Title: Plan for the Establishment and Operation of the Healthcare Certification Authority
- Shyu, Charng-Er
- Information Management Center
- Department of Health
- Taiwan, R.O.C.
- 01/24/2005
Report Outline
- 1. Project Overview
- 2. Four types of HCA-issued cards
- 3. Membership Roster of HCA
- 4. Rules and regulations on the RA and RAO
- 5. Certification Specifications
- 6. Operational Status of HCA
- 7. Certification IC card issuance for medical
care personnel
- 8. Registration Authority Operators (RAO)
- 9. Applications of Healthcare Certification IC
Cards
- 10. Related Regulations
- 11. HCA Legal Basis
- 12. Budget
1. Project Overview (1/4)
- Project Origins
- In view of the rapid development of the medical
information environment, healthcare institutions
are also actively implementing plans to switch
from paper to electronic medical records and
computerize healthcare procedures and hospital
management. The goal of these plans is to
increase the quality and effectiveness of medical
care and reduce the cost of healthcare
management.
1. Project Overview (2/4)
- Project Basis
- The Executive Yuan Research, Development and
Evaluation Commission's E-Government Electronic
Certification Services Conference resolution
item: "All governing bodies shall provide
electronic license or electronic certificate
certification services." (11/13/2000)
- In accordance with the Knowledge Economy
Development Practical Implementation Project
passed by the Executive Yuan in 2001 (No.
006016), the DOH received approval for the active
promotion and implementation of the sub-project
"Online Health Services Promotion Plan"
(1/29/2001). The Healthcare Certification
Authority Plan is one of the subplans.
- By order of the Executive Yuan (No. 0910080314),
the Electronic Signature Act went into effect on
April 1, 2002.
1. Project Overview (3/4)
- Project timeframe: 2002.8.1 to 2005.12.31
- Project content: the setup of software, hardware
and operating environments, the drafting of
operational procedures and standards, the
establishment of certification IC card production
and distribution services, promotion of
certification usage and the provision of related
training courses, and the maintenance of the
services and security management of HCA.
1. Project Overview (4/4)
- HCA goals
- Providing e-healthcare certification services,
establishing an electronic signature mechanism,
and creating a secure environment for the
exchange of healthcare information within the
healthcare system.
- Assuring the confidentiality, integrity, identity
verification, and non-repudiation of electronic
healthcare information
- To facilitate the sharing of information, HPC
capabilities will be added to physicians' medical
personnel certification IC cards.
2. The four types of HCA-issued cards (1/3)
- 1. Healthcare institutional certification IC
cards
- Serve as the electronic representation of the
institution's corporate actions, like a corporate
seal.
- Provide encryption and signatures for electronic
documents, online birth reporting, etc.
- 2. Healthcare personnel certification IC cards
- Serve as the electronic representation of medical
personnel's personal behavior, like a specimen
seal (i.e. personal electronic signature).
- Restrict access to NHI IC Card information (only
doctors have access) and provide medical record
signatures.
2. The four types of HCA-issued cards (2/3)
- 3. Auxiliary certification IC cards for healthcare
institutions
- In order to cater to healthcare institutions that
have multiple application systems or single
systems with multiple administrators, and thus
have the need to use multiple certification cards
simultaneously, auxiliary certification IC cards
shall be issued with functions identical to the
original card.
- The DOH began accepting applications from medical
centers for temporary card usage on December 29,
2004. After the fee rules have been ratified, the
DOH will begin collecting fees from applicants.
- Auxiliary certification IC cards shall be
controlled by healthcare institutions, with
management guidelines to be established by said
institutions.
2. The four types of HCA-issued cards (3/3)
- 4. Temporary certification IC cards for doctors
- These cards are for use by doctors who are
temporarily unable to access NHI IC cards using
their physician's certification IC cards.
- This applies when cards are lost, damaged, left at
home, or when codes are forgotten.
- Cards have HPC functions, but no HCA functions
(signature).
- The DOH began accepting applications from medical
centers for temporary card usage on December
29, 2004. After the fee rules have been ratified,
the DOH will begin collecting fees from
applicants.
- Temporary certification IC cards should be
controlled by medical care institutions, with
management guidelines to be established by said
institutions.
3. Membership Roster of HCA (1/3)
[Diagram: HCA membership, with the labels "CA" and "Card-issuing Center"]
3. Membership Roster of HCA (2/3)
- CA: certification authority
- Responsible for issuing certification IC cards.
- RA/RAO: registration authority / registration
authority operator
- Responsible for certification registration,
applicant identity checks, and related
certification services (application,
cancellations, extensions, card decryption,
etc.)
- Repository
- Posting of CA certifications, confirmation of
certification users, posting of the certificate
revocation list (CRL), drafting of the Certification
Practice Statement (CPS), etc.
- Card-issuing Center
- Responsible for producing and issuing cards.
3. Membership Roster of HCA (3/3)
- Subscribers
- Certification users
- Certified healthcare staff and licensed
healthcare institutions, holders of healthcare
certification IC cards
- Relying Party
- Parties that recognize and place trust in holders
of CA-issued certification cards.
4. Rules and regulations on the RA and RAO
- The RA is responsible for stipulating the
detailed procedures concerning the registration
of certified users and the authentication of
their identities, in accordance with the
processes concerned with applications from
certified users, as well as with the inquiry and
the cancellation of the certification process.
- During the application process, RAO personnel
will authenticate the applicant's identity and
documents in accordance with the procedural
guidelines.
- Public health bureaus nationwide will be
authorized to serve as RAOs to carry out a wide
range of services as mentioned above in the
implementation of the RA's onsite application
processes.
5. Certification Specifications
- The issuance of X.509 v3 format certificates,
which include the name of the user, the public
key, the issuer, the effective date and the
expiration date, among others.
- Using the RSA asymmetric encryption algorithm,
the length of a certification user's key is 1024
bits, while the length of the CA's key is
2048 bits.
- Additional remarks
- The RSA asymmetric encryption algorithm:
this is a patented encryption algorithm developed
by three Massachusetts Institute of Technology
(USA) scholars: Rivest, Shamir and Adleman.
- The length of the key: the key is composed
of randomized bits. The more bits, the
longer and more secure the key (i.e. the key will
be harder to decipher).
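An added example in Go (not part of the original slides or of HCA's software) that issues an X.509 v3 certificate carrying the fields listed above, with a 2048-bit CA key and a 1024-bit subscriber key as on the slide. The CA, the subject names, serial numbers and validity periods are constructed, and `Issue`, `KeyBits` and `must` are hypothetical helper names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or encoding failed
	}
	return v
}

// KeyBits returns the RSA modulus length of the certificate's public key.
func KeyBits(c *x509.Certificate) int { return c.PublicKey.(*rsa.PublicKey).N.BitLen() }

// Issue builds a throwaway CA and one subscriber certificate with the given RSA
// sizes, then checks the chain. Names and validity periods are constructed samples.
func Issue(caBits, userBits int) (*x509.Certificate, error) {
	now := time.Now()
	caKey := must(rsa.GenerateKey(rand.Reader, caBits))
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Healthcare CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)} // effective, expiration
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	userKey := must(rsa.GenerateKey(rand.Reader, userBits))
	userT := &x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{CommonName: "Example Physician"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0)}
	der := must(x509.CreateCertificate(rand.Reader, userT, caCert, &userKey.PublicKey, caKey))
	cert := must(x509.ParseCertificate(der)) // issuer name is copied from the CA's subject
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return cert, err
}

func main() {
	cert := must(Issue(2048, 1024)) // CA and subscriber key sizes from the slide
	fmt.Printf("v%d subject=%q issuer=%q key=%d bits\n", cert.Version,
		cert.Subject.CommonName, cert.Issuer.CommonName, KeyBits(cert))
	fmt.Println("valid", cert.NotBefore.Format("2006-01-02"), "to", cert.NotAfter.Format("2006-01-02"))
}
```

The 1024-bit subscriber size is the slide's 2005 value; current guidance such as NIST SP 800-131A treats 2048 bits as the RSA minimum.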
6. Operational Status of HCA
- As of December 31, 2004, 97,163 certification IC
cards have been produced and issued, including
- 86,057 IC cards for medical care personnel
(including 45,417 cards for doctors)
- 11,106 IC cards for medical care institutions
- The service hotline 0800-364422 (3 lines) is
available for further inquiries.
7. Certification IC card issuance for medical
care personnel (1/2)
- Doctors (including practitioners of Western
medicine, Chinese medicine, and dentistry)
- The HCA took the initiative to send application
forms to these doctors nationwide (August
2003 to December 2003)
- Reply forms have been received and 35,023 cards
have been issued
- In accordance with the value-added NHI IC card
mobilization plan, application forms were further
sent to doctors who have not yet completed the
application (Oct. 19, 2004)
- Reply forms have been received and 10,394 cards
have been issued
7. Certification IC card issuance for medical
care personnel (2/2)
- Certification IC card issuance for medical care
personnel
- Applications were opened to other medical care
personnel during the period of Mar. 2004 to Dec.
2004.
- 51,666 cards were issued, in accordance with the
2004 plan, to other medical care personnel (with
doctors' applications still ongoing).
- 80,614 reply forms from other medical care
personnel have been received, and 40,640 cards
have been issued (the remaining cards will be
issued in 2005).
8. Registration Authority Operators (RAO) (1/3)
- Registration Authority Operator (RAO)
- RAOs are certified registration windows
authorized by the Healthcare Certification
Authority (HCA)
- In accordance with the Government Public Key
Infrastructure Certification Policy assurance
level guidelines, the HCA provides Assurance
Level 3 certification services. The applicant or
his/her agent must complete the application in
person.
- There are 79 RAOs in Health Bureaus nationwide,
and Health Stations in Taipei and Kaohsiung City,
as well as Taipei County.
- RAOs supervise the onsite identity authentication
of medical care personnel or institutional
applicants.
- Full implementation of RAOs is scheduled for
March 2005.
8. Registration Authority Operators (RAO) (2/3)
- RAO Project Tasks include
- Application and re-issuance of certification IC
cards
- Extension, cancellation, and key recovery
(institutional cards) of certification cards.
- Medical care certification IC card decryption
services.
- Project Guidelines
- Healthcare Certification IC Card Issuing and
Management Guidelines (draft), Registration
Authority Operator operating procedures overview
(draft), and other guidelines for RAO personnel.
8. Registration Authority Operators (RAO) (3/3)
9. Applications of Healthcare Certification IC
Cards (1/7)
- Benefits
- Provides confidentiality, integrity,
authentication and non-repudiation of relevant
information.
- Electronic medical records signed in accordance
with the system policy do not have paper
counterparts. This saves substantial time for
accessing and transferring medical records, and
maximizes human resource deployment, paving the
road towards a paper-free environment.
- Access to healthcare resources can be monitored,
ensuring the privacy of patients.
- Safety can be ensured for the transfer of medical
information, reducing the possibility of waste in
healthcare resources and providing patients with
more convenience in receiving medical care.
9. Applications of Healthcare Certification IC
Cards (2/7)
- Electronic medical record exchange
- Facilitates sharing of healthcare resources and
the implementation of patient referral systems
- Medical record index center
- Ensures the confidentiality of the information,
its integrity, and the authentication of the
identities of both parties involved in the file
exchange
- Healthcare Information Systems
- HIS, PACS, RIS and other medical record
electronic signature applications
- Intra-hospital medical personnel ID
authentication applications
9. Applications of Healthcare Certification IC
Cards (3/7)
- Healthcare Project Applications
- The application of the Online Birth Reporting
System for medical care institutions.
- Plans for convenient online services for the
general public
- Department of Health online services for the
general public (with single sign-on identity
authentication using medical certification)
include online application of licenses for
medical personnel, healthcare institutions, or
healthcare advertising; online physicians'
support reporting, suicide prevention reporting
or administrative penalties reporting, etc.
- Restricted access to NHI IC Card information
(access limited to physicians with medical
personnel certification IC cards).
9. Applications of Healthcare Certification IC
Cards (4/7)
- The example of the intra-hospital HIS system
- Situations requiring the production of
signatures
- Upon the completion of the doctor's diagnosis
- Upon the registration of reports by medical lab
technologists
- Upon treatment by nursing personnel
- All situations that currently require the signing
of forms by physicians and medical care personnel
shall require electronic signatures in the
future.
9. Applications of Healthcare Certification IC
Cards (5/7)
- Situations requiring the authentication of
signatures
- When medical disputes arise, and higher
authorities order relevant medical records to be
sent
- When insurance companies request medical records
(with the patient's consent)
- When the patient or the patient's legal proxy
files for medical record copies
- Other situations that reasonably require printing
of medical records
9. Applications of Healthcare Certification IC
Cards (6/7)
- Electronic medical records flow chart
- Step 1 (Signature): sign the electronic medical
records using the private key stored in the IC
card.
- Step 2 (Access of medical records; labelled
"Test the chapter" in the chart): 1. Obtain the
public key. 2. Use the public key to authenticate
the signature.
9. Applications of Healthcare Certification IC
Cards (7/7)
- Electronic file exchange flow chart
- Step 1 (Hospital A): 1. Obtain and use Hospital
B's public key for encryption. 2. Use the private
key in its own IC card to sign.
- Materials exchanged: signature, encryption.
- Step 2 (Hospital B): 1. Obtain and use Hospital
A's public key to authenticate the signature.
2. Use the private key in its own IC card for
decryption.
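The two flow charts above (sign with the card's private key and verify with the public key; encrypt for Hospital B and decrypt with B's private key), as an added Go example that is not HCA code. It assumes software RSA keys in place of IC cards and, as details the slides do not specify, wraps a one-time AES-256-GCM key with RSA-OAEP and signs with PKCS#1 v1.5 over SHA-256; `Send`, `Receive`, `newKey` and `must` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // RNG or key failure on the caller's own side
	}
	return v
}
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) } // constructed sample key

// Send is Hospital A: encrypt for B's public key, then sign with A's private key.
func Send(rec []byte, a *rsa.PrivateKey, b *rsa.PublicKey) (body, sig []byte) {
	key := make([]byte, 32+12) // fresh AES-256 key followed by a GCM nonce
	must(rand.Read(key))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key[:32]))))
	body = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, b, key[:32], nil))
	body = gcm.Seal(append(body, key[32:]...), key[32:], rec, nil) // wrapped key | nonce | ciphertext
	h := sha256.Sum256(body)
	return body, must(rsa.SignPKCS1v15(rand.Reader, a, crypto.SHA256, h[:]))
}

// Receive is Hospital B: verify A's signature first, then decrypt with B's private key.
func Receive(body, sig []byte, a *rsa.PublicKey, b *rsa.PrivateKey) ([]byte, error) {
	n, h := b.Size(), sha256.Sum256(body) // n: byte length of the RSA-wrapped key
	if len(body) < n+12 || rsa.VerifyPKCS1v15(a, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("rejected: truncated or not signed by Hospital A")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b, body[:n], nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("cannot unwrap session key: %v", err)
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, body[n:n+12], body[n+12:], nil)
}

func main() {
	a, b := newKey(), newKey()
	body, sig := Send([]byte("constructed sample referral record"), a, &b.PublicKey)
	fmt.Printf("%s\n", must(Receive(body, sig, &a.PublicKey, b)))
}
```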
10. Related Regulations (1/2)
- Electronic Signature Act (promulgated on Apr. 1,
2002)
- According to the law, paper-based documents
should be preserved as they are, and if contents
remain complete and available for future
reference, then they may be converted into
electronic form. (Article no. 6)
- Documents that are required by law to bear
signatures may be converted into electronic form
with the consent of relevant personnel. (Article
no. 9)
- Certification institutions should provide a
Certification Practice Statement, describing
operating procedures for certification
institutions regarding general operations and
authentication services, which is to be
announced on the public website of the said
certification institution for public viewing
after its authentication, and will thereafter be
available for certification services. (Article
no. 11)
10. Related Regulations (2/2)
- The Healthcare Certification Authority
Certification Practice Statement was verified
and promulgated by the Department of Commerce,
Ministry of Economic Affairs on June 6, 2003,
officially enabling certification services.
- Medical Care Act (revised on Apr. 28, 2004)
- Healthcare institutions that produce and store
medical records as electronic documents shall
avoid producing paper-based copies of these
records. Related conditions, means of production,
content and other requirements shall be
established by the highest healthcare authority.
(Article no. 69)
12. Budget
- Total of funds used by HCA (Aug. 1, 2002 to Dec.
31, 2005): 89,824,661 NT dollars, averaging
approximately 26 million NT dollars per year.