Regulating Patient Information: The UZI-pass
In 2006 the so-called UZI-pass will be introduced. This chip card is meant to be used by medical personnel (doctors, nurses) to gain access to the patient information needed to provide the best health care. Because patient information is considered private, it is important that access to this information is regulated: not everyone is allowed to gain access. The UZI-pass contains cryptographic means to do so.
Although the UZI-pass will be introduced soon, it is unclear (at least to the general public) how secure the system is. Nevertheless, much information is already available on the UZI-pass itself, as well as on NICTIZ, the organization that has developed the requirements for the pass and the infrastructure to be built.
Research Questions:
- What security measures are proposed? Are there any weak spots in the proposal?
- Look at the "security requirement engineering". What security demands were formulated and how did they influence (or not) the current proposal?
- What security measures are needed for each of the involved parties (in particular the patient)? Are these security measures met by the proposal?
Plan:
- Analyse the setup developed by NICTIZ and the UZI-pass. (Note that there is a lot of information already online, which is good, but try to focus on a topic/question, or it becomes overwhelming.)
- Map the goals/functionality of the UZI-pass. Have state-of-the-art techniques been used by the designers of the card?
- Model the proposed infrastructure (PKI). Who signs which certificate?
- Model the protocols used and (formally) verify their properties.
Notes:
- Contact with NICTIZ already exists.