Toronto-based Diversinet Corp. has announced new versions of its MobiSecure Wallet and Vault applications for secure mobile access to medical and personal information.
The software Wallet creates a one-time password for access to the vault, with the smart phone or PDA itself serving as the second factor in a two-factor authentication system, according to Stuart Vaeth, the company’s chief security officer.
Files are stored in the server-side Vault application and can be downloaded to the wallet on the phone. “The safety deposit box is a good analogy,” Vaeth said. Not only does the Vault application validate the phone accessing the account, “the phone actually validates the server based on a shared key” known only to the server and the device. “Data at rest is always encrypted,” and data in transit is encrypted by the password, Vaeth said.
The information is stored as data cards, wrapped in an XML document to allow presentation on the phone. The information can be viewed, e-mailed or faxed to another device.
There can be multiple wallets for a single vault, and users can temporarily delegate access to the vault to another device, for example, if a user goes to a new medical clinic that’s not equipped with the software.
“If they’re not a vault user … you can do that by generating a one-time password” for access through the clinic’s PC, Vaeth said.
The MobiSecure applications are the engine that drives the Mobile Lockbox service from Intersections Inc., which provides risk and identity management services. Users can aggregate their personal records and monitor their credit and identity information. It’s a subscription-based service, a value-add to Intersections’ Identity Guard offering.
AllOne Health Group, launched by the Hospital Service Association of Northeastern Pennsylvania, is offering AllOne Mobile, to allow users mobile access to their health records. And while Diversinet is exploring relationships with Canadian health care providers, there are fundamental differences in the systems that make the U.S. the primary market, said Jay Couse, the company’s senior vice-president of business development.
In the U.S., where there is no public health insurance program, 200 million people are insured by companies like Blue Cross. There’s competition and churn and cost pressure, according to Couse, and the insurers are looking for a stickier relationship. Providing properly formatted eligibility and payment forms speeds processes and cuts customer service costs, and pushing fitness, dietary and blood pressure tools out to clients can reduce clinic visits.
In the U.S., personal health records are the property of the individual, whereas in Canada, the records are owned by the provincial health authority. So a Diversinet offering for the Canadian market would have to be focused on the provider, rather than the patient, Couse said.
Canada Health Infoway, funded to the tune of $1.6 billion, has the goal of getting 50 per cent of health records to electronic versions by 2010, and offers incentives for practitioners to buy PCs and practice management software. “Interesting, but it’s not really relevant to what our objectives are,” Couse said.
However, as innovative health providers move farther along with electronic health records, they are looking to extend what they can do with the records, Couse said.
Bill Nagel, an Amsterdam-based security and risk management researcher with Forrester Research, said what stands out about the Diversinet product is that it puts security, information provisioning and storage components together in a single offering.
“There are a number of solutions out there that use the mobile phone as a security device at different levels,” Nagel said. “Some use the phone as a security token, delivering one-time passwords via SMS or via an on-handset Java application for use when logging in to, say, an online banking site. Other, more sophisticated and secure models, use the SIM card to store secure PKI-based identity credentials and perform authentication completely out-of-band. The latter type could be said to be more secure than Diversinet’s offering, but they’re also more complex and expensive to set up and run.”
There are also solutions that are primarily messaging and service delivery platforms that might offer better functionality, Nagel said. “But one thing I like about Diversinet is that it’s first and foremost a security platform that uses that as the basis upon which messaging and storage services are delivered, rather than being a messaging and storage solution that has the security bolted on after the fact,” he said.
Nagel sees a potential market for the MobiSecure offering in any industry that handles sensitive data that must be delivered to strongly authenticated parties. Aside from health care, the legal profession and e-government are likely markets, though “as a practical matter I think government moves too slowly for there to be any chance of major adoption of a MobiSecure-type solution anytime soon,” he said.