Re: e-Health: Putting the Gateway PKI at work

["Anders Rundgren" <anders.rundgren@telia.com>]

Peter,

I'm sorry if you found my posting(s) offensive.
If there is a working e-prescription scheme, why not hand over a link to
debunk at least some of my claims?

However, these facts remain:
1. FPKI does not support an organizational-only entity.
2. There is no web-sign standard.
3. The IETF cream (that have been the "real" decision makers and advisers
to the US agencies), have spent numerous years rejecting the schemes I have just
described.  They did that by focusing on the server's security instead of looking
at "enablement", "costs", and "simplicity".  What the PKI people don't get is that
"secure servers" is the foundation for almost *all* IT of today.  If your business
runs SAP and it does not work, you are in deep trouble. A PKI server is just another
server, particularly if you have HW crypto.  HW crypto will BTW be default in all
computers fairly soon.

====================================================================================
That is, your allies, the IETF "cream" have effectively created a national five-year
(and counting) lag.   So you are actually pointing your gun in the wrong direction.
====================================================================================

Why not put some of these guys on the task to actually show how e-prescriptions
would be carried out using FPKI?  I believe a usability, cost, auditing, and security
analysis would be most interesting.

It is in this context worth mentioning that secure e-mail (S/MIME) has been a
huge flop from a deployment point of view which means that if the Federal
agencies invest in this, they will not be able to communicate with the outer
world (who use the web).   Since the only "reason d'être" for the public sector
is to "serve" the society, I believe this situation should be addressed.

My thesis FWIW, is that FPKI has never had so much to do as now, but from the
PKI-TWG agendas you get the impression  that you consider yourself as "ready".

Sincerely
Anders Rundgren

----- Original Message ----- 
From: "Alterman, Peter (NIH/CIT)" <altermap@mail.nih.gov>
To: "'Anders Rundgren '" <anders.rundgren@telia.com>; "'Multiple recipients of list '" <pki-twg@nist.gov>
Sent: Thursday, February 03, 2005 02:09
Subject: RE: e-Health: Putting the Gateway PKI at work


Anders,

The reasons the US healthcare industry has not rolled out e-prescriptions
has nothing to do with whether the US has "invented" anything or not or
whether the US only has a single level PKI, whatever that means; I'd like
that implied accusation corrected.  The US e-prescription initiative has
been led by the Department of Veterans Affairs and the Department of Justice
for the last few years, not by NIH or Health and Human Services. NIH does
biomedical and biobehavioral research. Think AIDS treatments and cures for
leukemia.  That you would not know this, yet still feel competent to make
pronouncements on the reasons for our apparent failure to roll out an
e-prescription system before Scandinavians have, makes it difficult to take
your statements seriously.

The US has a multi-level PKI infrastructure, liberally stolen from Canada,
the UK, and some of the best minds in the business.  And the US
E-Authentication architecture runs the gamut from no assurance to high
assurance, with all related technologies represented.  While we may not be
as far along as some parts of the world (we are all behind the Pacific 8
economies when it comes to multinational production implementations using
PKI), we have done our share and have a good architecture and very competent
policies and procedures.  And we are ahead of the game when it comes to
exploring interdomain PKI interoperability, its implications and its tools.
Nobody does more or better policy mapping than we do.

You should spend some time trying to learn what the US PKI architectue looks
like and how it works because it's clear from your ongoing criticisms that
you don't yet understand it, flaws and all.  Then consider that no system is
perfect; that we all compromise to accommodate any number of external
variables, and that we all build the systems we need to work in our unique
environments.  I don't have a single, state-overseen medical care system; I
have a zillion providers, insurers, policies, procedures and billing systems
colliding everywhere.

I read in your language something quite ugly, my friend, in a place where we
have a right to expect basic courtesy and professionalism.

Peter


-----Original Message-----
From: Anders Rundgren
To: Multiple recipients of list
Sent: 2/2/2005 5:30 PM
Subject: e-Health: Putting the Gateway PKI at work

e-Health: Putting the Gateway PKI at work

It is sometimes claimed that scurity solutions are just security
solutions.  I like to think of security solutions more as "enablers" of
certain services, like a passport is an enabler for international
travels.  The Gateway PKI is indeed a enabler as can be seen by the
following:

The e-prescription use-case (as performed in Sweden NB):

1. A doctor authenticates to a hospital information system

2. The doctor "navigates" to the patient's journal

3. The doctor creates a prescription

4. The doctor selects a suitable destination pharmacy

5. The doctor authorizes (signs) the finished prescription

6. The hospital information system verifies the doctor's
authorization

7. 'The hospital information system saves the prescription and
links it to the patient's journal

8. The hospital information system takes a copy of the prescription
and encrypts it

9. The hospital information system signs (in the name of the
hospital), the encrypted copy

10. The hospital information system sends the completed package to
the selected pharmacy

11. Discussion point: Is it the hospital's task to verify that the
doctor is authorized, or is this a task for the pharmacy? My personal
opinion is that everything should be taken care of as early as possible.
Using this notion, the pharmacy may not even need to recognize the
doctor.

This can be done using a browser + smart card only.  On
Windows/Mac/Linux.

Denmark claim they are sending 1.2M/months of e-prescriptions.

As the US government (and SW industry) have not yet "invented" web
signatures, and only have a single-level PKI, the US have not yet been
able to rollout e-prescriptions  (last checked with NIH/CIT in December
2004).  Using the FPKI framework you would need unique, usually platform
dependent, expensive to develop, "fat" clients or degrade to Outlook
(which would be extremely clumsy). The real security and reliability
would be lower than in the Scandinavian systems as much of the
transaction will be dependent on the quality of the client software.
Yes, you can in fact bypass the hospital information system altogether
as it has "nothing to say" in this matter using the FPKI scheme.

Anders Rundgren