We are currently writing an internet-based application for use by doctors and health providers to exchange information. Because of this, security and privacy are obviously a concern (although if the laws around this in Australia were the only guide you may be forgiven for not thinking that!). This has led me to look at a number of different possible approaches to keeping the data sent between the users secure and private. The trade-off, of course, is against quite a few of the other 'ilities like usability, flexibility, mobility and performability (I've always liked that one). Here were the choices, with the pros and cons:
- VPN vs SSL: the option of running everything over a VPN was ruled out because we wanted to include a large range of people in a large range of locations; VPNs just don't work in this setting.
- Client certificates: remember the NBT (next big thing), PKI? Good because we could have another level of identification; bad because of the overhead of managing certificates, people forgetting their passwords, and the management of installation or use of the certificates.
- Encryption of data: generally a good thing, because even though the systems administrators could theoretically get access to the keys to decrypt it, that is a step further than just casually seeing the in-the-clear text of messages or data.
  - Public key via client certificates: good because the information is encrypted with the recipient's key; it would be even better if this was done on the client, but the difficulty is that the only real way of doing this is to use ActiveX, which only works on IE (bad since we support Firefox as well). Bad because of the client-certificate management issues noted above and the browser dependencies. If it is done on the server, there is no advantage over symmetric encryption and the overheads are greater.
  - Symmetric encryption using a private key: good mostly, another level of protection; the main issue is where to store the key, but that can be put on a smartcard or other off-box device.
In reality, the decision tree for using a particular variant for security is complicated, and the path depends on context. This is probably why it is so difficult to come up with specific recommendations on what is necessary when it comes to the security of medical records. The bottom line is that reasonable steps should be taken to protect the privacy and security of patient information, but the advantages to patients of systems that facilitate accurate and timely sharing of information far outweigh the risks of breaches, provided a base level of security (SSL, usernames and passwords, and content encryption) is applied.