PKI security solutions for the enterprise - Raina K.

Raina K. PKI security solutions for the enterprise - Wiley publishing , 2003. - 334 p.
ISBN: 0-471-31529

Table 5.4 Summary of HIPAA Technical Security Mechanisms (continued)

HIGH-LEVEL REQUIREMENT           COMMENTS
Communication/network controls   Refer to the use of message authentication and either access controls or encryption
When the HIPAA standards were originally written in August 1998, it was not clear how PKI technology would evolve. As a result, a number of stipulations were added to the standards to allow for future changes. Some of the required key features included the following:
Ability to add attributes. Certificates can carry attributes that describe information about the certificate holder. The ability to add attributes is part of the X.509 v3 standard, and, thus, most major PKI vendors can adhere to this requirement.
Continuity of signature capability. This feature allows documents or messages to be verified between signings. For example, managers may verify an employee's digital signature before signing the document with their own digital signatures.
Countersignatures capability. This feature allows for verification to determine the order in which signatures were placed on the document or message. In this manner, a chain of signature authorities can be established to ensure that a proper process had been followed.
Independent verifiability. Given that certificates can be used and validated by resolving the chain of trust for the certificate, it is possible to easily verify the digital certificate that was used in a transaction. Furthermore, with public key technology, anyone has access to a signer's public key, making this requirement trivial for certificates issued by public CAs.
Interoperability. Some PKI vendors do make deviations from standard X509 v3 certificates, which then can cause problems when the systems have to interact with each other. Interoperability is required to prevent the need for a single vendor. A number of standards bodies in other industries have attempted to create this "universal model" for certificates. For the most part, certificates can be used for standard applications, such as digital signatures, with good interoperability; however, some complex, custom applications may not work with all types of certificates.
Multiple signatures. Generally, in an approval or workflow process, multiple signatures may be required for approval; thus, a PKI would need the ability, either directly or through third-party applications, to show a chain of signing authorities. Most form-signing or workflow packages that use digital certificates have this ability.
Transportability. This is the ability to send a signed document over an insecure network (for example, the Internet) without the loss of message integrity. It is part of the basic functionality of a digital certificate, as it provides privacy and integrity by encrypting and signing a message.
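The countersignature, continuity-of-signature and multiple-signature features listed above, as an added example in Go that is not from the book: each signer verifies the existing chain before signing, and each signature covers the document hash plus the previous signature, so the order of signing is fixed and checkable. The keys, the chain layout and the document text are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Link is one signature in a countersignature chain: the signer's public key
// and a signature over SHA-256(document) || previous link's signature.
type Link struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// GenerateSigner makes a fresh Ed25519 key pair (constructed for the demo).
func GenerateSigner() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// chainInput binds a signature to the document and to every earlier link.
func chainInput(doc, prev []byte) []byte {
	h := sha256.Sum256(doc)
	return append(h[:], prev...)
}

// VerifyChain checks each link in order; because each link commits to its
// predecessor, a reordered, dropped or altered signature fails here.
func VerifyChain(doc []byte, chain []Link) error {
	var prev []byte
	for i, l := range chain {
		if !ed25519.Verify(l.Signer, chainInput(doc, prev), l.Sig) {
			return fmt.Errorf("link %d: signature does not verify", i)
		}
		prev = l.Sig
	}
	return nil
}

// Countersign verifies the existing chain first (continuity of signature)
// and only then appends the new signer's signature over doc and the last link.
func Countersign(doc []byte, chain []Link, priv ed25519.PrivateKey) ([]Link, error) {
	if err := VerifyChain(doc, chain); err != nil {
		return nil, err
	}
	var prev []byte
	if n := len(chain); n > 0 {
		prev = chain[n-1].Sig
	}
	sig := ed25519.Sign(priv, chainInput(doc, prev))
	return append(chain, Link{Signer: priv.Public().(ed25519.PublicKey), Sig: sig}), nil
}
```

An employee signs first and a manager countersigns; swapping the two links, changing the document, or countersigning a tampered chain all fail verification.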
HEALTHKEY
HealthKey is a multistate organization, funded by the Robert Wood Johnson Foundation, that creates secure infrastructure models for healthcare organizations. A key aspect of the organization is the definition of a PKI system that can be leveraged across the healthcare industry. Some key projects HealthKey has focused on include the following:
- Secure email between healthcare organizations. This initiative advocates using organizational-level certificates rather than individual certificates. This, of course, does not provide individual nonrepudiation, but it does protect sensitive information transmitted over the Internet.
- Bridge service for CAs (to allow different CAs to interoperate). The first example of this bridge service was executed in July 2001 with the HealthKey Bridge Technology in Minnesota. The application sends secure email between different organizations using the bridge model.
- Immunization registry secure access. This project, launched under the name Provider Access to Immunization Registry Securely (PaiRS), allowed the North Carolina Department of Health and Human Services Immunization Branch to offer secure access to a common registry of immunizations. In this manner, citizens and healthcare workers could access immunization records. Challenges in using PKI were found when high mobility was required (as in the case of citizens). User name/password and PKI were implemented in parallel because of these challenges.
- Communicable disease information (sensitive information sent by the Center for Communicable Diseases to local agencies, for example, in the event of an epidemic). The key reasons for using a PKI-based solution include secrecy (to prevent panic and false news reports) and speed (by using the Internet for information flow).
It is important to note that HIPAA does provide for the resolution of a number of privacy concerns; however, the resolution of the security requirements establishes a good base for privacy resolutions. In addition, various directives from other organizations, such as the European Union, affect how certain companies, like pharmaceutical companies, can deal with European customers. In general, an organization that is HIPAA compliant will have a much easier time meeting EU privacy directives.