Health data are sensitive to loss, manipulation and breach of confidentiality. Systems handling health data must be especially secure. Anyone accessing health data, whether stored in data banks or on personalised chipcards, must be specifically authorised to do so and must be strongly authenticated before access is granted.
Authorisation is normally restricted to certain data or facilities; it is granted and controlled by the owner of the data.
Authentication of users must precede authorisation, as it should also precede any act of communication between users, allowing them to corroborate that the partner is indeed who he claims to be.
Data integrity must be provided and protected against manipulation and replacement of data, deceptive delay of transmission and other attacks.
Data confidentiality must be provided so that only those entitled to the information can obtain it.
This protects the data and their owners from misuse by malicious third parties. It does not completely protect a service provider from a malicious regular user and vice versa. For example, a sender of a message can repudiate its integrity/authenticity as presented by its receiver, although both he and the receiver may know that the repudiation is not justified; yet neither of them can prove the truth to a judge. There needs to be a witnessing trusted third party. A communication system providing a non-repudiation service must employ such trusted third parties or trust centres (as also specified by CCITT X.400 “Message Handling / Information Processing Systems - Text Communication - MOTIS” and CCITT X.500 “Directory”). Some such trust centres are listed in the following:
Naming authorities provide their clients with distinguished names. They must be trusted to the extent that they will carefully check the identity of an applicant and give him a unique and authentic distinguished name. This name must be protected against manipulation by anybody, including its bearer.
Certification authorities issue certificates, i.e. they certify a person's distinguished name together with a public key for use by his partners to recognise the person's authentic digital signature.
Key distribution centres may be needed to generate cryptographic keys for any pair of users who want to communicate confidentially. Key distribution centres must be trusted by the users. The general public may want to trust them in the sense that they will not permit subversive use of their services.
Directories will store and grant access to information on users that is primarily needed to promote communication. They must be trusted by the general public not to grant unauthorised access that would permit misuse of that information.
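The certification and non-repudiation mechanism described above, as an added example that is not part of the original text: a Go program written for this edit, in which a trust centre acting as certification authority issues a certificate binding a user's distinguished name (assumed to have been assigned by a naming authority) to the user's public key, the user signs a message, and the receiver, or a judge in a dispute, first verifies the certificate against the trusted CA and then the signature under the certified key. It also shows that a manipulated copy of the message is rejected under the original signature. The names, the sample message, and the choice of X.509 certificates with ECDSA over SHA-256 are assumptions of this example, not details from the text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds an X.509 certificate template for a distinguished name. A user
// template carries the digitalSignature and nonRepudiation (ContentCommitment) bits.
func template(serial int64, dn pkix.Name, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      dn,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue is the act of certification: the issuer signs the template (the subject's
// name bound to its public key). Passing the template as its own parent self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sign is the sender's digital signature over the SHA-256 hash of msg.
func sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verify is what the receiver, or a judge, does: check that the sender's certificate
// chains to the trusted CA, then check the signature under the certified public key.
// On success it returns the certified distinguished name.
func verify(ca, cert *x509.Certificate, msg, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature hashes msg with SHA-256 and verifies the ASN.1 ECDSA signature.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return "", fmt.Errorf("signature does not match message: %w", err)
	}
	return cert.Subject.String(), nil
}

// RunExample walks through the exchange with constructed data and reports whether
// the genuine message verified and whether a manipulated copy (same signature,
// altered text) was rejected.
func RunExample() (genuineOK, tamperedRejected bool, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	caTmpl := template(1, pkix.Name{CommonName: "Example Trust Centre CA"}, true) // hypothetical
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return false, false, err
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	dn := pkix.Name{CommonName: "Dr. A. Example", Organization: []string{"Example Clinic"}} // hypothetical
	userCert, err := issue(template(2, dn, false), ca, &userKey.PublicKey, caKey)
	if err != nil {
		return false, false, err
	}
	msg := []byte("Lab result for record 4711 released on 1994-05-03") // constructed sample
	sig, err := sign(userKey, msg)
	if err != nil {
		return false, false, err
	}
	_, errGenuine := verify(ca, userCert, msg, sig)
	_, errTampered := verify(ca, userCert, []byte("Lab result for record 4711 released on 1994-05-04"), sig)
	return errGenuine == nil, errTampered != nil, nil
}

func main() {
	ok, rejected, err := RunExample()
	fmt.Println("genuine accepted:", ok, "| manipulated copy rejected:", rejected, "| error:", err)
}
```

The judge's position in the text maps onto verify: given only the CA's certificate as a trust anchor, the message and the signature, a third party can establish that the certified name's key produced the signature, which is what the sender would otherwise be free to repudiate. The nonRepudiation key-usage bit on the user certificate records that the key is intended for exactly this service.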
TeleTrusT seeks international consensus on mechanisms and services to provide for general compatibility and as input to standardisation bodies.