During our bi-weekly call today (April 1), we briefly discussed encryption of the HL7 protocol and secure transmission of data using HL7. I wanted to post a discussion forum on encryption concerns of HL7 and also receive feedback from the community on how encryption is addressed or not addressed currently in the field.
I found this wiki article on the HL7.org site titled "Encryption and Security": http://wiki.hl7.org/index.php?title=Implementation_FAQ:Encryption_and_Se...
Encryption of data in transit does require significant technical overhead and management to allow for the secure creation of keys, transmission of keys and PKI infrastructure management, just to name a few. The above article seems to stress that encryption is not a concern of the HL7 protocol, but should instead be addressed by a separate protocol such as SSL (HTTPS). However, during the call it was stated that HTTPS is not used for transmitting HL7 data, that HL7 data is transmitted directly using TCP/IP.
The only other alternative that comes to my mind that would allow for the secure transmission of HL7 data is at the Internet Protocol (IP) layer using IPsec (http://en.wikipedia.org/wiki/IPsec).
Encrypting host-to-host communication would help ensure that sensitive medical information cannot be captured by other systems residing on the same network as the two communicating systems. Reliance on VPN for encryption does not ensure "end-to-end" secure communication channels, and sensitive information may still be readily obtainable by 3rd parties.
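
As an added example (not part of the original post), this is one way to encrypt HL7 sent directly over TCP at the transport layer without changing HL7 itself: the sender wraps the socket in TLS and verifies the receiver's certificate. It assumes the common MLLP framing for HL7 v2 over TCP; the function names, file parameters and sample message are constructed for illustration.

```python
import socket
import ssl

SB, EB, CR = b"\x0b", b"\x1c", b"\x0d"  # MLLP start block, end block, carriage return

# Constructed sample message (not real patient data).
SAMPLE_ADT = (
    "MSH|^~\\&|SENDAPP|SENDFAC|RECVAPP|RECVFAC|20240101120000||ADT^A01|MSG0001|P|2.3\r"
    "PID|1||000000^^^TEST||DOE^JANE\r"
)

def mllp_frame(message: str) -> bytes:
    """Wrap an HL7 v2 message in MLLP delimiters; the HL7 payload is unchanged."""
    return SB + message.encode("utf-8") + EB + CR

def mllp_unframe(data: bytes) -> str:
    """Strip MLLP delimiters, rejecting truncated or unframed data."""
    if not (data.startswith(SB) and data.endswith(EB + CR)):
        raise ValueError("not a complete MLLP frame")
    return data[1:-2].decode("utf-8")

def build_sender_context(ca_file=None, cert_file=None, key_file=None):
    """TLS client context: receiver certificate and hostname are always verified.

    ca_file   - CA bundle that issued the receiver's certificate (system CAs if None)
    cert_file - optional client certificate for mutual TLS (hypothetical path)
    key_file  - private key for cert_file
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def send_hl7(host, port, message, ctx, timeout=10.0):
    """Send one HL7 message over TLS and return the receiver's acknowledgement."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # The handshake fails here if the certificate or hostname does not verify.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(mllp_frame(message))
            buf = b""
            while not buf.endswith(EB + CR):
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("peer closed before ACK completed")
                buf += chunk
            return mllp_unframe(buf)
```

Because the TLS session terminates in the sending and receiving processes themselves, the message stays encrypted between the two endpoints rather than only inside a VPN tunnel.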