Significance and Use

American National Standards Institute Inc.

The policy defined by this practice is written from the perspective of healthcare relying parties. It defines a set of requirements to ensure that certificates, used for authentication, authorization, confidentiality, integrity, and nonrepudiation of health information by healthcare organizations and persons, have a minimally sufficient assurance level.

This policy defines a healthcare public key infrastructure that can be used to implement other ASTM standards including Specification E2084 and Guide E2086.

CAs that implement procedures satisfying every requirement of the policy should reference the policy's OID in the appropriate fields of the certificates they issue (in X.509 terms, the certificate policies extension). Relying parties can treat the presence of the policy's OID as an indication that the issuing CA has conformed to the requirements of the policy and that certificates referencing the OID may be used for healthcare purposes.

CAs that do not comply with all provisions of the policy must not assert the policy's OID in their certificates. A CA that complies with all but a limited number of provisions may reference the policy in its own certificate policy, provided that it clearly states the specific deviations. For example, a healthcare organization might operate an internal CA that complies with all of the provisions of the basic individual certificate class except that it uses a noncompliant cryptographic module for the CA signing keys. The organization might want to use the policy as the basis for establishing trust with external relying parties. While it may not directly assert this policy by its OID, it may reference the policy in a document that includes statements explaining the measures it has taken to protect the integrity of the CA signing key. Relying parties or CAs wishing to establish cross-trust relationships must then perform their own risk analysis to determine whether the modified policy is adequate for the proposed usage. This assessment, while not as simple as one based on full compliance, should be significantly facilitated by treating the policy as a reference standard against which to judge the deviations.
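The two paragraphs above describe one mechanical step (a conforming CA places the policy OID in the certificate, a relying party looks for it) and one prohibition (a non-conforming CA leaves it out). The following Go program, added here as an illustration and not part of the ASTM text or any ASTM software, shows both sides with the standard library only: it issues a self-signed CA certificate with and without a certificatePolicies extension and runs the relying-party check against each. The OID value is a placeholder under a private-enterprise arc chosen for this example; the real OID is the one assigned by the published policy and must be taken from there. The certificate subject and validity period are likewise constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-ce-certificatePolicies (RFC 5280, section 4.2.1.4).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// HealthcarePolicyOID is a PLACEHOLDER for this example, not the OID assigned
// by the ASTM policy. A deployment must use the value from the published policy.
var HealthcarePolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// policyInformation mirrors RFC 5280 PolicyInformation: the policy OID plus
// optional qualifiers (CPS pointer, user notice), which this example leaves out.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// issueSelfSigned returns a DER-encoded self-signed CA certificate. When
// assertPolicy is true the certificatePolicies extension carries
// HealthcarePolicyOID, as a fully conforming CA would do; when false the
// extension is omitted, as a CA that does not meet every provision must.
func issueSelfSigned(assertPolicy bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Healthcare CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if assertPolicy {
		val, err := asn1.Marshal([]policyInformation{{Policy: HealthcarePolicyOID}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// PolicyOIDs decodes the certificatePolicies extension from the raw extension
// bytes, so the check does not depend on which convenience field
// (PolicyIdentifiers or Policies) a given Go version populates.
func PolicyOIDs(cert *x509.Certificate) ([]asn1.ObjectIdentifier, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		rest, err := asn1.Unmarshal(ext.Value, &infos)
		if err != nil {
			return nil, err
		}
		if len(rest) != 0 {
			return nil, errors.New("trailing data after certificatePolicies")
		}
		oids := make([]asn1.ObjectIdentifier, 0, len(infos))
		for _, pi := range infos {
			oids = append(oids, pi.Policy)
		}
		return oids, nil
	}
	return nil, nil // extension absent: the CA asserts no policy at all
}

// RelyingPartyCheck is the decision a healthcare relying party adds on top of
// ordinary path validation: accept the certificate for healthcare use only if
// it asserts the required policy OID. Chain building, revocation and expiry
// checks are separate steps and are deliberately not performed here.
func RelyingPartyCheck(der []byte, want asn1.ObjectIdentifier) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	oids, err := PolicyOIDs(cert)
	if err != nil {
		return err
	}
	for _, oid := range oids {
		if oid.Equal(want) {
			return nil
		}
	}
	return errors.New("certificate does not assert the required policy OID")
}

func main() {
	for _, conforming := range []bool{true, false} {
		der, err := issueSelfSigned(conforming)
		if err != nil {
			panic(err)
		}
		err = RelyingPartyCheck(der, HealthcarePolicyOID)
		fmt.Printf("CA asserts policy: %v -> accepted for healthcare use: %v\n", conforming, err == nil)
	}
}
```

The check reads the extension bytes directly rather than a parsed convenience field so that the same code behaves identically across Go releases; in production the policy test runs after, not instead of, normal chain validation, and a relying party dealing with a CA that merely references the policy (with stated deviations) has to fall back on the manual risk analysis the text describes, because no OID will be present to test.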

Certificates and the certificate issuance process can vary in at least three distinct ways. The most frequently cited variation is assurance. Assurance levels vary depending upon the degree of diligence applied in registration, key generation, certificate issuance, certificate revocation, and private key protection. The required assurance level depends on the risks associated with a potential compromise. The federal PKI, among others, divides assurance into three classes. Rudimentary assurance involves very little control of either the registration process or key security. The federal PKI does not consider rudimentary assurance appropriate for healthcare use. Medium assurance involves a higher degree of diligence in the registration process and requires a number of controls over CA keys. Medium assurance is designed for moderate-risk applications. High assurance adds further controls on the CA and subscriber keys as well as careful division of roles in the issuance process. These additions make high assurance certificates more appropriate for higher-risk applications. Certificates may also vary depending upon the type of entity whose identity is bound to the certificate. Finally, certificates are often described in terms of appropriate and inappropriate uses.

The policy does not define certificates in terms of assurance levels. Instead, it defines three classes of certificates (entity, basic individual, and clinical individual) that differ in terms of their primary intended use or purpose and in terms of their intended subscriber type. The three certificate classes are ordered so that the clinical individual certificate must meet all the requirements of the basic individual certificate and the basic individual certificate must meet all the requirements of the entity certificate.

It is anticipated that the policy will be used to facilitate cross-licensing between healthcare CAs. The policy is intended to provide a common reference point for establishing compatibility of purposes, representations, and practices among a number of autonomous healthcare CAs.

Scope

1.1 This practice covers a policy (“the policy”) for digital certificates that support the authentication, authorization, confidentiality, integrity, and nonrepudiation requirements of persons and organizations that electronically create, disclose, receive, or otherwise transact health information.

1.2 This practice defines a policy for three classes of certificates: (1) entity certificates issued to computing components such as servers, devices, applications, processes, or accounts reflecting role assignment; (2) basic individual certificates issued to natural persons involved in the exchange of health information used for healthcare provisioning; and (3) clinical individual certificates issued to natural persons and used for authentication of prescriptive orders relating to the clinical treatment of patients.

1.3 The policy defined by this practice covers: (1) definition of healthcare certificates, healthcare certification authorities, healthcare subscribers, and healthcare relying parties; (2) appropriate use of healthcare certificates; (3) general conditions for the issuance of healthcare certificates; (4) healthcare certificate formats and profile; and (5) requirements for the protection of key material.

1.4 The policy establishes minimum responsibilities for healthcare certification authorities, relying parties, and certificate subscribers.

Go to ASTM E2212 at ASTM.org
