On Tue, 2004-03-30 at 01:17, Wayne Wilson wrote:
> Implications for medical messaging:
>
> HL7 has long taken the view that they would not build in security
> mechanisms as long as existing message layer standards were in place.
> S/MIME was early looked at as the 'way'. Now, it seems the faith
> is being put into XML digital signature http://www.w3.org/Signature/ .
>
> Both of these approaches build on the PKIX work. So does the US
> Government. I am certain this is because of the top down nature of
> the architecture, i.e. the notion of creating a 'root' trust
> authority, from which all other trust stems. It's natural for large
> agencies, NGO or GO to want to position themselves as the 'trusted'
> ones.
>
> My personal opinion is that the business world and the world of
> individual privacy runs counter to that model and creates a
> resistance. But even if that is not a big issue, the technical
> interoperability and the complexity of the standards themselves are so
> great that nothing really practical is on the near term horizon.
The situation in Australia might be instructive. Several years ago the Health Insurance Commission (HIC) tried to establish their own PKI for the health professionals. HIC is a govt body which administers Medicare, which is our universal health insurance scheme (and which has slowly been whittled away by conservative govts, but there is an election this year and that might stop the rot...). Alas, HIC made multiple mistakes:

a) the scheme was clearly focused on helping them reduce operational costs by encouraging doctors to submit patient claims electronically, instead of on paper, and HIC refused to endorse the use of their PKI for any other purpose - a huge blunder, since the cost savings to doctors of submitting electronically were negligible, or negative, whereas the cost savings of other uses of a PKI to doctors are potentially large - but such uses were not endorsed;

b) they chose a typical top-down X.509 PKI dictated by the govt security agency, and designed for public servants in govt depts, without realising that the main users would be general practitioners who are independent small business people, not govt employees;

c) the scheme they chose relied on proprietary hardware dongles, which were fiddly, and had restricted Windows-only proprietary APIs (initially, now a Java API);

d) they insisted (and still do) on generating the private signing and encryption keys themselves, and then distributing these private keys to the users by courier - yet the end users are expected to sign a document confirming that the signing keys are as good as their written signature - this practice, of refusing to allow self-generation of private keys, completely undermines the basis of PKI and people have been wary of the system as a result;

e) they failed to establish an easy-to-use (eg LDAP-enabled) directory of public keys, and the key revocation list facility initially (still does?) relied on users manually updating their keyrings - which is never going to happen;

f) the end user agreement initially ran to over 100 pages of closely typed text (now shortened);

g) the certificate authority they use, originally an Australian security company, has changed hands twice, and is now a US multinational.

Not surprisingly, given all these reasons, the uptake of the system has been small, despite all the software and hardware being given away for free (for now at least), although it is beginning to pick up now in some areas, but 4 years and many tens of millions of dollars down the track. Last year they started to offer cash incentives to medical software companies to support the scheme. See http://www.hesa.com.au/ if you are interested in more details.

> No one has found the 'right' combination of automation and scalability
> yet. Neither PKIX scaling downwards nor PGP scaling upwards have
> found the magic ease of use to build a community of trust which will
> drive forward this technology.

In contrast to the HIC PKI system, several local groups of GPs have just been getting on with establishing local secure email networks using GPG, at minimal cost. David Guest, who subscribes to this list, operates one such network - David, can you give us a thumb-nail sketch of the Northern Rivers system? Another example is operated by the Top End (Northern Territory) Division of General Practice, who have built a nice LDAP directory service which holds GPG public keys - see https://www.tedgp.asn.au/servicedir/loginform.php

So I think it can be done using GPG - but some degree of social cohesion and a good organiser is required. Whether GPG-style Webs-of-Trust (WoT) can scale up remains to be seen, but I see no reason why they can't, with local WoT bridged to others by designated "bridge-builders". However, in most settings, the majority (90% or more) of health care communication occurs between local parties, who are all likely to be part of a single WoT.
If a GPG system is a bit less convenient for the rarer "long-distance" electronic communication, then that is not a disaster - but even that remains to be seen. I am impressed how well GPG works across the Internet with correspondents anyway - but you do need GPG + social organisation + policies to make it work. But not policies which drag on for hundreds of pages. The back of an envelope should suffice to list them. Is that correct, David?

-- 
Tim C
PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere
or at http://members.optushome.com.au/tchur/pubkey.asc
Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0