On Wed, 2004-06-16 at 06:55, Tim Cook wrote:
> In a report about continuity of care records and electronic medical
> summary records I found a statement that intrigued me.
>
>
> "In Denmark over 90% of GPs offices (and 75% in New Zealand) use their
> computer systems to electronically send and receive clinical messages
> such as laboratory results, radiology results, prescriptions, discharge
> letters, and referrals. "
>
> If this is true... what method(s) are the GPs using to prevent exposing
> private patient data to modification and/or interception by third
> parties?
The following explanation was recently posted on the Australian GPCG
(general practice computer group) mailing list by Tom Bowden, CEO of
Healthlink, a New Zealand secure electronic messaging service provision
company which apparently carries the lion's share of health messages in
NZ. Tom was answering a previous post which asked for confirmation of
how Healthlink operated. I have added some explanation of abbreviations
in square brackets, but the quote is otherwise verbatim. All opinions
contained in the quote are those of Tom Bowden, not mine. See also my
further comments on the issue below the quote from Tom.
--- start quote from Tom Bowden ----
Following is further detail on PKI implementation and related questions
from our technical team.
The comments expressed in your email relating to the security of
HealthLink are incorrect.
1. HealthLink does not use PGP. We use a more commercially suitable
certificate standard, X.509.
2. HealthLink supports the use of digital certificates from a number of
trusted certification authorities, including those keys issued by HESA.
[HESA is a publicly-owned company operated by the Health Insurance
Commission (HIC) of Australia - which provides universal health
insurance for all Australians. HeSA's role is to enable secure
communications between health providers and HIC by operating a PKI and
issuing hardware "dongles" to service providers to manage their private
keys/certificates.]
3. Sending a message using HealthLink
a. The message is encrypted using the public key of the
intended recipient and signed using the private key of the sender
b. The message is sent over a secure, authenticated tunnel to
the HealthLink Server Farm
c. HealthLink cannot decrypt the message because HealthLink
does not hold the private key of the intended recipient (after
HealthLink is installed it generates a new private key). Message
routing information is included in a clear text message header so that
the message can be delivered and tracked - the message payload is
encrypted.
d. The recipient receives the message, verifies the sender's
signature using the sender's public key and decrypts the message using
their private key.
4. Graphic files can be exchanged using HealthLink but cannot be
included in a structured message unless the message specification allows
for the inclusion of graphics (eg the proposed HL7 radiology standard).
We are happy to field further questions.
Kind regards
Tom Bowden
CEO HealthLink Ltd
Tel +64 9 638 0670
Mobile +64 21 874 154
----- end of quote from Tom Bowden ------
My understanding is that Healthlink issues users of its service with
proprietary client software which packages information as HL7 and/or XML
and/or other formats, encrypts the message payload as Tom describes
above, and then uses SOAP and related protocols to send the message via
its own servers to the recipient, who must also be a Healthlink client.
The Healthlink client software can apparently interface directly with
some, but not all clinical information systems/EMRs in common use in NZ
and Australia.
There is considerable debate at the moment in Australia (or at least on
the GPCG mailing list) about the pros and cons of such an approach to
the problem of secure, reliable health messaging, versus the approach
adopted by a product called ArgusConnect, which also uses the HeSA PKI
to encrypt and decrypt message payloads in HL7 or other formats, but
which uses SMTP and MIME attachments to transmit the messages to
recipients (who may or may not be ArgusConnect users). Typically the
Argus software is deployed as an "edge" server at the interface of local
networks and the Internet, where it acts as a proxy mail server, looking
after all the encryption and decryption details. Like Healthlink, it can
also interface directly with some clinical software applications, so
that some HL7 messages (lab results, say) can be deposited directly into
a patient's record, rather than merely turning up in the doctor's email
inbox amongst all the spam. I should add that Argus was developed using
a govt-provided grant which allegedly specified that the Argus code be
open sourced, and we are all waiting anxiously for news from the Argus
copyright holders in this respect. My understanding from the
Argus developers is that extension of Argus to accommodate other X.509
PKIs and/or GPG/PGP would not be too difficult. It already uses LDAP for
directory services.
I have CCed Tom Bowden, Ross Davies and Andrew Shrosbree on this message
so that they can correct any factual errors I have made in the above
accounts of their services and products.
Of course, security of patient data while it is transmitted from place
to place is only part of the story. You also need to worry about
security of the data where it is stored in databases etc, and security
of back-up media and other removable media containing such data. The
answer to all these issues in the setting of small clinics is
encryption, encryption, encryption, plus a good key management system for
that encryption, or to only store the data off-site in a secure data
centre - that is, adopt an ASP model (but you still need to worry about
encrypting those off-site backup tapes).
--
Tim C
PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere
or at http://members.optushome.com.au/tchur/pubkey.asc
Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0
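Step 3 of Tom Bowden's description (sign with the sender's private key, encrypt to the recipient's public key, cleartext routing header, a relay that holds neither private key) is easier to reason about as a running exchange. The Go program below is an added example written for this page; it is not HealthLink's or Argus's software, and the page says nothing about the envelope format either product actually uses. Its assumptions: self-signed X.509 certificates stand in for HeSA-issued ones (so there is no chain validation against a CA); a hybrid envelope (fresh AES-256-GCM key wrapped with RSA-OAEP to the recipient's certificate) stands in for whatever CMS-style format the real service uses; the routing header is bound into both the sender's signature and the GCM associated data, an editor's choice so that a relay cannot re-address a message unnoticed; the party names, header and HL7-style result segment are constructed for the demo; and the authenticated tunnel of step 3b is not modelled, since it only protects the hop to the relay.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party is one endpoint: a private key generated locally (it never leaves the
// endpoint) plus an X.509 certificate carrying the matching public key.
// The self-signed certificate here stands in for one issued by a CA such as HeSA.
type Party struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

func NewParty(name string) *Party {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Party{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// Header is the cleartext routing data a relay needs to deliver and track the
// message: authenticated (it is GCM associated data and is also covered by the
// sender's signature) but not encrypted, so the relay still sees who talks to whom.
type Header struct{ From, To, MsgID string }

// Envelope is what travels through the relay.
type Envelope struct {
	Header     Header
	WrappedKey []byte // fresh AES-256 key, RSA-OAEP encrypted to the recipient's certificate
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over (sender signature || clinical payload)
}

// Seal signs header||payload with the sender's private key, then encrypts
// signature||payload to the recipient's certificate (hybrid RSA-OAEP + AES-GCM).
func Seal(sender *Party, recipient *x509.Certificate, hdr Header, payload []byte) *Envelope {
	hdrBytes, _ := json.Marshal(hdr)
	digest := sha256.Sum256(append(append([]byte{}, hdrBytes...), payload...))
	sig := must(rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, digest[:], nil))
	aesKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(aesKey)
	rand.Read(nonce)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient.PublicKey.(*rsa.PublicKey), aesKey, nil))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(aesKey))))
	inner := append(append([]byte{}, sig...), payload...)
	return &Envelope{hdr, wrapped, nonce, gcm.Seal(nil, nonce, inner, hdrBytes)}
}

// Open is the recipient side: unwrap the AES key with its own private key, decrypt
// (which fails if the header was altered in transit), then verify the sender's signature.
// Anyone without the recipient's private key, the relay included, fails at the first step.
func Open(recipient *Party, sender *x509.Certificate, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.Key, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap message key: %w", err)
	}
	hdrBytes, _ := json.Marshal(env.Header)
	gcm := must(cipher.NewGCM(must(aes.NewCipher(aesKey))))
	inner, err := gcm.Open(nil, env.Nonce, env.Ciphertext, hdrBytes)
	if err != nil {
		return nil, fmt.Errorf("payload or routing header modified in transit")
	}
	senderPub := sender.PublicKey.(*rsa.PublicKey)
	if len(inner) < senderPub.Size() {
		return nil, fmt.Errorf("truncated payload")
	}
	sig, payload := inner[:senderPub.Size()], inner[senderPub.Size():]
	digest := sha256.Sum256(append(append([]byte{}, hdrBytes...), payload...))
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("sender signature invalid: %w", err)
	}
	return payload, nil
}

func main() {
	lab, gp, relay := NewParty("pathology-lab"), NewParty("gp-clinic"), NewParty("relay")
	hdr := Header{"pathology-lab", "gp-clinic", "msg-0001"}                        // constructed routing header
	env := Seal(lab, gp.Cert, hdr, []byte("OBX|1|NM|GLU^Glucose||5.4|mmol/L")) // constructed HL7-style segment
	_, err := Open(relay, lab.Cert, env)
	fmt.Printf("relay sees %+v but cannot open the payload: %v\n", env.Header, err)
	msg, err := Open(gp, lab.Cert, env)
	fmt.Printf("gp-clinic reads %q (err=%v)\n", msg, err)
}
```

Running it shows the relay routing on the cleartext header and failing to unwrap the message key, while the addressed clinic decrypts and verifies. A re-addressed header or a wrong sender certificate is also rejected. The caveat a practitioner would want here is the flip side of point 3c: the header is plaintext to the relay by design, so the relay (or anyone who compromises it) learns who sent what to whom and when, even though it cannot read the result itself.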