[LINK] More on smartcards [was:Roxon revives smartcard plan]

[Stephen Wilson]

Tom Worthington wrote:
> At 08:49 PM 17/06/2009, Stephen Wilson wrote:
>> ... Long before we have standardised e-health records, we could see 
>> benefits from the right sort of smartcard  ... hold a number of 
>> IDs/keys to enable indexing of different records ...
> Good point. But ... this will not necessarily give the patient any 
> more control, as when they go to a health center the first thing which 
> is likely to happen is that the staff will ask them for their card, at 
> which point the patient has lost control of their records.
There are a host of issues around 'control' regardless of the possible 
involvement of a smartcard.  If health records are kept on servers, then 
we must grapple with a set of issues entirely orthogional to smartcards, 
to do with ownership, custodianship, privacy, control of the data etc.  
Loosely speaking, this is the privacy/security/"trust" in-the-clouds 
issue.  In health records, subsets of one's data probably should be made 
available under proper protocols to interested parties in emergencies or 
where the patient cannot given consent.  That is, if we do have patient 
smartcards then they will not always be necessary to grant access - 
there will have to be exceptions.  But smartcards would be beneficial 
for giving consent in routine clinical encounters to healthcare 
professionals to access a record (or multiple records) in full. 
>> ... using something like a smartcard to access Personal Health 
>> Records (PHR) over the Internet. ...
> You can't use a smart card on it own to access the Internet: you have 
> a smart card reader as well. Medicare gives away USB smart card 
> readers to medical practitioners. But this might be a bit expensive 
> and cumbersome for every citizen.
Yes.  There is a tradeoff in convenience versus security here.  Let me 
state my thesis that good mutual authentication (to protect health 
records users from accessing phishing sites) necessitates a smart 
personal authentication device, like a smartcard, or could be a phone, 
SIM, USB crypto key etc.  I do not believe it's safe to access large 
scale PHRs without such a device.  Yes, it requires extra steps be 
taken, but that may be worth it.  There was a time when you didn't need 
an ignition key to start your car, and I imagine that some customers 
complained that car keys were inconvenient too.  Or there was a time 
when you had to make a special trip to the networked CD-ROM burner in 
the IT department if you wanted to burn some data to a disc

[But now that USB keys hold 10s of GB and software is not being 
distributed on sticks not discs, I wonder if the days of the CD drive 
are numbered?  Boy, that would liberate a lot of valuable volume in the 
laptop build.]

With smartcards and card readers becoming prevalent (see e.g. 
http://tinyurl.com/3rmx9j) and with the use of plastic cards across all 
of commerce and government totally habitualised, it may be just a matter 
of time before we see a wave of applications in which you insert the 
appropriate smartcard into a PC and stuff happens.  Like properly 
secure, mutually authenticated net banking and e-shopping (using a 
Chip-and-PIN credit card), e-health (using a smart Medicare Card or 
dedicated new card), and secure & private government services (using 
e.g. the new Qld driver licence).
> I wonder if anyone has made a credit card shaped unit with a USB 
> connector on one edge? This could still have a magnetic stripe and a 
> standard smart card interface. But when at home you could simply plug 
> one end of the card into the USB port on your computer, without the 
> need for any extra hardware, except perhaps a USB extension cable.
Exactly this sort of thing was seen floating around in the Singapore 
government a few years ago -- a customarily sized smartcard with a USB 
'tongue' (no metal shroud) sticking out at the end.  It suffered a few 
obvious problems however.  The USB connector is significantly thicker 
than a standard plastic card, and made from a stiffer material, so the 
card's construction is complicated.  And the form factor is not 
compatible with ATMs and other readers that capture the card. 

The better bet long term I think is standard smartcards used with 
readers built into commodity PCs and notebooks. 

Cheers,

Stephen Wilson
Lockstep
www.lockstep.com.au