Industry Specific Digital IDs

by William Crawford

A client of ours recently asked about Verisign's partnership with the American Medical Association to provide digital certificates to AMA members. This initiative was launched early last year, and was intended to be a simple application of Verisign's Public Key Infrastructure products, using the AMA's membership database to validate the identities of participants. It got me thinking again about the role of identity services in network applications and some of the implications for both productivity and privacy.

The AMA, with over 400,000 members, encompasses most of the doctors, nurses, physician assistants, medical students and so forth in the country. That's a lot of motivated, professional users, and it's easy to see why this opportunity looked exciting for Verisign. Between the sheer volume of data exchanged in healthcare and the increasingly stringent privacy regulations being introduced at the state level and higher (including the recent HIPAA legislation, which is going to produce huge revenues for certain consulting firms I'm not involved with), standardized healthcare PKI is extremely attractive. And say what you will about Verisign's marketing of domain registry services, the integration software they provide for their PKI product is well thought out, reasonably licensed, and easy to use.

My company's flagship product happens to be all about managing information on physicians, in this case in the pharmaceutical industry. So I watched the AMA's announcement with interest, as we were already including support for PKI. I sat back and waited for the rush, which never came. According to a Verisign representative I spoke to last week, only about two thousand AMA members have signed up for an ID. It's probable that a sizeable minority of them never got around to installing it, and no major providers have gotten on board to push the issue. The whole program has been a nonstarter so far, although it could still be turned around by the right kind of corporate support.

One might think that a secure communications infrastructure would be easier to build at the industry level than at the national level. I've spent years hoping that the FDA would introduce a standard identifier for doctors doing clinical research. So far it hasn't happened. The most interesting development towards pervasive identity management I've seen so far has been the DOD's JavaCard-based ID card system, which was pushed heavily at this year's JavaOne.

Since we can't build the applications without the infrastructure, we're stuck with proprietary solutions for the foreseeable future. But the proprietary approach makes data aggregation and incorporation of new users much more difficult than it has to be. This may be just as well from the consumer privacy perspective, but the limitation often proves crippling when building real-life networked applications. Adding users to a networked workspace by typing in a few AMA numbers and letting the software do the rest is a much more reliable and efficient approach than anything else I can think of.

Industry-based PKI is going to be much more secure than citizenry-based PKI, and much more controllable. This might mean I have to start collecting digital IDs, but I doubt the process will get out of control. Keeping professional and personal separate is a start.

What do you think? Should the government just go ahead and issue us all a digital signature?