
Perspectives on Information Technology
for the Health Care Industry



Healthcare PKI


Healthcare PKI Workshops

PKI Introductory Topics
PKI Tutorial (ppt/zip)
The Healthcare Authentication Problem Module 1 of PKI Tutorial
PKI Readiness Evaluation

PKI Implementation Topics
Certificate Issuance (ppt/zip)
Access Control using Certificates (ppt/zip)
Secure Messaging with S/MIME (ppt/zip)
The CMA's Physician PKI (ppt/zip)
Extra-Enterprise Trust Models (ppt/zip)
Electronic Signature (ppt/zip)
Building the PKI Business Case (ppt/zip)
Briefing the Healthcare Executive (ppt/zip)


Standards & Guides

PKIX, The IETF Standards for PKI under development by the PKIX Working Group

PKCS, The Public Key Cryptography Standards as promulgated by RSA

CARAT Guidelines: The National Automated Clearinghouse Association (NACHA) recommendations for Certificate Policy(s)

American Bar Digital Signature Guidelines: Standard reference providing the legal infrastructure for CAs and electronic commerce

State of California Digital Signature Legislation: basis for EC with the California state agencies. Law plus discussion. California Electronic Transaction Act creates new risks, emphasizing the need for corporate electronic signature Policy.


Major PKI Initiatives

Kaiser Permanente is now deploying one of the healthcare industry's most ambitious PKIs. Read about Kaiser's PKI Concerns, by Dave Barnett, Kaiser System Architect.

CHIME offers the Connecticut health industry the nation's first fully developed public CA with a specific healthcare industry focus, CHIMEtrust.

HealthKey is a multi-state project to create a "replicable model" for healthcare PKI. HealthKey publishes an alternate view of healthcare PKI where interoperability is dependent upon adherence to set certificate practices, subordination of enterprise CAs to common industry-provided roots, and the deployment of 'trusted' directories.

NIST PKI Project will determine how Federal agencies will develop a PKI that supports US government use of digital signatures and public key security services. Of particular interest is the proposed Federal Model Certificate Policy developed by The Working Group (TWG). This project provides the basis for the joint PKI activities of the Health Care Working Group of the Federal PKI Steering Committee.

The Auto Industry Action Group is building a PKI to support the ANX (Auto Network Exchange) Extranet. Of particular interest is the ANX Model Policy.

The PKI Forum is a 'vendor led, customer driven' initiative "to accelerate the adoption of PKI as a critical eBusiness enabler by enhancing the PKI value equation."


Legal Analysis

Center for Democracy and Technology: legal analysis of current legislation and regulatory trends regarding digital signatures, certificates, electronic authentication and encryption.

McBride, Baker & Coles maintain a comprehensive summary of State and Federal legislation regarding digital signatures and third party CAs.

PKILaw.com maintains a collection of annotated links to articles about PKI and the law.

Michael Froomkin's law review article, Essential Role of Trusted Third Parties in Electronic Commerce



Vendor PKI Resources
Service Bureaus
Arcanvs
Verisign

Software Manufacturers
CertCo
Baltimore
Entrust
Spyrus

Netscape's Use of Public Key Cryptography is a prototypic implementation of PKI-based security services for the Internet.

IBM eNetwork security uses public key cryptography extensively. The IBM Vault Registry provides scalable security for the Net based on digital certificates.
 
 
 

 

ASTM Publishes Standard Practice for Healthcare Certificate Policy
The new standard is now available at the ASTM website. ASTM is currently working on an Implementation Guide to accompany the Standard. For more information contact Ted Cooper, Kaiser, ASTM committee chair.


Tunitas Group webinar on new possibilities for healthcare use of digital signatures. Tunitas Group, in collaboration with Algorithmic Research (AR), will offer a free webinar on this topic at various times during the weeks of January 14 and January 21. Request a copy of the presentations.


Electronic Signatures for Medical Records
Tunitas Group presentation at RSA Conference 2002, held February 18-22, 2002 in San Jose. The presentation describes industry events creating new interest in electronic signature and derives a number of signature and signer attributes that could be implemented in PKCS7 or XML-DSIG signatures. Download zipped PowerPoint.


The Healthcare PKI Value Proposition
Tunitas Group presentation to RSA2001 on the positioning of PKI in Healthcare. April 9, 2001. Download zipped PowerPoint.


Healthcare PKI Conference @ TEPR2001 -- May 8-10, 2001
As the healthcare enterprise moves past its mere evaluation of PKI toward a commitment to deploy, it encounters the significant complexity of PKI. PKI is complex because it is not merely an information technology, but also a healthcare business and legal infrastructure. This conference intends to organize the myriad aspects of healthcare PKI for those who would use or deploy it. This Conference is co-sponsored by the Medical Records Institute and Tunitas Group and will be held in conjunction with TEPR2001 in Boston. Most presentations available for download.


ABA Task Group on Healthcare Secure Informatics
The American Bar Association has formed the Health Information Protection and Security Task Group (HIPAS). The initial action of this group is to adapt the ABA's seminal work on Digital Signature Guidelines to create a recommendation for healthcare industry use of electronic signature. The initial efforts will address interoperability, CA licensing, education material, and legal interpretations. For more information contact Steve Fleisher, HIPAS Chair.


Healthcare PKI Conference @ TEPR2001 Presentations

Creating the Healthcare Enterprise PKI
Planning for PKI from a Healthcare Business Context
Ann Geyer, Tunitas Group

A cost-sensitive healthcare enterprise requires compelling justification to undertake the new costs entailed in creating its PKI. This talk briefly discusses the healthcare PKI business case.
Healthcare PKI Policy Issues
Mike Martin, Connecticut Hospital Association

A PKI Policy specifies to whom the enterprise will issue certificates and for what purposes as well as the basis for its reliance on the certificates issued by others. To support the electronic disclosure of health information, the Policy must be responsive to industry regulation and support industry practice. This talk addresses Policy issues raised by the healthcare context.
Diligence and Risk Mitigation
Donna Dodson, Social Security Administration
What provides a practical proof of the identity of new subscribers that is appropriate for the exchange of health information? The answer impacts the assurance level and overall reliability of the PKI, but a cost-effective answer depends upon the business and systems context provided by the enterprise, its CA and subscribers.
Standing up the CA - Technical aspects of Certificate Manufacturing
Bob Ycmat & Bernie Cohen, Arcanvs
What is involved in implementing a certificate service? What are the risk factors that may require greater protections for the certificate service than for the information that the PKI is designed to protect?
Subscriber issues and certificate maintenance
Terry Fotre, DO; MEDePass
Appropriate reliance assumes that certificates are current and that the related private keys are exclusively under the control of appropriate persons. This talk discusses certificate revocation, renewal and reissuance as well as the management of subscriber private keys.
Cross certification and trading partner strategy
Yuriy Dzambasow, Digital Signature Trust
A principal use of PKI is in support of electronic communication between autonomous trading partners (providers, plans and payers, suppliers). The value of the enterprise's PKI will depend in large part upon its interoperability with the solutions adopted by trading partners. Distinct industry players have announced their determination to support different cross certification models in seeking this interoperability. This talk will introduce the technology of cross certification and propose various strategies to address industry fragmentation.
Implementing Reliance
Introduction to Electronic Signature and PKI
Jan Lovorn, Protegrity
PKI provides authentication of the signatory through digital signature. This talk introduces the ASTM PKCS#7 based standards for healthcare use of digital signature and explores future directions provided by the IETF, W3C and HL7.
Enforceability of Electronic Signature in Healthcare
Robyn Meinhardt; Foley and Lardner
Jurists and regulators will ultimately determine the appropriateness of adopted electronic signature mechanisms. This talk will explain the federal "Global eSign" legislation and the "Uniform Electronic Transaction Act" and their impact upon the design and implementation of the healthcare PKI.
Electronic Signature Applications
Ray Wagner, Phyve
This talk will summarize the technical requirements of a healthcare electronic signature application and evaluate the sufficiency of a number of vendor products and tools.
Using PKI to Secure Healthcare electronic mail
Joe Miller, Mass Health Data Consortium
The enterprise responsibilities for healthcare related email go beyond "encryption + authentication" as the enterprise must ensure the appropriateness of disclosure. This talk explains the use of the S/MIME specification to secure electronic mail, and discusses issues in its implementation and enterprise solutions for management of email.
Using PKI to Secure Asynchronous File Transfers
Mike Lundie, CycloneCommerce
This talk discusses the EDIINT specification for securing routine data file transfers across open networks. As implemented today, EDIINT supports 'lights out, mission critical' transfer of EDI containing X12 and HL7 formatted messages.
Certificate Mapping and Controlling Access to Web Applications
Bill Pankey, Tunitas Group
Certificate mapping is a process by which users authenticated with specific certificates are provided resource access. HTTP server platforms support this in a variety of ways, as discussed by this talk. An application of certificate mapping to PKI-enable a 'webified' legacy system will be detailed.
PKI enabling the legacy application - Part I
Bertrand Dufrasne, IBM
The healthcare enterprise typically has a large number of applications for which it must control access. This talk discusses software strategy and implementing products by which users may present a single certificate to authenticate to each of the applications.
PKI enabling the legacy application - Part II
Robert Lendvai, Kyberpass
Frequently, healthcare applications are stovepipe systems for which source code is not available to the enterprise. In the absence of the application vendor's direct support for an HTTP interface or PKI, the enterprise can find PKI support with authentication servers and various 'wrapper' technologies. This talk introduces concepts of PKI 'middleware' and its use.
PKI and Wireless Applications
Aleksander Bosanac, Certicom
The rapid introduction of handheld and wireless devices creates new security and technology challenges. PKI will be part of the solution through the emerging technology of WTLS and compressed certificates. The talk surveys requirements and the current state of solutions.
PKI Vendors and Product
Vendor Roadmap
Ann Geyer, Tunitas Group
The current market supports a number of vendors of software products and certificate sources. Each vendor has its own concept of PKI and how it should be implemented. The talk provides a survey and context to assist in vendor evaluation.
Microsoft Certificate Server and the Win2k PKI
Fred Pinkett, SHYM Technology
PKI is an integral part of Windows 2000, and certificate server software is bundled into Advanced Server. The presence of Microsoft bundleware will change the dynamic of the PKI software market, and an evaluation of the inexpensive Microsoft offering should be a part of any enterprise's PKI planning process. The talk introduces Win2k's PKI capability and addresses issues in its use.
OpenCA
Bob Johnson, Tunitas Group
The open source community offers 'free' PKI software solutions to those enterprises capable of taking advantage of them. This talk outlines the functionality provided by OpenCA and other open source PKI software and discusses issues in their deployment.
Outsourcing Components
Tim Ells, Baltimore
Deploying an enterprise or community PKI involves expertise and cost with respect to multiple PKI components. The healthcare enterprise may seek to assign responsibility for some of these components to third parties. The talk addresses the various options as well as the incremental costs and risks in PKI outsourcing.
Conference Wrapup
Ann Geyer, Tunitas Group


   
Copyright© 1998-2003 Tunitas Group.  All rights reserved.