Be-Health as a driving force of electronic cooperation in the Belgian health care sector, based on the experience in the social sector - PowerPoint PPT Presentation

Slides: 51
Provided by: BWO74
Learn more at: http://www.law.kuleuven.be
Transcript and Presenter's Notes



1
Be-Health as a driving force of electronic cooperation in the Belgian health care sector, based on the experience in the social sector
Frank Robben
General manager, Crossroads Bank for Social Security
CEO, Smals
Sint-Pieterssteenweg 375, B-1040 Brussels
E-mail: Frank.Robben@ksz.fgov.be
Website CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.ac.be/icri/frobben
2
Structure of the presentation
  • objectives
  • useful building blocks
  • Be-Health
  • some possible useful initiatives of the EU

3
Objectives
  • to optimize the quality and the continuity of
    health care delivery
  • to optimize patient safety
  • to avoid unnecessary bureaucracy for all actors
    in the health care sector
  • to support policymaking in health care
  • through a well organized electronic information
    exchange between all actors in the health care
    sector
  • with the necessary guarantees for information
    security and privacy protection

4
Useful building blocks
  • general use of a patient identification number
  • platform for secure electronic exchange of
    information about patients, provided care and the
    results of the provided care, and for the
    exchange of electronic care prescriptions between
    all relevant actors in the health care sector
  • network
  • basic services
  • exchange standards
  • access channels for the users
  • user and access management
  • Sectoral Committee of the Privacy Commission

5
Useful building blocks
  • standardized content, format and methods for the
    exchange of electronic care prescriptions
  • minimal content of health care files that can be
    exchanged electronically
  • permanent availability and accessibility of the
    minimal electronically communicable content of
    health care files
  • appropriate legal framework

6
Patient identification number
  • either social security identification number
    (SSIN)
  • or identification number irreversibly derived
    from the social security identification number by
    means of an algorithm available with each health
    care provider, that will be specified by
    Be-Health
  • either unique for each patient and used by all
    health care providers and institutions
  • or unique for each patient and used by one health
    care provider / institution with a possibility of
    conversion between patient identification numbers
    of the different health care providers /
    institutions by use of a basic service delivered
    by Be-Health
  • encoding or anonymization of information when the
    identification of the patient through the patient
    identification number is no longer necessary
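
An added example, not part of the original presentation, of the second option above: one number per provider, irreversibly derived from the SSIN, with conversion done by a central service. The slides leave the algorithm to Be-Health, so the HMAC-SHA256 derivation, the `ConversionService` class, the provider names and the SSIN value are all assumptions; a secret key is used because the SSIN space is small enough that an unkeyed hash could be reversed by enumeration.

```python
import hashlib
import hmac


def _prf(key: bytes, *parts: str) -> str:
    """Keyed one-way function: HMAC-SHA256 over length-prefixed parts."""
    encoded = [p.encode("utf-8") for p in parts]
    msg = b"".join(len(e).to_bytes(2, "big") + e for e in encoded)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class ConversionService:
    """Hypothetical stand-in for the conversion basic service."""

    def __init__(self, master_key: bytes):
        if len(master_key) < 32:
            raise ValueError("master key must be at least 32 bytes")
        self._key = master_key
        # (provider, local number) -> root pseudonym. No SSIN is stored.
        self._root_by_local = {}

    def _local(self, provider: str, root: str) -> str:
        return _prf(self._key, "local", provider, root)

    def issue(self, provider: str, ssin: str) -> str:
        """Derive the number that one provider uses for one patient."""
        if len(ssin) != 11 or not (ssin.isascii() and ssin.isdigit()):
            raise ValueError("SSIN must be 11 digits")
        root = _prf(self._key, "root", ssin)
        local = self._local(provider, root)
        self._root_by_local[(provider, local)] = root
        return local

    def convert(self, from_provider: str, local: str, to_provider: str) -> str:
        """Translate one provider's number into another provider's number."""
        root = self._root_by_local.get((from_provider, local))
        if root is None:
            raise KeyError("number was never issued to this provider")
        converted = self._local(to_provider, root)
        self._root_by_local[(to_provider, converted)] = root
        return converted


def demo():
    # Constructed key and SSIN, for illustration only.
    service = ConversionService(b"\x01" * 32)
    at_hospital = service.issue("hospital-A", "00000000097")
    at_gp = service.issue("gp-B", "00000000097")
    converted = service.convert("hospital-A", at_hospital, "gp-B")
    return at_hospital, at_gp, converted
```

Two providers that compare their numbers cannot link the same patient; only the service, which holds the key and the mapping, can convert.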

7
Social security card
name Christian name date of birth sex social
security identification number period of validity
of the card card number
sickness fund sickness fund registration
number insurance period insurance status social
exemption status
key 1
other data to be added in the future, if useful
8
Electronic identity card
9
Exchange platform and standards
  • use of the existing network infrastructure
    (internet, social security extranet, FedMAN, ...)
    with end-to-end encryption of the information
    (concept of virtual private networks (VPN))
  • basic services
  • integrated user and access management
  • logging
  • orchestration of electronic processes
  • reference directory
  • coding and anonymizing
  • time stamping
  • portal environment including a content management
    system and a search engine
  • personal electronic mailbox for each health care
    provider

10
Exchange platform and standards
  • exchange based as much as possible on structured
    electronic messages from application to
    application
  • platform and exchange based as much as possible
    on open standards or at least open specifications

11
User and access management
  • guarantee that only authorized health care
    providers / institutions get access
  • to the personal information they are authorized
    to according to the law or to the authorizations
    granted by the Sectoral Committee (see hereafter)
  • concerning patients whose personal information
    they need for the health care providing process

12
User and access management
  • authentication of the identity of the health care
    provider, according to the required security
    level, by means of
  • electronic identity card
  • user number, password and citizen token
  • user number and password
  • on-line verification of the status of the health
    care provider through an electronic consultation
    of the authentic database(s) of health care
    providers
  • on-line verification of the mandates of the user
    to act on behalf of a health care provider /
    institution through the electronic consultation
    of the authentic database(s) containing the
    mandates

13
User and access management
  • authentication of the patient's identity through
    his electronic identity card or his SIS card,
    except
  • if a fixed care relation between the health care
    provider / institution and the patient has been
    registered (see hereafter, reference directory)
  • in cases of emergency
  • management of access authorizations with
    following specifications
  • which health care provider / institution /
    application
  • with which status
  • can have access in which situation
  • to which type of data
  • concerning which patients
  • and regarding which period

14
Reference directory
  • content
  • mentions for each patient, identified through his
    patient identification number, the places where a
    specific type of electronic information is
    available about the patient, the provided care
    and the results of the provided care
  • on the one hand, table with fixed care relations
    between health care providers and their patients,
    the nature of the relation, the begin date and
    end date of the relation
  • on the other hand, a table with the places where,
    without a fixed care relation, electronic
    information is available about the different
    patients, possibly through a stepped system
    (general reference directory refers to specific
    reference directories for each group of health
    care providers or each health care institution)
  • no personal information !!!

15
Reference directory
  • functions
  • preventive control on the legitimacy of the
    access to the information regarding a patient
  • routing of information requests to the places
    where the information about the patient is
    available
  • possibility of an automatic communication of
    information to certain health care providers

16
User and access management
  • access authorizations are provided by the
    Sectoral Committee, unless they result from a law
  • conformity of a concrete access request with the
    access authorizations is preventively validated
    by Be-Health, without access to the content of
    the exchanged information
  • all accesses are subject to an electronic logging
    on the user level so that the legitimacy of the
    access can be verified afterwards (only
    who-what-when, no content)
  • access to the loggings is strictly protected

17
Access channels for the users
  • several devices
  • PC and laptop
  • PDA
  • cell phone
  • maximal integrated access to the information
    regardless of the information source
  • preferably developed by the actual service
    providers of the health care providers
  • with at least one free and generally accessible
    application for the integrated access to the
    information

18
Sectoral Committee
  • composed of
  • representatives of the Privacy Commission
  • independent health care experts appointed by the
    Parliament
  • tasks
  • to give authorizations for the (electronic)
    exchange of personal health data in cases not
    regulated by the law
  • to determine the organization and policies with
    regard to information security for the processing
    of personal health data
  • to give advice and recommendations with regard
    to information security for the processing of
    personal health data
  • to investigate complaints on violation of the
    information security during the processing of
    personal health data

19
Electronic care prescriptions
  • standardized content and electronic format of the
    different types of care prescriptions
  • methods for the creation of electronic care
    prescriptions with a minimum of bureaucracy
  • within health care institutions
  • ambulant
  • methods for the electronic exchange of care
    prescriptions
  • guaranteed free choice of the care provider by
    the patient
  • incentives for care providers / institutions to
    create and exchange electronic care prescriptions

20
Minimal communicable content health care file
  • agreements on the minimal content of a health
    care file that can be communicated electronically
  • information about the patient
  • information on the provided care
  • information on the results of the provided care
  • no monopoly or recognition of software products
  • but incentives for health care providers /
    institutions to keep electronic health care files
    with minimal communicable content and to make
    them permanently electronically available to
    authorized persons

21
Accessibility health care file
  • minimal communicable content of health care files
    must be electronically available and accessible
    at all times for the authorized persons
  • either with the health care provider himself
  • or with a subcontractor chosen by the health care
    provider
  • health care institution
  • cooperation between health care providers
  • Be-Health
  • with the necessary back-up services

22
Appropriate legal framework
  • possibility or obligation to use patient
    identification number
  • obligation to update the reference directory
  • probative value of electronic prescriptions and
    electronic data exchanges
  • method for determining the minimal electronically
    communicable content of health care files
  • incentives and gradual obligation of permanent
    electronic availability of the minimal
    electronically communicable content of the health
    care file and the electronic exchange of care
    prescriptions
  • organization of Be-Health

23
Be-Health
  • (para)public organization administered by
  • various types of health care providers /
    institutions
  • sickness funds as representatives of the patients
  • public institutions responsible for the
    organization of the health care (insurance)
  • tasks
  • to develop a common vision and strategy on
    e-health
  • to define functional and technical standards and
    specifications with regard to e-health
  • to develop and manage the secure exchange
    platform: choice of the infrastructure,
    development of basic services, ...
  • to coordinate the development of electronic data
    exchange processes between the users of the
    exchange platform

24
Be-Health
  • tasks
  • to orchestrate the electronic information
    exchange between the users of the exchange
    platform
  • to offer access channels for the users
  • possibly, to convert the patient identification
    numbers between health care providers /
    institutions
  • proactive policy to avoid illegitimate access to
    personal information, e.g. through
  • preventive control of the legitimacy of the
    access to personal information
  • keeping and analyzing loggings of the exchange of
    personal information (only who-what-when)
  • helpdesk

25
Be-Health platform
[Figure: Be-Health platform. Labels: Patients and care providers; Users; Portal SS, Portal RIZIV, Portal Be-Health, MyCareNet; SVA / AVS (added value services); Platform with basic services; VAS; Suppliers]
26
Be-Health platform
  • basic service
  • a service that has been developed and made
    available by Be-Health and that can be used by
    the supplier of an added value service
  • added value service (AVS)
  • a service put at the disposal of the patients
    and/or the health care providers
  • the entity that develops and offers an added
    value service can use the basic services offered
    by Be-Health for this purpose
  • validated authentic source (VAS)
  • a database containing information used by
    Be-Health
  • the administrator of the database is responsible
    for the availability and (the organization of)
    the quality of the information made available

27
Available basic services
  • network, based on existing infrastructure
    (internet, carenet, social security extranet,
    FedMAN, ...)
  • portal environment (https://www.behealth.be),
    including
  • a content management system
  • a search engine
  • personal electronic mailbox for each health care
    provider
  • integrated user and access management
  • logging management

28
Portal
29
Portal
30
User and access management
  • authentication of the identity according to the
    required security level
  • electronic identity card
  • user number, password and citizen token
  • user number and password
  • verification of statuses and mandates: access to
    validated authentic sources
  • authorization to use an added value service:
    management by service supplier
  • elaborated on the basis of a generic policy
    enforcement model

31
Policy Enforcement Model
32
Policy Enforcement Point (PEP)
  • intercepts the request for authorization with all
    available information about the user, the
    requested action, the resources and the
    environment
  • passes on the request for authorization to the
    Policy Decision Point (PDP) and extracts a
    decision regarding authorization
  • grants access to the application and provides
    relevant credentials

[Figure: User, Policy Enforcement (PEP), Application. The action on the application is PERMITTED or DENIED; the PEP exchanges a decision request and decision reply with the Policy Decision (PDP)]
33
Policy Decision Point (PDP)
  • based on the request for authorization received,
    retrieves the appropriate authorization policy
    from the Policy Administration Point(s) (PAP)
  • evaluates the policy and, if necessary, retrieves
    the relevant information from the Policy
    Information Point(s) (PIP)
  • takes the authorization decision (permit/deny/not
    applicable) and sends it to the PEP

[Figure: Policy Enforcement (PEP) exchanges decision request / decision reply with Policy Decision (PDP); the PDP performs policy retrieval from Policy Administration (PAP) and information request / reply with two Policy Information (PIP) points]
34
Policy Administration Point (PAP)
  • environment to store and manage authorization
    policies by authorised person(s) appointed by the
    application managers
  • puts authorization policies at the disposal of
    the PDP

[Figure: Manager, authorization management, PAP with policy repository, policy retrieval by the PDP]
35
Policy Information Point (PIP)
  • puts information at the disposal of the PDP in
    order to evaluate authorization policies
    (authentic sources with characteristics,
    mandates, etc.)

[Figure: PDP exchanges information request / reply with PIP 1 and PIP 2, each in front of an authentic source]
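
The four components described on slides 32 to 35, wired together as an added example that is not part of the original presentation. Class and field names, user identifiers, policies and authentic-source contents are constructed assumptions; the sketch simplifies a policy to a minimum authentication means plus a required status, and checks a mandate only when the user acts on behalf of an institution.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not applicable"
# Authentication means from the slides, weakest to strongest.
AUTH_LEVEL = {"password": 1, "citizen_token": 2, "eid": 3}


@dataclass(frozen=True)
class Request:
    user: str                           # who (constructed identifier)
    auth_means: str                     # key of AUTH_LEVEL
    application: str                    # which added value service
    on_behalf_of: Optional[str] = None  # institution, if acting under a mandate


class PAP:
    """Policy Administration Point: stores one policy per application."""
    def __init__(self):
        self._policies = {}

    def store(self, application, min_auth, required_status):
        self._policies[application] = (AUTH_LEVEL[min_auth], required_status)

    def retrieve(self, application):
        return self._policies.get(application)


class PIP:
    """Policy Information Point in front of one authentic source."""
    def __init__(self, facts):
        self._facts = frozenset(facts)

    def holds(self, *fact):
        return fact in self._facts


class PDP:
    """Policy Decision Point: evaluates the policy using PIP data."""
    def __init__(self, pap, status_pip, mandate_pip):
        self.pap, self.status_pip, self.mandate_pip = pap, status_pip, mandate_pip

    def decide(self, req):
        policy = self.pap.retrieve(req.application)
        if policy is None:
            return NOT_APPLICABLE
        min_level, status = policy
        if AUTH_LEVEL.get(req.auth_means, 0) < min_level:
            return DENY
        if not self.status_pip.holds(req.user, status):
            return DENY
        if req.on_behalf_of and not self.mandate_pip.holds(
                req.user, req.on_behalf_of, req.application):
            return DENY
        return PERMIT


class PEP:
    """Policy Enforcement Point: asks the PDP, logs, and fails closed."""
    def __init__(self, pdp):
        self.pdp = pdp
        self.log = []

    def authorize(self, req):
        decision = self.pdp.decide(req)
        # Who-what-when plus the outcome; no content of the exchange.
        self.log.append((req.user, req.application,
                         datetime.now(timezone.utc).isoformat(), decision))
        return decision == PERMIT       # "not applicable" is refused too


def build_demo_pep():
    """Constructed policies and authentic-source contents."""
    pap = PAP()
    pap.store("third-party-billing", "citizen_token", "nurse")
    pap.store("cancer-register", "eid", "medical-doctor")
    statuses = PIP({("user-1", "nurse"), ("user-2", "medical-doctor")})
    mandates = PIP({("user-1", "nursing-group-X", "third-party-billing")})
    return PEP(PDP(pap, statuses, mandates))
```

The PEP never sees policy details and the PDP never sees exchanged content, which matches the slides' requirement that conformity is validated without access to the information itself.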
36
Architecture
[Figure: Architecture. Three domains side by side: Non social FPS (Fedict), Be-Health, Social sector (CBSS). Each shows users, applications (WebApp XYZ), authentication, authorisation, PEP, role mapper and role mapper DB, PDP, PAP, role provider and role provider DB, Kephas, PIPs with attribute providers, and underlying databases (labels include UMAF, XYZ, VAS, mandates, management, bailiffs)]
37
Validated authentic sources
  • register of health care providers
  • administrator: FPS Public Health
  • contains information about the diploma and the
    specialization of a health care provider
    identified through his social security
    identification number (SSIN)
  • database with recognitions of the National
    Institute for Sickness and Invalidity Insurance
    (RIZIV)
  • administrator: RIZIV
  • contains information about the RIZIV recognition
    of health care providers identified through their
    SSIN
  • database with persons authorized to act on behalf
    of a health care institution
  • administrator: NOSS (division user management
    for companies)
  • contains information about which persons,
    identified through their SSIN, are authorized to
    use which applications on behalf of a health care
    institution

38
Principle of "circles of trust"
  • aim
  • to avoid unnecessary centralization
  • to avoid unnecessary threats to the protection of
    the privacy
  • to avoid multiple similar controls and
    registration of loggings
  • method: division of tasks between the entities
    associated with the electronic service, including
    clear agreements on
  • who is in charge of which authentications,
    verifications and controls by which means and who
    is responsible for this
  • how the results of the authentications,
    verifications and controls can be safely
    exchanged electronically between the entities
    concerned
  • who keeps which loggings
  • how to ensure that in case of an investigation,
    on one's own initiative or in response to a
    complaint, a complete tracing can be realized in
    order to know which natural person has used which
    service or transaction concerning which citizen
    or company, when, through which channel and for
    which purposes

39
Examples of added value services
  • third party billing
  • Medic-e
  • input in cancer register
  • Medattest
  • support of electronic care prescription in
    hospitals
  • electronic registration of birth

40
Third party billing
  • supplier: National College of Sickness Funds
  • users: nurses, their groupings and
    representatives
  • functionality: send the third party billings
    electronically to the sickness funds
  • basic services used
  • identification and authentication of the identity
    of the user (eID or user number-password-citizen
    token)
  • verification of the status of nurse with RIZIV
    recognition
  • verification of the mandate
  • electronic mailbox (publication of documents)
  • logging

41
Medic-e
  • supplier: FPS Social Security
  • users: medical doctors who evaluate medical
    handicapped persons
  • functionality: enter the evaluation of
    handicapped persons electronically into the
    information system of the FPS Social Security
  • basic services used
  • identification and authentication of the identity
    of the user (eID or user number-password-citizen
    token)
  • verification of the status of medical doctor with
    RIZIV recognition
  • electronic mailbox (publication of documents)
  • logging

42
Input in cancer register
  • supplier: Cancer Register
  • users: oncologists in health care institutions
    and labs
  • functionality: electronic input of information
    into the cancer register and access to the
    registered information
  • basic services used
  • identification and authentication of the identity
    of the user (eID)
  • verification of the status of medical doctor with
    RIZIV recognition
  • electronic mailbox (publication of documents)
  • logging

43
Medattest
  • supplier: RIZIV
  • users: medical doctors, dentists,
    kinesthesiologists, nurses, speech therapists,
    orthopedists, health care institutions and their
    mandataries
  • functionality: on-line order of care prescription
    forms
  • basic services used
  • identification and authentication of the identity
    of the user (eID or user number-password-citizen
    token)
  • verification of the status of users
  • verification of the mandate
  • logging

44
Electronic care prescription in health care
institutions
  • analysis of required functionalities
  • functionalities before a prescription can be
    processed
  • authentication of the identity of the person who
    writes the prescription
  • verification of the status of the person who
    writes the prescription
  • system to ensure that the prescription cannot be
    modified unnoticeably after applying the methods
    to guarantee the integrity and the electronic
    time stamping
  • authentication of the identity, verification of
    the status of the person who has written the
    prescription, guaranteeing the integrity and
    electronic date for each individual prescription
  • the time necessary for authenticating the
    identity, verifying the status and guaranteeing
    the integrity must not exceed ¼ of a second per
    prescription
  • a person that writes prescriptions must be able
    to switch between prescription places without
    overhead
  • local validation that the prescription has not
    been modified after applying the methods to
    guarantee the integrity and the electronic time
    stamping

45
Electronic care prescription in health care
institutions
  • analysis of required functionalities
  • functionalities during the processing of the
    prescription
  • the electronic time stamping must be requested
    immediately after applying the method to
    guarantee the integrity and must be placed within
    30 seconds after the request
  • organizational requirements
  • speed of replacing an authentication tool that
    has become useless
  • traceability of who has done which processing at
    which moment for the creation of a prescription
    (must be kept during a certain period)
  • traceability of the content and of the exact date
    and time of each request and processing of a
    request to revoke an authentication tool
  • point of special interest
  • avoid that care institutions have to work with
    different systems for the authentication of the
    identity, the verification of the status, the
    guarantee of the integrity of documents,
    electronic time stamping, for different types
    of processes

46
Electronic care prescription in health care
institutions
  • possible solution
  • the authentication of the identity and the
    verification of the status are performed on the
    local level using at least a user-id, a password
    and something one possesses, on condition that
    each person that writes prescriptions signs a
    document that stipulates that he is responsible
    for everything that is authenticated in terms of
    identity and status through his user id, his
    password and the possessed element
  • the prescriptions are hashed
  • the hashing results (not the content of the
    prescription itself !) receive an electronic time
    stamp from Be-Health
  • clear organizational rules concerning the
    management of user-ids, passwords and the
    possessed elements, based on the results of
    Elodis, are incorporated in a royal decree in
    implementation of article 21 of the royal decree
    n° 78
  • a regulation is being elaborated that indicates
    under which conditions postscriptions are possible
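
The hash-then-time-stamp step of the possible solution, with the local validation and the 30 second limit from slides 44 and 45, as an added example that is not part of the original presentation. All names, the JSON canonicalisation and the sample prescription are assumptions; an HMAC stands in for the signature a real time stamping service would apply (for instance under RFC 3161), so here token authenticity is checked by the service object rather than with a public key.

```python
import hashlib
import hmac
import json

DEADLINE_SECONDS = 30  # time stamp must be placed within 30 s of the request


def prescription_digest(prescription: dict) -> str:
    """SHA-256 over a canonical JSON form, so equal content hashes equally."""
    canonical = json.dumps(prescription, sort_keys=True,
                           separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class TimestampService:
    """Stand-in for the central time stamping service (hypothetical)."""

    def __init__(self, key: bytes, clock):
        self._key = key
        self._clock = clock  # callable returning seconds since the epoch

    def _mac(self, digest_hex, stamped_at) -> str:
        msg = f"{digest_hex}|{stamped_at}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def stamp(self, digest_hex: str) -> dict:
        # Only a digest is accepted, so the content never reaches the service.
        if len(digest_hex) != 64 or any(c not in "0123456789abcdef"
                                        for c in digest_hex):
            raise ValueError("expected a SHA-256 digest, not the prescription")
        stamped_at = int(self._clock())
        return {"digest": digest_hex, "stamped_at": stamped_at,
                "mac": self._mac(digest_hex, stamped_at)}

    def is_authentic(self, token: dict) -> bool:
        expected = self._mac(token.get("digest"), token.get("stamped_at"))
        return hmac.compare_digest(expected, str(token.get("mac", "")))


def seal(prescription: dict, service: TimestampService, clock) -> dict:
    """Hash locally, request the stamp at once, enforce the deadline."""
    requested_at = int(clock())
    token = service.stamp(prescription_digest(prescription))
    if token["stamped_at"] - requested_at > DEADLINE_SECONDS:
        raise TimeoutError("time stamp placed too late after the request")
    return token


def validate(prescription: dict, token: dict, service: TimestampService) -> bool:
    """True only if the token is genuine and the content is unmodified."""
    unchanged = hmac.compare_digest(prescription_digest(prescription),
                                    str(token.get("digest", "")))
    return service.is_authentic(token) and unchanged


# Constructed sample prescription, for illustration only.
SAMPLE = {"prescriber": "user-2", "patient": "pseudonym-123",
          "item": "example medicine", "dose": "10 mg"}
```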

47
Critical success factors
  • cooperation between all actors in the health care
    sector, based on a division of tasks rather than
    a centralization of tasks
  • trust of all stakeholders in the preservation of
    the necessary autonomy and the security of the
    system
  • firstly the development of the exchange platform
    and the creation of the necessary institutions
    (management organization for exchange platform,
    Sectoral Committee, ...) and then further
    elaboration of processes between these
    institutions
  • quick wins in combination with a long term vision
  • legal framework

48
Some possible useful initiatives of EU
  • common and reliable patient identification
    methods
  • cross-border user and access management based on
    the policy enforcement model
  • common functional and technical standards and
    specifications as a basis for interoperability
  • quality standards in health care delivery in
    order to stimulate cooperation between actors in
    the health sector

49
More information
  • website Crossroads Bank for Social Security
  • http://www.ksz.fgov.be
  • portal Be-Health
  • https://www.behealth.be
  • personal website Frank Robben
  • http://www.law.kuleuven.ac.be/icri/frobben

50
Th@nk you! Any questions?