HIPAA, PKI, and reducing productivity
Over the weekend, I was talking to a programmer/researcher at a large research hospital. He was telling me how he was involved in rolling out and using PKI for the physicians, nurses, researchers, administrators, and anyone else working there. Unfortunately, the PKI they chose was not necessarily the same PKI used by patients, drug companies, labs, universities, and other institutions outside the hospital. Because of HIPAA, some (if not all) emails must be encrypted. However, if the "outsiders" are not using a PKI, or are using an incompatible one (which seems often to be the case), the hospital employee must either not send the email or risk breaking the HIPAA laws by sending the message in plaintext.
Apparently, most people are choosing not to send. This has had a detrimental effect on productivity.
If you think the medical industry should not be concerned about patient privacy, then the solution to the problem is to scrap the PKI and simply send and store everything in the clear.
But if you like patient privacy, with or without HIPAA, and if you think efficiency and productivity in the medical industry are important, then this story illustrates that the hospital needs to do something.
What should it do? Choose another PKI? Whichever they choose will still be incompatible with someone else's. Spend the money to make PKI workable? The crypto industry has been trying to do that for 20 years and is about as close to making client PKI work as it was 10 years ago.
Of course, I think they should use IBE. But I'm biased: I work for Voltage.
On the other hand, our customers have discovered that in the hospital scenario (and similar ones), IBE does the job. It is easy to roll out, easy to use, and most importantly, easy to use with outsiders who either have no PKI or have a PKI, just a different system. With IBE, there is no need to make a choice between sending in the clear or not sending. It is possible to always send encrypted.
This story points out that PKI has some serious problems. We either have to live with them, solve them, or come up with something else. Whatever system we choose will have advantages and disadvantages, so in comparing two systems, we have to weigh the plusses and minuses of each. I'd be interested in hearing what a nonbiased observer has to say.
--Steve Burnett




