What's a suitable crypto system for this app? 509/PGP?

 
 
Kurt Häusler
Guest
Posts: n/a
 
      07-03-2007
Hi,
I am developing part of an application that handles sets of medical data
that need to be encrypted when they are being saved to a disk or sent over
a network to protect patient privacy. Basically whenever they exist as a
file outside the database.

Authentication or digital signatures are not considered that important but
could be a nice feature to add on.

At the moment we are thinking of 2 levels of security, the stronger option
is using a public key system, so it can be encrypted specifically for the
intended recipient and only them. The disadvantages are that there might
be no internet connection available to search for and download public keys.

So we are thinking of also offering a password based symmetric key option.
Where the password can be either generated or chosen at export time. That
can be printed out and posted or spoken to the recipient over the phone or
something, it would have to be less than 10 characters so people can
be bothered to type in.

I am a fan of OpenPGP and initially thought of using the PGP SDK, but the
MS Crypto API should also be considered. X.509 solutions seem to be taken
more seriously in the commercial world than web of trust systems, and
perhaps we could buy keys in bulk from a CA and provide them with the
software, if it works that way. It seems as though users need to present
ID or personally visit the CA to get a trusted key, but I could be wrong
on that. X.509 does seem to focus more on digital signatures than
encryption.

Anyway what do you gurus think?

Any other out of the box solutions are most welcome.
Lawrence D'Oliveiro
Guest
Posts: n/a
 
      07-04-2007
In message <>, Kurt Häusler wrote:

> I am developing part of an application that handles sets of medical data
> that need to be encrypted when they are being saved to a disk or sent over
> a network to protect patient privacy.


Encryption technology is about keeping secrets, not about maintaining
people's privacy. Privacy is maintained by policy, not by encryption
technology.

Before you design your security system, have you asked yourself what threat
scenarios you envisage? Who is likely to want to violate patients' privacy,
and how might they try to do it?

It seems to me people's medical records are of little or no interest to
anybody except those patients.
Eugene Mayevski
Guest
Posts: n/a
 
      07-04-2007
Hello!
You wrote on Tue, 03 Jul 2007 15:25:08 -0500:

KH> So we are thinking of also offering a password based symmetric key
KH> option. Where the password can be either generated or chosen at export
KH> time. That can be printed out and posted or spoken to the recipient
KH> over the phone or something, it would have to be less than 10
KH> characters so people can be bothered to type in.

A passphrase (i.e. a long meaningful sentence) can be used instead of a short
password.

The question "what to use" depends on how you will receive the public key
and how you will confirm its identity (in order not to encrypt the data
with some false key which will be used for information theft). If you can
ensure that the key has come from the intended recipient, then OpenPGP is a
good choice. If you need to verify the key itself, then you are stuck with
X.509 and public CAs. Your assumption that X.509 is mainly for signing is
probably biased, because the backend technologies (public key cryptography)
are the same in OpenPGP and X.509 (PKCS#7, to be precise).

Our product, SecureBlackbox (see signature) provides support for both X.509
and OpenPGP technologies.

With best regards,
Eugene Mayevski
http://www.SecureBlackbox.com - the comprehensive component suite for
network security

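The passphrase suggestion above, and the original post's idea of a generated password of under 10 characters, can be compared concretely. The following is an added example, not code from the thread or from SecureBlackbox: it generates both kinds of secret with the OS CSPRNG, stretches either one into a fixed-length encryption key with PBKDF2-HMAC-SHA256 (iteration count, salt size and key size are assumed parameters), and estimates how much entropy each policy gives an offline guesser.

```python
import hashlib
import math
import secrets

# Assumed parameters for this example (not taken from the thread).
ITERATIONS = 600_000   # PBKDF2 work factor: slows every offline guess
SALT_BYTES = 16        # random, per export, stored in clear beside the ciphertext
KEY_BYTES = 32         # e.g. an AES-256 key for the symmetric export option
SECONDS_PER_YEAR = 365.25 * 24 * 3600

ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Constructed stand-in for a diceware-style list of 7776 words.
WORDLIST = [f"word{i:04d}" for i in range(7776)]


def generate_password(length: int, alphabet: str = ALNUM) -> str:
    """A 'generated at export time' password: uniform picks from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(count: int, words: list[str] = WORDLIST) -> str:
    """A passphrase of `count` words, easier to read over the phone than symbols."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` uniform choices from `symbol_count` symbols."""
    return length * math.log2(symbol_count)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for an attacker to try the whole keyspace at a given guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the typed secret into an encryption key. Same secret and salt
    always give the same key; a fresh salt gives an unrelated key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def new_export_key(secret: str) -> tuple[bytes, bytes]:
    """Per-export (salt, key) pair; the salt travels with the file, the key does not."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, derive_key(secret, salt)
```

A 9-character alphanumeric password carries about 54 bits, a 6-word passphrase about 78 bits; the KDF work factor only scales the guess rate, it does not close that gap.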
Kurt Häusler
Guest
Posts: n/a
 
      07-04-2007
On Wed, 04 Jul 2007 11:21:20 +0300, Eugene Mayevski wrote:

> A passphrase (i.e. a long meaningful sentence) can be used instead of a short
> password.


I am leaning more and more away from the idea of allowing the user to
choose a password and more towards the idea of a PKI based thing, running
our own simple CA. The key management seems to be the tricky aspect,
particularly for users with no internet. I am looking at a number of off
the shelf CA solutions now.

> Our product, SecureBlackbox (see signature) provides support for both X.509
> and OpenPGP technologies.


Thanks I will have a look.
Kurt Häusler
Guest
Posts: n/a
 
      07-04-2007
On Wed, 04 Jul 2007 19:36:17 +1200, Lawrence D'Oliveiro wrote:

> Encryption technology is about keeping secrets, not about maintaining
> people's privacy. Privacy is maintained by policy, not by encryption
> technology.


You are right; as far as policy goes, most jurisdictions, especially in our
target markets America and Europe, have (or soon will have) laws that make
it an offence to "allow unauthorised third parties access to confidential
medical information".

There have apparently been lawsuits already where a patient's secret
medical information has been released without their consent.

Our goal is to implement a system that allows doctors to treat such
confidential information as a secret to be shared between a small number
of participants. So in this way privacy is enabled by a
system that allows secret-keeping.

> Before you design your security system, have you asked yourself what
> threat scenarios you envisage? Who is likely to want to violate
> patients' privacy, and how might they try to do it?


Some of the scenarios include selling information on famous people to the
media, potentially blackmailing people by threatening to reveal medical
conditions that the patient considers secret or private, also people have
in the past released medical pictures of breasts and genitals on
pornography sites which the patients found somewhat traumatic.

> It seems to me people's medical records are of little or no interest to
> anybody except those patients.


Generally yes, but surveys on privacy indicate people are mostly worried
about their medical information being released. Anyway the need for the
software is established, so I am only really concerned with making the
general case (that of allowing unauthorised third parties access to
confidential/private/secret medical information) as difficult as possible.
Lawrence D'Oliveiro
Guest
Posts: n/a
 
      07-04-2007
In message <>, Kurt Häusler
wrote:

> Some of the scenarios include selling information on famous people to the
> media, potentially blackmailing people by threatening to reveal medical
> conditions that the patient considers secret or private...


And how would you guard against that? Who among the categories of people who
might be given access to this information can be completely relied on not
to release it? Are the doctors absolutely trustworthy? If not, who?
Kurt Häusler
Guest
Posts: n/a
 
      07-04-2007
On Wed, 04 Jul 2007 22:42:53 +1200, Lawrence D'Oliveiro wrote:

> In message <>, Kurt Häusler
> wrote:
>
>> Some of the scenarios include selling information on famous people to the
>> media, potentially blackmailing people by threatening to reveal medical
>> conditions that the patient considers secret or private...

>
> And how would you guard against that? Who among the categories of people who
> might be given access to this information can be completely relied on not
> to release it? Are the doctors absolutely trustworthy? If not, who?


Problems can't be prevented 100% of course, but risk can be managed, blame
allocated, chances of problems occurring minimized.

At some point doctors have to be trusted to a certain extent; they are
trained and paid to respect people's privacy and accept that
responsibility as part of their job. But there's no reason to burden all
the trainees, secretaries, nurses, and couriers etc who might come into
possession of a DVD containing confidential information with that degree
of responsibility too. The business case for encrypting medical
information in transit is already established and medical professionals
are waiting on software to give them the confidence to perform their
duties in an increasingly hostile litigative environment.
Lawrence D'Oliveiro
Guest
Posts: n/a
 
      07-04-2007
In message <>, Kurt Häusler
wrote:

> On Wed, 04 Jul 2007 22:42:53 +1200, Lawrence D'Oliveiro wrote:
>
>> In message <>, Kurt Häusler
>> wrote:
>>
>>> Some of the scenarios include selling information on famous people to
>>> the media, potentially blackmailing people by threatening to reveal
>>> medical conditions that the patient considers secret or private...

>>
>> And how would you guard against that? Who among the categories of people
>> who might be given access to this information can be completely relied on
>> not to release it? Are the doctors absolutely trustworthy? If not, who?

>
> At some point doctors have to be trusted to a certain extent; they are
> trained and paid to respect people's privacy and accept that
> responsibility as part of their job. But there's no reason to burden all
> the trainees, secretaries, nurses, and couriers etc who might come into
> possession of a DVD containing confidential information with that degree
> of responsibility too.


Why not? That already happens with paper files. They could be trusted not to
leak information from those, why should DVDs be any different?
Kurt Häusler
Guest
Posts: n/a
 
      07-04-2007
On Wed, 04 Jul 2007 23:13:23 +1200, Lawrence D'Oliveiro wrote:


>> At some point doctors have to be trusted to a certain extent; they are
>> trained and paid to respect people's privacy and accept that
>> responsibility as part of their job. But there's no reason to burden all
>> the trainees, secretaries, nurses, and couriers etc who might come into
>> possession of a DVD containing confidential information with that degree
>> of responsibility too.

>
> Why not? That already happens with paper files. They could be trusted not to
> leak information from those, why should DVDs be any different?


Well, that's a good question really. I don't actually know the answer.
People do seem to worry more about their privacy and security as it
relates to the electronic domain than in more traditional forms of
information. For example, everyone is worried about pictures of naked
children and bomb making instructions online, but no one seems to be worried
about it in art or libraries. Same with credit card fraud: it seems to me
that it's easier to be a victim of it by handing your card to the waiter in
a restaurant than by buying a book from Amazon, but I only ever hear about
it being an issue online.

Maybe it is just a case of people fearing what they don't know or perhaps
find harder to understand; perhaps as a programmer I only hear about these
issues as they refer to the digital domain and they are in fact just as
relevant to paper based records. Perhaps there are certain aspects of the
nature of electronic information that make problems easier or more
serious than in the equivalent non-electronic form. Maybe the fact that
non-electronic systems are older than electronic ones means that the
issues there have long been resolved and the electronic world is catching
up. Probably on a case by case basis any number of these issues may or may
not be relevant.

Actually I would like to think that sensitive paper based records are in
fact treated as seriously as electronic ones and have been for a long
time, and that every effort is made to protect privacy and confidentiality
regardless of what form the information finds itself in.

As a programmer though I am primarily interested in the implementation of
security as it pertains to digital records regardless of the perceived
need or otherwise for it.

Interesting discussion, but I think the questions you have regarding the
degree of necessity are, although interesting, beyond what I know about
the subject. I appreciate the need for security, but I don't feel
particularly obliged, compelled, or prepared to convincingly
persuade others that they need it. In many cases people probably don't care
less, but the people paying me seem to, so that's good enough for me.