Page 1

Issues in and perspectives onelectronic authentication

of health professionals

Pascal POITEVIN Marketing and Communication manager

GIP-CPS

e-Health 2005, TromsöMay, 24

Page 2

Content

What is the need of a PKI in the Health sector ?Why do Health organisations implement IT systems ?The PKI definition The Health actors and the exchanges to be secured

The experience of the GIP-CPS, first European public PKICertificates : guarantee of identity, profession, activityRecording, publication Deployment statusExamples of applications The GIP-CPS business development

PKI interoperability issues

Page 3

The HealthCare Information System Why do Health organisations implement IT systems ?

1. To share medical information between all parties assuming some responsibility towards patients

2. To implement public health security information systems (medical watching, epidemiological surveys, clinical research….)

3. To improve administrative and financial management processes

4. To develop continuous access to information and knowledge for the HealthCare system participants

Page 4

What is a PKI ?A Public Key Infrastructure (PKI) manages the space of confidence of the organization, enable to control all the security aspects of the environment :

• users’ authentication, • confidentiality, • data integrity, • non-repudiation of the transactions.

To achieve this goal, the PKI offers the administration services, the generation and diffusion of keys and electronic certificates necessary to the security products (secured e-mail, SSL server and clients, signature software...).

REGISTRATION AUTHORITY

(Med. Assoc., State and Insurance

representatives)

Valid the professional record

CERTIFICATION AUTHORITY

(GIP-CPS)produces cards as well

as associated keys and certificates

PUBLICATION SERVICEHealthCarePROFESSIONAL

CPS PKI Directory

OppositionLists CRL

Page 5

Fournisseurs

Payeu

rs

Care providers

Regulator

Payers

Suppliers

HealthCare Structures HealthCare Professionals

Pharmaceutical laboratories

Pharmacies

Health web sites

Compulsory National Health Insurances

Complementary Health Insurances

Employers

What is the need of a PKI in the Health sector ?Many data exchanges to secure

Page 6

The GIP-CPS « Groupement d’Intérêt Public – Carte de Professionnel de Santé »

It fits the demands for confidence and security in electronic exchanges and sharing of medical data

Its members :

- the French state,

- the 3 compulsory national health insurances,

- the complementary health insurances,

- the professional associations,

- different user organizations.

Page 7

In France, the certification authority of the health sector

Since it was created (in 1993), the GIP-CPS has developed the health professional card (CPS smart card) for the SESAM-Vitale application (the electronic refund claim form exchanged between health professionals and health insurance). Within its card, the GIP-CPS delivers to health professionals certificates usable by all the applications of the health sector allowing :

the authentication, the signature.

Moreover, confidentiality certificates are used for messages’ encoding.

Page 8

The certificate : official « electronic professional identity document »

• Quality of the recording process : rigorous checking of identity and professional skills of the holder (Medical Associations, Stateand Insurance representatives’ visas).

• Publication of valid certificates and revocation list accessible for applications 24/24 and 7/7

• Setting up of a single French health professional repository (RPPS*)

* RPPS : « Répertoire Partagé des Professionnels de Santé »

Confidence guarantee bring by the GIP-CPS

Page 9

The deployment status (16/04/2005 figures)

Valid cards’ holders : 570 506

Liberal sector : 495 382 (8 out of 10 liberal health professional) –Regulated health professionals : 286 924–Employees : 208 458

Health structures : 75 124–Regulated health professionals : 19 571–Employees : 55 553

Page 10

Examples of applications

• Management of medical duties in Dordogne• Access to medical files in medical departments of military units

(health service of the Armies) • Access for liberal professionals to a hospital medical file in Antibes • Shared Patient Medical File between doctors in Lyon (Oncora

network) • Management of working time, secured accesses to buildings and

workstations in a hospital in Angers • e-transmission of the refund claim forms (Sesam-Vitale) :

76 580 000 in January 2005

Page 11

The GIP-CPS business development

• The new national projects (Shared Personal Medical File “DMP”, secured access to health insurance data, electronic prescriptions...) will :

– Stimulate exchanges and sharing of medical electronic data,– Require the protection of these exchanges and data.

• To adapt its offer to these emergent needs, the GIP-CPS enhances its range of certificates with :

– Certificates with software support (being able to be embarked by industries in a USB key, a key server, a personal electronic assistant...),

– Server Certificates.

Page 12

PKI interoperability issues

Necessity of interoperability Why interoperability ? It is a precondition to secured interconnection of applications and networks

How interoperability is checked? by comparison of certification policies, of exploitation procedures and

implemented means

What are the means of implementation ? – Accreditation by national reference organizations– Mutual recognition of PKI at an international level

Interoperability within European countries - Would a European certification authority be of any interest ? - How can we study and experiment interoperability of electronic certificates

with other State members ?

Page 13

Conclusion

Thank you for your attention !

www.gip-cps.fr

Contact for international relationship : marketing@gip-cps.fr