Safeguarding Healthcare Data: The Essential Role of PKI

Sight unseen and behind the scenes, PKI plays an essential role in safeguarding medical information through advanced authentication and encryption methods.

What is PKI?

PKI (Public Key Infrastructure) is a security and identity framework that uses digital keys and certificates for digital identity, authentication, authorization, encryption, access, and digital signatures to help ensure the confidentiality, integrity, and authenticity of health information.

PKI is the backbone of most secure communication protocols and plays a vital role in safeguarding information by securing:

-  websites, as deployed in Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and shown by the padlock in front of the web address;
-  email, as deployed in Direct Secure Messaging;
-  the signing key in OpenID Connect used to digitally sign the JSON Web Token (JWT) that proves identity;
-  the mobile driver’s license (mDL) currently being deployed by the Transportation Security Administration (TSA);
-  electronic prescriptions, which PKI signs so that they are authentic and unaltered; it also helps secure databases of prescription information, reducing the risk of prescription fraud;
-  medical records, through digital signatures that verify their authenticity and integrity;
-  audit trails that track who has accessed patient data and when;
-  Internet of Things (IoT) devices, by ensuring secure communication and preventing tampering and unauthorized access.

How does PKI work?

Identity Proofing

Healthcare information is private and can’t be shared with just anyone. We need to know with whom we are communicating in order to establish trust. This means that the patient, provider, payer, or device needs to be identity-proofed and authorized, and communications need to be encrypted and authenticated.

In PKI, the entity that performs identity proofing is called the Registration Authority (RA). The RA follows guidelines created by the U.S. Department of Commerce National Institute of Standards and Technology (NIST) on what is required for identity proofing. In healthcare, the recognized standard for identity proofing is NIST SP 800-63-3 Identity Assurance Level 2 (IAL2) or higher.

Digital Certificates

Under the DirectTrust Direct Protocol, this digital identity is bound to two single-use X.509 certificates, each corresponding to a cryptographic key pair: a public key and a private key. One key pair is used for encryption and decryption; the other is used to digitally sign outbound messages and to verify the digital signatures on inbound messages.

When a certificate is used for one and only one function, such as encryption or signing, it is known as a single-use certificate. It is possible, although not recommended, to use a dual-use certificate, that is, one certificate used for both encryption and signing (two uses).

Public keys are publicly discoverable, while private keys are kept secret and stored on a secure, encrypted device such as a hardware security module (HSM). The private keys must stay secret because they decrypt inbound messages that were encrypted with the corresponding public keys and create the digital signatures that authenticate a transaction.

In PKI, the entities that issue certificates are called Certificate Authorities (CAs). CAs are trusted third-party organizations responsible for validating the identity of users or entities and issuing digital certificates. A digital certificate contains the public key and information about its owner, such as their name and the name of their organization. The CA digitally signs these certificates to confirm their authenticity.

When a user or entity requests a digital certificate, they provide their public key and identity information to the CA. The CA engages a Registration Authority (RA), which verifies the identity of the requester through various means, such as email confirmation, physical documents, or in-person validation. Once the identity is confirmed, the RA reports the confirmation to the CA, which then issues a digital certificate that binds the public key to the requester's identity.

The digital certificate is made available to the user, typically by download from the CA's website or via email. The recipient installs the certificate in their software, device, or server so that relying parties who access resources on that device have proof that those resources are bound to the device's identity.

Secure Communication Using Single-Use Certificates

The Sender creates the transaction using the Receiver's public encryption key to encrypt the data and the Sender's private signature key to sign the transaction.

The Receiver uses the Sender’s public signature key to verify the signature and the Receiver's own private encryption key to decrypt the transaction.

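The exchange just described, as an added example in Go that is not code from this post or from DirectTrust: the Sender holds a signing credential and the Receiver an encryption credential, each modelled as a separate single-use key pair carrying the one X.509 KeyUsage its certificate would have, and both sides refuse a key whose certificate does not permit the operation. The RSA key size, PKCS#1 v1.5 signatures, OAEP encryption and the `Cert`, `Cred` and `Envelope` types are this example's assumptions; the Direct Protocol itself wraps the signed message in S/MIME, which is not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Cert is what a relying party learns from a single-use certificate (public key and its one KeyUsage); Cred adds the private key, which never leaves its owner. NewCred constructs both for this example; a CA would issue the real certificate.
type Cert struct{ Pub *rsa.PublicKey; Usage x509.KeyUsage }
type Cred struct{ Priv *rsa.PrivateKey; Cert Cert }
type Envelope struct{ Ciphertext, Signature []byte } // the signature covers the plaintext and travels beside the ciphertext
func NewCred(usage x509.KeyUsage) (*Cred, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Cred{priv, Cert{&priv.PublicKey, usage}}, nil
}
// Seal: the Sender signs with its private signature key, then encrypts with the Receiver's public encryption key.
func Seal(senderSign *Cred, receiverEnc Cert, msg []byte) (Envelope, error) {
	if receiverEnc.Usage&x509.KeyUsageKeyEncipherment == 0 {
		return Envelope{}, errors.New("receiver certificate does not permit encryption")
	}
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderSign.Priv, crypto.SHA256, h[:])
	if err != nil {
		return Envelope{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverEnc.Pub, msg, nil)
	return Envelope{ct, sig}, err
}
// Open: the Receiver decrypts with its private encryption key, then verifies with the Sender's public signature key; no plaintext is released unless the signature checks.
func Open(receiverEnc *Cred, senderSign Cert, env Envelope) ([]byte, error) {
	if senderSign.Usage&x509.KeyUsageDigitalSignature == 0 {
		return nil, errors.New("sender certificate does not permit signing")
	}
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverEnc.Priv, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(senderSign.Pub, crypto.SHA256, h[:], env.Signature); err != nil {
		return nil, errors.New("signature check failed: " + err.Error())
	}
	return msg, nil
}
```

Because each credential carries exactly one usage, handing Seal a signing certificate as the encryption target, or handing Open an encryption certificate as the signer, fails before any cryptography runs, which is the practical benefit of single-use over dual-use certificates.
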
Certificate Revocation

If a user's private key is compromised, or they no longer require their certificate, the CA can revoke the certificate. Further, if there is a bad actor, the certificate of a single user can be surgically revoked without affecting any other user. A Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) is used to check the revocation status of certificates.

Conclusion

In summary, PKI is a system that uses cryptographic keys, digital certificates, and trusted third parties, including RAs for identity proofing and CAs to issue certificates, to establish secure and authenticated communication in various applications, such as secure web browsing (HTTPS), email encryption (S/MIME), and secure network connections (VPN). PKI is a foundational technology that forms the backbone of healthcare data security. It is essential for protecting sensitive medical information, enabling secure communication, and ensuring regulatory compliance in the healthcare industry.

About iShare Medical

iShare Medical has been EHNAC Accredited for Privacy and Security and a DirectTrust Accredited Trust Anchor Health Information Services Provider since the inception of the DirectTrust Accredited Trust Anchor bundle in 2015.

By signing up for an iShareID Direct Address and iShare Medical Messaging Account you will be able to send and receive Direct Messages across organizational boundaries to patients, providers, payers, and devices via our nationwide network of 2.8 million healthcare providers. This helps you to improve care coordination, reduce costs, and save time. Plus, an iShareID Direct Address and iShare Medical Messaging Account includes access to and a listing in the iShare Medical Directory of Direct Addresses. Sign up today and start sharing medical records now.

Sign up today for iShare Medical Messaging and start sharing medical records now. Call us today at 816.249.2555 or email us at info@isharemedical.com.