
Be-Health: Driving Electronic Cooperation in Belgian Healthcare Sector

This presentation highlights the objectives, building blocks, and potential initiatives of Be-Health, aiming to optimize healthcare delivery, patient safety, and minimize bureaucracy. It emphasizes the importance of secure electronic information exchange and privacy protection in the healthcare sector.

jglenn

Presentation Transcript


  1. Be-Health as a driving force of electronic cooperation in the Belgian health care sector, based on the experience in the social sector • Frank Robben • General manager Crossroads Bank for Social Security • CEO Smals • Sint-Pieterssteenweg 375, B-1040 Brussels • E-mail: Frank.Robben@ksz.fgov.be • Website CBSS: www.ksz.fgov.be • Personal website: www.law.kuleuven.ac.be/icri/frobben

  2. Structure of the presentation • objectives • useful building blocks • Be-Health • some possible useful initiatives of the EU

  3. Objectives • to optimize the quality and the continuity of health care delivery • to optimize patient safety • to avoid unnecessary bureaucracy for all actors in the health care sector • to support policymaking in health care • through a well organized electronic information exchange between all actors in the health care sector • with the necessary guarantees for information security and privacy protection

  4. Useful building blocks • general use of a patient identification number • platform for secure electronic exchange of information about patients, provided care and the results of the provided care, and for the exchange of electronic care prescriptions between all relevant actors in the health care sector • network • basic services • exchange standards • access channels for the users • user and access management • access channels for the users • Sectoral Committee of the Privacy Commission

  5. Useful building blocks • standardized content, format and methods for the exchange of electronic care prescriptions • minimal content of health care files that can be exchanged electronically • permanent availability and accessibility of the minimal electronically communicable content of health care files • appropriate legal framework

  6. Patient identification number • either social security identification number (SSIN) • or identification number irreversibly derived from the social security identification number by means of an algorithm available with each health care provider, that will be specified by Be-Health • either unique for each patient and used by all health care providers and institutions • or unique for each patient and used by one health care provider / institution with a possibility of conversion between patient identification numbers of the different health care providers / institutions by use of a basic service delivered by Be-Health • encoding or anonymization of information when the identification of the patient through the patient identification number is no longer necessary

  7. Social security card • name • Christian name • date of birth • sex • social security identification number • period of validity of the card • card number • sickness fund • sickness fund registration number • insurance period • insurance status • social exemption status • other data to be added in the future, if useful [figure: card layout with the labels "key 1" and "key 2"]

  8. Electronic identity card

  9. Exchange platform and standards • use of the existing network infrastructure (internet, social security extranet, FedMAN, ...) with end-to-end encryption of the information (concept of virtual private networks (VPN)) • basic services • integrated user and access management • logging • orchestration of electronic processes • reference directory • coding and anonymizing • time stamping • portal environment including a content management system and a search engine • personal electronic mailbox for each health care provider

  10. Exchange platform and standards • exchange based as much as possible on structured electronic messages from application to application • platform and exchange based as much as possible on open standards or at least open specifications

  11. User and access management • guarantee that only authorized health care providers / institutions get access • to the personal information they are authorized to according to the law or to the authorizations granted by the Sectoral Committee (see hereafter) • concerning patients whose personal information they need for the health care providing process

  12. User and access management • authentication of the identity of the health care provider, according to the required security level, by means of • electronic identity card • user number, password and citizen token • user number and password • on-line verification of the status of the health care provider through an electronic consultation of the authentic database(s) of health care providers • on-line verification of the mandates of the user to act on behalf of a health care provider / institution through the electronic consultation of the authentic database(s) containing the mandates

  13. User and access management • authentication of the patient’s identity through his electronic identity card or his SIS card, except • if a fixed care relation between the health care provider / institution and the patient has been registered (see hereafter, reference directory) • in cases of emergency • management of access authorizations with following specifications • which health care provider / institution / application • with which status • can have access in which situation • to which type of data • concerning which patients • and regarding which period

  14. Reference directory • content • mentions for each patient, identified through his patient identification number, the places where a specific type of electronic information is available about the patient, the provided care and the results of the provided care • on the one hand, table with fixed care relations between health care providers and their patients, the nature of the relation, the begin date and end date of the relation • on the other hand, a table with the places where, without a fixed care relation, electronic information is available about the different patients, possibly through a stepped system (general reference directory refers to specific reference directories for each group of health care providers or each health care institution) • no personal information !!!

  15. Reference directory • functions • preventive control on the legitimacy of the access to the information regarding a patient • routing of information requests to the places where the information about the patient is available • possibility of an automatic communication of information to certain health care providers

  16. User and access management • access authorizations are provided by the Sectoral Committee, unless they result from a law • conformity of a concrete access request with the access authorizations is preventively validated by Be-Health, without access to the content of the exchanged information • all accesses are subject to an electronic logging on the user level so that the legitimacy of the access can be verified afterwards (only who-what-when, no content) • access to the loggings is strictly protected

  17. Access channels for the users • several devices • PC and laptop • PDA • cell phone • … • maximal integrated access to the information regardless of the information source • preferably developed by the actual service providers of the health care providers • with at least one free and generally accessible application for the integrated access to the information

  18. Sectoral Committee • composed of • representatives of the Privacy Commission • independent health care experts appointed by the Parliament • tasks • to give authorizations for the (electronic) exchange of personal health data in cases not regulated by the law • to determine the organization and policies with regard to information security for the processing of personal health data • to give advice and recommendations with regard to information security for the processing of personal health data • to investigate complaints on violation of the information security during the processing of personal health data

  19. Electronic care prescriptions • standardized content and electronic format of the different types of care prescriptions • methods for the creation of electronic care prescriptions with a minimum of bureaucracy • within health care institutions • ambulant • methods for the electronic exchange of care prescriptions • guaranteed free choice of the care provider by the patient • incentives for care providers / institutions to create and exchange electronic care prescriptions

  20. Minimal communicable content health care file • agreements on the minimal content of a health care file that can be communicated electronically • information about the patient • information on the provided care • information on the results of the provided care • no monopoly or recognition of software products • but incentives for health care providers / institutions to keep electronic health care files with minimal communicable content and to make them permanently electronically available to authorized persons

  21. Accessibility health care file • minimal communicable content of health care files must be electronically available and accessible at all times for the authorized persons • either with the health care provider himself • or with a subcontractor chosen by the health care provider • health care institution • cooperation between health care providers • Be-Health • … • with the necessary back-up services

  22. Appropriate legal framework • possibility or obligation to use patient identification number • obligation to update the reference directory • probative value of electronic prescriptions and electronic data exchanges • method for determining the minimal electronically communicable content of health care files • incentives and gradual obligation of permanent electronic availability of the minimal electronically communicable content of the health care file and the electronic exchange of care prescriptions • organization of Be-Health

  23. Be-Health • (para)public organization administered by • various types of health care providers / institutions • sickness funds as representatives of the patients • public institutions responsible for the organization of the health care (insurance) • tasks • to develop a common vision and strategy on e-health • to define functional and technical standards and specifications with regard to e-health • to develop and manage the secure exchange platform: choice of the infrastructure, development of basic services, ... • to coordinate the development of electronic data exchange processes between the users of the exchange platform

  24. Be-Health • tasks • to orchestrate the electronic information exchange between the users of the exchange platform • to offer access channels for the users • possibly, to convert the patient identification numbers between health care providers / institutions • proactive policy to avoid illegitimate access to personal information, e.g. through • preventive control of the legitimacy of the access to personal information • keeping and analyzing loggings of the exchange of personal information (only who-what-when) • helpdesk

  25. Be-Health platform [diagram. Labels: Users (patients and care providers); Portal SS, Portal RIZIV, Portal BeHealth, PortaHealth, MyCareNet and FPS-SS, each with added value services (AVS); Be-Health platform with basic services; Suppliers with validated authentic sources (VAS)]

  26. Be-Health platform • basic service • a service that has been developed and made available by Be-Health and that can be used by the supplier of an added value service • added value service (AVS) • a service put at the disposal of the patients and/or the health care providers • the entity that develops and offers an added value service can use the basic services offered by Be-Health for this purpose • validated authentic source (VAS) • a database containing information used by Be-Health • the administrator of the database is responsible for the availability and (the organization of) the quality of the information made available

  27. Available basic services • network, based on existing infrastructure (internet, carenet, social security extranet, FedMAN, ...) • portal environment (https://www.behealth.be), including • a content management system • a search engine • personal electronic mailbox for each health care provider • integrated user and access management • logging management

  28. Portal

  29. Portal

  30. User and access management • authentication of the identity: according to the required security level • electronic identity card • user number, password and citizen token • user number and password • verification of statuses and mandates: access to validated authentic sources • authorization to use an added value service: management by service supplier • elaborated on the basis of a generic policy enforcement model

  31. Policy Enforcement Model [diagram: the User sends an action on the application to Policy Enforcement (PEP), which lets it through to the Application (PERMITTED) or refuses it (DENIED); PEP and Policy Decision (PDP) exchange decision request / decision reply; the PDP performs policy retrieval from Policy Administration (PAP), where a Manager does policy management on the policy repository; the PDP exchanges information request / reply with two Policy Information points (PIP), each in front of an authentic source]

  32. Policy Enforcement Point (PEP) • intercepts the request for authorization with all available information about the user, the requested action, the resources and the environment • passes on the request for authorization to the Policy Decision Point (PDP) and extracts a decision regarding authorization • grants access to the application and provides relevant credentials [diagram: User, PEP, Application (PERMITTED / DENIED); decision request / decision reply between PEP and PDP]

  33. Policy Decision Point (PDP) • based on the request for authorization received, retrieves the appropriate authorization policy from the Policy Administration Point(s) (PAP) • evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP) • takes the authorization decision (permit/deny/not applicable) and sends it to the PEP [diagram: decision request / decision reply between PEP and PDP; policy retrieval from PAP; information request / reply with two PIPs]

  34. Policy Administration Point (PAP) • environment to store and manage authorization policies by authorised person(s) appointed by the application managers • puts authorization policies at the disposal of the PDP [diagram: Manager, authorization policy management, PAP with policy repository, policy retrieval by the PDP]

  35. Policy Information Point (PIP) • puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources with characteristics, mandates, etc.) [diagram: PDP exchanging information request / reply with PIP 1 and PIP 2, each in front of an authentic source]
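The policy enforcement model of slides 30 to 35 as an added Python example (not code from the presentation or from Be-Health). The class layout, the ordering in `AUTH_LEVEL`, the policy tuples, the status labels and the SSINs are assumptions constructed for illustration; the two sample policies follow the third party billing and cancer register services described on slides 40 and 42.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Authentication means from the slides; the numeric ordering is an assumption.
AUTH_LEVEL = {"password": 1, "citizen_token": 2, "eid": 3}

@dataclass(frozen=True)
class Request:
    ssin: str                           # who (constructed sample numbers below)
    auth_means: str                     # how the user's identity was authenticated
    application: str                    # which added value service
    action: str                         # what
    on_behalf_of: Optional[str] = None  # institution, when acting under a mandate

class PAP:
    """Policy Administration Point: stores one policy per application."""
    def __init__(self):
        self._policies = {}
    def store(self, application, min_auth, status, mandates_allowed):
        self._policies[application] = (min_auth, status, mandates_allowed)
    def retrieve(self, application):
        return self._policies.get(application)

class PIP:
    """Policy Information Point in front of one authentic source (a set of facts)."""
    def __init__(self, facts):
        self._facts = set(facts)
    def holds(self, *fact):
        return fact in self._facts

class PDP:
    """Policy Decision Point: returns permit / deny / not applicable."""
    def __init__(self, pap, status_pip, mandate_pip):
        self.pap, self.status_pip, self.mandate_pip = pap, status_pip, mandate_pip
    def decide(self, req):
        policy = self.pap.retrieve(req.application)
        if policy is None:
            return "not applicable"
        min_auth, status, mandates_allowed = policy
        if AUTH_LEVEL.get(req.auth_means, 0) < AUTH_LEVEL[min_auth]:
            return "deny"
        if not self.status_pip.holds(req.ssin, status):
            return "deny"
        if req.on_behalf_of is not None:
            mandate = (req.ssin, req.on_behalf_of, req.application)
            if not (mandates_allowed and self.mandate_pip.holds(*mandate)):
                return "deny"
        return "permit"

class PEP:
    """Policy Enforcement Point: asks the PDP, logs who-what-when, fails closed."""
    def __init__(self, pdp):
        self.pdp, self.log = pdp, []
    def handle(self, req, now=None):
        decision = self.pdp.decide(req)
        when = (now or datetime.now(timezone.utc)).isoformat()
        # Log entry carries no content of the exchanged information.
        self.log.append({"who": req.ssin, "what": f"{req.application}:{req.action}",
                         "when": when, "decision": decision})
        return decision == "permit"   # "not applicable" is treated as a refusal

def build_demo_pep():
    """Wire the four points together with constructed sample data."""
    pap = PAP()
    pap.store("third_party_billing", "citizen_token", "nurse_riziv", True)
    pap.store("cancer_register", "eid", "doctor_riziv", False)
    status = PIP({("70010100123", "nurse_riziv"), ("65020200456", "doctor_riziv")})
    mandates = PIP({("70010100123", "nursing-group-A", "third_party_billing")})
    return PEP(PDP(pap, status, mandates))
```

The PDP never sees the payload of the action, only the attributes of the request, which matches the slide 16 requirement that conformity is validated without access to the content of the exchanged information.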

  36. Architecture [diagram: three parallel domains, Non social FPS (Fedict), Be-Health and Social sector (CBSS). Each shows USER, APPLICATIONS (WebApp XYZ), authentication and authorisation, a PEP with Role Mapper and Role Mapper DB, a PDP with Role Provider and Role Provider DB, a PAP labelled ''Kephas'', and PIPs acting as Attribute Providers. Source labels: Management DB, RIZIV, UMAF, mandates (Mandaten), bailiffs DB (Gerechtsdeurwaarders), XYZ, VAS]

  37. Validated authentic sources • register of health care providers • administrator: FPS Public Health • contains information about the diploma and the specialization of a health care provider identified through his social security identification number (SSIN) • database with recognitions of the National Institute for Sickness and Invalidity Insurance (RIZIV) • administrator: RIZIV • contains information about the RIZIV recognition of health care providers identified through their SSIN • database with persons authorized to act on behalf of a health care institution • administrator: NOSS (division user management for companies) • contains information about which persons, identified through their SSIN, are authorized to use which applications on behalf of a health care institution

  38. Principle of "circles of trust" • aim • to avoid unnecessary centralization • to avoid unnecessary threats to the protection of the privacy • to avoid multiple similar controls and registration of loggings • method: division of tasks between the entities associated with the electronic service, including clear agreements on • who is in charge of which authentications, verifications and controls by which means and who is responsible for this • how the results of the authentications, verifications and controls can be safely exchanged electronically between the entities concerned • who keeps which loggings • how to ensure that in case of an investigation, on one's own initiative or in response to a complaint, a complete tracing can be realized in order to know which natural person has used which service or transaction concerning which citizen or company, when, through which channel and for which purposes

  39. Examples of added value services • third party billing • Medic-e • input in cancer register • Medattest • support of electronic care prescription in hospitals • electronic registration of birth

  40. Third party billing • supplier: National College of Sickness Funds • users: nurses, their groupings and representatives • functionality: send the third party billings electronically to the sickness funds • basic services used • identification and authentication of the identity of the user (eID or user number-password-citizen token) • verification of the status of nurse with RIZIV recognition • verification of the mandate • electronic mailbox (publication of documents) • logging

  41. Medic-e • supplier: FPS Social Security • users: medical doctors who evaluate medically handicapped persons • functionality: enter the evaluation of handicapped persons electronically into the information system of the FPS Social Security • basic services used • identification and authentication of the identity of the user (eID or user number-password-citizen token) • verification of the status of medical doctor with RIZIV recognition • electronic mailbox (publication of documents) • logging

  42. Input in cancer register • supplier: Cancer Register • users: oncologists in health care institutions and labs • functionality: electronic input of information into the cancer register and access to the registered information • basic services used • identification and authentication of the identity of the user (eID) • verification of the status of medical doctor with RIZIV recognition • electronic mailbox (publication of documents) • logging

  43. Medattest • supplier: RIZIV • users: medical doctors, dentists, kinesthesiologists, nurses, speech therapists, orthopedists, health care institutions and their mandataries • functionality: on-line order of care prescription forms • basic services used: • identification and authentication of the identity of the user (eID or user number-password-citizen token) • verification of the status of users • verification of the mandate • logging

  44. Electronic care prescription in health care institutions • analysis of required functionalities • functionalities before a prescription can be processed • authentication of the identity of the person who writes the prescription • verification of the status of the person who writes the prescription • system to ensure that the prescription cannot be modified unnoticeably after applying the methods to guarantee the integrity and the electronic time stamping • authentication of the identity, verification of the status of the person who has written the prescription, guaranteeing the integrity and electronic date for each individual prescription • the time necessary for authenticating the identity, verifying the status and guaranteeing the integrity must not exceed ¼ of a second per prescription • a person that writes prescriptions must be able to switch between prescription places without overhead • local validation that the prescription has not been modified after applying the methods to guarantee the integrity and the electronic time stamping

  45. Electronic care prescription in health care institutions • analysis of required functionalities • functionalities during the processing of the prescription • the electronic time stamping must be requested immediately after applying the method to guarantee the integrity and must be placed within 30 seconds after the request • organizational requirements • speed of replacing an authentication tool that has become unusable • traceability of who has done which processing at which moment for the creation of a prescription (must be kept during a certain period) • traceability of the content and of the exact date and time of each request and processing of a request to revoke an authentication tool • point of special interest • avoid that care institutions have to work with different systems for the authentication of the identity, the verification of the status, the guarantee of the integrity of documents, electronic time stamping, … for different types of processes

  46. Electronic care prescription in health care institutions • possible solution • the authentication of the identity and the verification of the status are performed on the local level using at least a user-id, a password [and something one possesses], on condition that each person that writes prescriptions signs a document that stipulates that he is responsible for everything that is authenticated in terms of identity and status through his user id, his password [and the possessed element] • the prescriptions are hashed • the hashing results (not the content of the prescription itself !) receive an electronic time stamp from Be-Health • clear organizational rules concerning the management of user-id's, passwords [and the possessed elements], based on the results of Elodis, are incorporated in a royal decree in implementation of article 21 of the royal decree n° 78 • a regulation is being elaborated that indicates under which conditions postscriptions are possible
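The hash-then-time-stamp flow of slides 44 to 46 as an added Python example (not code from the presentation or from Be-Health): the institution hashes the prescription, only the digest reaches the time-stamping service, and local validation later detects modification or a stamp placed more than 30 seconds after the request. SHA-256, the JSON canonicalisation, the token fields and the HMAC key standing in for the service's signature are assumptions; the sample prescription is constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the time-stamping key. A real service would sign
# with a private key so that verifiers need only the public key.
TSA_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_DELAY_MS = 30_000   # slide 45: stamp placed within 30 seconds of the request

def hash_prescription(prescription: dict) -> str:
    """Institution side: canonicalise and hash; the content stays local."""
    canonical = json.dumps(prescription, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def _mac(digest_hex: str, stamped_at_ms: int) -> str:
    """Bind a digest to a point in time under the service's key."""
    msg = f"{digest_hex}|{stamped_at_ms}".encode("ascii")
    return hmac.new(TSA_KEY, msg, hashlib.sha256).hexdigest()

def timestamp_service(digest_hex: str, now_ms: int) -> dict:
    """Time-stamping side: accepts a SHA-256 digest only, never the content."""
    if len(digest_hex) != 64 or set(digest_hex) - set("0123456789abcdef"):
        raise ValueError("expected a lowercase hex SHA-256 digest")
    return {"digest": digest_hex, "stamped_at_ms": now_ms,
            "mac": _mac(digest_hex, now_ms)}

def validate(prescription: dict, token: dict, requested_at_ms: int) -> str:
    """Local validation: token authentic, content unchanged, stamp on time."""
    expected = _mac(token["digest"], token["stamped_at_ms"])
    if not hmac.compare_digest(expected, token["mac"]):
        return "bad token"
    if not hmac.compare_digest(hash_prescription(prescription), token["digest"]):
        return "modified"
    delay = token["stamped_at_ms"] - requested_at_ms
    if delay < 0 or delay > MAX_DELAY_MS:
        return "late"
    return "ok"
```

Canonicalising before hashing matters here: without a fixed key order and separators, two systems serialising the same prescription would produce different digests and the local validation would report a modification that never happened.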

  47. Critical success factors • cooperation between all actors in the health care sector, based on a division of tasks rather than a centralization of tasks • trust of all stakeholders in the preservation of the necessary autonomy and the security of the system • firstly the development of the exchange platform and the creation of the necessary institutions (management organization for exchange platform, Sectoral Committee, ...) and then further elaboration of processes between these institutions • quick wins in combination with a long term vision • legal framework

  48. Some possible useful initiatives of EU • common and reliable patient identification methods • cross-border user and access management based on the policy enforcement model • common functional and technical standards and specifications as a basis for interoperability • quality standards in health care delivery in order to stimulate cooperation between actors in the health sector

  49. More information • website Crossroads Bank for Social Security • http://www.ksz.fgov.be • portal Be-Health • https://www.behealth.be • personal website Frank Robben • http://www.law.kuleuven.ac.be/icri/frobben

  50. Th@nk you! Any questions?
