>A more subtle, and to my way of thinking more serious, problem with SSL is
>the underlying trust model. This is that all transactions take place between
>browsers (which are in effect retail customers) and servers (which are in
>effect shops). I don't think that this is expressive enough to support the
>sort of web-based medical records that could be useful in healthcare. The
>missing features are:
>
>- digital signatures on web pages so that you can rely on the origin
> and contents of (say) a lab report or referral letter
>
>- encryption mechanisms that support access control lists, so that
> you can build access controls into heterogeneous distributed systems
> in a robust and extensible way.
>
Does SSL v2, where digital certificates are available for both the
server AND client, change the model?

Of course it still only authenticates the client, not the user of the
client. That's an application-level issue to my mind, and/or handled
with individually issued authentication devices.

With a web-enabled back end database application, the features you
describe can be handled within the back-end application to a great
extent. Note Mike Wells' comments about application level security -
that's where it's arguably best handled - e.g. hospital X's pathology
system only lets you access the records you have been deemed (by the
pathologist?) to be entitled to access and only in the way you are
entitled to access them.

If you access the results interactively from within hospital X's
system (albeit via a remote web front end), you will probably have few
doubts about the origin and authenticity of the results - or at least
arguably less so than if you received them "out of the blue" via email
or EDI.

It seems to me, then, where SSL fits in is the (albeit currently
imperfect) encryption it provides to transfer information from the
server to your PC screen. How about alternative non-USA algorithms to
40 bit RSA? - Red Pike maybe (hears sharp intake of breath!).

Authentication that you, the Web browser user, are who you say you are
and the control over what information you can then gain access to is
vital, but lives within the application you are trying to access,
---
Rob Tweed
IM&T Consulting Ltd; Health Web Services Ltd;
M/Gateway Developments Ltd
Tel: (+44) 181 540 1325
Fax: (+44) 181 715 4337
---