Posted by John Patrick on Jul 17, 2011 in Healthcare, Internet Technology, PKI
Seems like everything is in the clouds or on the way to the clouds — our money, our music and pictures, our email, contacts and spreadsheets. What about our healthcare records? Some say security is holding back electronic health records. I do not think so and I believe the vision is clear — that encrypted healthcare data that is authenticated and properly authorized for access will be safer than the millions of manilla folders currently guarding our sensitive information. Google.com/health made a bold move to provide a universal repository for storing health records. I was one of the early users and came to depend on it. When did I get the flu shot? What was my blood pressure at last year’s physical? What test results and medications are there? All that and much more were provided for free by Google Health. Automatic updates were made by CVS, Medco, and Quest Diagnostics. Get a blood test and in a couple of days you can see a graph of how those results compared to the last time or to five years ago. A very nice service. The company announced last month that Google Health will be shut down permanently and all data will be deleted in 18 months.
Google says it’s shutting down the project because they got very little traction, but ReadWriteWeb reported in “Google Health: Why It’s Ending & What It Means” that Google Health may have been ahead of its time and did a poor job reaching out to a now growing ecosystem of developers. They urge that rather than shut it down, Google should put it on slow life support until the momentum builds. Many tech executives believe, as I do, that patient-centric cloud-based electronic health records are a huge opportunity. An executive acquaintance at Microsoft (yes, there is at least one person at Microsoft who will speak to me after the OS/2 wars) tells me that the company sees the opportunity as large and is committed to HealthVault, an offering similar to Google Health. Even though I am not a fan of Microsoft offerings, I decided to give it a try. Step one at healthvault.com was to log in using your Windows Live credentials. That almost stopped me in my tracks, but then I remembered that I had actually set up a Windows Live account back in 2003 to try out some other offering and my account is still good. Exporting all my health data from Google was a couple of clicks and importing it to HealthVault was a bit more complicated but not bad. Now that I have all my health data in HealthVault, what can I do with it? So far, nothing.
At Google Health, you can look at graphs of all your blood tests, print out an immunization card for travel purposes, and other handy things. The HealthVault strategy is to use business partners for the applications; Microsoft just stores the data. They have quite a few partners who offer personal health records. I tried several of them and could not get any of them to work. My data is securely in Microsoft’s vault and nobody can get access to it, including me! You have to set up a unique HealthVault email address and cross-authenticate, and, and, and. I spent an hour at it and finally gave up. I am sure they will make it easier and one day when I don’t have a doctoral paper due, I will try again. Our future health will revolve around personalized medicine and it in turn will revolve around our personal health records (PHR). The key question is who will provide the PHR service for us.
It is early in the game and there are many possibilities. First movers will not necessarily be the winners. Having Google or Microsoft provide a PHR service has certain advantages but there are disadvantages. How about if your health insurance provider decides to not share information with one of the big guys? Why would they decide that? Maybe because they want to be your PHR provider. Then there is your hospital. This is a very logical provider for a PHR service in the cloud, but will they have the resource and skills to launch a user-friendly, scalable, secure cloud-based service? And if you move, will your data be able to move with you? And if you decide to go on a medical vacation to China to get a heart transplant, will your hospital allow the Chinese hospital to have access to your PHR? And there is CVS and Walgreen and Walmart. They may all want to be your PHR provider as an integrated service with their pharmacy operations. And then there is Merck and Pfizer et al. Some chronically ill patients depend on certain medications and the manufacturer will be motivated to provide a PHR service tailored to monitor, sell, and communicate about their drugs. WebMD and the many other e-health sites are logical providers based on the wealth of medical information they provide access to. And what role will the government play?
There are many hurdles. A key element is standards. The Internet works exactly the same in every part of the world because it is built on globally agreed to standards. Health records have standards too. A lot of them! I have written a lot over the years about certificate authorities for authentication on the Internet (see patrickWeb category on PKI). In theory, there could be a single central certificate authority that would issue digital signatures that could make Internet email much more secure. In theory. I participated in meetings in Washington 15 years ago on the subject. When there were a few of us in the room we made a lot of progress but when the vendors, agencies, the military, etc. weighed in the whole process fell of its own weight. Likewise one central provider of PHRs could have many advantages, but I don’t believe consensus could be reached on how to do it. I am betting on hospital systems and networks. They may not be able to provide national solutions but they certainly can provide regional solutions through use of their health information exchanges (HIE) and HIEs in turn will ultimately follow standards that will allow them to exchange data on a secure basis. Stay tuned. There will be many developments on this subject in the months ahead.
Tags: emr, Google Health, Healthcare, healthvault, hie, personal health record, phr, PKI
Posted by John Patrick on Jan 8, 2004 in Conferences
There are snow flurries in the air and very cold conditions in New England. Hoping to get out for a motorcycle ride tomorrow though. As long as the roads are free of slippery materials, it is fun to ride in the winter. Meanwhile, the schedule for conferences of various kinds for the next 100 days is turning into a flurry also. Next week at the I/S Executive Roundtable Breakfast series hosted by Georgia State University in Atlanta, I expect to find a lively dialogue about the future of the Internet. The following week, back in Atlanta again, will be the ATI 2004 conference which will focus on "trustworthy computing". Unfortunately, I will not be able to stay for the Friday morning keynote by Robert Liscouski, Assistant Secretary of Homeland Security for Infrastructure Protection, because of a board meeting back in Connecticut. (read more)
Tags: homeland security, Motorcycles, New England, PKI, winter
Posted by John Patrick on Dec 26, 2003 in PKI

Another dimension of Trust has to do with standards. Because of standards, the Internet is the only thing I know of that works the same everywhere. Most things work differently in different parts of the world. The side of the road we drive on, the side of the car we drive from, the width of the railroad tracks, the plugs that we put in the wall; all work differently around the world. But not the Internet; it works exactly the same in every corner of the world. There are a lot of debates during the process while Internet standards are being developed but once published as a standard every vendor has an obligation to implement the standard. Most do. (read more)
Tags: authentication, authorization, ca, certificate authority, digital id, encryption, integrity, key, non-repudiation, passphrase, PKI, privacy, security, smart card, trust, usb
Posted by John Patrick on Dec 24, 2003 in PKI

In “Too Secure?”, I described how a financial services company insisted that I use the fax machine to send them a document. Let’s contrast that process with how it might have worked using a public key infrastructure approach with the five security functions described in the last part of the Privacy And Trust series. We’ll look at each of the five elements. (read more)
Tags: authentication, authorization, ca, certificate authority, digital id, encryption, integrity, key, non-repudiation, passphrase, PKI, privacy, security, smart card, trust, usb
Posted by John Patrick on Dec 23, 2003 in PKI

The most important benefit of a digital ID is authentication. Once digital IDs are more commonplace, you will no longer have to send your login ID and password over the Internet. Your password, passphrase, or biometric will go no further than your smart card, token, or your PC. Once you are authenticated, you will be able to authorize an encrypted exchange of digital data between your PC (or phone or other information appliance) and the other party. The result of the exchange is that both parties will be able to confirm that the other party is indeed who they say they are. If you provided biometric data the person will know not only that it was your ID but that it was actually you and not someone who may have “borrowed” your login/password. (read more)
Tags: authentication, authorization, ca, certificate authority, digital id, encryption, integrity, key, non-repudiation, passphrase, PKI, privacy, security, smart card, trust, usb
Posted by John Patrick on Dec 20, 2003 in PKI, Public Policy

There was a cartoon by Peter Steiner in the July 5, 1993 issue of The New Yorker showing a dog at a PC speaking to another dog watching from the floor. The caption was, “On the Internet nobody knows you’re a dog.” Very true and in fact nobody really knows for sure just who you are. Nor do you know who is at the other end of a chat session or e-commerce transaction either. Assuming success of the numerous technologies at the Inside ID conference in Washington, D.C. this week, we will soon have Digital IDs that will change this. There are many issues but it has become urgent that we get digital IDs in place for all of us (and for our servers and eventually for everything). (read more)
Tags: authentication, authorization, ca, certificate authority, digital id, encryption, integrity, key, non-repudiation, passphrase, PKI, privacy, security, smart card, trust, usb
Posted by John Patrick on Dec 9, 2003 in PKI
On Tuesday morning I will be speaking at Inside ID in Washington, D.C. They are calling this conference a "Mega Show" because there will be dedicated sections of the exhibit hall branded to reflect the major tools used in modern identification solutions. These "shows within the show" include: Inside Identity Management, Inside Digital Identity, Inside Card Technology, Inside Biometrics, and Inside Document Security. I am extremely interested in the content of the show and will be reporting more on it later. My talk will be called "The Future Of The Internet: A Distributed Web of Trust". The talk will be based on my views as expressed in a story in Network World where I wrote an 850 word summary, called "The Ultimate Internet".
Tags: identity, PKI, privacy, security
Posted by John Patrick on Dec 7, 2003 in PKI

Mention the word trust and many people immediately think of security. We hear so many negative questions about Internet security. Is it strong enough? What will happen to my credit card number? What about hackers? We would like to implement this or that application but we can’t because of “security”. The list goes on. This is one area where some “old fashioned” attitudes are actually healthy. Security is critical and needs to be taken very seriously — but not in a restrictive sense. In fact the question that business and government leaders should be asking is about how security on the Internet can become the enabler of global commerce, the enabler for enabling people to control the email they get, the enabler for more secure and efficient processing of healthcare information, and the enabler for trusted transactions. (read more)
Tags: authentication, authorization, ca, certificate authority, digital id, encryption, integrity, key, non-repudiation, passphrase, PKI, privacy, security, smart card, trust, usb
Posted by John Patrick on Dec 4, 2003 in PKI, Public Policy

Most websites now have privacy policies and it is a good idea to read them, especially if it is a company you have not done business with before. Some privacy policies amount to "We capture data about you and we sell it or give it to anyone we choose". Other companies have a policy like "We will always tell you if we are capturing your personal data. We will never give it away or sell it. If we want to use it in any way other than to fulfill an order or something you asked of us we will ask your permission first. We guard all data with extremely tight backup and security procedures to insure your data is never compromised". That is a good policy but how does a company insure they are actually complying with their own policy? (read more)
Tags: authentication, authorization, ca, certificate authority, digital id, encryption, integrity, key, non-repudiation, passphrase, PKI, privacy, security, smart card, trust, usb
Posted by John Patrick on Dec 1, 2003 in PKI
Is it possible to be too secure? This morning I was working on a personal financial matter that required me to send some information to another person. The information was on a paper document and I did not have a machine readable version of it. I scanned the document and sent it via email as an eFax attachment. I first called the person to let them know that I would be sending the email. By making the call I was able to verify that the person was who they said they were and the person would then be able to expect the email and who it was coming from and what it contained. Five minutes later I got a call. (read more)
Tags: authentication, authorization, ca, certificate authority, digital id, encryption, integrity, key, non-repudiation, passphrase, PKI, privacy, security, smart card, trust, usb