Enabling Secure Business Operations

ISO 17090 – a New Standard?

ISO 17090:2008 Parts 1-3 were released on February 14. But is this a new standard or just a rehash of existing standards? ISO 17090 is not new (it was previously released in 2002), but there’s no clear indication of how it has changed.

ISO 17090 sets out PKI standards and interoperability requirements for the healthcare industry – including certificate profiles, certificate policies (CPs), etc. I’d love to be able to read those standards (they’re about $125 each) to see how they compare to already existing standards such as SAFE and the Federal Bridge PKI. SAFE’s bridge is explicitly for the healthcare industry, but it complies with the Federal Bridge certificate policies, which span multiple industries.

Has the new updated version taken these existing standards into account? Does the ISO standard include encryption certificates? Neither SAFE nor the Federal Bridge focuses on encryption (it’s allowed in certificate profiles, but not for identity).

Either way, published standards for PKI interoperability (and not just technical standards) are good for the industry because they allow more PKIs to interoperate and “trust” each other. This gets more certificates into the hands of healthcare professionals and providers and allows them to protect electronic health records – whether that’s a doctor sending a signed e-mail to a pharmacist containing a scrip for a patient, or pharmaceutical companies submitting electronic information to the FDA for approval.

No offense to the post office, but bits on a wire move a heck of a lot faster than they do.