Issues in and perspectives on electronic authentication of health professionals

1. Issues in and perspectives on electronic authentication of health professionals Pascal POITEVIN Marketing and Communication manager GIP-CPS e-Health 2005, Tromsö May, 24

2. Content • What is the need of a PKI in the Health sector ? • Why do Health organisations implement IT systems ? • The PKI definition • The Health actors and the exchanges to be secured • The experience of the GIP-CPS, first European public PKI • Certificates : guarantee of identity, profession, activity • Recording, publication • Deployment status • Examples of applications • The GIP-CPS business development • PKI interoperability issues

3. TheHealthCare Information System Why do Health organisations implement IT systems ? 1.To share medical information between all parties assuming some responsibility towards patients 2. To implement public health security information systems (medical watching, epidemiological surveys, clinical research….) 3. To improve administrative and financial management processes 4. To develop continuous access to information and knowledge for the HealthCare system participants

4. What is a PKI ? • A Public Key Infrastructure (PKI) manages the space of confidence of the organization, enable to control all the security aspects of the environment : • users’ authentication, • confidentiality, • data integrity, • non-repudiation of the transactions. • To achieve this goal, the PKI offers the administration services, the generation and diffusion of keys and electronic certificates necessary to the security products (secured e-mail, SSL server and clients, signature software...). PUBLICATION SERVICE HealthCare PROFESSIONAL REGISTRATION AUTHORITY (Med. Assoc., State and Insurance representatives) Valid the professional record CERTIFICATION AUTHORITY (GIP-CPS) produces cards as well as associated keys and certificates CPS PKI Directory Opposition Lists CRL

5. What is the need of a PKI in the Health sector ? Many data exchanges to secure HealthCare Structures HealthCare Professionals Care providers Pharmaceutical laboratories Employers Payers Payeurs Suppliers Fournisseurs Compulsory National Health Insurances Pharmacies Health web sites Complementary Health Insurances Regulator

6. The GIP-CPS« Groupement d’Intérêt Public – Carte de Professionnel de Santé » It fits the demands for confidence and security in electronic exchanges and sharing of medical data Its members : - the French state, - the 3 compulsory national health insurances, - the complementary health insurances, - the professional associations, - different user organizations.

7. In France, the certification authority of the health sector • Since it was created (in 1993), the GIP-CPS has developed the health professional card (CPS smart card) for the SESAM-Vitale application (the electronic refund claim form exchanged between health professionals and health insurance). • Within its card, the GIP-CPS delivers to health professionals certificates usable by all the applications of the health sector allowing : • the authentication, • the signature. • Moreover, confidentiality certificates are used for messages’ encoding.

8. Confidence guarantee bring by the GIP-CPS The certificate : official « electronic professional identity document » • Quality of the recording process : rigorous checking of identity and professional skills of the holder (Medical Associations, Stateand Insurance representatives’ visas). • Publication of valid certificates and revocationlist accessible for applications 24/24 and 7/7 • Setting up of a single French health professional repository (RPPS*) * RPPS : « Répertoire Partagé des Professionnels de Santé »

9. The deployment status(16/04/2005 figures) Valid cards’ holders : 570 506 Liberal sector : 495 382 (8 out of 10 liberal health professional) • Regulated health professionals : 286 924 • Employees : 208 458 Health structures : 75 124 • Regulated health professionals : 19 571 • Employees : 55 553

10. Examples of applications • Management of medical duties in Dordogne • Access to medical files in medical departments of military units (health service of the Armies) • Access for liberal professionals to a hospital medical file in Antibes • Shared Patient Medical File between doctors in Lyon (Oncora network) • Management of working time, secured accesses to buildings and workstations in a hospital in Angers • e-transmission of the refund claim forms (Sesam-Vitale) : 76 580 000 in January 2005

11. The GIP-CPS business development • The new national projects (Shared Personal Medical File “DMP”, secured access to health insurance data, electronic prescriptions...) will : • Stimulate exchanges and sharing of medical electronic data, • Require the protection of these exchanges and data. • To adapt its offer to these emergent needs, the GIP-CPS enhances its range of certificates with : • Certificates with software support(being able to be embarked by industries in a USB key, a key server, a personal electronic assistant...), • Server Certificates.

12. PKI interoperability issues •  Necessity of interoperability • Why interoperability ? • It is a precondition to secured interconnection of applications and networks • How interoperability is checked? • by comparison of certification policies, of exploitation procedures and implemented means • What are the means of implementation ? • Accreditation by national reference organizations • Mutual recognition of PKI at an international level • Interoperability within European countries • - Would a European certification authority be of any interest ? • - How can we study and experiment interoperability of electronic certificates • with other State members ?

13. Thank you for your attention ! www.gip-cps.fr Contact for international relationship : marketing@gip-cps.fr Conclusion