The Eternal Resource Locator: An Alternative Means of Establishing Trust on the World Wide Web
Introduction
Medicine is one field in which serious attempts are underway in a
number of countries to build large-scale decentralised trusted systems
over the Internet to support a number of aspects of patient care,
administration and research. Medical informatics has made unique
contributions to the general pool of security know-how, and as medical
practice is highly decentralised, many of these lessons may be
applicable to Internet applications in general. Examples include the
following.
- Conventional security policy models like Bell-LaPadula and
Clark-Wilson do not work well in medical telematics, as they
assume that security administration is centralised. Medicine is
a business in which the field operatives are the most highly
trained, the most trusted by the clientèle, and in most
countries are also legally burdened with the duty to make access
control decisions [Hor97]. This has led to the development
of security policy models that locate the control in the leaves
rather than in the root of the access control
structure [And96].
- An attempt by the UK government's Department of Health to
introduce a conventional X.509 certificate
structure [Zer96] was opposed by the medical profession.
There was not just an ethical objection to the escrow features
of the proposed key management protocol [JMW96]; it had
also become clear that a central trusted third party could not
cope with a health service whose approximately one million
employees are spread over 12,000 separate organisations.
- In addition to the engineering costs of centralisation, there
was also the principle that electronic trust structures should
mirror those in existing professional practice. This principle
was first enunciated by Alexander Rossnagel, a German lawyer,
who feared that certification authorities would deprive notaries
of their income [Ros95]; it has since been adopted by the
UK government and the medical profession as one of the
principles by which disputes over electronic privacy issues are
to be resolved [NHSE96].
- The governments of Germany and Austria attempted to solve
security problems by introducing smartcards as access tokens for
both patients and healthcare professionals. Despite careful
government studies of the likely social
consequences [BSI95], it has turned out that these cards
have had a centralising effect that many professionals find
intolerable [HW97].
The previous work that directly concerns us is Wax [Wax97a]. This
is a proprietary hypertext system used for medical publishing; its
goal is the secure and timely electronic distribution of information
used to support clinical practice, such as treatment protocols and
drug formularies. It will also be used for government circulars
ranging from purely administrative information such as advice on
coping with the Y2K bug to notices of newly discovered adverse drug
reactions; and for local information such as hospital waiting lists.
Wax is already used in several health trusts in the UK for providing a
mixture of trust-specific and general information. It is also used in
the US for delivery of medical knowledge relating to HIV and AIDS by
Intelligent Medical Objects, Inc. (Northbrook, Illinois, USA). There
are clear safety and medico-legal reasons why the authenticity,
integrity and timeliness of the information it distributes should be
protected, and a project was undertaken during 1996-8 to design and
implement this. That project is described in [Wax97a], but we
will describe it here briefly so this article is self-contained.
Fabien A.P. Petitcolas, Computer Laboratory, University of Cambridge