Friday, 2 July 2004

You should be Certified

At least, everybody tells me that I should.

But Seriously Folks, this one's a Big Deal. Seen via that excellent blog (how could such a thing come from Melbourne is beyond me) TramTown, comes a story about Digital Certificates. Free ones.

OK, so what's the Big Deal? Basically, a Digital Certificate provides a trusted Internet ID. In fact, it's the only relatively secure way of providing such a trusted ID.

In My Brilliant Career, I've often had to deal with databases and other such systems where giving the wrong people too much access can cause real problems. I don't mean just theft of hundreds, or hundreds of millions, of dollars, I mean people can die as the result. Would you want your Medical Records a matter of public knowledge? Worse, would you like some miscreant to be able to alter them, so the next time you get medical treatment, they might not know of a life-threatening allergy and give you the wrong drugs?

One of the big problems with medical treatment nowadays is if you journey outside the coverage of your local GP or Hospital, and get sick. The GP in your new locale has no idea of your medical history, they're forced to play '20 questions' with you, and rely on your imperfect memory to get some sort of background so they can start diagnosis. This can, and has, sometimes resulted in 'obvious' problems being missed, and people dying as the result. One example I know of : over-medication with anti-blood-clotting agents after a patient got transferred interstate, which probably caused the patient's death two weeks later.

Now all this data is already recorded in your GP's computer, and your Hospital Records. But privacy concerns mean that it's guarded like Fort Knox, or at least it should be. In many parts of the world, that's the Law.

But in order to give an outsider access, that outsider must be trusted, verified - and basically, certified, signing in with a digital certificate that is not feasibly forgeable. Such things exist. But until now, they've been costly, and a general pain to administrate. One thing a large medical practice doesn't need is to shell out thousands, or tens of thousands, of dollars per year just in certificate costs, money that could be used for new equipment, or to reduce charges to patients. In one medical catchment area (no names, no pack drill) that I've had experience with, the take-up amongst pharmacies, medical clinics, hospitals and pathology labs was... THREE PERCENT.

So what would a somewhat-more-secure-than-today's-certificate that is also free-as-in-beer mean? It would greatly increase the co-ordination between pharmacies, pathologists, and medical practitioners. It could tighten up the practice of despensing prescription drugs (many of which are subsidised here, and capable of misuse). It could mean a reduction in the number of mistakes made because the wrong pathology results were used in making the diagnosis. Fewer people with damaged eyesight due to an incorrect prescription for laser-eye-surgery.

Oh yes, if consumers, people such as you or I, were to be (Digitally) Certified, then it could dramatically reduce the amount of Fraud with Credit-Card payments, enabling the credit companies to reduce rates, and stores to reduce prices. With a bit of work, we should be able to eliminate Spam too, thereby freeing up bandwidth, making it cheaper, and reducing the billions of hours lost per year in deleting the stuff.

It's not a Universal Panacea: the certification is of a Computer, not a person, so physical access to it must be restricted, passwords or physical keylocks installed etc. But the same is true for any security situation.

That is why it's a Big Deal. Or at least, if the article is accurate, it could be.

UPDATE : More over at Slashdot.

No comments: