[Openid-specs-heart] CHIME Launches $1M Challenge to Solve Patient ID Problem

Justin Richer jricher at mit.edu
Mon Jan 25 13:55:39 UTC 2016


I've asked this before and thought we'd settled it, but it keeps coming 
up: where are you getting the idea of encrypting the data to the patient 
using a patient's key? That is not in scope for HEART, nor is it part of 
any of the underlying protocols.

  -- Justin

On 1/25/2016 8:52 AM, Adrian Gropper wrote:
> Establishing a separate URI for each patient is likely to be the only 
> stable solution to the patient ID problem. The issue, however, is how 
> many URIs will a patient be allowed to have? If the URIs are coercive, 
> in the sense of a chip or tattoo issued by government or an equivalent 
> global authority (Facebook?) or the URI is derived from DNA or an iris 
> scan. (Iris scans are good positive IDs and can be read from 30 feet 
> away with modern technology.)
>
> Let's assume, for our purposes, that an iris scanner costs about as 
> much as a credit card terminal, cheap enough for every front office, 
> ambulance, and police car. Is the patient ID problem solved? I don't 
> think so.
>
> Patients can have one or more separate URIs in order to help manage 
> their health records. Today, we typically use an email address for this 
> purpose, with WebFinger https://webfinger.net/ as a standardized way 
> to discover linked attributes such as the patient's UMA Authorization 
> Server and the associated public key.
>
> UMA for patient ID brings numerous benefits including much greater 
> transparency and security. The patient now has a single portal (their 
> UMA AS) to view all current relationships under that particular 
> patient ID persona. The system is also much more resistant to data 
> breaches as data holders (UMA Resource Servers) must implement 
> separate encryption keys for each patient.
>
> I think the HEART group is in a good position to compete for the CHIME 
> challenge on this basis and I'd be happy for me and PPR to help 
> organize a submission.
>
> Adrian
>
> On Sun, Jan 24, 2016 at 1:20 PM, Aaron Seib <aaron.seib at nate-trust.org> wrote:
>     I appreciate your expertise and action.
>     I don't necessarily agree with some of your statements here but
>     that is the beauty of open processes.
>     Let's strive to do all we can - together.
>     Aaron Seib
>     @CaptBlueButton
>     (O) 301-540-9549
>     (M) 301-326-6843
>     "The trick to earning trust is to avoid all tricks.  Including
>     tricks on yourself."
>     -------- Original message --------
>     From: "Glen Marshall [SRS]" <gfm at securityrs.com>
>     Date: 2016/01/24 7:07 AM (GMT-08:00)
>     To: HEART List <openid-specs-heart at lists.openid.net>
>     Subject: [Openid-specs-heart] CHIME Launches $1M Challenge to
>     Solve Patient ID Problem
>     This is pertinent to our data-sharing use cases. There is no
>     current solution to accurately sharing/gathering patients'
>     clinical data stored among various repositories. In turn, that
>     makes applying access controls across all of a patient's data in
>     those repositories difficult. I'm happy to see CHIME's challenge.
>
>     However, the related problem of discovering where all of one's
>     data might be is computationally intractable. It is equally
>     intractable to gather and combine all access permissions and
>     regulatory restrictions on patients' data, even if there were a
>     useful means to do so. (Both are equivalent to the halting
>     problem <https://en.wikipedia.org/wiki/Halting_problem>.)
>
>     Having a single "source of truth" repository is one direction for
>     a solution, as is having a single access permissions source.
>     Keeping them updated with new data and permissions is possible,
>     even if difficult in the short run.
>
>     However, establishing unique URIs for each patient's data and
>     permissions is the same as having a universal patient identifier.
>     That might be subject to current Congressional funding restrictions.
>
>     The College of Healthcare Information Management Executives on
>     Tuesday launched a $1 million National Patient ID Challenge to
>     develop solutions to ensure 100 percent accuracy of every
>     patient’s identity to reduce preventable medical errors.
>
>     http://www.healthdatamanagement.com/news/chime-launches-1m-challenge-to-solve-patient-id-problem/
>
>     -- 
>     *Glen F. Marshall*
>     Consultant
>     Security Risk Solutions, Inc.
>     698 Fishermans Bend
>     Mount Pleasant, SC 29464
>     Tel: (610) 644-2452
>     Mobile: (610) 613-3084
>     gfm at securityrs.com
>     www.SecurityRiskSolutions.com <http://www.SecurityRiskSolutions.com>
>     _______________________________________________
>     Openid-specs-heart mailing list
>     Openid-specs-heart at lists.openid.net
>     http://lists.openid.net/mailman/listinfo/openid-specs-heart
> -- 
> Adrian Gropper MD
> HELP us fight for the right to control personal health data.
> DONATE: http://patientprivacyrights.org/donate-2/
