT) that include information such as timestamps of file transfer, application triggering, file name, file sizes, and destinations. Reports can be produced on an on-demand and scheduled basis, with delivery via email or online.

Decouple File Transfer from Application Execution

One objective of EFT is to decouple file transfer operations from application execution. Without an EFT service, partners transferred files and were responsible for initiating trigger-script execution. With a CMS-managed EFT service, the control of initiating trigger-script execution may remain within CMS rather than relying on a partner to initiate application execution.

Prevent Data Overlays

Some EFT solutions, such as the CMS EFT service, introduce file name timestamps during a file renaming process that occurs at the end of file transfers. Timestamping helps retain data integrity by preventing accidental data file overlays.

Keeping Archival Copies

Applications are responsible for archiving copies of files transferred. Archiving files sent to external customers is needed to save communications subject to financial or legal review. Archiving also eliminates the need to repeat application execution to generate a file that was previously generated, as well as a variety of administrative duties such as resetting databases to prior condition, restoring backups, and other tasks that re-processing would entail.

The CMS EFT infrastructure saves copies of any file received or transmitted via Sweeps for up to 7 days. This allows for re-transmittal of files by the EFT admins without an application resending the file to Sweeps, which provides the benefits of archiving for a short term for all files transferred. The CMS EFT infrastructure is not responsible, however, for long-term archival or records management — this is an application owner’s responsibility. Files transferred using the Store-and-Forward or Pass-Through mechanisms are not archived.