Ronald Bowron pointed us to the press release at the AMA announcing its effort with Verisign for certifying providers' digital certificates; see http://www.ama-assn.org/ama/pub/article/1616-4573.html. Ronald adds: "I can see the day where the AMA will be a VAN for internet connectivity between the Providers, Patients and the Payers as part of their membership fees."
Though I don't see the AMA providing any VAN services, I do definitely see the value of the AMA-Verisign relationship. The AMA already knows all of their members, and those members' initial contact points. By merely giving the membership list to Verisign, the latter is guaranteed a good list of presumably vouched-for physicians. This information can be used by Verisign in a high-quality targeted "recruitment" of physicians for digital ID services. Since the AMA information is derived in an "out-of-band" context, in-person presentation of credentials (which adds to the horrific cost of digital certificates) might be avoided.

One of the uses of these digital IDs might be in EDI: If a payer receives a transaction from a provider, who has digitally signed his payload with one of these Verisign-signed (on the AMA's behalf) certificates, it can be reasonably assured that it came from the real doctor (as opposed to an impersonator). How one determines whether a particular AMA certificate correlates with a transaction identified by National Provider ID or proprietary payer-assigned ID is another matter - the devil's in the details!

We mustn't lose sight of the role security (and PKI) plays in all of the recommendations we come up with. Even if Kepa's DNS "directory" works flawlessly and effortlessly for locating EDI Trading Partner information given an identifier, it's all for naught if any 13-year-old in his bedroom can impersonate a provider (or a payer). The last thing we would want to see is Harry Hacker pretending to be Highmark by commandeering Kepa's DNS node 54771.NAIC.HIPAA.NET: every provider relying on the DNS "directory" wanting to send claims to Highmark could have them intercepted by the hacker if a PKI is not in place!

Who knows enough (or wants to learn) about this X.509 and PKI mumbo-jumbo to help out on security requirements? C'mon people: we need volunteers!
Start by taking a look at the PKI page at http://www.pki-page.org/, where you can see what X.509 and PKI are all about - there are links to just about everything in this field; start with "Literature / Articles / Publications / RFCs".

William J. Kammerer
Novannet, LLC.
+1 (614) 487-0320
