New Standard Policy for Public Key Certificates
ASTM Subcommittee E31.20 on Data and System Security for Health Information has developed a significant new security standard for healthcare informatics.
E 2212, Standard Practice for Healthcare Certificate Policy, establishes a policy for digital certificates supporting the authentication, authorization, confidentiality, integrity, and nonrepudiation requirements of individuals and organizations that electronically transact health information. The policy establishes minimum responsibilities for healthcare certification authorities, relying parties, and certificate subscribers, and follows Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, PKIX Working Group Internet Draft, January 3, 2002 (RFC 2527).
In the standard, digital or public key certificates bind a public key value to information identifying the entity associated with the use of a corresponding private key. (An entity may be a person, organization, account, role, computer process, application, or device.) Public key certificates offer a convenient set of security features that address confidentiality, integrity, and availability of data, says Ann Geyer, healthcare technology consultant and partner, Tunitas Group, Mountain Ranch, Calif. The ASTM Healthcare Certificate Policy makes it easier for organizations to evaluate the sufficiency and completeness of their certificate requirements. It establishes a common vocabulary, a set of certificate attributes, and standard operational parameters.
ASTM E 2212 contains a Healthcare Certificate Profile including healthcare role and other attribute information. The hcRole attribute used in the standard supports the syntax developed for an hcRole attribute by ISO Technical Committee (TC) 215, Working Group 4. The data type is reproduced and described in a completed sample hcRole attribute on the last page. The 20-page document provides a glossary and reference tables listing certificate format and extensions for end entities, and object identifiers.
This standard will be used by information systems professionals, says Geyer, as a framework to specify their requirements for using public key certificates for a variety of healthcare information management purposes, ranging from individual authentication and data authentication to basic privilege management and electronic signature. A number of healthcare organizations are already using the standard in the design and operation of their PKI implementations.
E 2212 certificate policy defines a set of requirements ensuring that certificates have a minimally sufficient assurance level, covering:
Definition of healthcare certificates, healthcare certification authorities, healthcare subscribers, and healthcare relying parties;
Appropriate use of healthcare certificates;
General conditions for the issuance of healthcare certificates;
Healthcare certificate formats and profile; and
Requirements for the protection of key material.
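As an added illustration, not part of the ASTM text and not the E 2212 profile itself, the following Python models the binding described above: a minimal DER encoder builds a certificate that ties an opaque public key to a subject name, a keyUsage extension, a certificatePolicies assertion and a role attribute carried in subjectDirectoryAttributes, and a relying-party routine parses it back and applies checks of the kind a certificate profile calls for (issued under the expected policy, subject holds the expected role, key usage permits a non-repudiable signature) before accepting it for signing a clinical order. The commonName and X.509 extension OIDs are real; the OIDs for the policy, the role attribute and the key algorithm are placeholders because the page does not give E 2212's identifiers. Key and signature bytes are filler, so a real relying party would still verify the CA signature chain, validity period and revocation status first.

```python
# Toy DER encoder/decoder: how an X.509 certificate binds a public key to a subject plus role and
# policy attributes, and the profile checks a relying party applies. Constructed example: no real CA,
# key material or signature is involved, and only the Python standard library is used.
def der_len(n):                        # X.690 length: short form below 128, long form otherwise
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body
def tlv(tag, body): return bytes([tag]) + der_len(len(body)) + body
def der_int(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def der_utf8(s): return tlv(0x0C, s.encode())
def der_seq(*items): return tlv(0x30, b"".join(items))
def der_set(*items): return tlv(0x31, b"".join(items))
def der_bool(v): return tlv(0x01, b"\xff" if v else b"\x00")
def der_oid(dotted):                   # first two arcs share one octet, the rest are base-128 groups
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.insert(0, 0x80 | (arc & 0x7F))
        out += groups
    return tlv(0x06, bytes(out))
def der_bitstring(bits):               # named-bit BIT STRING; first octet counts unused trailing bits
    nbits = max(bits) + 1
    value = sum(1 << (nbits - 1 - i) for i in bits) << (-nbits % 8)
    return tlv(0x03, bytes([-nbits % 8]) + value.to_bytes((nbits + 7) // 8, "big"))
def parse_tlv(data, pos=0):            # -> (tag, body, end offset); handles long-form lengths
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(data[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, data[pos:pos + ln], pos + ln
def parse_children(body):              # -> [(tag, body), ...] for the elements inside a constructed body
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items
def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

OID_CN, OID_KEY_USAGE, OID_CERT_POLICIES, OID_SUBJ_DIR_ATTRS = "2.5.4.3", "2.5.29.15", "2.5.29.32", "2.5.29.9"
# Placeholder arcs for this example only: the real E 2212 policy, hcRole and algorithm OIDs are not on the page.
OID_DEMO_POLICY, OID_DEMO_ROLE, OID_DEMO_ALG = ("1.3.6.1.4.1.99999.1.%d" % i for i in (1, 2, 3))
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
def name(cn): return der_seq(der_set(der_seq(der_oid(OID_CN), der_utf8(cn))))  # Name ::= SEQUENCE OF SET OF ATV
def extension(oid, critical, inner): return der_seq(der_oid(oid), der_bool(critical), tlv(0x04, inner))
def build_certificate(serial, issuer_cn, subject_cn, key_bytes, usage_bits, policies, roles):
    exts = [extension(OID_KEY_USAGE, True, der_bitstring(usage_bits)),
            extension(OID_CERT_POLICIES, False, der_seq(*[der_seq(der_oid(p)) for p in policies]))]
    if roles:                          # role carried as an attribute inside subjectDirectoryAttributes
        exts.append(extension(OID_SUBJ_DIR_ATTRS, False, der_seq(der_seq(
            der_oid(OID_DEMO_ROLE), der_set(*[der_utf8(r) for r in roles])))))
    spki = der_seq(der_seq(der_oid(OID_DEMO_ALG)), tlv(0x03, b"\x00" + key_bytes))
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(serial), name(issuer_cn), name(subject_cn),
                  spki, tlv(0xA3, der_seq(*exts)))   # simplified TBSCertificate: validity, inner sigAlg omitted
    # Certificate ::= SEQUENCE { tbs, signatureAlgorithm, signatureValue }; the signature is filler here
    return der_seq(tbs, der_seq(der_oid(OID_DEMO_ALG)), tlv(0x03, bytes(9)))

def name_cn(name_body):                # CN of a one-RDN Name: SEQUENCE > SET > SEQUENCE { OID, value }
    return parse_children(parse_children(parse_children(name_body)[0][1])[0][1])[1][1].decode()
def parse_certificate(der):
    tbs, _sig_alg, _sig = parse_children(parse_tlv(der)[1])
    _version, serial, issuer, subject, spki, exts = parse_children(tbs[1])
    cert = {"serial": int.from_bytes(serial[1], "big"), "issuer": name_cn(issuer[1]),
            "subject": name_cn(subject[1]), "public_key": parse_children(spki[1])[1][1][1:],
            "key_usage": set(), "policies": set(), "roles": set()}
    for _, ext in parse_children(parse_children(exts[1])[0][1]):
        parts = parse_children(ext)
        oid, inner = decode_oid(parts[0][1]), parse_tlv(parts[-1][1])[1]
        if oid == OID_KEY_USAGE:       # inner[0] is the unused-bits octet, the flag octets follow
            cert["key_usage"] = {n for i, n in enumerate(KEY_USAGE_BITS)
                                 if 1 + i // 8 < len(inner) and inner[1 + i // 8] & (0x80 >> (i % 8))}
        elif oid == OID_CERT_POLICIES:
            cert["policies"] = {decode_oid(parse_children(p)[0][1]) for _, p in parse_children(inner)}
        elif oid == OID_SUBJ_DIR_ATTRS:
            for atype, avals in (parse_children(a) for _, a in parse_children(inner)):
                if decode_oid(atype[1]) == OID_DEMO_ROLE:
                    cert["roles"] = {v.decode() for _, v in parse_children(avals[1])}
    return cert

def evaluate_for_order_signing(der, required_policy, required_role):
    # Attribute checks a relying party applies before trusting a certificate to sign a prescriptive
    # order. CA signature, validity period and revocation are assumed already verified by a real PKI library.
    cert, problems = parse_certificate(der), []
    if required_policy not in cert["policies"]:
        problems.append("not issued under the required certificate policy")
    if required_role not in cert["roles"]:
        problems.append("subject does not hold role %r" % required_role)
    if not {"digitalSignature", "nonRepudiation"} <= cert["key_usage"]:
        problems.append("keyUsage does not permit non-repudiable signatures")
    return cert, problems

# Constructed sample certificates; the key bytes are opaque filler, not real public keys.
CLINICIAN_CERT = build_certificate(1001, "Demo Healthcare CA", "Dr. A. Example", bytes(range(32)), [0, 1], [OID_DEMO_POLICY], ["physician"])
SERVER_CERT = build_certificate(1002, "Demo Healthcare CA", "lab-results.example", bytes(range(32, 64)), [2], [OID_DEMO_POLICY], [])
```

Calling `evaluate_for_order_signing(CLINICIAN_CERT, OID_DEMO_POLICY, "physician")` returns the parsed fields with an empty problem list, while the same call on `SERVER_CERT` (an entity certificate with keyEncipherment only and no role attribute) reports two problems. The point of separating `parse_certificate` from `evaluate_for_order_signing` is that the profile decision is driven by attributes the issuing CA committed to in the certificate, not by anything the presenting party asserts at run time.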
A subcommittee task group of over 100 informatics stakeholders created the standard through voluntary consensus to define:
Entity certificates issued to computing components such as servers, devices, applications, processes, or accounts reflecting role assignment;
Basic individual certificates issued to individuals involved in the exchange of health information used for healthcare provisioning; and
Clinical individual certificates issued to individuals and used for authentication of prescriptive orders relating to the clinical treatment of patients.
The task group included healthcare business managers, information management and security professionals, system architects, leading security vendors, and industry consultants.
The original motivation for this standard was to provide a framework for designing and using public key infrastructure for healthcare purposes, says Geyer, the task group chairman. There were two primary objectives: first to make PKI more accessible by providing a certificate policy and profile any healthcare enterprise could use as the basis of its PKI; and second to promote interoperability of public key certificates within the healthcare industry by having a standard set of certificate requirements. ASTM is an ANSI-accredited standards development organization and the new E 2212 Healthcare Certificate Policy is recognized as an ANSI standard.
ASTM Committee E31 on Healthcare Informatics approved the standard which ASTM issued this year.
For further technical information, contact Ann Geyer, Tunitas Group, Mountain Ranch, Calif. (phone: 209/754-9130). For membership or meeting details, contact Dan Smith, director, Technical Committee Operations, ASTM International (phone: 610/832-9727).
Copyright 2003, ASTM