Re: MED_vac

[Adam Shostack <adam@lighthouse.homeport.org>]

	If you have some personal data that includes your patient
number, why not have a card that instead lists your important data?
"This patient is diabetic, alergic to amoxicillin, and has Gold Cross
insurance." 

	The amount of important data that an ER needs is small.  There
is small benefit to building a huge infrastructure to get that data
carted around.  Also, in ERs, the computers are often authorized the
same way everything else is: a nurse will tell you to leave if you
don't belong there.

	At Defcon, Bruce Schneier was talking about the value stored
in casino chips.  Its sttaggering.  Its an alternate cash system, with
a huge float, astounding velocity, and very little fraud.  Transaction
costs are low, clearing is instantaneous.  The comparison is fairly
clear.

Adam

Thomas M. Swiss wrote:

|      I very much want hospitals to have fast access to my medical data if
| my broken and bleeding body should come through their door, even if I am
| unconscious and my personal physician cannot be reached. On the other hand,
| I don't want anyone to be snooping through them right now.

|      So, what if my records were available on the net, but encrypted with a
| an key known to my physician and an escrow agency? (Equivalently, they
| could be on that smartcard, but encrypted.) If an emergency occurs, the
| hospital fetches my encrypted records from my physician's server, then
| sends a message (signed with the hospital's key) to Keys R Us, the escrow
| agent, saying "This is Dr. McCoy at Frobnitz Memorial Hospital, we need the
| key for FooBar Medix, Inc., patient number 147258369." (My FooBar Medix,
| Inc., insurance card lists my physician's server, the escrow agency, and my



-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume