Re: [egov] National Health Technology Standards Corporation

["Anders Rundgren" <anders.rundgren@telia.com>]

John Messing Wrote:

>It sounds to me like machine representation of an entity as its signing
>agent is at least in part a legal question, which may require
>legislation, court decisions (in common law countries), regulations,
>international agreements or a combination of them to resolve.

This is exactly what I referred to in my original posting: The gateway
approach is in active use since *decades* and hardly anybody have
questioned its legitimacy.  When the very same thing is dressed in PKI,
it appears to be a different ballgame.  But it is not.  Messages pumped
through leased lines are no different than those who go trough PKI gateways.
That is, all such messages are supposed to be authorized and trusted.
The "signature" does not mean anything more (or less for that matter),
it only a different (and often better), technique for achieving message
authenticity and data integrity.

Well, CA liability in case of certification errors is a new element that
have no direct counterpart in non-PKI gateways.

Regarding health-care and IT, I believe the issues above are very minor
compared to privacy, data integrity, and system reliability which are
all very complex and there are no silver bullets.

HOW IT WORKS

The e-prescription use-case (as performed in Sweden NB):
1. A doctor authenticates to a hospital information system
2. The doctor "navigates" to the patient's journal
3. The doctor creates a prescription
4. The doctor selects a suitable destination pharmacy
5. The doctor authorizes (signs) the finished prescription
6. The hospital information system verifies the doctor's authorization
7. The hospital information system saves the prescription and links it to the patient's journal
8. The hospital information system takes a copy of the prescription and encrypts it
9. The hospital information system signs (in the name of the hospital), the encrypted copy
10. The hospital information system sends the completed package to the selected pharmacy
11. Discussion point: Is it the hospital's task to verify that the doctor is authorized, or is this
    a task for the pharmacy? My personal opinion is that everything should be taken care of
    as early as possible.  Using this notion, the pharmacy may not even need to recognize the doctor.

This can be done using a browser + smart card only.  As the US gov (and SW industry)
have not yet "invented" web signatures and only have employee-level PKI they have not
been able to rollout anything similar (last checked with NIH/CIT in December 2004).

In Denmark they claim they are sending 1.2M/months of e-prescriptions.

Probably the US 5 year lag was an understatement...

Anders Rundgren



> -------- Original Message --------
> Subject: Re: [egov] National Health Technology Standards Corporation
> From: "Anders Rundgren" <anders.rundgren@telia.com>
> Date: Tue, February 01, 2005 1:58 pm
> To: "eGov OASIS" <egov@lists.oasis-open.org>
> Cc: "David Webber (XML)" <david@drrw.info>, "Chiusano Joseph"
> <chiusano_joseph@bah.com>
>
> Two answers in one letter to save list space :-)
>
> There are two dimensions, one is information and the other is trust & identity.
> If the NHTSC will be able to set the standard for "information" is hard to tell.
>
> Regarding the trust & identity stuff, I believe (but cannot provide evidence) that
> the consortium will fairly soon realize that there are TWO entities, in the
> game: people and machines.  Machines can in fact represent an organization.
> This is something the US Federal PKI people have not yet realized, which have
> caused the US a 5-year (and counting) lag compared to many other countries.
>
> That is, it is not enough that some standard provide an X.509 element
> because that means nothing or at least creates a lot of guesswork as
> there are currently four competing suggestions on how a machine should
> identify itself when signing outbound orders, presciriptions etc.
> - As an individual.  The German solution
> - As a server.   The short-cut
> - As as application.  IBM is promoting this.
> - As an organization.  The Scandinavian way
>
> The net result is poor interoperability.
>
> My hope is that this consortium should not leave this question to app developers
> just because it is "infected".
>
> thanx,
> Anders Rundgren
>
> ----- Original Message ----- 
> From: "Chiusano Joseph" <chiusano_joseph@bah.com>
> To: "Anders Rundgren" <anders.rundgren@telia.com>; "eGov OASIS" <egov@lists.oasis-open.org>
> Sent: Sunday, January 30, 2005 18:59
> Subject: RE: [egov] National Health Technology Standards Corporation
>
>
> I'm not certain how you arrived at all of the fine-grained technical
> details you put forth below, as the URL you provided did not speak at
> that level. Could you please provide an additional source to support the
> information that you provide below?
>
> Kind Regards,
> Joseph Chiusano
> Booz Allen Hamilton
> Strategy and Technology Consultants to the World
>
>
> > -----Original Message-----
> > From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> > Sent: Sunday, January 30, 2005 3:15 AM
> > To: eGov OASIS
> > Subject: [egov] National Health Technology Standards Corporation
> >
> > http://news.com.com/High-tech+alliance+for+digital+health+netw
> > ork/2100-1028_3-5550628.html?tag=nefd.top
> >
> > If this is for real, it could have a rather profound effect
> > on (F)PKI, as it seems that they are trying to create "a
> > scalable and secure architecture for information exchange and
> > collaboration" (my wording)..
> >
> > If this consortium succeeds in creating a working
> > architecture for healthcare, they have "fixed the rest as
> > well" as it seems that healthcare comprises practically all
> > security, privacy and legal issues one could imagine.
> >
> > This is likely to be yet another blow at the already severely
> > marginalized S/MIME scheme, as the network with a high
> > certainty will be based on Web Services, and due to that also
> > feature a "Gateway PKI".
> >
> > Gateways will be the norm for most org-to-org communication
> > including cross-border dittos as can be seen by this document:
> > http://europa.eu.int/idabc/en/document/3760
> >
> > Although gateways are well-known by security people,
> > something went terribly wrong when this extremely time-proven
> > concept met with PKI. I guess this must have had something to
> > do with the idea that PKI's sole mission in life is providing
> > legally binding signatures for individuals.  But this is
> > actually only one out of a myriad of PKI applications.
> >
> > Now to a yet not solved question: What exactly is a gateway
> > certificate?
> >
> > Anders Rundgren
> > Senior PKI Architect
> > working for a major computer security company
> >
> > Disclaimer:
> > This is my personal opinion, not to be associated with my employer
> >
> >
> > To unsubscribe from this mailing list (and be removed from
> > the roster of the OASIS TC), go to
> > http://www.oasis-open.org/apps/org/workgroup/egov/members/leav
> > e_workgroup.php.
> >
> >
>
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/egov/members/leave_workgroup.php.
>
>
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/egov/members/leave_workgroup.php.


To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/egov/members/leave_workgroup.php.