On Sat, 2003-09-20 at 15:01, Tim Churches wrote: > Hmmm, that is OK for point-to-point solutions (between a small number of > parties), but what about when, say, 50 different pathology providers > want to deliver test results securely to a few thousand GPs (family > physicians), in the absence of an existing VPN or secure network.
This is why private networks still exist. > Now, > there are dozens of ways of achieving that aim - but that's the issue: > which, if any, solutions are blessed by standards? I think policy makers are finally realizing that they should not be in the business of defining these things. They tend to specify "best practices" as the mark to hit. This is essentially the position taken in the HIPAA security regulations. > I have mentioned the > use of HTTPS to wrap HL7 2.x messages, with either username/password or > certificate-based authentication (used to send immunisation adverse > event reports to CDC). This is a perfect example of reusing a proven technology. > It has been pointed out that CDC also propose the > use of ebXML to wrap HL7 messages, with SAML to define the security, and > various protocols for the transport, including SOAP and HTTPS - for the > limited domain of public health message transport. That's of interest to > me, but I must say that ebXML/SAML+tarnsport protocol makes for a very > complex solution (which CDC seems to be addressing by commissioning > closed-source software implementations which are then offered for free > to US govt agencies - is that a fair assessment of the situation?). > Maybe David Forslund or others closer to current US Government activities could address this? But I agree with your observation that this is a very complex solution. > What else is being used? It seems that HL7.org and its national > affiliates have concentrated on the content of messages, but not on how > to get them securely and privately from place to place. Is that > impression correct? I would hope so. > The problem is not an absence of solutions to the > latter problem, but rather that there are too many possible solutions. I > hope I am wrong. What is the best solution for your specific circumstances? I think this is the level where there is no one size fits all. You have to make a professional determination. Then be flexible. <vbg> This was no help at all, but was an interesting thinking point. :-) Later, Tim
