Cancer institute's PKI system shows how it's done
System uses PIV cards and links federal, pharmacuetical bridge authorities
The idea of using a public-key infrastructure to secure transmissions of data is an old idea whose time might finally have come.
PKI, a system that uses public and private cryptographic keys, or digital certificates, to authenticate users and electronically sign documents, has been around since 1969, predating the Internet as it exists today. It has always been effective, and it has long had its proponents in government. But it’s never quite caught on, at least in part because it’s difficult. Even its proponents admit it can be a bear to implement.
PKI doesn’t have to be perfect to be worthwhile
At its essence, PKI isn’t that different from the ciphers used for secret messages in medieval times. It uses a pair of encryption keys — one public, the other private and known only to the user. Someone sending information uses the public key to encrypt material that can only be opened by the private key of the person receiving the information.
But it requires an infrastructure, policies, agreement on standards and third-party authorities to authenticate users — that is, a culture — to make it work, and that has slowed it down. PKI hasn’t been dormant. It has had success in the Defense Department and elsewhere, but implementations mostly have been small and sporadic.
However, as William Jackson writes in this issue, the National Cancer Institute and Bristol-Myers Squibb have developed a working example of PKI that increases efficiency, saves money and eliminates paper at little cost to NCI. And it appears to set an example that others can follow.
The system links the pharmaceutical industry’s SAFE-BioParma Bridge, which manages its PKI, with the Federal Bridge Certification Authority, which has authenticated digital certificates for federal agencies since 2002. Perhaps most significantly, NCI employees use their Personal Identity Verification cards, which are widespread in the government, for their digital certificates. PIV cards could be the key, as it were, for other agencies looking to implement PKI.
NCI’s system, created for a cancer treatment evaluation program, has taken paper completely out of the process, reduced the time it takes to conduct evaluations and promises to dramatically reduce the cost of future clinical trials.
It’s one project, but it could at last provide a template for other agencies, both at the National Institutes of Health and elsewhere. As Peter Alterman of NIH put it: “I think this thing is going to go viral in government.”