Digital certificates: Uses in health information exchange- final in series

This post is the last I have currently planned on introducing the topic of the trust framework and digital certificates. The first post in this series addressed the concept of a trust framework. I discussed the role of certificate authorities in helping establish trust among information exchange partners. I provided links to sites that explain how certificate authorities perform identity proofing by following policies and procedures that help define various levels of trust. The second post explored the difference between electronic signatures and digital signatures. Certificates are used with the latter to enable cryptographic technologies that can be used to insure data integrity and non-repudiation. Now I want to discuss two other important uses for digital certificates-user authentication and data encryption.

Digital certificates are a hot topic of discussion in various arenas that are leading the way in health information technology. Both of the two FACA committees, the HIT Standards Committee and HIT Policy Committee, have sponsored meetings of work groups and the entire committee to delve into issues dealing with digital certificates. The use of digital certificates was a core element in the design of the Direct Project. Pilot projects of HwHIN Direct are all dealing with the management of digital certificates. Finally, the Standards and Interoperability Framework sponsored by ONC has several work groups working on digital certificate management and provider directories. The reason for all this overlapping work is that use of digital certificates is central to the user authentication process. Many of the health information exchange transactions are founded on the use two-way exchange of digital certificates (based on strong identity proofing policies and strategies) to assure end point identities. Directories are one way health information exchange users locate the digital certificates of their partners. NIST has prepared an excellent and well-illustrated publication that thoroughly explains the authentication process. It is not easy reading but explains all the concepts that are important for one to truly understand the authentication processes currently used in health information technology. Don't be confused by terminology. Digital certificate, token, and key can be used interchangeably.

The final use of digital certificates is to power the Public Key Infrastructure that is used to encrypt data. I recommend another NIST publication as a reference to help understand the uses of symmetric and asymmetric encryption. This Wikipedia page may also be helpful. We know that the federal rule on data breaches strongly encourages encryption technology. Also, data encryption was designed into the Direct Project specification. I cannot imagine anyone sending unencrypted protected health information over the public internet in this day and age. Furthermore, it is probably a good risk mitigation strategy to encrypt most protected health information, whether it is in transit or at rest on disk storage. The rash of successful network attacks in multiple information technology realms keeps HIT executives and security experts up at night.