e-Health: Putting the Gateway PKI at work

["Anders Rundgren" <anders.rundgren@telia.com>]

e-Health: Putting the Gateway PKI at work

It is sometimes claimed that scurity solutions are just security solutions.  I like to think of security solutions more as "enablers" of certain services, like a passport is an enabler for international travels.  The Gateway PKI is indeed a enabler as can be seen by the following:

The e-prescription use-case (as performed in Sweden NB):

1.  A doctor authenticates to a hospital information system
2. The doctor "navigates" to the patient's journal
3. The doctor creates a prescription
4. The doctor selects a suitable destination pharmacy
5. The doctor authorizes (signs) the finished prescription
6. The hospital information system verifies the doctor's authorization
7. 'The hospital information system saves the prescription and links it to the patient's journal
8. The hospital information system takes a copy of the prescription and encrypts it
9. The hospital information system signs (in the name of the hospital), the encrypted copy
10. The hospital information system sends the completed package to the selected pharmacy
11. Discussion point: Is it the hospital's task to verify that the doctor is authorized, or is this a task for the pharmacy? My personal opinion is that everything should be taken care of as early as possible.  Using this notion, the pharmacy may not even need to recognize the doctor.

This can be done using a browser + smart card only.  On Windows/Mac/Linux.

 

Denmark claim they are sending 1.2M/months of e-prescriptions.

As the US government (and SW industry) have not yet "invented" web signatures, and only have a single-level PKI, the US have not yet been able to rollout e-prescriptions  (last checked with NIH/CIT in December 2004).  Using the FPKI framework you would need unique, usually platform dependent, expensive to develop, "fat" clients or degrade to Outlook (which would be extremely clumsy). The real security and reliability would be lower than in the Scandinavian systems as much of the transaction will be dependent on the quality of the client software.  Yes, you can in fact bypass the hospital information system altogether as it has "nothing to say" in this matter using the FPKI scheme.

Anders Rundgren