HIPAAtech, HIPAAdvisory (Phoenix Health Systems)

Public Key Infrastructure (PKI)

Definition:

PKI stands for "public key infrastructure." PKI is IT infrastructure that enables users of a basically insecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.

PKI is not only software or hardware; it is an infrastructure. PKI is therefore a combination of products, services, facilities, policies, procedures, agreements, and people, all of which work together to provide secure interactions on the Internet and other open networks. It is not a single monolithic entity but a distributed system, whose component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected.

Public key technology is designed to:

  • AUTHENTICATE users strongly over closed or open networks
  • ensure the INTEGRITY of data transmitted over those networks
  • achieve technical NON-REPUDIATION for transactions
  • allow strong ENCRYPTION of information for privacy/confidentiality or security purposes.

Strongly authenticating users is critical in securing any infrastructure: the potential for mischief increases substantially if you cannot be sure with whom you are dealing. Ensuring the integrity of data transmitted from user to user helps prevent the data from being changed in transit. Technical non-repudiation binds a user to a transaction, which provides important forensic evidence in the event of a later dispute. Encryption protects private information from being divulged even over open networks.

Public key technology is also called "asymmetric cryptography." In a typical PKI, two key pairs are generated by or for each user: one key pair is for digital signatures and authentication, and the other is for encryption. Each key pair comprises two keys. These "keys" are very large numbers, up to 150 to 300 digits in length, that are subtly but rigorously linked mathematically. In each key pair, one key is kept private and the other is made public. The public key is typically distributed in a "digital certificate." A trusted party cryptographically binds the public key to the person's identity by digitally signing the certificate; these trusted parties are called Certification Authorities, or "CAs." The digital signature on the certificate ensures that any unauthorized alteration of either the identity or the public key will be detected.

Because public key technology uses two keys, one secret and one public, there is no "shared secret" between the transacting users. Without a shared secret, no single party can compromise the interests of both by losing control of it. There is also no need to manage large numbers of symmetric keys, which would otherwise be required because each pair of transacting parties needs its own unique symmetric key. The user makes the digital certificate available to anyone with whom he or she wishes to conduct business.
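As an added illustration, not part of the original page, the following Go program uses the standard library's x509 package to show the binding just described: a toy CA signs a user's certificate, a relying party verifies it against the CA alone, and altering the identity inside the signed certificate makes verification fail. The CA name "Example Health CA", the user "Dr. Jane Doe" and the validity period are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// must keeps this toy example short: any key or certificate generation error is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildChain is a constructed toy PKI: the CA signs the user's certificate, binding identity to public key.
func BuildChain() (caDER, userDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))   // CA's private/public pair
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // user's private/public pair
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example Health CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER = must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)) // self-signed root
	user := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Dr. Jane Doe"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	userDER = must(x509.CreateCertificate(rand.Reader, user, must(x509.ParseCertificate(caDER)), &userKey.PublicKey, caKey)) // CA signs
	return caDER, userDER
}

// VerifyUser is the relying party's check: the certificate must chain to our trusted CA and be within its validity period.
func VerifyUser(caDER, userDER []byte) error {
	userCert, err := x509.ParseCertificate(userDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(must(x509.ParseCertificate(caDER)))
	_, err = userCert.Verify(x509.VerifyOptions{Roots: roots}) // checks the CA's signature, dates and constraints
	return err
}

// TamperIdentity swaps the subject name after signing; same length, so the DER still parses, but the signature no longer matches.
func TamperIdentity(userDER []byte) []byte {
	return bytes.Replace(userDER, []byte("Jane Doe"), []byte("Jane Roe"), 1)
}
```

Parsing the tampered certificate still succeeds, which is why a relying party must always run the signature check in VerifyUser rather than trust the identity printed in the certificate.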

PKI has not yet been deployed on a broad scale in a complex environment like healthcare. Many technological, legal, financial, organizational and administrative questions remain to be answered. As a result, the Robert Wood Johnson Foundation has funded the HealthKey Program, a collaboration of five healthcare technology organizations across the country that are focused on developing a health information infrastructure using a market-driven, community-based approach. The HealthKey Program partners believe interoperable PKI technology and supporting policies, procedures, and practices will be integral to the secure exchange of health information over the Internet.

Articles and Reports:

Can PKI Live Up to Its Promise of Meeting HIPAA Requirements? by Pete Palmer, Health Management Technology, April 2003
The requirements of HIPAA for secure communication of patient-identifiable information seem tailor-made for PKI. After all, PKI can provide privacy, authentication, data integrity and non-repudiation – all required by HIPAA. In fact, PKI solves a larger subset of the HIPAA security requirements than other methods, e.g., leased lines or IPSec virtual private networks. But widespread deployments of PKI have stalled, and a lot of PKI products have ended up as “shelfware,” because it’s just too complicated to install and use them. If we can make PKI easier to deploy and use, it will begin to live up to its promise.

Only Mostly Dead: RIP PKI. Why a security platform never took off.
While the concept behind PKI was appealing, everything else about it was shoddy. Vendors approached PKI arrogantly and CIOs approached it ignorantly.

HealthKey Program
The ultimate goal for this program is twofold: Making advances in interoperability among PKI implementations in each state and promoting the concurrent adoption of appropriate privacy practices.

NIST PKI Program
The National Institute of Standards and Technology (NIST) is taking a leadership role in the development of a Federal Public Key Infrastructure that supports digital signatures and other public key-enabled security services. NIST is coordinating with industry and technical groups developing PKI technology to foster interoperability of PKI products and projects.

The Evolving Federal Public Key Infrastructure
This report provides an updated picture of how public key technology is being used within Federal agencies, describing a burgeoning expansion as planned and predicted in the previous documents. Further, this report lays out a strategic vision for the continued evolution and development of the Federal PKI, focused on promoting continued expansion within Federal agencies, interoperability among Federal agencies (and ultimately interoperability with the private sector), and the development of appropriate mechanisms for governance that support innovation and growth.
