
Difference between revisions of "Implementation FAQ:Encryption and Security"

From HL7Wiki
Line 1: Line 1:
 
The use of encryption and security is discussed in the security committee, and email questions sent to that list get good answers.  This page has been created to capture some of those answers to make them more accessible
 
The use of encryption and security is discussed in the security committee, and email questions sent to that list get good answers.  This page has been created to capture some of those answers to make them more accessible
*Encryption
+
== Encryption ==
 +
In the Security TC we have assumed that encryption happens below the application layer, e.g., via IPSec or TLS, not within HL7 messages. 
 +
 +
Any encryption to be done on only part of a message hauls along considerable technical baggage.  That includes whole new classes of administrative & infrastructure messages to establish and maintain organizational trust, communicate shared secrets (keys), user/entity authentication, etc.  It would require considerable net-new volunteerism to accomplish this work along with other things already on our agendas.
 +
 +
As a practical matter, we also should assume that people want to access healthcare data in a way that resembles the regime used for e-commerce or VPNs.  When healthcare consumers access their healthcare information it's proper to assume that they'd use normal browser-based access, which limits the technical choices anyhow.
 +
 +
The Security TC does support the HL7 application-layer necessities, of course, such as the recently-balloted RBAC role vocabulary and the exchange of privacy-consent data.
 +
 
 +
(email from Glen Marshall 31/8/07)
 +
== Signing ==
 +
See the separate page:
 
*[[Implementation FAQ:Digital Signatures|Digital Signatures]]
 
*[[Implementation FAQ:Digital Signatures|Digital Signatures]]
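
Review bot: The added Encryption section reproduces the email in the first person ("we have assumed", "our agendas") and only identifies it as an email from Glen Marshall in the closing parenthetical, so a reader cannot tell where the quoted text begins. Suggest marking the four paragraphs as a quotation with the attribution placed before them, and writing the date out in full as the revision timestamp does. The phrase "recently-balloted RBAC role vocabulary" will also lose its meaning over time unless the ballot is named.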

Revision as of 14:31, 31 August 2007

The use of encryption and security is discussed in the security committee, and email questions sent to that list get good answers. This page has been created to capture some of those answers to make them more accessible.

== Encryption ==

In the Security TC we have assumed that encryption happens below the application layer, e.g., via IPSec or TLS, not within HL7 messages.

Any encryption to be done on only part of a message hauls along considerable technical baggage. That includes whole new classes of administrative & infrastructure messages to establish and maintain organizational trust, communicate shared secrets (keys), user/entity authentication, etc. It would require considerable net-new volunteerism to accomplish this work along with other things already on our agendas.

As a practical matter, we also should assume that people want to access healthcare data in a way that resembles the regime used for e-commerce or VPNs. When healthcare consumers access their healthcare information it's proper to assume that they'd use normal browser-based access, which limits the technical choices anyhow.

The Security TC does support the HL7 application-layer necessities, of course, such as the recently-balloted RBAC role vocabulary and the exchange of privacy-consent data.

(email from Glen Marshall 31/8/07)

== Signing ==

See the separate page:
*[[Implementation FAQ:Digital Signatures|Digital Signatures]]