230 likes | 250 Vues
Explore the similarities between the social security and health care sectors, and learn about the Crossroads Bank model which includes distributed data storage, common identification keys, a reference directory, interoperability framework, and security measures.
E N D
The Crossroads Bank for Social Security,a model for the health care sector ? Frank Robben General managerCrossroads Bank for Social Security Sint-Pieterssteenweg 375 B-1040 Brussels E-mail: Frank.Robben@ksz.fgov.be Website CBSS: www.ksz.fgov.be Personal website: http://www.law.kuleuven.ac.be/icri/frobben Crossroads Bank for Social Security
Structure of the presentation • relevant similarities between the social security sector and the health care sector • the model of the Crossroads Bank • the overall concept • the basic building blocks • critical success factors for an implementation
Relevant similarities • many actors, each having their own competencies and interests • huge need for electronic exchange of sensitive personal data between those actors, with sufficient guarantees on • interoperability • efficiency • data quality • security (availability, integrity, confidentiality) • a central data storage is not possible or desirable for reasons of • privacy protection • unacceptability for the actors
The Crossroads Bank model • distributed data storage, conform to a functional task sharing between the actors • the use of common identification keys for every entity that has to be identified • a reference directory, serving as a base for the organization of information exchange • a common technical and functional interoperability framework • a common security framework • a legal framework • the creation of an institution that elaborates the vision, stimulates, co-ordinates and manages the necessary frameworks
Distributed data storage • functional task sharing concerning • validation of information • storage of information • information is dynamically assembled • in function of business needs • on the initiative of the actor who needs the information or of the concerned person • according to the authorizations • by the use of the common interoperability and security framework
Common identification keys • characteristics • unicity • one entity – one identification key • same identification key is not assigned to several entities • exhaustivity • every entity to be identified has an identification key • stability through time • identification key doesn’t contain variable characteristics of the identified entity • identification key doesn’t contain references to the identification key or characteristics of other entities • identification key doesn’t change when a capacity or a characteristic of the identified entity changes
Common identification keys • concrete implementation • citizens • social security number (national register number or CBSS-number) • (electronically) readable from the SIS-card or the electronic identity card • controlled access to basic identification data in National Register and CBSS • Belgian Privacy Commission: in health care sector preferable use of common identification key derived from social security number, rather than social security number itself • enterprises, including organizations and professionals • enterprise number (based on VAT-number) • number for every plant of an enterprise • generalized access to basic identification data in the Enterprise Register • regulation on data interconnection
Reference directory • serves as a base for the organization of information exchange • structure • directory of persons: which actors have data on which persons in which capacities for which periods • data availability table: which actor disposes of which type of data for which capacity • access authorization table: which data may be transmitted to which actors for which capacities • functions • routing of information • preventive access control • automatic communication of changes to information
Interoperability framework • goal: to guarantee the ability of all actors to share information and to integrate information and business processes by the use of • interconnected physical networks • (open) technical standards • functional agreements • harmonized concepts and data modelling
Technical standards Information Exchange ServicesRepository Interconnection Services Register (~ UDDI)Agreements (~ ebXML)PoliciesVocabularia (content + metadata) TCP/IPSMTPLDAPFTPS/MIME XMLXSLSOAPWSDLmetadata (RDF, XTM, XMI, …) Security
Functional agreements • standardized codification • standardized use of objects and attributes • standardized layout of header of messages, independent from information exchange format and type of information exchange • version management • backwards compatibility • SLA’s on disponibility and performance of services • access autorisation management • anonimization rules • acceptation and production environments • priority management • …
Security framework: institutional measures • no central data storage • independent Control Committee, assigned by Parliament • supervision of information security • authorizing the information exchange • complaint handling • information security recommendations • extensive investigating powers • annual activity report • publication of the authorizations of information exchange • preventive control on legitimacy of data exchange by Crossroads Bank according to authorizations of the independent Control Committee • information security department in each institution • certified specialized information security service providers • working party on information security
Security framework: extended ISO 17799 • security policy • security organization • asset classification and control • personnel security • physical and environmental security • computer and operations management • access control • system development and maintenance • specific measures with regard to the processing of personal data • business continuity planning • compliance • communication towards the public opinion concerning the security policy and the measures with regard to security and privacy protection
Security framework: legal measures • obligations of the controller • principles relating to data quality • criteria for making data processing legitimate • specific rules for processing of sensitive data • information to be given to the data subject • confidentiality and security of processing • notification of the processing of personal data • rights of the data subject • right of information • right of access • right of rectification, erasure or blocking • right of a judicial remedy • penalties
Security framework: authentication • some basic concepts • identification: answer to the question “who are you ?” • authentication: answer to the question “can you proof who or what you pretend to be ?” • who: authentication of the identity • what: authentication of an attribute (e.g. role, characteristic, mandate, ...) • autorisation: answer to the question “what are you allowed to do ?” • authentication • of the identity • electronic identity card • meanwhile, for some applications user-id – password – token • of an attribute • stored in a database or • stored in attribute certificate
1234567890 key 2 SIS card: identification & proof of insurance status • name • Christian names • date of birth • sex • social security number • period of validity of the card • card number • sickness fund • sickness fund registration number • insurance period • insurance status • social exemption status key 1 • other data to be added in the future, • if useful
Electronic identity card: identification & authentication • name • Christian names • nationality • birth place and date • sex • national register number • main residence • place of deliveryof the card • period ofvalidityof the card • card number • the photo of the holder • identity and signature keys • identity and signature certificates • accredited certification service furnisher • information necesary for authentication of the card and securizationof the electronic data
Harmonized concepts and data modelling • standard elements • with well defined characteristics • used within all services • OO-oriented • version management in an ever changing environment • define once, use many (different presentations) • workflow for validation of standard elements and characteristics • multi criteria search • by element • by scheme • by version • …
Changes of the legal environment • organization of integrated information management and electronic service delivery • organizational principles of the co-operation • permission or obligation to use common identification keys • rights and obligations of the different actors • role of the Crossroads Bank • liability • ICT-law: only basic principles, technology-neutral, but not technology unaware • data protection • electronic signature • probative value
Creation of an institution (Crossroads Bank) • managed by representatives of the concerned actors • tasks • elaboration of the common vision in co-operation with the concerned actors • stimulation • co-ordination and program and project management • management of • the reference directory • the common interoperability framework • the common security framework • the legal framework • harmonization of the concepts and data modelling
A proven model • this model has been implemented • with end-to-end integration of electronic processes between • 2.000 public and private social security institutions • those institutions and all enterprises • with integrated electronic service delivery via a web portal to all citizens and enterprises • 170 types of structured data exchanges have already been implemented • 242 million messages were exchanged in 2002 • the model is mentioned as best practice in E-government in the last 2 surveys of the European Commission
Critical success factors • a long term vision deliberated with the concerned actors • respect of the repartition of tasks and competences between the actors: co-operation between all actors rather than centralization of tasks • trust of all actors in the co-operation model and the security of the system • search for win-win situations • sufficient financial means, skills and knowledge • support of and access to policymakers at the highest level • legal framework • creation of an institution that elaborates the common vision, stimulates, co-ordinates and manages the necessary frameworks
Th@nk you ! Crossroads Bank for Social Security