[LINK] More on smartcards [was:Roxon revives smartcard plan]
Stephen Wilson
swilson at lockstep.com.au
Mon Jun 22 10:25:02 AEST 2009
Tom Worthington wrote:
> At 08:49 PM 17/06/2009, Stephen Wilson wrote:
>> ... Long before we have standardised e-health records, we could see
>> benefits from the right sort of smartcard ... hold a number of
>> IDs/keys to enable indexing of different records ...
> Good point. But ... this will not necessarily give the patient any
> more control, as when they go to a health center the first thing which
> is likely to happen is that the staff will ask them for their card, at
> which point the patient has lost control of their records.
There are a host of issues around 'control' regardless of the possible
involvement of a smartcard. If health records are kept on servers, then
we must grapple with a set of issues entirely orthogional to smartcards,
to do with ownership, custodianship, privacy, control of the data etc.
Loosely speaking, this is the privacy/security/"trust" in-the-clouds
issue. In health records, subsets of one's data probably should be made
available under proper protocols to interested parties in emergencies or
where the patient cannot given consent. That is, if we do have patient
smartcards then they will not always be necessary to grant access -
there will have to be exceptions. But smartcards would be beneficial
for giving consent in routine clinical encounters to healthcare
professionals to access a record (or multiple records) in full.
>> ... using something like a smartcard to access Personal Health
>> Records (PHR) over the Internet. ...
> You can't use a smart card on it own to access the Internet: you have
> a smart card reader as well. Medicare gives away USB smart card
> readers to medical practitioners. But this might be a bit expensive
> and cumbersome for every citizen.
Yes. There is a tradeoff in convenience versus security here. Let me
state my thesis that good mutual authentication (to protect health
records users from accessing phishing sites) necessitates a smart
personal authentication device, like a smartcard, or could be a phone,
SIM, USB crypto key etc. I do not believe it's safe to access large
scale PHRs without such a device. Yes, it requires extra steps be
taken, but that may be worth it. There was a time when you didn't need
an ignition key to start your car, and I imagine that some customers
complained that car keys were inconvenient too. Or there was a time
when you had to make a special trip to the networked CD-ROM burner in
the IT department if you wanted to burn some data to a disc
[But now that USB keys hold 10s of GB and software is not being
distributed on sticks not discs, I wonder if the days of the CD drive
are numbered? Boy, that would liberate a lot of valuable volume in the
laptop build.]
With smartcards and card readers becoming prevalent (see e.g.
http://tinyurl.com/3rmx9j) and with the use of plastic cards across all
of commerce and government totally habitualised, it may be just a matter
of time before we see a wave of applications in which you insert the
appropriate smartcard into a PC and stuff happens. Like properly
secure, mutually authenticated net banking and e-shopping (using a
Chip-and-PIN credit card), e-health (using a smart Medicare Card or
dedicated new card), and secure & private government services (using
e.g. the new Qld driver licence).
> I wonder if anyone has made a credit card shaped unit with a USB
> connector on one edge? This could still have a magnetic stripe and a
> standard smart card interface. But when at home you could simply plug
> one end of the card into the USB port on your computer, without the
> need for any extra hardware, except perhaps a USB extension cable.
Exactly this sort of thing was seen floating around in the Singapore
government a few years ago -- a customarily sized smartcard with a USB
'tongue' (no metal shroud) sticking out at the end. It suffered a few
obvious problems however. The USB connector is significantly thicker
than a standard plastic card, and made from a stiffer material, so the
card's construction is complicated. And the form factor is not
compatible with ATMs and other readers that capture the card.
The better bet long term I think is standard smartcards used with
readers built into commodity PCs and notebooks.
Cheers,
Stephen Wilson
Lockstep
www.lockstep.com.au
More information about the Link
mailing list