Andrew Patterson wrote:
>>pleasure of being made to jump through hoops backwards to prove who you
>>are to their pedantic satisfaction (or rather, to the satisfaction of
>>irrelevant standards set by the spooks for C'wealth public service PKIs -
>>but HeSA is NOT a public service PKI, unless one considers GPs and
>>private specialists to be public servants...). For example, it would be
>>nice for GPs to be able to exchange secure emails with physios, OTs,
>>speech pathologists, dentists, residents and registrars in the public
>>hospital system and even patients using PKI certificates issued at low
>>or no cost through analogues of CaCert (see http://www.cacert.org/ ) or
>>similar.
>
>
> Apologies if I am rehashing an old debate as I only joined this
> list recently but I have been doing some work recently with
> pki certs (hesa and non-hesa) and would be interested in
> fleshing out some of the points you have brought up..
> ...lots of points, all basically correct...

Yup, we've covered that ground many times in the past - unfortunately the archives of the GPCG list as hosted by the former GPCG are not searchable, so it is not easy to point you at those discussions.

> Perhaps the
> real answer is a multitude of certificates and CAs,
> ranging from personal email certificates merely to
> encrypt email, ranging up to 100 points of id, sign
> my life away certificates for medicare claiming,
> prescription writing etc.

Yes.

> Personally, I would have thought the correct bestower of
> PKI certificates is whatever body accredits the
> health practitioner.. so the RACGP for GPs,
> relevant colleges for specialists and whatever
> accreditation bodies are appropriate for allied
> health professionals. That way they would be
> asserting both identity and qualifications.

In general, yes, although not the RACGP for GPs nor the Colleges of specialists. The correct body is the medical registration board in each State, or its equivalent for nurses (the Nursing Registration Board and the Allied Health Professional Registration Board in NSW, probably the same in other States). These Boards already know who you are and they have a duty and great interest in weeding out people who fraudulently claim an identity. These Boards ought to act as Registration Authorities for each and every one of their registrants, as a matter of course. The Certificate Authority can be a separate body, even a private-sector one, so the Boards actually need minimal extra technical capacity - all they are doing is vouching for the identity of their registrants. Naturally the system should bind user generated certificates as well as generate certs for users who don't wish to generate their own. The CA should publish the public certs in a publicly-available LDAP directory as HeSA does.

This would have huge advantage for the registration boards, because it would enable them to move to purely electronic dealings via the Web with the majority of their registrants. The certificates could also be used (and trusted) by a myriad of other organisations as a way of authenticating health professionals to Web sites etc - as well as enabling secure messaging, system-wide.

The cost would be reasonable, since running a PKI is a known and well-worked out task both administratively and technically - perhaps $5-10 million per State per annum. State depts of health (which usually fund and run - at arm's length - the various registration boards) would reclaim such modest costs many times over every year due to the greater efficiencies provided by the ability to securely send hospital discharge summaries/referrals to GPs electronically.

Many State Depts of Health or their regional sub-organisations are investing money in creating online directories of health service providers - an essential step in making in-hospital electronic records work. But few, if any of these projects are, AFAIK, taking the extra, obvious steps of combining this with putting the professional registration boards online and making them PKI registration bodies.

And HeSA can still be used, if it must be, for Medicare purposes, which is all it wants to be used for anyway.

Tim C

_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
