Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Mobile

    Prescription for PKI Success

    By
    Anne Chen
    -
    November 5, 2001
    Share
    Facebook
    Twitter
    Linkedin

      If you build it, so the saying goes, they will come. But what if you lack the in-house expertise to build it in the first place? This was the dilemma facing Catherine Roth, CEO of Medepass Inc., a San Francisco company that was formed by the California Medical Association two years ago to verify the online identities of health care professionals and to serve as a certificate authority. Earlier this year, with the HIPAA (Health Insurance Portability and Accountability Act) deadline quickly approaching, Roth needed to find a way to deploy PKI (public-key infrastructure)—a technology organizations have struggled with for years—and she needed to do it within mere months.

      In the end, Roth chose to outsource the generation of digital certificates to security vendor Certicom Corp., in Hayward, Calif. The move not only allowed Medepass to beat the HIPAA deadline of October 2002 but also saved the company time and millions of dollars in infrastructure deployment costs, Roth said.

      “The PKI world believes in databases secured like bunkers, and, frankly, those are expensive to build and to maintain,” Roth said. “Who needs that? Theres no reason for us to try to reinvent the wheel or try to do it ourselves when experts are available.”

      As more organizations move to embrace public-key cryptography to securely transmit documents to partners, suppliers and customers, experts say they will be faced with the multimillion-dollar question: Should PKI be done in-house or outsourced?

      The benefits of outsourcing, experts say, are obvious. The complexity of establishing trust models for authentication, the difficulty in integrating with internal applications and the intricacy of managing digital certificates make outsourcing PKI attractive to organizations that lack the in-house expertise and the time to do it themselves. And as with many other managed infrastructure services, outsourcing also enables companies to save time, money and headaches associated with implementing and operating the infrastructure themselves.

      “Theres more inclination toward outsourcing in part because the early adopters wanted to own PKI,” said Vic Wheaton, an analyst at Gartner Inc., in San Jose, Calif. “Now, people are realizing PKI is hard. And even financial services organizations with the hubris and the pride-of-ownership issues have been leaning more toward the outsourcing model.”

      Just how tenuous has the deployment of PKI been? Gartner estimates that 80 percent of PKI projects are still in pilot mode. And International Data Corp. estimates that by 2004, two-thirds of PKI vendor revenue will stem from managed services rather than software.

      The dilemma that Medepass faced is one many health care organizations share. HIPAA, which was passed in 1996, gives health care providers and insurers one year from Oct. 16 to put tighter locks on patient information. Part of the act requires the use of PKI to encrypt messages sent among physicians as well as provide proof of their licenses.

      Much of the cost associated with PKI comes from having to build a highly secure data center from which to generate digital certificates. After all, if a certificate authority were to be compromised, unauthorized users could gain access to confidential patient information.

      “Outsourcing PKI has a lot to do with skill sets,” Gartners Wheaton said. “Building a secure data center, ensuring the security, managing it and even running the help desk associated with the generation of certificates are complex and time-consuming tasks.”

      Medepass decided that it was not cost-effective to build a secure data center internally because of costs associated with training, the purchasing of hardware and the time it would take to ensure the security of the data center. The company, instead, chose to outsource that function by subscribing to Certicoms MobileTrust services. MobileTrust provides certificate generation from within a secure bunker maintained and managed by the security vendor. Medepass also licensed Certicoms TrustPoint PKI Portal software, which serves as a registration authority, and operates it in-house.

      Physicians must be referred by their colleagues before qualifying for a Medepass certificate. Once referred, a physician then must pass a strenuous online authentication process in which he or she answers a series of questions. Medepass checks the answers against Oracle Corp. 8i databases that hold medical licensing, education and work history information.

      If a physician passes the authentication process, a request is generated and sent to the TrustPoint PKI Portal application running on servers located at Medepass. The portal approves the request and forwards it to the certificate authority in Certicoms secure data center. Certicom issues the certificate to Medepass, which stores information about the certificate in a Lightweight Directory Access Protocol directory before sending the certificate to the physician.

      The certificates can be stored either on the physicians desktop or on hardware such as a Universal Serial Bus token. All transactions run over TCP/IP, and every message sent between the PKI portal run by Medepass and the certificate authority at Certicom is digitally signed and encrypted.

      Already, a number of health care organizations across the nation have signed on to accept Medepass digital certificates. Using those certificates, physicians will be able to request patient documents and confidential information from insurers online. Last month, Medepass began issuing digital certificates to 4,000 physicians in California at a cost of $25 to $50 a certificate per year. While Certicom declined to reveal how much its Medepass contract is worth, Medepass executives said that, depending on volume, customers are charged anywhere from $2 to $25 per certificate for the MobileTrust services.

      Partnering with Certicom also enables Medepass to roll out additional services that require PKI, such as wireless digital certificates. With the popularity of handheld devices among physicians, Medepass will also use Certicoms MobileTrust services to issue digital certificates for handheld devices and laptops beginning in the middle of next year.

      “Were firm believers in PKI, and the health care industry needs to stop wondering if its the right technology and start figuring out how we can get it to work to the benefit of the patients,” Roth said.

      Anne Chen
      As a senior writer for eWEEK Labs, Anne writes articles pertaining to IT professionals and the best practices for technology implementation. Anne covers the deployment issues and the business drivers related to technologies including databases, wireless, security and network operating systems. Anne joined eWeek in 1999 as a writer for eWeek's eBiz Strategies section before moving over to Labs in 2001. Prior to eWeek, she covered business and technology at the San Jose Mercury News and at the Contra Costa Times.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×