<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Adrian,<br>
<br>
I've asked this before and thought we'd settled it, but it keeps
coming up: where are you getting the idea of encrypting the data to
the patient using a patient's key? That is not in scope for HEART,
nor is it part of any of the underlying protocols.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 1/25/2016 8:52 AM, Adrian Gropper
wrote:<br>
</div>
<blockquote
cite="mid:CANYRo8iSsNhrfFY=NJx0kfJhwz29VvZTSSpZyQ2JbkSU=SUnDw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>Establishing a separate URI for each patient is likely
to be the only stable solution to the patient ID problem.
The issue, however, is how many URIs will a patient be
allowed to have? If the URIs are coercive, in the sense of
a chip or tattoo issued by government or an equivalent
global authority (Facebook?) or the URI is derived from
DNA or an iris scan. (Iris scans are good positive IDs
and can be read from 30 feet away with modern technology.)<br>
<br>
</div>
Let's assume, for our purposes, that an iris scanner costs
about as much as a credit card terminal, cheap enough for
every front office, ambulance, and police car. Is the
patient ID problem solved? I don't think so.<br>
<br>
</div>
Patients can have one or more separate URIs in order to help
manage their health records. Today, we typically use an email
address for this purpose, with WebFinger <a
moz-do-not-send="true" href="https://webfinger.net/">https://webfinger.net/</a>
as a standardized way to discover linked attributes such as
the patient's UMA Authorization Server and the associated
public key. <br>
<br>
UMA for patient ID brings numerous benefits including much
greater transparency and security. The patient now has a
single portal (their UMA AS) to view all current relationships
under that particular patient ID persona. The system is also
much more resistant to data breaches as data holders (UMA
Resource Servers) must implement separate encryption keys for
each patient.<br>
<br>
</div>
<div>I think the HEART group is in a good position to compete
for the CHIME challenge on this basis and I'd be happy for me
and PPR to help organize a submission.<br>
<br>
</div>
<div>Adrian<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Jan 24, 2016 at 1:20 PM, Aaron
Seib <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:aaron.seib@nate-trust.org" target="_blank">aaron.seib@nate-trust.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>I appreciate your expertise and action. </div>
<div><br>
</div>
<div>I don't necessarily agree with some of your
statements here but that is the beauty of open
processes. </div>
<div><br>
</div>
<div>Let's strive to do all we can - together.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><span style="font-size:15.4224px">Aaron Seib</span>
<div><span style="font-size:17.489px">@CaptBlueButton<br>
</span>
<div dir="auto"><span style="font-size:15.4224px"
dir="auto">(O) <a moz-do-not-send="true"
href="tel:301-540-9549" value="+13015409549"
target="_blank">301-540-9549</a></span></div>
<div dir="auto"><span style="font-size:15.4224px"
dir="auto">(M) <a moz-do-not-send="true"
href="tel:301-326-6843" value="+13013266843"
target="_blank">301-326-6843</a></span></div>
<div dir="auto"><span style="font-size:15.4224px"
dir="auto"><br>
</span></div>
<div dir="auto"><span style="font-size:15.4224px"
dir="auto">"The trick to earning trust is to avoid
all tricks. Including tricks on yourself."</span></div>
<div dir="auto"><br>
</div>
</div>
</div>
<div>
<div class="h5"><br>
<br>
-------- Original message --------<br>
From: "Glen Marshall [SRS]" &lt;<a
moz-do-not-send="true"
href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a>&gt;
<br>
Date: 2016/01/24 7:07 AM (GMT-08:00) <br>
To: HEART List &lt;<a moz-do-not-send="true"
href="mailto:openid-specs-heart@lists.openid.net"
target="_blank">openid-specs-heart@lists.openid.net</a>&gt;
<br>
Subject: [Openid-specs-heart] CHIME Launches $1M
Challenge to Solve Patient ID Problem <br>
<br>
This is pertinent to our data-sharing use cases.
There is no current solution to accurately
sharing/gathering patients' clinical data stored among
various repositories. In turn, that makes applying
access controls across all of a patient's data in
those repositories difficult. I'm happy to see
CHIME's challenge.<br>
<br>
However, the related problem of discovering where all
of one's data might be is computationally
intractable. It is equally intractable to gather and
combine all access permissions and regulatory
restrictions on patients' data, even if there were a
useful means to do so. (Both are equivalent to the <a
moz-do-not-send="true"
href="https://en.wikipedia.org/wiki/Halting_problem"
target="_blank">halting problem</a>.)<br>
<br>
Having a single "source of truth" repository is one
direction for a solution, as is having a single access
permissions source. Keeping them updated with new
data and permissions is possible, even if difficult in
the short run.<br>
<br>
However, establishing unique URIs for each patient's
data and permissions is the same as having a universal
patient identifier. That might be subject to current
Congressional funding restrictions. <br>
<br>
<br>
<i>The College of Healthcare Information Management
Executives on Tuesday launched a $1 million National
Patient ID Challenge to develop solutions to ensure
100 percent accuracy of every patient’s identity to
reduce preventable medical errors.</i><i><br>
</i><i><br>
</i><i><a moz-do-not-send="true"
href="http://www.healthdatamanagement.com/news/chime-launches-1m-challenge-to-solve-patient-id-problem"
target="_blank">http://www.healthdatamanagement.com/news/chime-launches-1m-challenge-to-solve-patient-id-problem</a></i><br>
<div>-- <br>
<p><b>Glen F. Marshall</b><br>
Consultant<br>
Security Risk Solutions, Inc.<br>
698 Fishermans Bend<br>
Mount Pleasant, SC 29464<br>
Tel: <a moz-do-not-send="true"
href="tel:%28610%29%20644-2452"
value="+16106442452" target="_blank">(610)
644-2452</a><br>
Mobile: <a moz-do-not-send="true"
href="tel:%28610%29%20613-3084"
value="+16106133084" target="_blank">(610)
613-3084</a><br>
<a moz-do-not-send="true"
href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a><br>
<a moz-do-not-send="true"
href="http://www.SecurityRiskSolutions.com"
target="_blank">www.SecurityRiskSolutions.com</a></p>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-heart"
rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><br>
<div dir="ltr">Adrian Gropper MD<span
style="font-size:11pt"></span><br>
<br>
<span
style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d">PROTECT
YOUR FUTURE - RESTORE Health Privacy!</span><span
style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"><br>
HELP us fight for the right to control
personal health data.</span><span
style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"></span><span
style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"><br>
DONATE:
<a moz-do-not-send="true"
href="http://patientprivacyrights.org/donate-2/"
target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span><span
style="color:#1f497d"></span>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>